
01-03 Configuration Examples

Uploaded by

s.sadique10000

Wireless Access Controller (AC and Fit AP)

Web-based Configuration Guide 3 Configuration Examples

3 Configuration Examples

About This Chapter

3.1 WLAN Basic Networking Configuration Examples


3.2 Authentication Configuration Examples
3.3 Reliability Configuration Examples
3.4 Roaming Configuration Examples
3.5 Mesh Configuration Examples
3.6 Radio Resource Management Configuration Examples
3.7 Spectrum Analysis Configuration Examples
3.8 WLAN Security Configuration Examples
3.9 WLAN QoS Configuration Examples
3.10 WLAN Hotspot2.0 Configuration Examples
3.11 IoT Configuration Examples
3.12 Other WLAN Service Configuration Examples

3.1 WLAN Basic Networking Configuration Examples

3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Issue 01 (2023-04-12) Copyright © Huawei Technologies Co., Ltd. 41


Wireless Access Controller (AC and Fit AP)
Web-based Configuration Guide 3 Configuration Examples

Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-1 Networking for configuring Layer 2 direct forwarding in inline mode

Data Planning

Table 3-1 AC data planning

Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsHsjx_202206
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete
the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The
default VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLAN 101 in the same way.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. The IP address
10.23.101.2 cannot be assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.


# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

----End


3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-2 Networking for configuring Layer 2 tunnel forwarding in inline mode

Data Planning

Table 3-2 AC data planning

Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsHsjx_202206
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete
the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
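
The checks in the Configuration Notes of 3.1.1 and 3.1.2 can be run against a command transcript before rollout. This is an added example, not Huawei's code: it parses transcripts in the prompt style used in this guide and assumes an AP-facing port is a trunk whose PVID is the management VLAN. The GE0/0/3 port and the [AC] prompt in the samples are constructed.

```python
import re

# Constructed transcripts in the prompt style of this guide. GE0/0/3 is a made-up
# AP-facing port left without port isolation; the [AC] prompt is a placeholder.
SAMPLE_SWITCH = """\
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
"""
SAMPLE_AC = """\
[AC] capwap dtls no-auth enable
"""

PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")


def commands(transcript):
    """Strip '<HUAWEI>' / '[Switch-...]' prompts; skip blank and '#' note lines."""
    result = []
    for line in transcript.splitlines():
        cmd = " ".join(PROMPT.sub("", line).lower().split())
        if cmd and not cmd.startswith("#"):
            result.append(cmd)
    return result


def vlan_list(tokens):
    """Expand '100 101' or '100 to 101' into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(transcript):
    """Map interface name -> {'pvid', 'allowed', 'isolated'} from the transcript."""
    ports, current = {}, None
    for cmd in commands(transcript):
        m = re.fullmatch(r"interface (\S+)(?: (\S+))?", cmd)
        if m:
            current = ports.setdefault(m.group(1) + (m.group(2) or ""),
                                       {"pvid": None, "allowed": set(), "isolated": False})
        elif cmd == "quit":
            current = None
        elif current is not None:
            if cmd.startswith("port trunk pvid vlan "):
                current["pvid"] = int(cmd.split()[-1])
            elif cmd.startswith("port trunk allow-pass vlan "):
                current["allowed"] |= vlan_list(cmd.split()[4:])
            elif cmd == "port-isolate enable":
                current["isolated"] = True
    return ports


def audit(switch_transcript, ac_transcript, mgmt_vlan, service_vlan, forwarding):
    """Return findings for the port isolation, VLAN separation and DTLS no-auth notes."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("plan: management and service VLAN are the same in tunnel forwarding")
    for name, port in sorted(parse_interfaces(switch_transcript).items()):
        if port["pvid"] != mgmt_vlan:
            continue  # not AP-facing under the PVID assumption
        if not port["isolated"]:
            findings.append(f"{name}: AP-facing port without port-isolate enable")
        if forwarding == "tunnel" and service_vlan in port["allowed"]:
            findings.append(f"{name}: service VLAN {service_vlan} allowed on AP-facing trunk")
    no_auth = False
    for cmd in commands(ac_transcript):
        if cmd == "capwap dtls no-auth enable":
            no_auth = True
        elif cmd == "undo capwap dtls no-auth enable":
            no_auth = False
    if no_auth:
        findings.append("AC: capwap dtls no-auth enable was never undone")
    return findings
```

The tunnel-forwarding VLAN finding follows the 3.1.2 example, where the AP-facing trunk passes only the management VLAN.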

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.
# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLAN 101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.


# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. The IP address
10.23.101.2 cannot be assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.


----End
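
The mandatory-field rules for the AP template in Step 3 (3.1.1 and 3.1.2) can be checked before import. This is an added example, not part of the guide: the CSV column names reuse the guide's field labels because the real template layout is not shown, and every row after the first data row is constructed.

```python
import csv
import io
import re

# Constructed template content. Row 2 is the guide's example AP; the other rows
# are made up to trigger each check. Column names are an assumption.
SAMPLE_TEMPLATE = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
,210235419610CB002288,area_2,ap-group1
60:DE:44:76:E3:60,,area_3,ap-group1
60de-4476-e3zz,210235419610CB002289,area_4,ap-group2
"""


def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def validate_template(text, auth_mode, known_groups):
    """Check rows against the AP authentication mode ('mac' or 'sn').

    Returns a list of (row_number, problem); the header is row 1.
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    problems, seen_mac, seen_sn = [], {}, {}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        mac_raw = (row.get("AP MAC") or "").strip()
        sn = (row.get("AP SN") or "").strip().upper()
        mac = normalize_mac(mac_raw) if mac_raw else None
        if mac_raw and mac is None:
            problems.append((row_no, f"malformed AP MAC {mac_raw!r}"))
        if auth_mode == "mac" and not mac_raw:
            problems.append((row_no, "AP MAC is mandatory for MAC address authentication"))
        if auth_mode == "sn" and not sn:
            problems.append((row_no, "AP SN is mandatory for SN authentication"))
        # The same AP listed twice (even in another MAC notation) is reported once.
        for value, seen, label in ((mac, seen_mac, "AP MAC"), (sn, seen_sn, "AP SN")):
            if value and value in seen:
                problems.append((row_no, f"duplicate {label}, first used in row {seen[value]}"))
            elif value:
                seen[value] = row_no
        group = (row.get("AP Group") or "").strip()
        if group not in known_groups:
            problems.append((row_no, f"unknown AP group {group!r}"))
    return problems
```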

3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding


Figure 3-3 Networking for configuring Layer 2 direct forwarding in bypass mode

Data Planning

Table 3-3 AC data planning


Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsHsjx_202206
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when all of these configurations exist. Otherwise, the system prompts
you to complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101, and set the
PVID of GE0/0/1 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter
wlan-net, and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.


----End

3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding


Figure 3-4 Networking for configuring Layer 2 tunnel forwarding in bypass mode

Data Planning

Table 3-4 AC data planning


Item Data

Management VLAN for APs: VLAN 100

Service VLAN for STAs: VLAN 101

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs.
SwitchB functions as a DHCP server to assign IP addresses to STAs.
The default gateway address of STAs is 10.23.101.2.

IP address pool for APs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.3-10.23.101.254/24

AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, 2G radio profile wlan-radio2g, and 5G radio
profile wlan-radio5g

Regulatory domain profile:
● Name: default
● Country code: CN
● Calibration channel set: calibration bandwidth and channels for
2.4 GHz and 5 GHz radios

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile:
● Name: wlan-airscan
● Probe channel set: calibration channels
● Air scan interval: 60000 ms
● Air scan period: 60 ms

2G radio profile:
● Name: wlan-radio2g
● Referenced profile: air scan profile wlan-airscan

5G radio profile:
● Name: wlan-radio5g
● Referenced profile: air scan profile wlan-airscan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when all of these configurations exist. Otherwise, the system prompts
you to complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
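
The notes above (the same ones apply to the direct forwarding example in the previous section) can be checked against a saved CLI transcript. The following Python check is an added example, not Huawei code: it parses prompt-style lines like those in Step 1 and reports missing port isolation, a service VLAN allowed towards APs in tunnel forwarding mode, and a leftover capwap dtls no-auth enable. The sample transcripts, the choice of GE0/0/1 on SwitchA as the AP-facing port, and the [AC] prompt for the DTLS command are assumptions.

```python
import re

# Matches "[SwitchA] cmd" and "[SwitchA-GigabitEthernet0/0/1] cmd".
# Limitation: device names that contain "-" are not handled.
PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\]\s*(.+)$")

def parse_vlans(tokens):
    """Expand 'all', '100 101' and '100 to 110' into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_transcript(text):
    """Return ({'device:interface': settings}, flags) from prompt-style lines."""
    ports, flags = {}, {"dtls_no_auth": False}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # e.g. "<HUAWEI> system-view" or blank lines
        dev, view, cmd = m.group(1), m.group(2), m.group(3).strip()
        undo = cmd.startswith("undo ")
        cmd = cmd[5:] if undo else cmd
        if cmd == "capwap dtls no-auth enable":
            flags["dtls_no_auth"] = not undo  # the last command wins
        if view is None:
            continue
        port = ports.setdefault(f"{dev}:{view}".lower(),
                                {"allow": set(), "isolate": False})
        if cmd == "port-isolate enable":
            port["isolate"] = not undo
        elif cmd.startswith("port trunk allow-pass vlan "):
            vlans = parse_vlans(cmd.split()[4:])
            port["allow"] = port["allow"] - vlans if undo else port["allow"] | vlans
    return ports, flags

def audit(text, ap_ports, mgmt_vlan, service_vlans, forwarding):
    """Check a transcript against the Configuration Notes; return findings."""
    ports, flags = parse_transcript(text)
    service, findings = set(service_vlans), []
    if forwarding == "tunnel" and mgmt_vlan in service:
        findings.append("management VLAN is also a service VLAN (tunnel mode)")
    for name in ap_ports:
        port = ports.get(name.lower())
        if port is None:
            findings.append(f"{name}: no configuration found")
            continue
        if not port["isolate"]:
            findings.append(f"{name}: port isolation is not enabled")
        if mgmt_vlan not in port["allow"]:
            findings.append(f"{name}: management VLAN {mgmt_vlan} is not allowed")
        carried = port["allow"] & service
        if forwarding == "tunnel" and carried:
            findings.append(f"{name}: service VLAN {sorted(carried)} allowed "
                            "towards APs in tunnel mode")
        if forwarding == "direct" and carried != service:
            findings.append(f"{name}: service VLAN {sorted(service - carried)} "
                            "missing in direct mode")
    if flags["dtls_no_auth"]:
        findings.append("capwap dtls no-auth enable is still set")
    return findings

AP_PORTS = ["SwitchA:GigabitEthernet0/0/1"]  # assumed AP-facing port

# Constructed sample 1: SwitchA lines from the direct forwarding example,
# followed by AP onboarding on the AC with non-authentication switched off again.
DIRECT_OK = """
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[AC] capwap dtls no-auth enable
[AC] undo capwap dtls no-auth enable
"""

# Constructed sample 2: a tunnel forwarding deployment that drifted from the notes.
TUNNEL_BAD = """
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/1] quit
[AC] capwap dtls no-auth enable
"""

if __name__ == "__main__":
    for finding in audit(TUNNEL_BAD, AP_PORTS, 100, [101], "tunnel"):
        print(finding)
```

Run it against the transcript saved after Step 7, once the APs are online, so that a DTLS non-authentication setting left over from onboarding shows up as a finding.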

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.


# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.


# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.

# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration, and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.

# Click the icon next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.


# Radio calibration stops one hour after the radio calibration is manually
triggered.
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is
displayed. On the Radio Calibration Configuration page, set Triggering
condition to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter
wlan-net, and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

----End
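
The AP template rules in Step 4 (here and in the previous example) determine which identifier must be present for each AP authentication mode, so a template row with a missing, malformed or duplicated identifier should be caught before import. The following Python check is an added example, not part of the Huawei guide or the AC's import logic. The CSV column names (ap_mac, ap_sn, ap_name, ap_group) and every sample row except the guide's own AP values are assumptions.

```python
import csv
import io
import re

def normalize_mac(raw):
    """Return the MAC as xxxx-xxxx-xxxx (the guide's notation), or None."""
    digits = re.sub(r"[-:.\s]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1 or digits == "0" * 12:
        return None  # multicast/broadcast or all-zero: not a device address
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def validate_ap_rows(csv_text, auth_mode, known_groups):
    """Validate AP rows for auth_mode 'mac' or 'sn'; return (accepted, errors)."""
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    accepted, errors, seen = [], [], {"mac": {}, "sn": {}}
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        raw_mac = (row.get("ap_mac") or "").strip()
        sn = (row.get("ap_sn") or "").strip().upper()
        group = (row.get("ap_group") or "").strip()
        mac = normalize_mac(raw_mac) if raw_mac else ""
        problems = []
        if mac is None:
            problems.append(f"invalid MAC {raw_mac!r}")
        if auth_mode == "mac" and not raw_mac:
            problems.append("MAC is mandatory for MAC address authentication")
        if auth_mode == "sn" and not sn:
            problems.append("SN is mandatory for SN authentication")
        # The same AP entered twice (even in another MAC notation) is rejected.
        for kind, value in (("mac", mac), ("sn", sn)):
            if value and value in seen[kind]:
                problems.append(
                    f"duplicate {kind.upper()} (first on line {seen[kind][value]})")
        if group not in known_groups:
            problems.append(f"unknown AP group {group!r}")
        if problems:
            errors.append((lineno, problems))
            continue
        for kind, value in (("mac", mac), ("sn", sn)):
            if value:
                seen[kind][value] = lineno
        accepted.append({"mac": mac, "sn": sn, "group": group,
                         "name": (row.get("ap_name") or "").strip()})
    return accepted, errors

# Constructed sample: line 2 uses the guide's AP values, the rest are made up.
SAMPLE = """
ap_mac,ap_sn,ap_name,ap_group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
,CONSTRUCTEDSN0001,area_2,ap-group1
60:DE:44:76:E3:60,CONSTRUCTEDSN0002,area_3,ap-group1
60de-4476-e361,CONSTRUCTEDSN0003,area_4,guest-group
01de-4476-e362,CONSTRUCTEDSN0004,area_5,ap-group1
"""

if __name__ == "__main__":
    ok, bad = validate_ap_rows(SAMPLE, "mac", {"ap-group1"})
    print(f"{len(ok)} accepted")
    for lineno, problems in bad:
        print(f"line {lineno}: {'; '.join(problems)}")
```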

3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. A VLAN pool is configured as service VLANs to
prevent IP address insufficiency or waste. Furthermore, this measure can reduce
the number of users in each VLAN and the size of the broadcast domain.

Networking Requirements
● AC networking mode: Layer 3 networking in inline mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding


Figure 3-5 Networking for configuring Layer 3 direct forwarding in inline mode

Data Planning

Table 3-5 AC data planning

Item Data

Management VLAN for APs: VLAN 10 and VLAN 100

Service VLAN for STAs: VLAN pool
● Name: sta-pool
● VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs.
SwitchB functions as a DHCP server to assign IP addresses to STAs. The
default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2.

IP address pool for APs: 10.23.10.2-10.23.10.254/24

IP address pool for STAs:
10.23.101.3-10.23.101.254/24
10.23.102.3-10.23.102.254/24

AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g,
and 5G radio profile wlan-radio5g

Regulatory domain profile:
● Name: default
● Country code: CN
● Calibration channel set: calibration bandwidth and channels for
2.4 GHz and 5 GHz radios

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLANs in the VLAN pool
● Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile:
● Name: wlan-airscan
● Probe channel set: calibration channels
● Air scan interval: 60000 ms
● Air scan period: 60 ms

2G radio profile:
● Name: wlan-radio2g
● Referenced profiles: air scan profile wlan-airscan

5G radio profile:
● Name: wlan-radio5g
● Referenced profiles: air scan profile wlan-airscan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.


2. Configure a VLAN pool for service VLANs.


3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
all of them exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the switches and router.


# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102.
The default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to
VLAN 100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102, and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the DHCP services to assign IP addresses to APs and STAs.
# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to
STAs and set the default gateways.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLANs 100, 101, and 102.

# Click Apply. In the dialog box that is displayed, click OK.

# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network connectivity.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.

# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1


# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to
VLAN Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is
displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add
VLANs 101 and 102.
# Click OK. In the dialog box that is displayed, click OK.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.

# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration, and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.


# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.

# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning. The Radio Planning page is displayed.

# Click Immediate Calibration. In the dialog box that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.

# Radio calibration stops one hour after the radio calibration is manually
triggered.

# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is
displayed. On the Radio Calibration Configuration page, set Triggering
condition to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.


3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

----End

3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. A VLAN pool is configured as service VLANs to
prevent IP address insufficiency or waste. Furthermore, this measure can reduce
the number of users in each VLAN and the size of the broadcast domain.

Networking Requirements
● AC networking mode: Layer 3 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-6 Networking for configuring Layer 3 tunnel forwarding in inline mode

Data Planning

Table 3-6 AC data planning

Item: Data

Management VLANs for APs: VLAN 10 and VLAN 100

Service VLAN for STAs: VLAN pool
● Name: sta-pool
● VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs
and STAs.

IP address pool for APs: 10.23.10.2-10.23.10.254/24

IP address pool for STAs: 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24

AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g, and
5G radio profile wlan-radio5g

Regulatory domain profile:
● Name: default
● Country code: CN
● Calibration channel set: calibration bandwidth and channels for 2.4 GHz and
5 GHz radios

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: tunnel forwarding
● Service VLAN: VLANs in the VLAN pool
● Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile:
● Name: wlan-airscan
● Probe channel set: calibration channels
● Air scan interval: 60000 ms
● Air scan period: 60 ms

2G radio profile:
● Name: wlan-radio2g
● Referenced profiles: air scan profile wlan-airscan

5G radio profile:
● Name: wlan-radio5g
● Referenced profiles: air scan profile wlan-airscan


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
all of them exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
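
The checks in the Configuration Notes of 3.1.5 and 3.1.6 (port isolation on AP-facing interfaces, service VLANs kept off the AC-AP path in tunnel forwarding mode, and CAPWAP DTLS non-authentication disabled once APs are online) can be run against a saved CLI session. The script below is an added example, not Huawei's code: the sample transcript is constructed, and the [AC] prompt, interface GE0/0/3, and the rule that a trunk whose PVID is the management VLAN faces an AP are assumptions.

```python
import re

# Prompts as typed in the guide: "[SwitchA] cmd" (system view) or
# "[SwitchA-GigabitEthernet0/0/1] cmd" (interface view). Assumes no "-" in sysname.
PROMPT = re.compile(r"^\[(?P<dev>[^\]\-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")

NO_ISOLATION = "AP-facing port without port isolation"
NO_AUTH_LEFT_ON = "CAPWAP DTLS non-authentication still enabled"
MGMT_IS_SERVICE = "management VLAN is also a service VLAN"

# Constructed sample: SwitchA commands from Step 1 of 3.1.5, plus a hypothetical
# second AP port (GE0/0/3) and a hypothetical AC session that never ran the undo.
SAMPLE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] quit
[AC] capwap dtls no-auth enable
"""


def parse_transcript(text):
    """Split a session into per-interface commands and all other commands."""
    interfaces, others = {}, []
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or m["cmd"].strip() == "quit":
            continue  # user-view lines such as "<HUAWEI> system-view" are skipped
        dev, view, cmd = m["dev"], m["view"], " ".join(m["cmd"].split())
        if view and view.lower().startswith("gigabitethernet"):
            interfaces.setdefault((dev, view), []).append(cmd)
        else:
            others.append((dev, cmd))
    return interfaces, others


def vlan_ids(cmds, prefix):
    """VLAN IDs named by commands starting with prefix; understands 'A to B'."""
    ids = set()
    for cmd in cmds:
        if not cmd.startswith(prefix):
            continue
        tok = cmd[len(prefix):].split()
        for i, t in enumerate(tok):
            if t == "to" and 0 < i < len(tok) - 1:
                ids.update(range(int(tok[i - 1]), int(tok[i + 1]) + 1))
            elif t.isdigit():
                ids.add(int(t))
    return ids


def enabled(cmds, feature):
    """True if feature was entered and not later reverted with 'undo <feature>'."""
    state = False
    for cmd in cmds:
        if cmd == feature:
            state = True
        elif cmd == "undo " + feature:
            state = False
    return state


def audit(text, mgmt_vlan, service_vlans, forwarding):
    """Return (where, finding) tuples for the checks in the Configuration Notes."""
    interfaces, others = parse_transcript(text)
    findings = []
    if forwarding == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(("plan", MGMT_IS_SERVICE))
    for (dev, ifname), cmds in sorted(interfaces.items()):
        # Assumption: a trunk whose PVID is the AP management VLAN faces an AP.
        if mgmt_vlan not in vlan_ids(cmds, "port trunk pvid vlan"):
            continue
        where = f"{dev} {ifname}"
        if not enabled(cmds, "port-isolate enable"):
            findings.append((where, NO_ISOLATION))
        leaked = vlan_ids(cmds, "port trunk allow-pass vlan") & set(service_vlans)
        if forwarding == "tunnel" and leaked:
            findings.append((where, f"service VLANs {sorted(leaked)} on AP-facing trunk"))
    for dev in sorted({d for d, _ in others}):
        if enabled([c for d, c in others if d == dev], "capwap dtls no-auth enable"):
            findings.append((dev, NO_AUTH_LEFT_ON))
    return findings


if __name__ == "__main__":
    for mode in ("direct", "tunnel"):
        print(mode, audit(SAMPLE, 10, {101, 102}, mode))
```

Run with forwarding set to "tunnel" against the direct-forwarding sample, the audit also reports the service VLANs that the AP-facing trunks still carry, which is the difference between the SwitchA configurations in 3.1.5 and 3.1.6.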

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default
VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to
VLAN 100. Create VLANIF 100 and set the IP address of VLANIF 100 to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102, and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure DHCP relay.

# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.


# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF 102
to 10.23.102.1/24 in the same way.
# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 101.

# Create an interface address pool in the same way and select VLANIF 102.
# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
NOTE

Configure the DNS server address as required.


# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to
VLAN Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is
displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add
VLANs 101 and 102.
# Click OK. In the dialog box that is displayed, click OK.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Choose Configuration > AP Config > AP Group > AP Group.

# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.

# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration, and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.

# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning. The Radio Planning page is displayed.

# Click Immediate Calibration. In the dialog box that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.

# Radio calibration stops one hour after the radio calibration is manually
triggered.

# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is
displayed. On the Radio Calibration Configuration page, set Triggering
condition to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.

3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

----End

3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. A VLAN pool is configured as service VLANs to
prevent IP address insufficiency or waste. Furthermore, this measure can reduce
the number of users in each VLAN and the size of the broadcast domain.

Networking Requirements
● AC networking mode: Layer 3 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 3-7 Networking for configuring Layer 3 direct forwarding in bypass mode

Data Planning

Table 3-7 AC data planning


Item                            Data
Management VLANs for APs        VLAN 10 and VLAN 100
Service VLAN for STAs           VLAN pool
                                ● Name: sta-pool
                                ● VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                The aggregation switch functions as a DHCP server for STAs. The
                                default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2.
IP address pool for APs         10.23.10.2-10.23.10.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default
Regulatory domain profile       ● Name: default
                                ● Country code: CN
SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net
Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206
VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLANs in the VLAN pool
                                ● Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102.
The default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and
VLAN 102, GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create
VLANIF 100 and set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102, and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the DHCP services to assign IP addresses to APs and STAs.

# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to
STAs and set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to
VLAN Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is
displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add
VLANs 101 and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

----End

3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 3 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-8 Networking for configuring Layer 3 tunnel forwarding in bypass mode

Data Planning

Table 3-8 AC data planning

Item                            Data
Management VLAN for APs         VLAN 10 and VLAN 100
Service VLAN for STAs           VLAN pool
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway IP addresses of STAs are 10.23.101.2 and
                                10.23.102.2.
IP address pool for APs         10.23.10.2-10.23.10.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24
VLAN pool                       ● Name: sta-pool
                                ● VLANs in the VLAN pool: VLAN 101 and VLAN 102
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default
Regulatory domain profile       ● Name: default
                                ● Country code: CN
SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net
Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206
VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLANs in the VLAN pool
                                ● Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
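
The Configuration Notes for the direct-forwarding and tunnel-forwarding examples (3.1.7 and 3.1.8) can be checked against a saved CLI session. The following audit script is an added example, not part of the Huawei guide: function names and sample transcripts are constructed, the [AC-wlan-view] prompt for the CAPWAP command is an assumption, and the parser also accepts the VRP `to` range and `all` keywords, which this page does not show.

```python
import re

# Matches the view prompt this guide shows, e.g. "[SwitchA-GigabitEthernet0/0/1]" or "<HUAWEI>".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*(.*)$")


def _ifname(name):
    """Normalize 'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' to one key."""
    return name.replace(" ", "").lower()


def parse_session(text):
    """Split a CLI transcript into per-interface commands and all other commands."""
    interfaces, other, current = {}, [], None
    for raw in text.splitlines():
        match = PROMPT.match(raw)
        cmd = (match.group(1) if match else raw).strip().lower()
        if not cmd:
            continue
        if cmd.startswith("interface "):
            current = _ifname(cmd[len("interface "):])
            interfaces.setdefault(current, [])
        elif cmd in ("quit", "return"):
            current = None
        elif current is not None:
            interfaces[current].append(cmd)
        else:
            other.append(cmd)
    return interfaces, other


def allowed_vlans(cmds):
    """VLAN IDs permitted by 'port trunk allow-pass vlan ...' ('to' ranges and 'all' included)."""
    vlans = set()
    for cmd in cmds:
        if not cmd.startswith("port trunk allow-pass vlan "):
            continue
        tokens = cmd.split()[4:]
        i = 0
        while i < len(tokens):
            if tokens[i] == "all":
                return set(range(1, 4095))
            start = int(tokens[i])
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(start, int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(start)
                i += 1
    return vlans


def dtls_no_auth_in_effect(cmds):
    """True if the last CAPWAP no-auth command in the session left it enabled."""
    state = False
    for cmd in cmds:
        if cmd == "capwap dtls no-auth enable":
            state = True
        elif cmd == "undo capwap dtls no-auth enable":
            state = False
    return state


def audit(session, ap_ports, mgmt_vlan, service_vlans, forwarding):
    """Return findings for the AP-facing ports and the CAPWAP DTLS no-auth state."""
    interfaces, other = parse_session(session)
    wanted = set(service_vlans)
    findings = []
    for port in ap_ports:
        cmds = interfaces.get(_ifname(port))
        if cmds is None:
            findings.append(f"{port}: no configuration found in this session")
            continue
        allowed = allowed_vlans(cmds)
        if "port-isolate enable" not in cmds:
            findings.append(f"{port}: port isolation is not enabled")
        if mgmt_vlan not in allowed:
            findings.append(f"{port}: management VLAN {mgmt_vlan} is not allowed")
        on_port = sorted(allowed & wanted)
        if forwarding == "tunnel" and on_port:
            findings.append(f"{port}: service VLANs {on_port} allowed in tunnel forwarding")
        if forwarding == "direct" and len(on_port) != len(wanted):
            findings.append(f"{port}: not all service VLANs allowed in direct forwarding")
    if dtls_no_auth_in_effect(other):
        findings.append("capwap dtls no-auth enable is still in effect")
    return findings


# Constructed transcript: SwitchA from the direct-forwarding example, port isolation omitted.
DIRECT_NO_ISOLATION = """\
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] quit
"""

# Constructed transcript: AC session where no-auth onboarding was never switched off.
AC_NO_AUTH = """\
[AC] wlan
[AC-wlan-view] capwap dtls no-auth enable
[AC-wlan-view] quit
"""

if __name__ == "__main__":
    port = ["GigabitEthernet0/0/1"]
    for finding in audit(DIRECT_NO_ISOLATION, port, 10, [101, 102], "tunnel"):
        print(finding)
    for finding in audit(AC_NO_AUTH, [], 100, [101, 102], "tunnel"):
        print(finding)
```

Auditing the direct-forwarding transcript as `tunnel` shows what happens when the 3.1.7 switch configuration is reused for 3.1.8: the service VLANs are still trunked to the AP-facing port.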

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default
VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create
VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102, and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the DHCP services to assign IP addresses to APs and STAs.

# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to
STAs and set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.

1. Perform basic AC configurations.


# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLANs 100, 101, and 102.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to
VLAN Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is
displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add
VLANs 101 and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the
key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-column
filtering is supported to accurately query online users.

----End

3.1.9 Example for Configuring an Agile Distributed WLAN


Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless
signal attenuation, degrading signal quality. To resolve this issue, an agile
distributed WLAN is used, with a remote unit (RU) deployed in each dormitory.
RUs are connected to a central AP, and all RUs and the central AP are centrally
managed by the AC, delivering high-quality WLAN coverage for each dormitory.


Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to the central AP, RUs, and STAs.
● Service data forwarding mode: tunnel forwarding
● Uplink interfaces of a central AP have a high transmission rate. They connect
to an AC and forward service traffic of all connected RUs. Downlink interfaces
of a central AP connect to RUs. If the number of downlink interfaces of the
central AP is insufficient, one downlink interface can be connected to an
uplink interface of a PoE switch, through which RUs can connect to the central
AP. This increases the number of connected RUs. For example, an
AD9431DN-24X provides four 10GE uplink interfaces numbered from 0 to 3
and 24 GE downlink interfaces numbered from 0 to 23.

Figure 3-9 Networking for configuring an agile distributed WLAN


Data Planning

Table 3-9 AC data planning

Item                                      Data

DHCP server                               The AC functions as a DHCP server to assign IP addresses to
                                          central APs, RUs, and STAs.

IP address pool for central APs and RUs   10.23.100.2-10.23.100.254/24

IP address pool for STAs                  10.23.101.2-10.23.101.254/24

AC's source interface address             VLANIF 100: 10.23.100.1/24

AP group                                  ● Name: ap-group1
                                          ● Referenced profiles: VAP profile wlan-net and regulatory
                                            domain profile default

Regulatory domain profile                 ● Name: default
                                          ● Country code: CN

SSID profile                              ● Name: wlan-net
                                          ● SSID name: wlan-net

Security profile                          ● Name: wlan-net
                                          ● Security policy: WPA-WPA2+PSK+AES
                                          ● Password: YsHsjx_202206

VAP profile                               ● Name: wlan-net
                                          ● Forwarding mode: tunnel forwarding
                                          ● Service VLAN: VLAN 101
                                          ● Referenced profiles: SSID profile wlan-net and security profile
                                            wlan-net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at
Layer 2.
2. Select Config Wizard to configure system parameters for the AC.


3. Select Config Wizard to configure the central APs and RUs to go online on
the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the
configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when they exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

# Configure the switch to enable Layer 2 communication between the central AP
and RUs. If a Huawei switch is used, interfaces on it are added to VLAN 1 by
default and can communicate with one another at Layer 2. Therefore, this
configuration is not required on the switch. If a non-Huawei switch is used,
perform the configuration to enable Layer 2 communication of uplink and
downlink interfaces.

NOTE

On the network between RUs and the central AP, service packets of STAs must be properly
forwarded. In this example, the tunnel forwarding mode is used. Therefore, service VLAN packets
do not need to be permitted between the central AP and RUs. If the direct forwarding mode is
used, configure the network between the central AP and RUs to permit service VLAN packets
depending on the central AP model.
● If the central AP is a gigabit AP (such as the AD9430DN-24), such configuration is not
required on the switch. Because all service packets from RUs are first sent to the central AP
through MAC-IN-MAC tunnels, these packets need to be permitted only from the upstream
direction of the central AP.
● If the central AP is a 10GE AP (such as the AD9431DN-24X), add uplink and downlink
interfaces on the switch to the service VLAN. Because service packets are forwarded starting
from the upstream direction of RUs, these packets must be permitted from the upstream
direction of RUs.

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.

2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLAN 101 in the same way.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configuring network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.


# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. The IP address
10.23.101.2 cannot be assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Configure a central AP and RUs to go online.


1. Configure a central AP and RUs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Configure the RU channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-column
filtering is supported to accurately query online users.


----End

More Information
(Video) Example for Configuring AC and central AP Distributed Networking

3.1.10 Example for Configuring NAT Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
APs are located in an enterprise branch, while the AC is located at the
headquarters. Administrators require unified AP management by the AC.
Therefore, NAT traversal is configured between the AC and APs to save the
enterprise's public IP addresses.

Networking Requirements
● AC networking mode: NAT traversal between the AC at the headquarters and
APs in the branch
● DHCP deployment mode: Router_1 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding


Figure 3-10 Networking for configuring NAT traversal between the AC and APs

Data Planning

Table 3-10 AC data planning


Item                             Data

Management VLAN for APs          VLAN 200

Service VLAN for STAs            VLAN 101

DHCP server                      Router_1 functions as a DHCP server
                                 to assign IP addresses to APs and STAs.

IP address pool for APs          10.23.100.2-10.23.100.254/24

IP address pool for STAs         10.23.101.2-10.23.101.254/24

AC's source interface address    VLANIF 200: 10.23.200.1/24

AP group                         ● Name: ap-group1
                                 ● Referenced profiles: VAP profile
                                   wlan-net and regulatory domain
                                   profile default

Regulatory domain profile        ● Name: default
                                 ● Country code: China

SSID profile                     ● Name: wlan-net
                                 ● SSID name: wlan-net

Security profile                 ● Name: wlan-net
                                 ● Security policy: WPA-WPA2+PSK+AES
                                 ● Password: YsHsjx_202206

VAP profile                      ● Name: wlan-net
                                 ● Forwarding mode: direct forwarding
                                 ● Service VLAN: VLAN 101
                                 ● Referenced profiles: SSID profile
                                   wlan-net and security profile wlan-net

NAT Outbound                     Router_1: translates the private IP
                                 addresses in the network segment
                                 10.23.100.0/24 to the public IP
                                 addresses in the network segment
                                 2.2.2.1.

Static NAT                       Router_2: translates the private IP
                                 addresses in the network segment
                                 10.23.200.1 to the public IP addresses
                                 in the network segment 3.3.3.3.

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.


– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when they exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
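
The Configuration Notes in sections 3.1.9 and 3.1.10 can be turned into post-deployment checks. The following is an added example, not part of the Huawei guide: it scans command text for the three conditions the notes describe. The function names, the constructed AC command histories, and the assumption that the commands appear verbatim in the captured text are hypothetical.

```python
import re

# Strips a CLI prompt such as "[Switch-GigabitEthernet0/0/1] " or "<HUAWEI> ".
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")

# Switch session from Step 1 of section 3.1.10 (AP-facing ports: GE0/0/1, GE0/0/2).
SWITCH_PAGE = """\
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit
"""
AP_PORTS = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"]

# Constructed variant: isolation forgotten on the second AP-facing port.
SWITCH_NO_ISO = SWITCH_PAGE.replace(
    "[Switch-GigabitEthernet0/0/2] port-isolate enable\n", "")

# Constructed AC command histories (prompts omitted; the view is not assumed).
AC_PENDING = "capwap dtls no-auth enable\n"
AC_DONE = "capwap dtls no-auth enable\nundo capwap dtls no-auth enable\n"


def commands(text):
    """Yield commands from a CLI transcript or config dump, prompts stripped."""
    for raw in text.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        if cmd and not cmd.startswith("#"):
            yield cmd


def dtls_no_auth_left_enabled(text):
    """True if non-authenticated DTLS was enabled and never undone afterwards."""
    enabled = False
    for cmd in commands(text):
        if cmd == "capwap dtls no-auth enable":
            enabled = True
        elif cmd == "undo capwap dtls no-auth enable":
            enabled = False
    return enabled


def _norm(name):
    return name.replace(" ", "").lower()


def ports_without_isolation(text, ap_ports):
    """Return AP-facing ports whose interface view lacks 'port-isolate enable'."""
    isolated, current = set(), None
    for cmd in commands(text):
        match = re.match(r"interface\s+(.+)$", cmd, re.I)
        if match:
            current = _norm(match.group(1))
        elif cmd == "quit":
            current = None
        elif cmd == "port-isolate enable" and current:
            isolated.add(current)
    return [port for port in ap_ports if _norm(port) not in isolated]


def audit(ac_text, switch_text, ap_ports, forwarding_mode, mgmt_vlan, service_vlans):
    """Collect findings for the three notes; forwarding_mode is 'direct' or 'tunnel'."""
    findings = []
    if dtls_no_auth_left_enabled(ac_text):
        findings.append("DTLS no-auth still enabled: unauthorized APs can go online")
    if forwarding_mode == "direct":
        for port in ports_without_isolation(switch_text, ap_ports):
            findings.append(f"{port}: port isolation missing on AP-facing interface")
    if forwarding_mode == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(f"VLAN {mgmt_vlan} is both management and service VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(AC_PENDING, SWITCH_NO_ISO, AP_PORTS, "direct", 100, [101]):
        print("FINDING:", finding)
```

Port isolation is only checked in direct forwarding mode because that is the case the note ties the broadcast problem to.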

Procedure
Step 1 Configure the network devices.

# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101.
VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit


# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of
GE0/0/1 is at 2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at
3.3.3.2/24, set the IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set
its IP address to 10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
The AC's source interface address is translated into the public IP address 3.3.3.3
after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

Step 3 Configure NAT.


# Configure outbound NAT on Router_1.


[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
[Router_1-GigabitEthernet0/0/1] quit

# Configure static NAT on Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit
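
APs in the branch reach the AC only if the Option 43 address handed out by Router_1, the global address of the static NAT entry on Router_2, and the AC source address behind that entry all agree, and if the AP address pool is covered by the outbound NAT ACL. The following added example (not part of the Huawei guide) cross-checks those values using the commands from Steps 2 and 3; the function names are hypothetical.

```python
import ipaddress
import re

# Commands copied from Steps 2 and 3 of this example.
ROUTER_1 = """\
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
"""
ROUTER_2 = """\
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
"""
AC_SOURCE = "10.23.200.1"  # VLANIF 200 address from Table 3-10


def acl_sources(text):
    """Map ACL number -> list of source networks permitted by its rules."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        start = re.search(r"\]\s*acl (\d+)$", line)
        rule = re.search(r"rule \d+ permit source (\S+) (\S+)$", line)
        if start:
            current = start.group(1)
            acls[current] = []
        elif rule and current:
            # ipaddress accepts the wildcard (host mask) form 0.0.0.255 directly.
            acls[current].append(
                ipaddress.ip_network(f"{rule.group(1)}/{rule.group(2)}"))
    return acls


def check_nat_traversal(router_1, router_2, ac_source):
    """Return a list of inconsistencies that would keep APs from reaching the AC."""
    problems = []

    # 1. The address APs learn via Option 43 must be published by static NAT
    #    and must map to the AC's CAPWAP source address.
    opt43 = re.search(r"option 43 sub-option 3 ascii (\S+)", router_1)
    static = dict(re.findall(r"nat static global (\S+) inside (\S+)", router_2))
    if not opt43:
        problems.append("no Option 43 AC address in the AP address pool")
    elif opt43.group(1) not in static:
        problems.append(
            f"Option 43 hands out {opt43.group(1)}, which no static NAT entry publishes")
    elif static[opt43.group(1)] != ac_source:
        problems.append(
            f"static NAT maps {opt43.group(1)} to {static[opt43.group(1)]}, "
            f"not to the AC source address {ac_source}")

    # 2. The AP address pool must be covered by an ACL bound to outbound NAT.
    pool = re.search(r"network (\S+) mask (\d+)", router_1)
    acls = acl_sources(router_1)
    translated = [net for number in re.findall(r"nat outbound (\d+)", router_1)
                  for net in acls.get(number, [])]
    if pool:
        ap_net = ipaddress.ip_network(f"{pool.group(1)}/{pool.group(2)}")
        if not any(ap_net.subnet_of(net) for net in translated):
            problems.append(f"AP pool {ap_net} is not covered by outbound NAT")
    return problems


if __name__ == "__main__":
    print(check_nat_traversal(ROUTER_1, ROUTER_2, AC_SOURCE) or "consistent")
```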

Step 4 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.


# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 200 to 10.23.200.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 200.

# Click OK. An address pool for VLANIF 200 is configured.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.200.2.


# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select
Vlanif200.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 5 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.


# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 6 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 7 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 8 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.


----End

3.1.11 Example for Configuring VPN Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
APs are located in an enterprise branch, while the AC is located at the
headquarters. Administrators require unified AP management by the AC and
protection on traffic exchanged between the branch and headquarters. Therefore,
an IPSec tunnel is established between the branch and headquarters to protect
traffic.

Networking Requirements
● AC networking mode: IPSec tunnel between the AC at the headquarters and
APs in the branch.
● DHCP deployment mode: Router_1 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding


Figure 3-11 Networking for configuring VPN traversal between the AC and APs

Data Planning

Table 3-11 AC data planning

Item                            Data

WLAN service data planning on the AC

Management VLAN for APs         VLAN 200

Service VLAN for STAs           VLAN 101

DHCP server                     Router_1 functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.2-10.23.101.254/24

AC's source interface address   VLANIF 200: 10.23.200.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile       ● Name: default
                                ● Country code: China

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net and security profile wlan-net

IPSec data planning on Router_2

IKE parameters                  ● IKE version: IKEv1
                                ● Negotiation mode: main
                                ● Peer IP address: 192.168.1.1
                                ● Authentication mode: pre-shared key authentication
                                ● Pre-shared key: YsHsjx_202206
                                ● Authentication algorithm: SHA2-256
                                ● Encryption algorithm: AES-128
                                ● DH group number: group14

IPSec parameters                ● Security protocol: ESP
                                ● ESP negotiation mode: main
                                ● ESP authentication algorithm: SHA2-256
                                ● ESP encryption algorithm: AES-128
                                ● Encapsulation mode: tunnel

IPSec policy                    ● Connection name: map1
                                ● Interface name: gigabitethernet 0/0/1
                                ● Networking mode: branch site
                                ● Connection number: 10
                                ● ACL number: 3101


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to
implement communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec
tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE
peers to the IPSec policy to define the data flows to be protected and
protection method.
f. Apply the IPSec policy to the interface so that the interface can protect
traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.


● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is
the default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of
GE0/0/1 is at 192.168.1.2/24, set the IP address of GE0/0/1 to 192.168.1.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 192.168.1.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 192.168.1.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 192.168.1.2

# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP
address to 10.23.200.2/24. If the peer end of GE0/0/1 is at 192.168.2.2/24, set the
IP address of GE0/0/1 to 192.168.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 192.168.2.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a static route from Router_2 to APs with the next hop address
192.168.2.2 on Router_2.
[Router_2] ip route-static 10.23.100.0 255.255.255.0 192.168.2.2
[Router_2] ip route-static 192.168.1.0 255.255.255.0 192.168.2.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP
address 10.23.200.0/24) at the headquarters to the APs (IP address
10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit

# On Router_1, configure an ACL to protect the data flows from the APs (IP
address 10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the
headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit

Step 4 Configure IPSec.


1. Create an IPSec proposal on Router_2 and Router_1.
# Create an IPSec proposal on Router_2.
[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit

# Create an IPSec proposal on Router_1.


[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit

2. Create IKE peers on Router_2 and Router_1.

# Create an IKE proposal on Router_2.


[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit

# Configure an IKE peer on Router_2, and configure the pre-shared key and
peer ID based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher YsHsjx_202206
[Router_2-ike-peer-spub] remote-address 192.168.1.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.


[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit

# Configure an IKE peer on Router_1, and configure the pre-shared key and
peer ID based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher YsHsjx_202206
[Router_1-ike-peer-spua] remote-address 192.168.2.1
[Router_1-ike-peer-spua] quit

3. Create IPSec policies on Router_2 and Router_1.

# Configure an IPSec policy in IKE negotiation mode on Router_2.


[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy in IKE negotiation mode on Router_1.


[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit

4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that
the interfaces can protect traffic.

# Apply the IPSec policy to the interface of Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit

# Apply the IPSec policy to the interface of Router_1.


[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ipsec policy use1
[Router_1-GigabitEthernet0/0/1] quit

Step 5 Configure system parameters for the AC.


1. Perform basic AC configurations.


# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 200 to 10.23.200.1/24.


# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 200.

# Click OK. An address pool for VLANIF 200 is configured.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.200.2.

# Click OK.
# Click Next.


# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select
Vlanif200.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 6 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.


# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 7 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 8 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.
# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 9 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

----End
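
The IPSec tunnel in Steps 3 and 4 only comes up if the settings on Router_1 and Router_2 agree: the ACLs must mirror each other, the IKE and IPSec proposals and pre-shared key must match, and each remote-address must be the other router's IPSec interface. The script below is an added example, not part of the original guide or any Huawei tool, that checks this; the embedded configurations are constructed from the commands in Steps 1, 3, and 4, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the commands in Steps 1, 3 and 4 (prompts removed; a leading
# space marks a command entered inside the view named on the line above it).
ROUTER_1 = """\
interface gigabitethernet 0/0/1
 ip address 192.168.1.1 255.255.255.0
 ipsec policy use1
acl number 3101
 rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 authentication-algorithm sha2-256
 encryption-algorithm aes-128
 dh group14
ike peer spua
 undo version 2
 ike-proposal 5
 pre-shared-key cipher YsHsjx_202206
 remote-address 192.168.2.1
ipsec policy use1 10 isakmp
 ike-peer spua
 proposal tran1
 security acl 3101"""
ROUTER_2 = """\
interface gigabitethernet 0/0/1
 ip address 192.168.2.1 255.255.255.0
 ipsec policy map1
acl number 3101
 rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 authentication-algorithm sha2-256
 encryption-algorithm aes-128
 dh group14
ike peer spub
 undo version 2
 ike-proposal 5
 pre-shared-key cipher YsHsjx_202206
 remote-address 192.168.1.1
ipsec policy map1 10 isakmp
 ike-peer spub
 proposal tran1
 security acl 3101"""


def parse(cfg):
    """Group commands by the view they were entered in: {view: [commands]}."""
    views = {}
    for line in cfg.splitlines():
        if not line.startswith(" "):
            current = views.setdefault(line.strip(), [])
        else:
            current.append(line.strip())
    return views


def arg(cmds, keyword):
    """Argument of the first command that starts with keyword, else None."""
    return next((c[len(keyword) + 1:] for c in cmds if c.startswith(keyword + " ")), None)


def summarize(cfg):
    """Collect the settings that must agree (or mirror) between the two peers."""
    v = parse(cfg)
    header = next(k for k in v if k.startswith("ipsec policy "))
    policy, name = v[header], header.split()[2]
    peer = v["ike peer " + arg(policy, "ike-peer")]
    rule = v["acl number " + arg(policy, "security acl")][0]
    src, src_wc, dst, dst_wc = re.fullmatch(
        r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)", rule).groups()
    iface = next(c for k, c in v.items()
                 if k.startswith("interface ") and "ipsec policy " + name in c)
    return {
        "local": arg(iface, "ip address").split()[0],
        "remote": arg(peer, "remote-address"),
        "pre-shared key": arg(peer, "pre-shared-key cipher"),
        "IKE version": "undo version 2" in peer,
        "IKE proposal": sorted(v["ike proposal " + arg(peer, "ike-proposal")]),
        "IPSec proposal": sorted(v["ipsec proposal " + arg(policy, "proposal")]),
        # ipaddress accepts the wildcard (host) mask form used in the ACL rules.
        "src": ipaddress.ip_network(f"{src}/{src_wc}"),
        "dst": ipaddress.ip_network(f"{dst}/{dst_wc}"),
    }


def compare(a, b):
    """Return a list of mismatches; an empty list means the peers are consistent."""
    keys = ("pre-shared key", "IKE version", "IKE proposal", "IPSec proposal")
    problems = [f"{k} differs" for k in keys if a[k] != b[k]]
    if (a["remote"], b["remote"]) != (b["local"], a["local"]):
        problems.append("remote-address does not point at the peer's IPSec interface")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("ACL rules are not mirrored")
    return problems
```

Calling compare(summarize(ROUTER_1), summarize(ROUTER_2)) returns an empty list for the configuration in this example; the messages name the mismatched setting without echoing the key.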


3.1.12 Example for Configuring the Soft GRE Service


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. A wired network has been deployed in an area. To
provide more convenient network access services, administrators need to deploy a
wireless network in this area. To facilitate the unified management of wired and
wireless users, administrators also need to use the existing wired access gateway
ME60 for authentication and accounting of wireless users.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The ME60 functions as a DHCP server to assign IP addresses to STAs.
– Switch functions as a DHCP server to assign IP addresses to APs.
● Service data forwarding mode: soft GRE forwarding

Figure 3-12 Networking for configuring the soft GRE service


Data Planning

Table 3-12 AC data planning


Item                                        Data

Switch data planning

DHCP server                                 Switch functions as a DHCP server to assign IP addresses to APs.

IP address pool for APs                     10.23.100.3-10.23.100.254/24

AC data planning

AC's source interface address               VLANIF 100: 10.23.100.1/24

AP group                                    ● Name: ap-group1
                                            ● Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile                   ● Name: default
                                            ● Country code: China

SSID profile                                ● Name: wlan-net
                                            ● SSID name: wlan-net

Security profile                            ● Name: wlan-net
                                            ● Security policy: open

Soft GRE profile                            ● Name: wlan-soft
                                            ● Destination address of the soft GRE tunnel: 10.23.200.1

VAP profile                                 ● Name: wlan-net
                                            ● Forwarding mode: soft GRE forwarding
                                            ● Service VLAN: VLAN 101
                                            ● Referenced profiles: SSID profile wlan-net, security profile wlan-net, and soft GRE profile wlan-soft

ME60 data planning

DHCP server                                 The ME60 functions as a DHCP server to assign IP addresses to STAs.

IP address pool for STAs                    10.23.101.2-10.23.101.254/24

VE interface for soft GRE                   Virtual-Ethernet2/0/0

Soft GRE group                              ● Name: group1
                                            ● Virtual-Ethernet2/0/0 is referenced.

Destination address of the soft GRE tunnel  ● Name: Loopback 1
                                            ● IP address: 10.23.200.1/24
                                            ● The soft GRE group group1 is referenced.

RADIUS server parameters                    ● Server group: radius1
                                            ● Server IP address: 10.1.1.1
                                            ● Authentication port number: 1812
                                            ● Accounting port number: 1813
                                            ● Shared key: YsHsjx_202206
                                            ● RADIUS accounting scheme: radius
                                            ● RADIUS authentication scheme: radius
                                            ● Domain: aaadomain1

Configuration Roadmap
1. Configure network interworking of the AC, APs, ME60, and other network
devices.
2. Configure the ME60, soft GRE tunnel, and authentication and accounting
functions.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN service to the AP and verify the configuration.

NOTE

● In this example, the ME60 in V600R008C10 is used. The actual configuration may vary
depending on versions.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and
VLAN 199, respectively. Create VLANIF 199 and set its IP address to
10.23.199.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101 199
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 199
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 199
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 199
[Switch-Vlanif199] ip address 10.23.199.2 24
[Switch-Vlanif199] quit

# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a
route to 10.23.100.0/24.
<HUAWEI> system-view
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure Switch as a DHCP server to assign IP addresses to APs, and configure
a route to 10.23.200.0/24.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.2 24
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.1
[Switch-Vlanif100] quit
[Switch] ip route-static 10.23.200.0 24 10.23.199.1

# Configure the ME60 as a DHCP server to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[ME60] dhcp enable
[ME60] ip pool sta-pool bas local
[ME60-ip-pool-sta-pool] gateway 10.23.101.1 24
[ME60-ip-pool-sta-pool] section 1 10.23.101.3 10.23.101.254
[ME60-ip-pool-sta-pool] option 43 ip 10.23.101.1
[ME60-ip-pool-sta-pool] quit

Step 3 Configure the soft GRE tunnel on the ME60.

# Create a VE interface to support soft GRE.


[ME60] interface virtual-ethernet 2/0/0
[ME60-Virtual-Ethernet2/0/0] soft-gre enable
[ME60-Virtual-Ethernet2/0/0] quit

# Create a soft GRE group.


[ME60] soft-gre group group1
[ME60-softgre-group-group1] master virtual-ethernet 2/0/0
[ME60-softgre-group-group1] quit


# Configure an IP address for the loopback interface and bind the soft GRE group
to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit

Step 4 Configure RADIUS authentication and accounting on the ME60.

# Configure a RADIUS server profile, an AAA authentication and accounting
scheme, and domain information.
[ME60] radius-server group radius1
[ME60-radius-radius1] radius-server authentication 10.1.1.1 1812
[ME60-radius-radius1] radius-server accounting 10.1.1.1 1813
[ME60-radius-radius1] radius-server shared-key YsHsjx_202206
[ME60-radius-radius1] quit
[ME60] aaa
[ME60-aaa] authentication-scheme radius
[ME60-aaa-authen-radius] authentication-mode radius
[ME60-aaa-authen-radius] quit
[ME60-aaa] accounting-scheme radius
[ME60-aaa-accounting-radius] accounting-mode radius
[ME60-aaa-accounting-radius] quit
[ME60-aaa] domain aaadomain1
[ME60-aaa-domain-aaadomain1] ip-pool sta-pool
[ME60-aaa-domain-aaadomain1] authentication-scheme radius
[ME60-aaa-domain-aaadomain1] accounting-scheme radius
[ME60-aaa-domain-aaadomain1] radius-server group radius1
[ME60-aaa-domain-aaadomain1] quit
[ME60-aaa] quit

Step 5 Configure the BAS interface on the ME60.

# Create a BAS interface and configure the BAS interface type and authentication
mode. Configure the user VLAN and service VLAN as the same VLAN.
[ME60] interface virtual-ethernet 2/0/0.1
[ME60-Virtual-Ethernet2/0/0.1] user-vlan 101
[ME60-Virtual-Ethernet2/0/0.1-vlan-101-101] bas
[ME60-Virtual-Ethernet2/0/0.1-bas] access-type layer2-subscriber default-domain authentication aaadomain1
[ME60-Virtual-Ethernet2/0/0.1-bas] authentication-method bind

Step 6 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK. VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 7 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 8 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

Click Next. The Security Authentication page is displayed.

# Set Authentication mode to No authentication.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
Click Finish.
Step 9 Create a soft GRE profile.
# Choose Configuration > AP Config > Profile > Wireless Service > SoftGRE
Profile. The SoftGRE Profile List page is displayed.
# Click Create. The Create SoftGRE Profile page is displayed.
# Enter the name of the new soft-GRE profile wlan-soft in Profile name.
# Click OK. Set the destination IPv4 address of the soft GRE tunnel to 10.23.200.1.

# Click Apply. In the dialog box that is displayed, click OK.


Step 10 Change the VAP forwarding mode to Soft-GRE.
# Choose Configuration > AP Config > Profile.
# Choose Wireless Service > VAP Profile in Profile Management. The VAP
Profile List page is displayed.
# Select VAP profile wlan-net. On the VAP profile configuration page that is
displayed, set Forwarding mode to SoftGRE, and SoftGRE profile to wlan-soft.


# Click Apply. In the dialog box that is displayed, click OK.

Step 11 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 12 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.


----End

3.1.13 Configuring Ethernet over GRE to Enable Layer 2 Communication Between an AC and a Wireless Gateway

Networking Requirements
As shown in Figure 3-13, an enterprise provides the Internet access service for
users through a WLAN. On the network, APs provide access to user traffic, AC_1
provides AP access and user authentication, and AC_2 serves as the user gateway
and assigns IP addresses to users. AC_1 and AC_2 are connected by an IP/MPLS
backbone network. A large number of APs are involved in this scenario. To prevent
severe resource consumption caused by frequent setup and deletion of a large
number of GRE tunnels on AC_2, an administrator configures Ethernet over GRE
(EoGRE) between AC_1 and AC_2 to implement Layer 2 communication.


Figure 3-13 Layer 2 communication between the wireless gateway and AC implemented through EoGRE

Data Planning

Table 3-13 WLAN data planning

| Item | Data |
| --- | --- |
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| DHCP server | AC_1 serves as a DHCP server to assign IP addresses to APs, and AC_2 serves as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2 to 10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3 to 10.23.101.254/24 |
| AP group | ● Name: ap-group1<br>● Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | ● Name: default<br>● Country code: China |
| SSID profile | ● Name: wlan-net<br>● SSID name: wlan-net |
| Security profile | ● Name: wlan-net<br>● Security policy: WPA-WPA2+PSK+AES<br>● Password: YsHsjx_202206 |
| VAP profile | ● Name: wlan-net<br>● Forwarding mode: tunnel forwarding<br>● Service VLAN: VLAN 101<br>● Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Table 3-14 EoGRE data planning

| Item | Data |
| --- | --- |
| Tunnel interface on AC_1 | ● Interface: Tunnel0/0/1<br>● Tunnel protocol type: GRE<br>● IP address: 10.40.1.1/24<br>● Source address: 10.20.1.1<br>● Destination address: 10.30.1.1<br>● Bound VE interface: VE0/0/1 |
| Tunnel interface on AC_2 | ● Interface: Tunnel0/0/1<br>● Tunnel protocol type: GRE<br>● IP address: 10.40.1.2/24<br>● Source address: 10.30.1.1<br>● Destination address: 10.20.1.1<br>● Bound VE interface: VE0/0/1 |
| VE interface on AC_1 | ● Interface type: Trunk<br>● Allowed VLAN: 101 |
| VE interface on AC_2 | ● Interface type: Trunk<br>● Allowed VLAN: 101 |

Configuration Roadmap
1. Use the configuration wizard to configure system parameters for AC_1 and
AC_2.
2. Use the configuration wizard to configure APs to go online on AC_1.
3. Use the configuration wizard to configure WLAN services on AC_1.
4. Configure Ethernet over GRE on AC_1 and AC_2.
5. Deliver services to APs and verify the configuration.


Procedure
Step 1 Configure system parameters for AC_1.
1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1, expand Batch Modify, set Interface type to
Trunk, and add GigabitEthernet0/0/1 to VLAN 10.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk, and add the
interface to VLAN 100 and VLAN 101 in the same way.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to
the AP to management VLAN 100.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.


# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.
# Click OK.
# Set the IP address of VLANIF 10 to 10.20.1.1/24 in the same way.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 2 Configure system parameters for AC_2.
Complete the following configurations in the same way as configuring AC_1.
● Set Interface type of GigabitEthernet0/0/1 to Trunk and add the interface
to VLAN 10. Set Interface type of GigabitEthernet0/0/2 to Trunk and add
the interface to VLAN 101.
● Set the IP address of VLANIF 101 to 10.23.101.1/24 and DHCP type to
Interface address pool. Specify IP address 10.23.101.2 that cannot be
automatically assigned.
● Set the IP address of VLANIF 10 to 10.30.1.1/24.
Step 3 Configure an AP to go online on AC_1.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1


NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.


Click Finish.
Step 5 Configure Ethernet over GRE.
# The following assumes that an IGP runs between all devices for communication
on the public network, and that the source and destination interface IP addresses
of the GRE tunnel on AC_1 are 10.20.1.1 and 10.30.1.1, respectively.
1. Configure Ethernet over GRE on AC_1.
# Choose Configuration > Other Services > VPN > GRE. The GRE page is
displayed.
# Click Create. The Create GRE page is displayed.
# Set Tunnel ID to 1, IP address/mask to 10.40.1.1/255.255.255.0, Tunnel
destination address to 10.30.1.1, Tunnel source address type to IP address,
and the tunnel source IP address to 10.20.1.1.

# Click next to VE interface bound to EoGRE. On the page that is
displayed, click Create to create Virtual-Ethernet0/0/1 and add the VE
interface to VLAN 101. Note that the VE interface must be added to the same
VLAN to which the inbound interface of user-side packets belongs.

# Click OK. In the dialog box that is displayed, click OK. On the VE interface
page that is displayed, select Virtual-Ethernet0/0/1 and click OK.


# Click OK.
2. Configure Ethernet over GRE on AC_2.
Complete the following configurations in the same way as configuring AC_1.
– Create a GRE tunnel. Set Tunnel ID to 1, IP address/mask to
10.40.1.2/255.255.255.0, Tunnel destination address to 10.20.1.1,
Tunnel source address type to IP address, and the tunnel source IP
address to 10.30.1.1.
– Create Virtual-Ethernet0/0/1 and add it to VLAN 101.
– Bind Virtual-Ethernet0/0/1 to the GRE tunnel.
Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

----End
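The mirrored tunnel addressing in Table 3-14 and the VE interface VLAN requirement in Step 5 can be checked before the values are entered on either AC. The Python check below is an added example, not part of the Huawei guide; the function name and dictionary keys are assumptions, and the values are those planned in Table 3-14.

```python
import ipaddress

# Values from Table 3-14; the dictionary layout is an assumption of this example.
AC_1 = {"protocol": "GRE", "tunnel_ip": "10.40.1.1/24",
        "source": "10.20.1.1", "destination": "10.30.1.1",
        "ve_allowed_vlans": {101}}
AC_2 = {"protocol": "GRE", "tunnel_ip": "10.40.1.2/24",
        "source": "10.30.1.1", "destination": "10.20.1.1",
        "ve_allowed_vlans": {101}}


def check_eogre(end_a, end_b, service_vlan):
    """Return a list of mismatches between two planned EoGRE tunnel ends."""
    try:
        src_a, dst_a = (ipaddress.ip_address(end_a[k]) for k in ("source", "destination"))
        src_b, dst_b = (ipaddress.ip_address(end_b[k]) for k in ("source", "destination"))
        tun_a = ipaddress.ip_interface(end_a["tunnel_ip"])
        tun_b = ipaddress.ip_interface(end_b["tunnel_ip"])
    except ValueError as exc:
        # A mistyped address makes every later comparison meaningless.
        return [f"invalid address: {exc}"]

    problems = []
    if end_a["protocol"] != end_b["protocol"]:
        problems.append("tunnel protocol types differ")

    # Each end's tunnel source must be the other end's tunnel destination.
    if src_a != dst_b:
        problems.append(f"source {src_a} of end A is not the destination {dst_b} of end B")
    if src_b != dst_a:
        problems.append(f"source {src_b} of end B is not the destination {dst_a} of end A")
    if src_a == dst_a or src_b == dst_b:
        problems.append("a tunnel end uses the same address as source and destination")

    # Tunnel interface addresses: same subnet, different hosts.
    if tun_a.network != tun_b.network:
        problems.append("tunnel interface addresses are in different subnets")
    elif tun_a.ip == tun_b.ip:
        problems.append("both tunnel interfaces use the same IP address")

    # The bound VE interface must carry the service VLAN on both ends.
    for label, end in (("A", end_a), ("B", end_b)):
        if service_vlan not in end["ve_allowed_vlans"]:
            problems.append(
                f"VE interface on end {label} does not allow service VLAN {service_vlan}")
    return problems


if __name__ == "__main__":
    for line in check_eogre(AC_1, AC_2, service_vlan=101) or ["plan is consistent"]:
        print(line)
```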


3.2 Authentication Configuration Examples

3.2.1 Example for Configuring External Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication
mode to control user access.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: External Portal authentication
● Security policy: open

Figure 3-14 Networking for configuring external Portal authentication


Data Planning

Table 3-15 AC data planning


| Item | Data |
| --- | --- |
| Management VLAN for APs | VLAN100 |
| Service VLAN for STAs | VLAN101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs.<br>SwitchB functions as a DHCP server to assign IP addresses to STAs.<br>The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.4-10.23.101.254/24 |
| AC's source interface address | VLANIF100: 10.23.100.1/24 |
| AP group | ● Name: ap-group1<br>● Referenced profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | ● Name: default<br>● Country code: China |
| SSID profile | ● Name: wlan-net<br>● SSID name: wlan-net |
| Security profile | ● Name: wlan-net<br>● Security policy: open |
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net<br>Name of the RADIUS accounting scheme: wlan-net<br>Name of the RADIUS server template: wlan-net<br>● IP address: 10.23.102.1<br>● Authentication port number: 1812<br>● Shared key: YsHsjx_202206 |
| Portal server template | ● Name: wlan-net<br>● IP address: 10.23.103.1<br>● Destination port number in the packets that the AC sends to the Portal server: 50200<br>● Portal shared key: YsHsjx_202206 |
| Portal access profile | ● Name: wlan-net<br>● Referenced profile: Portal server template wlan-net |
| Authentication-free rule profile | ● Name: default_free_rule<br>● Authentication-free resource: IP address of the DNS server (8.8.8.8) |
| Authentication profile | ● Name: wlan-net<br>● Referenced profile: Portal access profile wlan-net, RADIUS Server profile wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net |
| VAP profile | ● Name: wlan-net<br>● Forwarding mode: tunnel forwarding<br>● Service VLAN: VLAN 101<br>● Referenced profile: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and external Portal authentication on the AC using
the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Configure third-party server interconnection parameters.
7. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether the security-related configurations
exist: the PSK for DTLS encryption, the PSK for DTLS encryption between ACs,
the user name and password for logging in to the AP, and the password for
logging in to the global offline management VAP. The configuration succeeds
only when all of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
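The port-isolation note and the CAPWAP DTLS non-authentication note above (the same notes appear in the Configuration Notes of the preceding soft GRE example) can be checked against a saved CLI session. The Python script below is an added example, not part of the Huawei guide; it assumes that an AP-facing port is a trunk whose PVID is the management VLAN, as on GE0/0/1 in these examples, and the sample transcript and its [AC] prompt are constructed.

```python
import re
from collections import defaultdict

# Prompt forms used in this guide: "<HUAWEI> cmd" and "[Switch-GigabitEthernet0/0/1] cmd".
PROMPT = re.compile(r"^\s*(?:<(?P<user>[^>]+)>|\[(?P<sys>[^\]]+)\])\s+(?P<cmd>\S.*?)\s*$")
IFACE_VIEW = re.compile(r"^(?P<dev>.+?)-(?P<ifname>GigabitEthernet\d+(?:/\d+)+)$")


def parse_transcript(text):
    """Return (view_or_device, interface_or_None, command) for every prompt line."""
    entries = []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # prose, blank lines, wrapped continuation lines
        view = m.group("user") or m.group("sys")
        iv = IFACE_VIEW.match(view)
        if iv:
            entries.append((iv.group("dev"), iv.group("ifname"), m.group("cmd")))
        else:
            entries.append((view, None, m.group("cmd")))
    return entries


def audit(text, mgmt_vlan):
    """Flag AP-facing ports without port isolation and DTLS no-auth left enabled."""
    ports = defaultdict(lambda: {"trunk": False, "pvid": None, "isolated": False})
    no_auth = {}  # view -> True while non-authentication is still enabled
    for dev, ifname, cmd in parse_transcript(text):
        words = cmd.split()
        if ifname:
            port = ports[(dev, ifname)]
            if words == ["port", "link-type", "trunk"]:
                port["trunk"] = True
            elif words[:4] == ["port", "trunk", "pvid", "vlan"] and words[4:5] and words[4].isdigit():
                port["pvid"] = int(words[4])
            elif words == ["port-isolate", "enable"]:
                port["isolated"] = True
            elif words == ["undo", "port-isolate", "enable"]:
                port["isolated"] = False
        # Order matters: a later "undo" clears an earlier "enable".
        if words == ["capwap", "dtls", "no-auth", "enable"]:
            no_auth[dev] = True
        elif words == ["undo", "capwap", "dtls", "no-auth", "enable"]:
            no_auth[dev] = False

    findings = []
    for (dev, ifname), port in sorted(ports.items()):
        # Assumption: trunk port with PVID = management VLAN faces an AP.
        if port["trunk"] and port["pvid"] == mgmt_vlan and not port["isolated"]:
            findings.append((dev, ifname, "AP-facing port without port isolation"))
    for dev, left_on in sorted(no_auth.items()):
        if left_on:
            findings.append((dev, None, "CAPWAP DTLS non-authentication left enabled"))
    return findings


# Constructed sample: modelled on the SwitchA commands of this example, with
# port isolation omitted on GE0/0/1, plus an AC session (prompt assumed) in
# which non-authentication is enabled and never undone.
SAMPLE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[AC] capwap dtls no-auth enable
"""

if __name__ == "__main__":
    for device, interface, issue in audit(SAMPLE, mgmt_vlan=100):
        print(device, interface or "-", issue)
```

GE0/0/2 is not reported because it has no PVID set to the management VLAN, which is how the uplink differs from the AP-facing port in this guide's switch configuration.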

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] dhcp server excluded-ip-address 10.23.101.3
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.
1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/Region
to China. Set System time to Manual and Date and time to PC.
# Click Next. The Port Configuration page is displayed.
2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.
# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.
# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.
# Click OK. An address pool for VLANIF 100 is configured.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.
5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.
# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Click Next. The Security Authentication page is displayed.
# Set Security settings to Portal (applicable to enterprise networks) and
deselect MAC address-prioritized. Under External Portal Server Configuration,
set the server name, IP address, shared key, port number, and server URL. Under
External RADIUS Server Configuration, set the server name, port number,
authentication server IP address, and shared key.
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page
is displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile
> Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed,
set Rule ID to 1 and the authentication-free resource to the IP address of the
DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog
box that is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
For the detailed configuration, see the related product documentation.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

3. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

4. When a user opens the browser and attempts to access the network, the user
is automatically redirected to the authentication page provided by the Portal
server. After entering the correct user name and password on the page, the
user can access the network.

----End

3.2.2 Example for Configuring Built-in Portal Authentication for Local Users

Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To
reduce costs, the enterprise deploys an AC as the Portal server and uses the local
authentication mode so that authentication is performed on the AC.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: built-in Portal authentication
● Security policy: open

Figure 3-15 Networking for configuring built-in Portal authentication for local
users

Data Planning

Table 3-16 AC data planning

Item                               Data

Management VLAN for APs            VLAN 100

Service VLAN for STAs              VLAN 101

DHCP server                        The AC functions as a DHCP server to assign IP addresses to APs.
                                   SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                   The default gateway address of STAs is 10.23.101.2.

IP address pool for APs            10.23.100.2-10.23.100.254/24

IP address pool for STAs           10.23.101.4-10.23.101.254/24

AC's source interface              VLANIF 100: 10.23.100.1/24

AP group                           ● Name: ap-group1
                                   ● Referenced profiles: VAP profile wlan-net and regulatory
                                     domain profile default

Regulatory domain profile          ● Name: default
                                   ● Country code: CN

SSID profile                       ● Name: wlan-net
                                   ● SSID name: wlan-net

Security profile                   ● Name: wlan-net
                                   ● Security policy: open authentication

Local user                         ● User name: guest
                                   ● Password: YsHsjx_202206

Authentication scheme              ● Name: wlan-net
                                   ● Authentication scheme: local

Portal access profile              ● Name: wlan-net
                                   ● The built-in Portal server is used.
                                     – IP address of the built-in Portal server: 10.1.1.1/24
                                     – SSL policy: default_policy
                                     – Port number: 20000

Authentication-free rule profile   ● Name: default_free_rule
                                   ● Authentication-free resource: IP address of the DNS server
                                     (8.8.8.8)

Authentication profile             ● Name: wlan-net
                                   ● Referenced profiles and authentication scheme: Portal access
                                     profile wlan-net, authentication-free rule profile
                                     default_free_rule, and authentication scheme wlan-net

VAP profile                        ● Name: wlan-net
                                   ● Forwarding mode: tunnel forwarding
                                   ● Service VLAN: VLAN 101
                                   ● Referenced profiles: SSID profile wlan-net, security profile
                                     wlan-net, and authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services and built-in Portal authentication on the AC using
the configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.
1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/Region
to China. Set System time to Manual and Date and time to PC.
# Click Next. The Port Configuration page is displayed.
2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.
# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.
# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.
# Click OK.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed. Set Interface type to Loopback, Interface
number to 1, and IP address of Loopback1 to 10.1.1.1/24.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.
5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.
# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Click Next. The Security Authentication page is displayed.
# Set Security settings to Portal (applicable to enterprise networks) and
Portal server to Built-in Portal server. Under Built-in Portal Server
Configuration, configure the server IP address and port number and set SSL
policy to default_policy. The server IP address is the IP address of a Layer 3
interface that has a reachable route to the user. In this example, 10.1.1.1 is used as
the server IP address.
# Click Manage next to Local user. The Local User page is displayed.
# Click Create. The Create Local User page is displayed.
# Set Creation mode to Manually add and configure the local user name and
password.
# Click OK.
# On the Create Local User page, select the new user and click OK.
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 On the router (STAs' gateway), configure a route to the Portal server.
[Router] ip route-static 10.1.1.1 32 10.23.101.3

Step 7 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page
is displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile
> Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed,
set Rule ID to 1 and the authentication-free resource to the IP address of the
DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog
box that is displayed, click OK.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

3. When a user browses a web page, the browser automatically redirects the
user to the Portal authentication page. After entering the correct user name
and password, the user passes the authentication and can access the web
page.
4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

----End
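The NOTE in Step 4 makes either the MAC address or the SN mandatory depending on the AP authentication mode, and the imported list decides which APs may join the AC. The following Python check is an added example, not part of the Huawei guide or its template file: it validates rows before import, using the field labels from the Step 4 example as dictionary keys. The mode labels "mac" and "sn", the accepted MAC separators, and every sample row after the first are assumptions.

```python
import re

SEPARATORS = re.compile(r"[-:.\s]")
HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return the MAC in the guide's xxxx-xxxx-xxxx form, or None if malformed."""
    digits = SEPARATORS.sub("", value or "").lower()
    if not HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def validate_rows(rows, auth_mode):
    """Check AP rows against the rule for the chosen AP authentication mode.

    auth_mode is "mac" or "sn" (labels chosen for this example).
    Returns (accepted_rows, errors); errors are (row_number, message) tuples.
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    accepted, errors, seen = [], [], set()
    for number, row in enumerate(rows, start=1):
        raw_mac = (row.get("AP MAC") or "").strip()
        sn = (row.get("AP SN") or "").strip().upper()
        mac = normalize_mac(raw_mac) if raw_mac else None
        problems = []
        if raw_mac and mac is None:
            problems.append("malformed AP MAC %r" % raw_mac)
        if sn and not (sn.isascii() and sn.isalnum()):
            problems.append("malformed AP SN %r" % sn)
        if auth_mode == "mac" and not raw_mac:
            problems.append("AP MAC is mandatory for MAC address authentication")
        if auth_mode == "sn" and not sn:
            problems.append("AP SN is mandatory for SN authentication")
        # The identity the AC will match on must be unique in the import list.
        key = mac if auth_mode == "mac" else sn
        if key and not problems:
            if key in seen:
                problems.append("duplicate identity %s" % key)
            seen.add(key)
        if problems:
            errors.extend((number, p) for p in problems)
        else:
            accepted.append({**row, "AP MAC": mac or "", "AP SN": sn})
    return accepted, errors


# Row 1 is the guide's example AP; rows 2-5 are constructed for this example.
SAMPLE_ROWS = [
    {"AP MAC": "60de-4476-e360", "AP SN": "210235419610CB002287",
     "AP Name": "area_1", "AP Group": "ap-group1"},
    {"AP MAC": "60:DE:44:76:E3:80", "AP SN": "",
     "AP Name": "area_2", "AP Group": "ap-group1"},
    {"AP MAC": "", "AP SN": "CONSTRUCTED000000001",
     "AP Name": "area_3", "AP Group": "ap-group1"},
    {"AP MAC": "60DE.4476.E360", "AP SN": "",
     "AP Name": "area_4", "AP Group": "ap-group1"},   # same MAC as row 1
    {"AP MAC": "60de-4476-e3", "AP SN": "",
     "AP Name": "area_5", "AP Group": "ap-group1"},   # truncated MAC
]

if __name__ == "__main__":
    for mode in ("mac", "sn"):
        ok, bad = validate_rows(SAMPLE_ROWS, mode)
        print(mode, [r["AP Name"] for r in ok], bad)
```
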

3.2.3 Example for Configuring MAC Address-prioritized Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: MAC address-prioritized Portal authentication
● Security policy: open

Figure 3-16 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 3-17 AC data planning

Item                               Data

Management VLAN for APs            VLAN100

Service VLAN for STAs              VLAN101

DHCP server                        The AC functions as a DHCP server to assign IP addresses to APs.
                                   SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                   The default gateway address of STAs is 10.23.101.2.

IP address pool for APs            10.23.100.2–10.23.100.254/24

IP address pool for STAs           10.23.101.4–10.23.101.254/24

AC's source interface address      VLANIF100: 10.23.100.1/24

AP group                           ● Name: ap-group1
                                   ● Referenced profile: VAP profile wlan-net and regulatory domain
                                     profile default

Regulatory domain profile          ● Name: default
                                   ● Country code: China

SSID profile                       ● Name: wlan-net
                                   ● SSID name: wlan-net

Security profile                   ● Name: wlan-net
                                   ● Security policy: open

RADIUS authentication parameters   Name of the RADIUS authentication scheme: wlan-net
                                   Name of the RADIUS accounting scheme: wlan-net
                                   Name of the RADIUS server template: wlan-net
                                   ● IP address: 10.23.102.1
                                   ● Authentication port number: 1812
                                   ● Shared key: YsHsjx_202206

Portal server template             ● Name: wlan-net
                                   ● IP address: 10.23.103.1
                                   ● Destination port number in the packets that the AC sends to the
                                     Portal server: 50200
                                   ● Portal shared key: YsHsjx_202206

Portal access profile              ● Name: wlan-net
                                   ● Referenced profile: Portal server template wlan-net

MAC access profile                 Name: wlan-net

Authentication-free rule profile   ● Name: default_free_rule
                                   ● Authentication-free resource: IP address of the DNS
                                     server (8.8.8.8)

Authentication Profile             ● Name: wlan-net
                                   ● Referenced profile: Portal access profile wlan-net, MAC access
                                     profile wlan-net, RADIUS server template wlan-net,
                                     authentication-free rule profile default_free_rule and
                                     authentication scheme wlan-net

VAP profile                        ● Name: wlan-net
                                   ● Forwarding mode: tunnel forwarding
                                   ● Service VLAN: VLAN 101
                                   ● Referenced profile: SSID profile wlan-net, security profile wlan-
                                     net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication
on the AC using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] dhcp server excluded-ip-address 10.23.101.3
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.


# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.
NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal (applicable to enterprise networks) and select
MAC address-prioritized. Under External Portal Server Configuration, set the
server name, IP address, shared-key, port number, and server URL. Under External
RADIUS Server Configuration, set the server name, authentication server IP
address, and shared key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page
is displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile
> Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed,
set Rule ID to 1 and the authentication-free resource to the IP address of the
DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog
box that is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
For the detailed configuration, see the related product documentation.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.
3. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

4. When a user opens the browser and attempts to access the network, the user
is automatically redirected to the authentication page provided by the Portal
server. After entering the correct user name and password on the page, the
user can access the network.
5. Assume that the MAC address validity period configured on the server is 60
minutes. If a user is disconnected from the wireless network for 5 minutes
and reconnects to the network, the user can directly access the network. If a
user is disconnected from the wireless network for 65 minutes and reconnects
to the network, the user will be redirected to the Portal authentication page.

----End

More Information
(Video) Example for Configuring Guests to Access the WLAN (MAC Address-
prioritized Portal Authentication)

3.2.4 Example for Configuring Built-in Portal Access Code Authentication

Service Requirements
The hotel wants to provide guests with convenient network access services so that
guests only need to enter a character string on the login page for access
authentication without having to enter their user names and passwords. Guests
are allowed network access after being authenticated successfully. Considering
that the hotel scale is small, built-in Portal access code authentication can meet
the preceding requirement and local authentication can be used.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: Built-in Portal access code authentication
● Security policy: open authentication

Figure 3-17 Configuring built-in Portal access code authentication

Data Planning

Table 3-18 AC data planning

Item: Data

Management VLAN for APs: VLAN 100

Service VLAN for STAs: VLAN 101

DHCP server:
The AC functions as a DHCP server to assign IP addresses to APs.
SwitchB functions as a DHCP server to assign IP addresses to STAs.
The default gateway address of STAs is 10.23.101.2.

IP address pool for APs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.4-10.23.101.254/24

AC's source interface: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile:
● Name: default
● Country code: CN

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: open authentication

Local access code:
● Access code 1: randomly generated, expired on 00:00:00 of 2019-12-30 (description: 301)
● Access code 2: randomly generated, expired on 00:00:00 of 2019-12-30 (description: 302)

Authentication scheme:
● Name: wlan-net
● Authentication scheme: local

Portal access profile:
● Name: wlan-net
● The built-in Portal server is used.
– IP address of the built-in Portal server: 10.1.1.1/24
– SSL policy: default_policy
– Port number: 20000

Authentication-free rule profile:
● Name: default_free_rule
● Authentication-free resource: IP address of the DNS server (8.8.8.8)

Authentication profile:
● Name: wlan-net
● Referenced profiles and authentication scheme: Portal access profile wlan-net,
authentication-free rule profile default_free_rule, and authentication scheme wlan-net

VAP profile:
● Name: wlan-net
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net, security profile wlan-net, and
authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services and built-in Portal authentication on the AC using
the configuration wizard.
5. Configure access code authentication parameters.
6. Configure authentication-free rules for an AP group.
7. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when all of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
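
The Configuration Notes of this example and of the previous one can be checked against saved configuration text. The script below is an added example, not part of the Huawei guide: it flags a leftover capwap dtls no-auth enable, AP-facing ports without port-isolate enable, and a tunnel-forwarding VAP profile whose service VLAN equals the management VLAN. The saved-configuration layout, both sample excerpts, the lab-test profile, port GE0/0/3 and the severity labels are constructed assumptions.

```sh
#!/bin/sh
# Added example: audit saved configuration text against the Configuration Notes.
# The saved-configuration layout parsed here is an assumption; adapt it to your export.

# audit_config AP_PORTS < config
#   AP_PORTS: comma-separated interfaces that face APs (may be empty).
#   Prints one finding per line: SEVERITY<TAB>check<TAB>detail
audit_config() (
    awk -v ap_ports="$1" '
    BEGIN { n = split(ap_ports, port, ",") }
    { sub(/\r$/, ""); indent = match($0, /[^ ]/) - 1 }
    NF == 0 || $1 == "#" { iface = ""; vap = ""; next }     # block separator
    vap != "" && indent <= vap_indent { vap = "" }           # left the VAP profile
    indent == 0 {
        iface = ""
        if ($1 == "interface") { iface = $2; seen[iface] = 1 }
    }
    # Left enabled, this lets APs without a credential join the AC.
    $1 == "capwap" && $2 == "dtls" && $3 == "no-auth" && $4 == "enable" { noauth = 1 }
    # Management VLAN, taken from the CAPWAP source VLANIF.
    $1 == "capwap" && $2 == "source" && $3 == "interface" {
        name = tolower($4 $5)
        if (name ~ /^vlanif[0-9]+$/) mgmt = substr(name, 7)
    }
    iface != "" && indent > 0 && $1 == "port-isolate" && $2 == "enable" { isolated[iface] = 1 }
    $1 == "vap-profile" && $2 == "name" { vap = $3; vap_indent = indent; order[++nv] = vap; next }
    vap != "" && $1 == "forward-mode" { mode[vap] = $2 }
    vap != "" && $1 == "service-vlan" && $2 == "vlan-id" { svlan[vap] = $3 }
    END {
        if (noauth)
            print "HIGH\tcapwap-dtls-no-auth\tcapwap dtls no-auth enable is still set"
        for (i = 1; i <= n; i++) {
            if (!(port[i] in seen))
                print "INFO\tport-isolate\t" port[i] " not found in this configuration"
            else if (!(port[i] in isolated))
                print "MEDIUM\tport-isolate\t" port[i] " faces an AP but has no port-isolate enable"
        }
        for (i = 1; i <= nv; i++) {
            v = order[i]
            if (mode[v] == "tunnel" && mgmt != "" && svlan[v] == mgmt)
                print "MEDIUM\tvlan-overlap\tVAP profile " v " tunnels VLAN " mgmt ", the management VLAN"
        }
    }'
)

# Constructed AC excerpt: no-auth left on, plus a hypothetical lab-test profile
# that reuses management VLAN 100 as its service VLAN.
sample_ac_config() {
    cat <<'EOF'
#
sysname AC
#
capwap source interface vlanif100
capwap dtls no-auth enable
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name lab-test
  forward-mode tunnel
  service-vlan vlan-id 100
#
EOF
}

# Constructed SwitchA excerpt: GE0/0/1 and GE0/0/2 follow the example,
# GE0/0/3 is a hypothetical second AP-facing port without port isolation.
sample_switch_config() {
    cat <<'EOF'
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
EOF
}

# Run both audits on the constructed samples.
sample_ac_config | audit_config ""
sample_switch_config | audit_config "GigabitEthernet0/0/1,GigabitEthernet0/0/3"
```

Feed the function the configuration exported from the AC or from the access switch, and pass the switch's AP-facing ports as the argument.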

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.

2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed. Set Interface type to Loopback, Interface
number to 1, and IP address of Loopback1 to 10.1.1.1/24.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.
NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Portal (applicable to enterprise networks) and
Portal server to Built-in Portal server. Under Built-in Portal Server
Configuration, configure the server IP address and port number and set SSL
policy to default_policy. The server IP address is the IP address of a Layer 3
interface that has a reachable route to the user. In this example, 10.23.101.3 is
used as the server IP address.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure access code authentication.
# Choose Configuration > AP Config > Profile. The Profile Management page is
displayed.
# Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile >
Portal Profile. The Portal Profile page is displayed.
# Set Built-in Portal authentication mode to Access Code.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > Profile. The Profile Management page
is displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile
> Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed,
set Rule ID to 1 and the authentication-free resource to the IP address of the
DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog
box that is displayed, click OK.
Step 8 As the network administrator, create a lobby administrator account for hotel
receptionists.
# Choose Maintenance > Administrator. The administrator configuration page is
displayed.
# Click Create. Create a lobby administrator account and click OK.

Figure 3-18 Creating a lobby administrator account

Step 9 Verify the configuration.


1. The hotel receptionist prints the guest access code.
# The hotel receptionist logs in to the web platform and chooses Guest
Management > Guest Access Code.
# Click Create. The page for creating a guest access code is displayed. Click
Random, and configure the access code description and expiration time.

# Click OK. On the page that is displayed, print the access code for the user.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.
4. When the user browses a web page, the browser is automatically redirected
to the Portal authentication page. After entering the access code obtained
from the hotel receptionist, the user can properly access the web page.
5. Hotel IT personnel can choose Monitoring > User > Online STA Statistics. In
User List, set the search criteria to SSID, enter wlan-net, and click . STAs
go online successfully and obtain IP addresses.

----End

3.2.5 Example for Configuring Certificate Replacement for Built-in Portal Authentication

Context
In the Portal authentication system using a built-in Portal server, no external
independent Portal server is used, and functions of the Portal server are
implemented by the access device.
For security purposes, the access device provides the built-in Portal server function
in HTTPS mode. In HTTPS mode, the web browser checks whether the certificate
carried by the website is a certificate issued by the trusted certification authority
(CA). The web browser contains some certificates issued by trusted CAs by default,
and you can also import the CA certificate to the web browser to add trusted
certificates. If the certificate carried by the website is issued by an untrusted CA,
the web browser displays a message indicating that the security certificate of this
website is faulty, as shown in the following figure (using the Firefox browser as an
example):

After you click Advanced, a message indicating that the certificate is incorrect is
displayed in the lower part of the window. You can find that the security certificate
is invalid.

In addition to checking whether the certificate is issued by a trusted server, the
web browser also checks whether the domain name (the value of the Subject: CN
field) in the certificate matches the domain name in the address bar of the
browser. If they do not match, a message indicating that the security certificate of
the website is faulty is displayed, as shown in the following figure:

By default, the device has a self-signed certificate, which can be used for HTTPS
services. However, this certificate is an untrusted certificate that is issued by the
device itself. Therefore, when you use this certificate to perform HTTPS services, a
message indicating that the security certificate of the website is faulty is displayed.

The trusted certificate is issued by the trusted CA. To obtain the security
certificate, the certificate user needs to contact the CA and apply for the related
information according to the requirements of the CA. After the application is
successful, the CA issues the certificate file and password to the certificate user.
The domain name in the certificate must match the domain name of the web
page. Therefore, you need to configure the DNS server in advance so that the DNS
server can correctly resolve the domain name of the built-in Portal page. In this
case, the web browser can access the built-in Portal page of the device. When
configuring an IP address for a service terminal, you need to configure the DNS
server. If the IP address is automatically obtained through the DHCP server, you
need to configure the IP address of the DNS server for the client on the DHCP
server.
After obtaining a trusted certificate, perform the following steps to import the
certificate to the device to solve the above problems.

Procedure
Step 1 Upload the certificate file.
# Choose Configuration > Security > Certificate Management. The Certificate
Management page is displayed.

# Click Upload Certificate. The Upload Certificate dialog box is displayed.


# In Certificate name, enter the certificate name.


# Set Certificate type to Local+CA+Private key.
# In Certificate format, set the format of the certificate file.
# In Certificate file, click the browse button and select the certificate file.
# In Certificate password, enter the password of the certificate file.
# Click OK.
Step 2 Configure an SSL policy.
# Choose Configuration > Security > SSL. The SSL page is displayed.


# Click Create. The Create SSL Policy dialog box is displayed.

# In SSL policy name, enter the SSL policy name.


# In SSL policy type, set the SSL policy type.
# In Certificate Name, select the certificate name configured in step 1.
# Click OK.
Step 3 Apply the SSL policy to built-in Portal authentication.
# Choose Configuration > Security > AAA. The Built-in Portal tab under Portal
Server Global Configuration is displayed.


# In SSL policy, click the browse button and select the SSL policy name configured
in step 2.
# Click Apply.

----End

3.2.6 Example for Configuring WLAN 802.1X Authentication


Service Requirements
When users attempt to access a WLAN, they can use 802.1X clients for
authentication. After entering the correct user names and passwords, users can
connect to the Internet. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs, and SwitchB functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
● WLAN authentication mode: WPA-WPA2+802.1X+AES


Figure 3-19 Network diagram for configuring 802.1X authentication

Data Planning

Table 3-19 AC data planning

Item                        Data

Management VLAN             VLAN 100

Service VLAN                VLAN 101

AC's source interface       VLANIF 100: 10.23.100.1/24

DHCP server                 The AC functions as a DHCP server to assign IP
                            addresses to APs, and SwitchB functions as a
                            DHCP server to assign IP addresses to STAs.

IP address pool for APs     10.23.100.2-10.23.100.254/24

IP address pool for STAs    10.23.101.2-10.23.101.254/24

RADIUS authentication       ● RADIUS server template name: wlan-net
parameters                  ● IP address: 10.23.103.1
                            ● Authentication port number: 1812
                            ● Shared key: YsHsjx_202206
                            ● Authentication scheme: wlan-net

802.1X access profile       ● Name: wlan-net
                            ● Authentication mode: EAP

Authentication profile      ● Name: wlan-net
                            ● Referenced profiles and authentication
                              scheme: 802.1X access profile wlan-net,
                              RADIUS server template wlan-net, and
                              authentication scheme wlan-net

AP group                    ● Name: ap-group1
                            ● Referenced profiles: VAP profile wlan-net
                              and regulatory domain profile default

Regulatory domain profile   ● Name: default
                            ● Country code: CN

SSID profile                ● Name: wlan-net
                            ● SSID name: wlan-net

Security profile            ● Name: wlan-net
                            ● Security policy: WPA-WPA2+802.1X+AES

VAP profile                 ● Name: wlan-net
                            ● Forwarding mode: direct forwarding
                            ● Service VLAN: VLAN 101
                            ● Referenced profiles: SSID profile wlan-net,
                              security profile wlan-net, and authentication
                              profile wlan-net

Configuration Roadmap
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services on the AC using the configuration wizard. When
configuring a security policy, select 802.1X and RADIUS authentication and set
RADIUS server parameters.


5. Configure a third-party server.

NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN
101.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 101, and GE0/0/4 to VLAN 104. Create VLANIF
104 and configure a default route with the router as the next hop.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure an IP address for GE0/0/1 on the router and configure a static route
to the network segment for STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.


# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 102.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.


# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

NOTE

Configure the DNS server as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.102.1.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.


1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.


4. # Set Security settings to 802.1X authentication and set parameters of the
external RADIUS server.

5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.


# Click next to Radio Management. The profiles under Radio
Management are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure a third-party server.
For details about the configuration method, see the corresponding product
manual.
Step 8 Verify the configuration.
● The WLAN with the SSID wlan-net is available for STAs connected to the APs.
● The wireless PC obtains an IP address after it associates with the WLAN.
● A user can use the 802.1X authentication client on a STA for authentication.
After entering the correct user name and password, the user is successfully
authenticated and can access resources on the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties
dialog box, add the SSID wlan-net, and set the authentication mode
to WPA2 and encryption algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click
Properties. In the Protected EAP Properties dialog box, deselect
Validate server certificate and click Configure. In the dialog box
that is displayed, deselect Automatically use my Windows logon
name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add and select
Manually create a network profile. In the dialog box that is
displayed, add the SSID wlan-net, set the authentication mode to
WPA2-Enterprise and encryption algorithm to AES. Click Next.


ii. Click Change connection settings. On the Wireless Network
Properties page that is displayed, select the Security tab page and
click Settings. In the Protected EAP Properties dialog box, deselect
Validate server certificate and click Configure. In the displayed
dialog box, deselect Automatically use my Windows logon name
and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings.
On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.

----End

3.2.7 Example for Configuring Local EAP Authentication


Service Requirements
The local EAP server can be used to authenticate 802.1X users if no external
authentication server is deployed.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs, and SwitchB functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
● Authentication mode: local EAP authentication
● Security policy: WPA-WPA2+802.1X+AES


Figure 3-20 Networking diagram for configuring local EAP authentication

Data Planning

Table 3-20 AC data planning


Item                        Data

Management VLANs for APs    VLAN 100

Service VLAN for STAs       VLAN 101

DHCP server                 The AC functions as a DHCP server to assign IP addresses to APs,
                            and SwitchB functions as a DHCP server to assign IP addresses to
                            STAs.

IP address pool for APs     10.23.100.2-10.23.100.254/24

IP address pool for STAs    10.23.101.2-10.23.101.254/24

AC's source interface       VLANIF 100: 10.23.100.1/24

AP group                    ● Name: ap-group1
                            ● Referenced profiles: VAP profile wlan-net and regulatory
                              domain profile default

Regulatory domain profile   ● Name: default
                            ● Country code: CN

SSID profile                ● Name: wlan-net
                            ● SSID name: wlan-net

Security profile            ● Name: wlan-net
                            ● Security policy: WPA-WPA2+802.1X+AES

Local EAP authentication    EAP server template: wlan-net
                            Local user name and password:
                            ● User name: huawei
                            ● Password: YsHsjx_202206

Certificates and keys       ● CA certificate file: ca.cer
                            ● Local certificate file: cer.pem
                            ● Private key file: cer.pem
                            ● Local certificate key: YsHsjx_202206

Authentication scheme       ● Name: wlan-net
                            ● Authentication scheme: local authentication

802.1X access profile       ● Name: wlan-net

Authentication profile      ● Name: wlan-net
                            ● Referenced profile and authentication scheme: 802.1X access
                              profile wlan-net and authentication scheme wlan-net

VAP profile                 ● Name: wlan-net
                            ● Forwarding mode: direct forwarding
                            ● Service VLAN: VLAN 101
                            ● Referenced profiles: SSID profile wlan-net, security profile
                              wlan-net, and authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services and local EAP authentication on the AC using the
configuration wizard.
5. Configure a local user.
6. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
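
The port isolation and CAPWAP DTLS notes above (also given for the 802.1X example in 3.2.6) can be checked against saved configurations after deployment. The following Python script is an added example, not part of the Huawei guide: the sample configuration text is constructed, and treating a trunk port whose PVID is the management VLAN as AP-facing is an assumption taken from this example's SwitchA configuration.

```python
import re

# Constructed sample configurations (not captured from real devices). Layout
# assumed: top-level lines unindented, block lines indented, "#" between
# blocks. Interface names and VLAN IDs follow this example's data plan.
SAMPLE_SWITCH_CFG = """\
#
sysname SwitchA
#
vlan batch 100 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 101
 port-isolate enable group 1
#
return
"""

SAMPLE_AC_CFG = """\
#
sysname AC
#
capwap dtls no-auth enable
#
return
"""


def parse_interfaces(config_text):
    """Return {interface name: [stripped lines of its block]} in file order."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None              # block separator
            continue
        if not raw[0].isspace():        # unindented line: new top-level item
            match = re.match(r"interface\s+(.+)$", line, re.IGNORECASE)
            current = match.group(1) if match else None
            if current is not None:
                interfaces[current] = []
        elif current is not None:       # indented line inside an interface
            interfaces[current].append(line)
    return interfaces


def ap_ports_without_isolation(config_text, mgmt_vlan=100):
    """List AP-facing ports that lack port isolation.

    Assumption: a port is AP-facing when its trunk PVID is the management
    VLAN, as GE0/0/1 on SwitchA is in this example.
    """
    pvid_line = f"port trunk pvid vlan {mgmt_vlan}"
    missing = []
    for name, lines in parse_interfaces(config_text).items():
        isolated = any(l.startswith("port-isolate enable") for l in lines)
        if pvid_line in lines and not isolated:
            missing.append(name)
    return missing


def dtls_no_auth_enabled(config_text):
    """True if CAPWAP DTLS non-authentication is still switched on.

    Exact match after stripping, so the 'undo ...' form is not flagged.
    """
    return any(raw.strip() == "capwap dtls no-auth enable"
               for raw in config_text.splitlines())


def audit(switch_cfg, ac_cfg, mgmt_vlan=100):
    """Collect findings for both configuration notes."""
    findings = [f"{name}: AP-facing port without 'port-isolate enable'"
                for name in ap_ports_without_isolation(switch_cfg, mgmt_vlan)]
    if dtls_no_auth_enabled(ac_cfg):
        findings.append("AC: 'capwap dtls no-auth enable' is still set; run "
                        "'undo capwap dtls no-auth enable' once APs are online")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SWITCH_CFG, SAMPLE_AC_CFG):
        print(finding)
```
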

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN
101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 101, and GE0/0/4 to VLAN 104. Create VLANIF
104 and configure a default route with the router as the next hop.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure an IP address for GE0/0/1 on the router and configure a static route
to the network segment for STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.


# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.


1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.

4. # Set Security settings to 802.1X authentication, select Built-in EAP
authentication, and configure parameters of the built-in EAP server.
NOTE

If there is no user-configured CA certificate, the CA certificate delivered with the
device is used. If there is no user-configured local certificate and private key file, the
local certificate and private key file delivered with the device are used.

5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.

Step 6 Configure a local user.

# Choose Configuration > Security > AAA > Local User. The local user
configuration page is displayed.

# Click Create. The Create User page is displayed.

# Configure the user name and password for a local user and set Access mode to
802.1X. You can manually add or import local users in batches. This example
describes how to manually add local users.


# Click OK.
Step 7 Verify the configuration.
After a STA is associated with a WLAN SSID and logs in with the correct user
name and password, the user can access the network service normally.
The following uses Windows 10 as an example to describe how to set EAP access
parameters.
1. On the Network and Internet page, choose Wi-Fi > Manage known
networks. The Manage known networks page is displayed.
2. Click Add a new network. Set the network name, Security type to WPA2-
Enterprise AES, EAP Method to Protected EAP (PEAP), and the
authentication method to Smart Card or other certificate.

----End

3.2.8 Example for Configuring WLAN MAC Address Authentication

Service Requirements
MAC address authentication needs to be configured to authenticate dumb
terminals such as wireless printers and wireless phones that cannot have
authentication clients installed.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs, and SwitchB functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding
● WLAN authentication mode: open-system authentication


Figure 3-21 Network diagram for configuring MAC address authentication

Data Planning

Table 3-21 Data planning on the AC

| Configuration Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: YsHsjx_202206; Authentication scheme: wlan-net |
| MAC access profile | Name: wlan-net |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open system authentication |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services on the AC using the configuration wizard. When
configuring a security policy, select MAC and RADIUS authentication and set
RADIUS server parameters.
5. Configure third-party server parameters.


NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN
101, respectively.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA

[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN
104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default
route with the router as the next hop.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure an IP address for GE0/0/1 on the router and configure a static route
to the network segment for STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 102.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

NOTE

Configure the DNS server as required.


# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.102.1.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
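
The AP template rules in this step (the same rules appear in the AP online step of the preceding example) can be checked before the file is uploaded. The following Python sketch is an added example, not part of the Huawei guide: the CSV layout with the columns AP MAC, AP SN, AP Name and AP Group is an assumption, and every sample record after the first is constructed.

```python
import csv
import io
import re

# Field names are the ones listed in the guide; the CSV layout is an assumption.
FIELDS = ("AP MAC", "AP SN", "AP Name", "AP Group")

# Constructed sample: the first record is the guide's example, the rest are made up.
SAMPLE_TEMPLATE = """AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60:DE:44:76:E3:80,,area_2,ap-group1
,CONSTRUCTEDSN0000002,area_3,ap-group1
60de.4476.e360,CONSTRUCTEDSN0000003,area_4,ap-group1
60de-4476-e3,CONSTRUCTEDSN0000004,area_5,ap-group1
"""


def normalize_mac(raw):
    """Return a MAC as xxxx-xxxx-xxxx, or None if it is not 12 hex digits."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def validate_ap_rows(csv_text, auth_mode):
    """Validate AP records for the chosen AP authentication mode ("mac" or "sn").

    Returns (clean_rows, problems); problems is a list of (line_number, [messages]).
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"template is missing columns: {missing}")

    clean, problems = [], []
    seen = {"AP MAC": {}, "AP SN": {}, "AP Name": {}}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        rec = {f: (row[f] or "").strip() for f in FIELDS}
        errors = []

        if rec["AP MAC"]:
            mac = normalize_mac(rec["AP MAC"])
            if mac is None:
                errors.append(f"malformed AP MAC {rec['AP MAC']!r}")
                rec["AP MAC"] = ""  # keep it out of the duplicate check
            else:
                rec["AP MAC"] = mac
                if int(mac[:2], 16) & 1:  # group bit set: not a device address
                    errors.append(f"AP MAC {mac} is a multicast address")
        elif auth_mode == "mac":
            errors.append("AP MAC is mandatory for MAC address authentication")

        rec["AP SN"] = rec["AP SN"].upper()
        if rec["AP SN"] and not rec["AP SN"].isalnum():
            errors.append(f"AP SN {rec['AP SN']!r} contains unexpected characters")
        if not rec["AP SN"] and auth_mode == "sn":
            errors.append("AP SN is mandatory for SN authentication")

        # The same MAC, SN or name on two lines means one AP identity is ambiguous.
        for field, index in seen.items():
            value = rec[field]
            if value:
                first = index.setdefault(value, line_no)
                if first != line_no:
                    errors.append(f"{field} {value} duplicates line {first}")

        if errors:
            problems.append((line_no, errors))
        else:
            clean.append(rec)
    return clean, problems


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        ok, bad = validate_ap_rows(SAMPLE_TEMPLATE, mode)
        print(mode, "accepted:", [r["AP Name"] for r in ok])
        for line_no, errors in bad:
            print(f"  line {line_no}: " + "; ".join(errors))
```
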
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Open (applicable to personal networks).
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure MAC address authentication.
1. Create the authentication profile wlan-net.

# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.

# Click the AP group ap-group1. The AP group configuration page is
displayed.

# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.

# Click Create. On the Create Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. The authentication profile
configuration page is displayed.

# Set Access mode to MAC authentication and Authentication mode to
RADIUS authentication.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure a MAC access profile.

# Click the icon in front of Authentication Profile. Under it, click MAC
Authentication. The MAC Authentication Profile page is displayed.

# Click Create. On the Create MAC Authentication Profile page that is
displayed, enter the profile name wlan-net and click OK. On the MAC access
profile configuration page that is displayed, configure the user name format
for MAC address authentication.
NOTE

The user name and password used for MAC address authentication must be the same as
those configured for local authentication.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure a RADIUS server template.

# Click the icon in front of Authentication Profile. Under it, click RADIUS
Server. The RADIUS Server page is displayed.

# Click the icon under RADIUS Server Profile. The RADIUS Server Profile page
is displayed.

# Click Create. On the Create RADIUS Server Profile page that is displayed,
set Profile Name to wlan-net and Profile default shared key to
YsHsjx_202206.

# Choose Create Server. In the Create Server Configuration dialog box that
is displayed, configure the RADIUS server parameters.

# Click OK. On the Create RADIUS Server Profile page, select the created
server and click OK. On the RADIUS Server Profile page, select the created
RADIUS server template wlan-net and click OK.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 8 Configure a third-party server.
For details about the configuration method, see the corresponding product
manual.
Step 9 Verify the configuration.
● After dumb terminals connect to the WLAN, authentication is performed
automatically. Users can directly access the network after the authentication
succeeds.

----End

3.2.9 Example for Configuring MAC Authentication for Local Users

Service Requirements
Dumb terminals (such as printers) in the physical access control department
cannot have an authentication client installed. To meet the enterprise's security
requirements, configure MAC address authentication on the AC and use the local
authentication mode to authenticate identities of dumb terminals.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● Authentication mode: MAC authentication
● Security policy: open


Figure 3-22 Networking for configuring MAC authentication for local users

Data Planning

Table 3-22 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open |
| Local authentication parameters | Name of the local authentication scheme: wlan-net; User name and password of the local user: 0011-2233-4455 and YsHsjx_202206, respectively, which must be consistent with those in the MAC access profile; Access type of the local user: MAC |
| MAC access profile | Name: wlan-net; User name and password for MAC address authentication: A MAC address is used as the user name and the password is YsHsjx_202206, which must be consistent with those in the local authentication parameters |
| Authentication profile | Name: wlan-net; Referenced profiles: MAC access profile wlan-net and authentication scheme wlan-net |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the AP to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When
configuring a security policy, select MAC address authentication and local
authentication. When adding a local user, ensure that the user name is the
same as the MAC address of the user, and the password is the same as that
configured in the MAC access profile. Configure the planned password in the
MAC access profile.
5. Complete service verification.
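
The consistency rule in step 4 can be checked on the planning sheet before the local users are created. The following Python sketch is an added example, not part of the Huawei guide: the record layout, the function names and all MAC addresses except 0011-2233-4455 are constructed for illustration, and it assumes the MAC access profile keeps the lowercase xxxx-xxxx-xxxx user name format shown in the data plan.

```python
import re

# Password planned for the MAC access profile in the guide's data plan.
PROFILE_PASSWORD = "YsHsjx_202206"

# Constructed terminal inventory, in the notations people paste into sheets.
TERMINALS = ["00:11:22:33:44:55", "0011.2233.4466",
             "00-11-22-33-44-77", "0011-2233-4499"]

# Constructed planning records for local users (hypothetical layout).
LOCAL_USERS = [
    {"name": "0011-2233-4455", "password": "YsHsjx_202206", "access_type": "mac"},
    {"name": "0011-2233-4466", "password": "Constructed_1", "access_type": "mac"},
    {"name": "00:11:22:33:44:77", "password": "YsHsjx_202206", "access_type": "mac"},
    {"name": "0011-2233-4488", "password": "YsHsjx_202206", "access_type": "mac"},
    {"name": "0011-2233-4499", "password": "YsHsjx_202206", "access_type": "8021x"},
    {"name": "admin", "password": "Constructed_2", "access_type": "http"},
]


def mac_user_name(raw):
    """Format a MAC address as the user name form used in the data plan."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def audit_local_users(terminal_macs, local_users, profile_password=PROFILE_PASSWORD):
    """Compare the terminal inventory with the planned local users.

    Returns a dict mapping each finding to a sorted list of user names.
    """
    expected = {mac_user_name(m) for m in terminal_macs}
    findings = {"missing_user": [], "wrong_name_format": [], "wrong_password": [],
                "wrong_access_type": [], "no_matching_terminal": []}
    present = set()
    for user in local_users:
        name = user["name"]
        try:
            canonical = mac_user_name(name)
        except ValueError:
            continue  # not a MAC-named account, for example an administrator
        if canonical != name:
            # The terminal presents the profile format, so this entry never matches.
            findings["wrong_name_format"].append(name)
            continue
        present.add(name)
        if name not in expected:
            # Leftover entry: still admits whatever presents this address.
            findings["no_matching_terminal"].append(name)
        if user["password"] != profile_password:
            findings["wrong_password"].append(name)
        if user["access_type"].lower() != "mac":
            findings["wrong_access_type"].append(name)
    findings["missing_user"] = sorted(expected - present)
    return {key: sorted(value) for key, value in findings.items()}


if __name__ == "__main__":
    for finding, names in audit_local_users(TERMINALS, LOCAL_USERS).items():
        print(f"{finding}: {names}")
```
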

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.


# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Open (applicable to personal networks).

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure MAC authentication for local users.


1. Create the authentication profile wlan-net.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.

# Click Create. On the Create Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. The authentication profile
configuration page is displayed.

# Set Access mode to MAC authentication and Authentication mode to Local
authentication.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure the MAC access profile wlan-net.

# Click the icon in front of Authentication Profile. Under it, click MAC
Authentication. The MAC Authentication Profile page is displayed.

# Click Create. On the Create MAC Authentication Profile page that is
displayed, enter the profile name wlan-net and click OK. On the MAC
authentication profile configuration page that is displayed, configure the user
name format for MAC address authentication.
NOTE

The user name and password used for MAC address authentication must be the same as
those configured for local authentication.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure the local authentication scheme wlan-net.

# Click the icon in front of Authentication Profile. Under it, click Local
Authentication. The Local Authentication page is displayed.

# Click Manage. The Create Local User page is displayed.

# Click Create. In the dialog box that is displayed, enter the user name and
password.
NOTE

The local user name and password must be the same as those in the MAC authentication
profile.

# Click OK. Click Close. Click Apply.


Step 7 Verify the configuration.
1. The STAs automatically access the WLAN with the SSID wlan-net.
2. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter
wlan-net, and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

----End

3.2.10 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users

Service Requirements
Different user groups are created to assign network access rights to different users
when they access the WLAN through 802.1X authentication. Furthermore, users'
services are not affected during roaming in the coverage area.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: The AC and SwitchB function as DHCP servers to
assign IP addresses to APs and STAs, respectively.
● Service data forwarding mode: direct forwarding
● WLAN authentication mode: WPA-WPA2+802.1X+AES

Figure 3-23 Networking diagram for configuring user authorization based on user
groups

Data Planning

Table 3-23 AC data planning


Item                              Data

Management VLAN                   VLAN 100

Service VLAN                      VLAN 101

AC's source interface             VLANIF 100: 10.23.100.1/24

DHCP server                       The AC functions as a DHCP server to assign IP
                                  addresses to APs, and SwitchB functions as a
                                  DHCP server to assign IP addresses to STAs.

IP address pool for APs           10.23.100.2-10.23.100.254/24

IP address pool for STAs          10.23.101.2-10.23.101.254/24

RADIUS authentication parameters  ● RADIUS server template name: wlan-net
                                  ● IP address: 10.23.103.1
                                  ● Authentication port number: 1812
                                  ● Shared key: YsHsjx_202206
                                  ● Authentication scheme: wlan-net

802.1X access profile             ● Name: wlan-net
                                  ● Authentication mode: EAP

Authentication profile            ● Name: wlan-net
                                  ● Referenced profiles and authentication
                                    scheme: 802.1X access profile wlan-net,
                                    RADIUS server template wlan-net, and
                                    authentication scheme wlan-net

AP group                          ● Name: ap-group1
                                  ● Referenced profiles: VAP profile wlan-net
                                    and regulatory domain profile default

Regulatory domain profile         ● Name: default
                                  ● Country code: CN

SSID profile                      ● Name: wlan-net
                                  ● SSID name: wlan-net

Security profile                  ● Name: wlan-net
                                  ● Security policy: WPA-WPA2+802.1X+AES

VAP profile                       ● Name: wlan-net
                                  ● Forwarding mode: direct forwarding
                                  ● Service VLAN: VLAN 101
                                  ● Referenced profiles: SSID profile wlan-net,
                                    security profile wlan-net, and authentication
                                    profile wlan-net

User group                        ● Name: group1
                                  ● Referenced ACL number: 3001
                                  ● User group right: Only members in the user
                                    group are allowed to access network
                                    resources on the 10.23.200.0/24 network
                                    segment.

Configuration Roadmap
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services on the AC using the configuration wizard. When
configuring a security policy, select 802.1X and RADIUS authentication and set
RADIUS server parameters.
5. Configure a user group.
6. Configure third-party server parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.

● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
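
The port-isolation note and the DTLS non-authentication note can both be checked against a saved configuration. The Python below is an added example, not part of the Huawei guide; the sample configuration is constructed, and the saved-config layout and the rule that an AP-facing port is a trunk whose PVID is management VLAN 100 are assumptions.

```python
"""Audit a saved configuration against two of the Configuration Notes."""

# Constructed sample for a device that has APs plugged in directly and
# terminates CAPWAP. Layout and spelling of the saved lines are assumptions.
SAMPLE_CONFIG = """\
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap dtls no-auth enable
#
return
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an indented config dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # a '#' separator or a global command ends the block
    return interfaces


def audit(config, mgmt_vlan=100):
    """Return a sorted list of (check, subject) findings."""
    findings = []

    # DTLS non-authentication is only meant to let a new AP obtain its
    # security credential; left on, unauthorized APs can go online.
    for raw in config.splitlines():
        if raw.strip() == "capwap dtls no-auth enable":
            findings.append(("dtls-no-auth-left-enabled", "global"))

    # Ports directly connected to APs need port isolation.
    # Assumption: an AP-facing port is a trunk whose PVID is the management VLAN.
    pvid_line = "port trunk pvid vlan %d" % mgmt_vlan
    for name, cmds in parse_interfaces(config).items():
        ap_facing = pvid_line in cmds
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if ap_facing and not isolated:
            findings.append(("ap-port-without-isolation", name))

    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(check, subject)
```
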

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN
101, respectively.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN
104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default
route with the router as the next hop.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure an IP address for GE0/0/1 on the router and configure a static route
to the network segment for STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set Country/Region
to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to
Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.


# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.


4. # Set Security settings to 802.1X authentication and set parameters of the
external RADIUS server.

5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management
are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure a user group.
1. Configure an ACL.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create on the ACLv4 tab page. On the Create Advanced ACL page
that is displayed, configure an ACL.

# Click OK. The Advanced ACL Configuration page is displayed.


# Click Add Rule next to ACL 3001. On the Add Rule page that is displayed,
add an ACL rule.

# Click OK. On the Advanced ACL Settings page that is displayed, add
another ACL rule in the same way.

# Click OK.
2. Configure a user group.

# Choose Configuration > Security > User Group > User Group. The User
Group page is displayed.

# Click Create. On the Create User Group page that is displayed, set User
group name and bind an ACL.

# Click OK.
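
The two rules added to ACL 3001 appear on the page only as screenshots. The Python below is an added example, not part of the Huawei guide: it assumes a CLI-style form of those rules (permit the planned 10.23.200.0/24 segment, deny everything else), evaluates them first-match in rule-ID order, and uses a constructed STA address to show why the second rule is needed.

```python
import ipaddress

# Assumed CLI-style form of the two rules added in the wizard; the page shows
# them only in screenshots. The network comes from the data-planning table.
ACL_3001 = """\
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip destination any
"""


def _field(tokens, keyword):
    """Return (base, wildcard) for 'source'/'destination', or None for any."""
    if keyword not in tokens:
        return None
    i = tokens.index(keyword)
    if tokens[i + 1] == "any":
        return None
    base = int(ipaddress.IPv4Address(tokens[i + 1]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 2]))
    return base, wildcard


def parse_acl(text):
    """Parse 'rule <id> <permit|deny> ip ...' lines, ordered by rule ID."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "rule":
            continue
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError("unsupported rule: " + line)
        rules.append({
            "id": int(tokens[1]),
            "action": tokens[2],
            "source": _field(tokens, "source"),
            "destination": _field(tokens, "destination"),
        })
    return sorted(rules, key=lambda r: r["id"])


def _matches(field, address):
    if field is None:
        return True
    base, wildcard = field
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 means "must match"
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def evaluate(rules, source, destination):
    """First matching rule wins. Returns (action, rule_id)."""
    for rule in rules:
        if (_matches(rule["source"], source)
                and _matches(rule["destination"], destination)):
            return rule["action"], rule["id"]
    # Unmatched traffic is handled by whatever feature applies the ACL,
    # so it is reported separately instead of being guessed.
    return "no-match", None


if __name__ == "__main__":
    rules = parse_acl(ACL_3001)
    sta = "10.23.101.50"  # constructed STA address from the STA pool
    for dst in ("10.23.200.10", "10.23.103.1", "8.8.8.8"):
        print(dst, evaluate(rules, sta, dst))
```
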

Step 8 Configure a third-party server.

For details about the configuration method, see the corresponding product
manual.

Step 9 Verify the configuration.


● The WLAN with the SSID wlan-net is available for STAs connected to the APs.
● The wireless PC obtains an IP address after it associates with the WLAN.
● A user can use the 802.1X authentication client on a STA for authentication.
After entering the correct user name and password, the user is successfully
authenticated and can access resources on the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:

i. On the Association tab page of the Wireless network properties
dialog box, add the SSID wlan-net, and set the authentication mode
to WPA2 and encryption algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click
Properties. In the Protected EAP Properties dialog box, deselect
Validate server certificate and click Configure. In the dialog box
that is displayed, deselect Automatically use my Windows logon
name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add and select
Manually create a network profile. In the dialog box that is
displayed, add the SSID wlan-net, set the authentication mode to
WPA2-Enterprise and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network
Properties page that is displayed, select the Security tab page and
click Settings. In the Protected EAP Properties dialog box, deselect
Validate server certificate and click Configure. In the displayed
dialog box, deselect Automatically use my Windows logon name
and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings.
On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.

----End

3.2.11 Example for Configuring External Portal Authentication (In HACA Mode)

Service Requirements
An enterprise deploys a cloud AC to manage users connected to the Internet and
the iMaster NCE-Campus as a Huawei Agile Cloud Authentication (HACA) server.
The HACA server is located on the cloud to implement functions of an external
Portal server, authentication server, and accounting server. Access users are
authenticated and charged on the HACA server through the cloud AC. This reduces
routing network maintenance costs of the enterprise.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding
● AAA scheme: HACA
● Authentication mode: External Portal authentication

Figure 3-24 Networking for configuring external Portal authentication (in HACA
mode)

Data Planning
Item                              Data

Management VLAN for APs           VLAN 100

Service VLAN for STAs             VLAN 101

DHCP server                       The AC functions as a DHCP server to assign IP
                                  addresses to APs.
                                  SwitchB functions as a DHCP server to assign IP
                                  addresses to STAs.
                                  The default gateway address of STAs is
                                  10.23.101.2.

IP address pool for APs           10.23.100.2-10.23.100.254/24

IP address pool for STAs          10.23.101.3-10.23.101.254/24

AC's source interface address     VLANIF 100: 10.23.100.1/24

AP group                          ● Name: ap-group1
                                  ● Referenced profile: VAP profile wlan-net and
                                    regulatory domain profile default

Regulatory domain profile         ● Name: default
                                  ● Country code: China

SSID profile                      ● Name: wlan-net
                                  ● SSID name: wlan-net

Security profile                  ● Name: wlan-net
                                  ● Security policy: open

HACA server template              ● Name: wlan-net
                                  ● IP address: 10.23.200.1
                                  ● Destination port number in the packets that
                                    the AC sends to the Portal server: 50301
                                  ● PKI realm name: default

Portal access profile             ● Name: wlan-net
                                  ● Referenced profile: Portal server template
                                    wlan-net

Portal server template            ● Name: wlan-net
                                  ● IP address: 10.23.200.1

Authentication-free rule profile  ● Name: default_free_rule
                                  ● Authentication-free resource: IP address of
                                    the DNS server (8.8.8.8)

Authentication profile            ● Name: wlan-net
                                  ● Referenced profiles: Portal access profile
                                    wlan-net, authentication scheme wlan-net,
                                    authentication-free rule profile
                                    default_free_rule, and HACA server template
                                    wlan-net

VAP profile                       ● Name: wlan-net
                                  ● Forwarding mode: tunnel forwarding
                                  ● Service VLAN: VLAN 101
                                  ● Referenced profiles: SSID profile wlan-net,
                                    security profile wlan-net, and authentication
                                    profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Register the AC with the iMaster NCE-Campus and go to the web platform of
the AC.

3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Configure WLAN services on the AC using the WLAN configuration wizard.
6. Configure HACA authentication in a VAP profile.
7. Configure authentication-free rules for an AP group.
8. Configure the iMaster NCE-Campus parameters.
9. Complete service verification.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Register the AC with the iMaster NCE-Campus and add APs. For the registration
procedure, see Configuration - Cloud-based Management Configuration of AC. For
operations of adding APs, see CloudCampus Cloud Managed Campus Solution
Product Documentation.
Step 4 Log in to the iMaster NCE-Campus through the Internet, go to the web platform
of the AC, and remotely configure WLAN service data.
1. Select a site.
a. Choose Deploy > Site > Site Configuration from the main menu.
b. In the displayed window, select a site from the Site drop-down list box in
the upper left corner, and set the selected site as the operation object.
2. In the navigation tree on the left, choose AC(Fit AP) > Fit AP.
3. Click the name of the desired WLAN AC in the Device Name area. The WLAN
AC management page is displayed.
4. Click Open Web System in the upper right corner and the WLAN AC web
platform page is displayed.

Step 5 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.


# Set the IP address of VLANIF 101 to 10.23.101.3/24 in the same way.


# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.


# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 6 Configure an AP to go online.


1. Configure an AP to go online.

# Click Next. The Group APs page is displayed.

# Click the icon next to AP Group List. The page for adding an AP group is
displayed.
# Enter the AP group name ap-group1 and click OK.
# Click Add. Select the AP added on the iMaster NCE-Campus, and add this
AP to ap-group1.
# Click OK.
# Click Next.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 7 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Open (applicable to personal networks).
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 8 Configure HACA authentication.
1. Create the authentication profile wlan-net.
# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.
# Set Access mode to Portal authentication and Portal option to HACA
access.


# Click Apply. In the dialog box that is displayed, click OK.


2. Configure HACA access parameters.

# Click the icon in front of Authentication Profile. Under it, click HACA
Access. The Portal Profile page is displayed.

# Click the icon next to Portal server group. The Portal Authentication
Server List page is displayed.
# Click Create. On the Create Portal server group page that is displayed, set
Server name to wlan-net, Server IP to 10.23.200.1, and parameters in
Redirection Setting as follows:
– AC-MAC keyword: lsw-mac
– User access URL keyword: redirect-url
– User MAC keyword: umac
– User IP address keyword: uaddress
– SSID keyword: ssid


# Click OK. In Portal Authentication Server List, select the server named
wlan-net and click OK.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure the HACA server.

# Click the icon in front of Authentication Profile. Under it, click HACA
Server. The HACA Server page is displayed.
# On the HACA Server Template tab, click Create. The Create HACA Server
Template page is displayed. Set Profile name to wlan-net. Enable HACA
function. Set IP address to 10.23.200.1, Port number to 50301, and
Certificate name to default.


# Click OK. In the dialog box that is displayed, click OK.

# Set HACA Server Template to wlan-net, Accounting mode to HACA
accounting, and Policy for accounting-start failures to Allow user login.

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Configure network resources accessible to authentication-free users.


1. Choose Configuration > AP Config > Profile. The Profile Management page
is displayed.
2. Choose Wireless Service > VAP Profile > wlan-net > Authentication Profile
> Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed,
set Rule ID to 1 and the authentication-free resource to the IP address of the
DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog
box that is displayed, click OK.

Step 10 Configure the user group and users on the iMaster NCE-Campus.


1. Choose Admission > User Management > Users from the main menu.

2. Click the icon to batch import users and user groups using the Excel
template. Download the template, enter the users and user groups in it, and
upload the Excel document.
3. Click OK.
Step 11 Configure authentication parameters on the iMaster NCE-Campus.
1. Select a site.
a. Choose Deploy > Site > Site configuration from the main menu.
b. Select a site from the Site drop-down list box in the upper left corner and
set the site as an operation object.
2. In the navigation tree on the left, choose AC(Fit AP) > Fit AP.
3. Click Add and configure authentication parameters as follows:
– Name: wlan-net
– SSID: wlan-net, which must be the same as the SSID configured on the
AC
– Authentication mode: Open network
– Push mode: Fast
– Push page: Default customization page with user name and password
authentication
– User group: Guest


4. Click OK.
Step 12 Verify the configuration.
● The WLAN with the SSID wlan-net is available for STAs after the
configuration is complete.
● The STAs obtain IP addresses when they successfully associate with the
WLAN.
● When a user opens the browser and attempts to access the network, the user
is automatically redirected to the authentication page provided by the Portal
server. After entering the correct user name and password on the page, the
user can access the network.
----End

3.2.12 Example for Configuring LDAP to Perform Authentication and Authorization

Networking Requirements
As shown in Figure 3-25, an AC on an enterprise network connects to an AP and
an LDAP server. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to STAs.


STAs in an enterprise are authenticated in the following modes:


● The AC authenticates access users in the MAC+LDAP mode and the LDAP
server authorizes the users.
● The IP address of the LDAP server is 10.23.200.1 and the port number is 389.

NOTE

When terminal accounts are stored on an LDAP server, it is recommended that 802.1X +
RADIUS authentication be used. In this case, the device connects to the LDAP server
through a RADIUS server.

Figure 3-25 Networking diagram for configuring LDAP to perform user
authentication and authorization

Data Planning
Item
    Data

LDAP authentication parameters
    Authentication scheme name: wlan-net
    Authorization scheme name: wlan-net
    LDAP server template name: template1
    ● IP address: 10.23.200.1
    ● Port number: 389
    ● Server type: AD LDAP
    ● Base DN: dc=my-domain,dc=com and dc=esaptest,dc=com
    ● Administrator DN: cn=Administrator,cn=users
    ● Administrator password: YsHsjx_202206

MAC access profile
    ● Name: wlan-net
    ● User name and password for MAC address authentication: MAC
      addresses without hyphens (-)

Authentication profile
    ● Name: wlan-net
    ● Bound profiles and authentication scheme: MAC access profile
      wlan-net, LDAP server template template1, and authentication
      scheme wlan-net

DHCP server
    The AC functions as a DHCP server to assign IP addresses to APs
    and STAs.

IP address pool for APs
    10.23.100.2-10.23.100.254/24

IP address pool for STAs
    10.23.101.2-10.23.101.254/24

AC's source interface
    VLANIF 100: 10.23.100.1/24

AP group
    ● Name: ap-group1
    ● Referenced profiles: VAP profile wlan-net and regulatory
      domain profile default

Regulatory domain profile
    ● Name: default
    ● Country code: CN

SSID profile
    ● Name: wlan-net
    ● SSID name: wlan-net

Security profile
    ● Name: wlan-net
    ● Security policy: open authentication

VAP profile
    ● Name: wlan-net
    ● Forwarding mode: tunnel forwarding
    ● Service VLAN: VLAN 101
    ● Referenced profiles: SSID profile wlan-net, security profile
      wlan-net, and authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services on the AC using the configuration wizard. Configure
MAC address authentication and LDAP authentication to authenticate users.


5. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete
the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure system parameters for the AC.
1. Configure AC basic parameters.
Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region as required (China as an example). Set System time
to Manual and Date and time to PC.


# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to
Trunk and Default VLAN to 100, and add GigabitEthernet0/0/1 to VLAN
100 (management VLAN).

# Click Apply.
# Select GigabitEthernet0/0/2. Expand Batch Modify. Set Interface type to
Trunk and add GigabitEthernet0/0/2 to VLAN 101 (service VLAN).


# Click Apply.
# Click Next. The Network Interconnection page is displayed.
3. Configure network connectivity.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON,
and DHCP type to Interface address pool.

# Click OK.
# Configure the address pool for VLANIF 101 in a similar way. Set the IP
address of VLANIF 101 to 10.23.101.1/24, DHCP status to ON, and DHCP
type to Interface address pool.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set the destination IP address to 10.23.200.0/24 and Next hop address to
10.23.101.2 (assuming that the IP address of the uplink device is 10.23.101.2).

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select
Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 2 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and
click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 3 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Open (applicable to personal networks).


# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 4 Configure MAC address authentication and LDAP authentication.
1. Create the authentication profile wlan-net.
# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.
# Set Access mode to MAC authentication and Authentication mode to
LDAP authentication.
# Click Apply. In the dialog box that is displayed, click OK.
2. Configure the MAC access profile wlan-net.

# Click the icon in front of Authentication Profile. Under it, click MAC
Authentication. The MAC Authentication Profile page is displayed.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure an LDAP authentication scheme.

# Click the icon in front of Authentication Profile and select LDAP Server.
The Authentication Profile page is displayed.

# Click the icon next to LDAP Server Template. The LDAP Server Template
page is displayed.
# Click Create. The Create LDAP Server Template page is displayed. Set the
parameters as follows:
– Template Name: template1
– Primary server IP address/port number: 10.23.200.1/389
– Server type: AD LDAP

– Base DN: Click the icon next to Base DN and enter dc=my-domain,dc=com
and dc=esaptest,dc=com.
– Administrator DN: cn=Administrator,cn=users
– Administrator password: YsHsjx_202206

NOTE

– User filtering field: The value of the user filtering field is used as the user name to
log in to an LDAP server. The user filtering field must be the same as that on the
server. The default value is sAMAccountName.
– Group filtering field: The device uses the value of a group filtering field as the
group name to perform authorization. The group filtering field must be the same
as that on the server. The default value is ou.

# Click OK. Select the created LDAP server template, and click OK.

# Click Apply. In the dialog box that is displayed, click OK.


4. Configure an LDAP authorization scheme.

# Choose Configuration > AP Config > Profile. On the Profile Management
page, choose AAA > Authorization Scheme. The Authorization Scheme List
page is displayed.

# Click Create. On the Create Authorization Scheme page that is displayed,
set Profile name to wlan-net and click OK.

# Set First authorization to LDAP authorization and click Apply. In the
dialog box that is displayed, click OK.


# Choose Wireless Service > VAP Profile > wlan-net > Authentication
Profile > Authorization Scheme. The Authorization Scheme page is
displayed.
# Set Authorization Scheme to wlan-net.
# Click Apply. In the dialog box that is displayed, click OK.
Step 5 Verify the configuration.
1. STAs automatically connect to the WLAN with the SSID wlan-net.
2. Choose Monitoring > User > User List. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. STAs go online successfully and
obtain IP addresses.

----End
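
An added consistency check over this example's address plan (not part of the original guide; the dictionary layout and the function name are assumptions). It confirms that the static route's next hop is directly connected, that the LDAP server is covered by a route, and that no statically assigned address falls inside a DHCP range. With the guide's values it reports that the assumed uplink address 10.23.101.2 is also the first address of the STA pool.

```python
import ipaddress

# Values copied from the data plan and from Step 1 of this example.
# The dictionary layout is an assumption made for this sketch.
PLAN = {
    "interfaces": {"Vlanif100": "10.23.100.1/24", "Vlanif101": "10.23.101.1/24"},
    "pools": {
        "APs": ("10.23.100.2", "10.23.100.254"),
        "STAs": ("10.23.101.2", "10.23.101.254"),
    },
    "static_routes": [("10.23.200.0/24", "10.23.101.2")],
    "servers": {"LDAP": "10.23.200.1"},
}


def check_plan(plan):
    """Return findings as (kind, address, detail) tuples; an empty list means consistent."""
    findings = []
    ifaces = {n: ipaddress.ip_interface(c) for n, c in plan["interfaces"].items()}
    connected = [i.network for i in ifaces.values()]

    # Addresses that are configured by hand and must never be leased to a client.
    static = {str(i.ip): name for name, i in ifaces.items()}
    for dest, hop in plan["static_routes"]:
        static.setdefault(hop, "next hop for " + dest)

    # A next hop is only usable if it sits on a directly connected subnet.
    for dest, hop in plan["static_routes"]:
        if not any(ipaddress.ip_address(hop) in net for net in connected):
            findings.append(("unreachable-next-hop", hop, dest))

    # The authentication server must be covered by a connected or static route.
    routed = connected + [ipaddress.ip_network(d) for d, _ in plan["static_routes"]]
    for name, addr in plan["servers"].items():
        if not any(ipaddress.ip_address(addr) in net for net in routed):
            findings.append(("no-route-to-server", addr, name))

    for pool, (first, last) in plan["pools"].items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # An interface address pool can only serve its own interface subnet.
        if not any(lo in net and hi in net for net in connected):
            findings.append(("pool-outside-interface-subnet", first + "-" + last, pool))
        # A static address inside the range can be handed to a STA as well.
        for addr, owner in static.items():
            if lo <= ipaddress.ip_address(addr) <= hi:
                findings.append(("static-address-in-pool", addr,
                                 pool + " pool contains " + owner))
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```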

3.2.13 Example for Configuring AD to Perform Authentication and Authorization

Networking Requirements
As shown in Figure 3-26, an enterprise AC connects to an AP and an AD server.
The AC functions as the DHCP server to assign IP addresses on the network
segment 10.23.101.0/24 to STAs.
STAs in an enterprise are authenticated in the following modes:
● The AC authenticates access STAs in MAC+AD mode.
● The IP address of the AD server is 10.23.200.1 and the port number is 88.

NOTE

When terminal accounts are stored on an LDAP server, it is recommended that 802.1X +
RADIUS authentication be used. In this case, the device connects to the LDAP server
through a RADIUS server.

Figure 3-26 Networking diagram for configuring AD to perform user
authentication and authorization

Data Planning
Item
    Data

AD authentication parameters
    Authentication scheme name: wlan-net
    Authorization scheme name: wlan-net
    AD server template name: template1
    ● IP address: 10.23.200.1
    ● Port number: 88
    ● Base DN: dc=test1,dc=com
    ● Administrator DN: cn=Administrator,cn=users
    ● Administrator password: YsHsjx_202206

MAC access profile
    ● Name: wlan-net
    ● User name and password for MAC address authentication: MAC
      addresses without hyphens (-)

Authentication profile
    ● Name: wlan-net
    ● Bound profiles and authentication scheme: MAC access profile
      wlan-net, AD server template template1, authentication
      scheme wlan-net, and authorization scheme wlan-net

DHCP server
    The AC functions as a DHCP server to assign IP addresses to APs
    and STAs.

IP address pool for APs
    10.23.100.2-10.23.100.254/24

IP address pool for STAs
    10.23.101.2-10.23.101.254/24

AC's source interface
    VLANIF 100: 10.23.100.1/24

AP group
    ● Name: ap-group1
    ● Referenced profiles: VAP profile wlan-net and regulatory
      domain profile default

Regulatory domain profile
    ● Name: default
    ● Country code: CN

SSID profile
    ● Name: wlan-net
    ● SSID name: wlan-net

Security profile
    ● Name: wlan-net
    ● Security policy: open authentication

VAP profile
    ● Name: wlan-net
    ● Forwarding mode: tunnel forwarding
    ● Service VLAN: VLAN 101
    ● Referenced profiles: SSID profile wlan-net, security profile
      wlan-net, and authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity between the AC, APs, and other network
devices.
2. Configure system parameters for the AC using the configuration wizard.
3. Configure the APs to go online on the AC using the configuration wizard.
4. Configure WLAN services on the AC using the configuration wizard. Configure
MAC address authentication and AD authentication to authenticate users.
5. Complete service verification.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.

– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete
the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure system parameters for the AC.
1. Configure AC basic parameters.
Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region as required (China as an example). Set System time
to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.
# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to
Trunk and Default VLAN to 100, and add GigabitEthernet0/0/1 to VLAN
100 (management VLAN).


# Click Apply.
# Select GigabitEthernet0/0/2. Expand Batch Modify. Set Interface type to
Trunk and add GigabitEthernet0/0/2 to VLAN 101 (service VLAN).

# Click Apply.
# Click Next. The Network Interconnection page is displayed.
3. Configure network connectivity.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON,
and DHCP type to Interface address pool.


# Click OK.

# Configure the address pool for VLANIF 101 in a similar way. Set the IP
address of VLANIF 101 to 10.23.101.1/24, DHCP status to ON, and DHCP
type to Interface address pool.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set the destination IP address to 10.23.200.0/24 and Next hop address to
10.23.101.2 (assuming that the IP address of the uplink device is 10.23.101.2).

# Click OK.

# Click Next.


# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select
Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 2 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 3 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Open (applicable to personal networks).

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 4 Configure MAC address authentication and AD authentication.


1. Create the authentication profile wlan-net.

# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.

# Set Access mode to MAC authentication and Authentication mode to AD
authentication.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure the MAC access profile wlan-net.

# Click in front of Authentication Profile. Under it, click MAC
Authentication. The MAC Authentication Profile page is displayed.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure an AD authentication scheme.

# Click in front of Authentication Profile and select AD Server. The
Authentication Profile page is displayed.

# Click next to AD Server Template. The AD Server Template page is
displayed.
# Click Create. The Create AD Server Template page is displayed. Set the
parameters as follows:
– Template Name: template1
– Primary server IP address/port number: 10.23.200.1/88
– Base DN: dc=test1,dc=com
– Administrator DN: cn=Administrator,cn=users
– Administrator password: YsHsjx_202206

NOTE

– User filtering field: The value of the user filtering field is used as the user name to
log in to an AD server. The user filtering field must be the same as that on the
server. The default value is sAMAccountName.
– Group filtering field: The device uses the value of a group filtering field as the
group name to perform authorization. The group filtering field must be the same
as that on the server. The default value is ou.

# Click OK. Select the created AD server template, and click OK.
# Click Apply. In the dialog box that is displayed, click OK.
4. Configure an AD authorization scheme.
# Choose Configuration > AP Config > Profile. On the Profile Management
page, choose AAA > Authorization Scheme. The Authorization Scheme List
page is displayed.
# Click Create. On the Create Authorization Scheme page that is displayed,
set Profile name to wlan-net and click OK.
# Set First authorization to AD authorization and click Apply. In the dialog
box that is displayed, click OK.

# Choose Wireless Service > VAP Profile > wlan-net > Authentication
Profile > Authorization Scheme. The Authorization Scheme page is
displayed.
# Set Authorization Scheme to wlan-net.
# Click Apply. In the dialog box that is displayed, click OK.
Step 5 Verify the configuration.
1. STAs automatically connect to the WLAN with the SSID wlan-net.
2. Choose Monitoring > User > User List. In User List, set the search criteria to
SSID, enter wlan-net, and click . STAs go online successfully and obtain IP
addresses.

----End

3.3 Reliability Configuration Examples

3.3.1 Example for Configuring Wireless Configuration
Synchronization in VRRP HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve
network reliability while reducing the configuration maintenance workload.
Wireless configuration synchronization can be deployed in VRRP HSB to meet this
requirement. In this solution, the master and backup ACs are often deployed in the
same location, and the service switchover is fast and has higher reliability than
dual-link HSB.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs, and a CSS functions as a DHCP server to assign IP addresses
to STAs.
● Service data forwarding mode: direct forwarding
● Switch cluster: A cluster is set up using CSS cards, containing SwitchB and
SwitchC at the core layer. SwitchB is the master switch, and SwitchC is the
standby switch.

Figure 3-27 Networking for configuring wireless configuration synchronization in
VRRP HSB scenarios (direct forwarding)

Data Planning

Table 3-24 AC data planning

Item | Data
AC1's source interface | VLANIF 100: 10.23.100.1/24
AC2's source interface | VLANIF 100: 10.23.100.2/24
Virtual IP address of the management VRRP group | 10.23.100.3/24
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: security profile wlan-net and SSID profile wlan-net
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsH_2022
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and a CSS functions as the DHCP server to assign IP addresses to STAs.
Gateway for APs | VLANIF 100: 10.23.100.3/24
IP address pool for APs | 10.23.100.4-10.23.100.254/24
Gateway for STAs | VLANIF 101: 10.23.101.1/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
IP address and port number of the HSB channel for AC1 | IP address: 10.23.102.1/24 of VLANIF 102; Port number: 10241
IP address and port number of the HSB channel for AC2 | IP address: 10.23.102.2/24 of VLANIF 102; Port number: 10241
Scheduled wireless configuration synchronization | Start time of scheduled synchronization: 01:00; Interval for scheduled synchronization: 1440 minutes

Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to
improve the core layer reliability and configure SwitchB as the master switch.

2. Configure SwitchA, SwitchB, and SwitchC to communicate with each other.
3. Configure AC1 based on the configuration wizard. VRRP HSB and wireless
configuration synchronization are both configured following the configuration
wizard.
4. Configure APs to go online and basic WLAN services on AC1.
5. Configure AC2 following the configuration wizard.
6. Trigger wireless configuration synchronization manually on AC1.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● During the configuration, check whether loops occur on the wired network. If
so, configure MSTP on corresponding NEs.
● In the VRRP HSB networking, the configurations of the DHCP address pools
on the master and backup ACs must be consistent. For example, the ranges of
IP addresses that cannot be automatically assigned to clients in the DHCP
address pools must be consistent.

Procedure
Step 1 Establish a cluster using CSS cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection, respectively, for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card
connection, respectively, for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA

4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows the card status and CSS status of both member
switches, indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.

Step 2 Configure SwitchA, SwitchB, and SwitchC to ensure that APs and ACs can
exchange CAPWAP packets.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA connected to
the AP. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs or WLAN users on different APs can directly communicate at Layer 2.

# On SwitchA, set the PVID of GE0/0/1 connected to the AP to management VLAN
100, add GE0/0/1 to VLAN 100 and VLAN 101 (service VLAN), and add GE0/0/2
connected to SwitchB and GE0/0/3 connected to SwitchC to Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
GE1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC both to VLAN 100.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit
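
The settings Step 2 applies to SwitchA's AP-facing GE0/0/1 (trunk, PVID set to the management VLAN, VLAN 1 removed, only VLANs 100 and 101 allowed, port isolation enabled) can be checked against a CLI transcript or a saved configuration. The following Python script is an added example, not part of the Huawei guide; its function names and the second sample are constructed for illustration, and it assumes that VLAN 1 stays allowed on a trunk until it is explicitly removed.

```python
import re

# VRP prompt such as "[SwitchA-GigabitEthernet0/0/1] port link-type trunk".
PROMPT = re.compile(r"^\[[^\]]+\]\s*(.*)$")


def parse_interfaces(text):
    """Map interface name -> ordered commands (CLI transcript or saved config)."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = PROMPT.match(line)
        cmd = " ".join((match.group(1) if match else line).split()).lower()
        if cmd.startswith("interface "):
            current = cmd[len("interface "):].replace(" ", "")
            interfaces.setdefault(current, [])
        elif cmd in ("quit", "#", "return"):
            current = None
        elif cmd and current:
            interfaces[current].append(cmd)
    return interfaces


def expand_vlans(tokens):
    """Expand a VLAN list such as ['100', '101'], ['10', 'to', '12'] or ['all']."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_port(text, port, mgmt_vlan, service_vlan):
    """Return findings for the AP-facing port; an empty list means it matches."""
    commands = parse_interfaces(text).get(port.replace(" ", "").lower())
    if commands is None:
        return ["interface not found"]
    allowed = {1}  # assumption: VLAN 1 is allowed on a trunk until removed
    pvid, trunk, isolated = 1, False, False
    for cmd in commands:  # order matters: "undo" and "allow-pass" are cumulative
        words = cmd.split()
        if cmd == "port link-type trunk":
            trunk = True
        elif cmd.startswith("port trunk pvid vlan "):
            pvid = int(words[-1])
        elif cmd.startswith("port trunk allow-pass vlan "):
            allowed |= expand_vlans(words[4:])
        elif cmd.startswith("undo port trunk allow-pass vlan "):
            allowed -= expand_vlans(words[5:])
        elif cmd.startswith("port-isolate enable"):
            isolated = True
    wanted = {mgmt_vlan, service_vlan}
    findings = []
    if not trunk:
        findings.append("link type is not trunk")
    if pvid != mgmt_vlan:
        findings.append(f"PVID is {pvid}, expected management VLAN {mgmt_vlan}")
    if wanted - allowed:
        findings.append(f"required VLANs not allowed: {sorted(wanted - allowed)}")
    if allowed - wanted:
        findings.append(f"extra VLANs allowed: {sorted(allowed - wanted)}")
    if not isolated:
        findings.append("port isolation is not enabled")
    return findings


# Commands taken from Step 2 of this example (SwitchA, GE0/0/1).
PAGE_CONFIG = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""

# Constructed sample in saved-configuration form: VLAN 1 left in place and
# port isolation missing.
WEAK_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
"""

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ap_port(cfg, "GigabitEthernet0/0/1", 100, 101))
```

An empty list means the port matches the settings used in this example; each string in a non-empty list names one deviation to correct on the switch.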

Step 3 Configure a DHCP server.

# Configure the CSS as a DHCP server to assign IP addresses to STAs.


[CSS] dhcp enable
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.23.101.1 24
[CSS-Vlanif101] dhcp select interface
[CSS-Vlanif101] quit

Step 4 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC from the main menu. The
Basic AC Configuration page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Modify all. Set Interface type to
Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 102 in the same way.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Create under DHCPv4 Address Pool List, set Address pool type to
Interface address pool, and select VLANIF 100. Expand Advanced. Click
to add 10.23.100.1 to 10.23.100.3 to Excluded IP address.

NOTE

Configure the DNS server address as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.1/24.
# Click Next. The AC Backup Configuration page is displayed.
4. Configure AC backup.
# Enable the HSB function.

# Click Create. The Create VRID page is displayed.


# Create an mVRRP group. Set parameters as follows:
– VLANIF/IP: VLANIF100
– VRID: 1
– VRRP type: mVRRP group
– Virtual IP address: 10.23.100.3
– Priority: 120
– Preemption delay(s): 1800

# Click OK.
# Configure HSB. Set the parameters as follows:
– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Associated VRID: 1

# Enable wireless configuration synchronization and set PSK key.

# Click Next. The AC Source Address page is displayed.

5. Configure the source address for AC1.


# Set AC source address to IP address and set the IP address to 10.23.100.3.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 5 Configure APs connected to AC1.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the template file with AP information according to the following
example. To add multiple APs, fill in the file with information about the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.

# Click next to Import AP File, select the template file with AP
information, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
2. Configure an AP group.
# AP group information has been added in the template file. Click Next. The
Confirm Configurations page is displayed.

3. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 6 Configure basic WLAN services on AC1.


1. Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select
the AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 7 Configure AC2.


1. Perform basic AC configurations.

# Configure AC2 in the same way as that for configuring AC1.


2. Configure interfaces.

# Configure AC2 in the same way as that for configuring AC1.


3. Configure network connectivity.

# Configure AC2 in the same way as that for configuring AC1. The difference
lies in the VLANIF interfaces' IP addresses (VLANIF 100: 10.23.100.2/24;
VLANIF 102: 10.23.102.2/24).

4. Configure AC backup.
# Configure AC2 in the same way as that for configuring AC1. The difference
lies in the priority and preemption delay (s). When configuring a VRRP group,
retain the default settings of Priority and Preemption delay(s). When
configuring HSB, set Local AC IP address to 10.23.102.2 and Peer AC IP
address to 10.23.102.1.
5. Configure the source address for AC2.
# Configure AC2 in the same way as that for configuring AC1.
6. Confirm the configuration.
# Confirm the configuration and click Finish.
Step 8 Trigger wireless configuration synchronization manually on AC1.
# Choose Monitoring > AC > Wireless Configuration Synchronization
Information. The Wireless Configuration Synchronization Information page is
displayed. Set Auto refresh to ON.
# Click Manual synchronization under Operation. In the Confirm dialog box that
is displayed, click OK. AC2 restarts automatically.

Step 9 Verify the configuration.


# After AC2 restarts, check the configuration synchronization status on AC1. If
Configuration Synchronization State is Synchronization success, the wireless
configuration synchronization function is normal.

# The WLAN with SSID wlan-net is available for STAs connected to the AP, and
these STAs can connect to the WLAN and go online normally.
# Simulate a master AC fault by restarting the master AC to verify the backup
configuration. Restart AC1. When an AP detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE

Before restarting the AC, click Save in the upper right corner of the web page to save the
configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. The AP goes
online on AC2. On AC2, choose Monitoring > AP > AP Statistics Collection. It is
found that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
The AP automatically goes online on AC1.
----End
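
The values entered on AC1 (Step 4) and AC2 (Step 7) have to agree with each other and with the Configuration Notes: identical excluded DHCP ranges, the same VRID and virtual IP address, and mirrored HSB endpoints. The following Python check is an added example, not part of the Huawei guide; the dictionary keys and function name are hypothetical, and the values are transcribed from this example's data plan and steps.

```python
import ipaddress


def check_ac_pair(ac1, ac2):
    """Return inconsistencies between the two ACs' plans; an empty list means consistent."""
    findings = []
    if1 = ipaddress.ip_interface(ac1["vlanif100"])
    if2 = ipaddress.ip_interface(ac2["vlanif100"])
    if if1.network != if2.network:
        findings.append("VLANIF 100 addresses are in different subnets")
    if (ac1["vrid"], ac1["virtual_ip"]) != (ac2["vrid"], ac2["virtual_ip"]):
        findings.append("VRID or virtual IP address differs between the ACs")
    if tuple(ac1["excluded"]) != tuple(ac2["excluded"]):
        findings.append("excluded DHCP ranges differ between the ACs")

    # Statically configured addresses that must never be leased to an AP:
    # both ACs' VLANIF 100 addresses and the VRRP virtual IP address.
    static = {
        if1.ip,
        if2.ip,
        ipaddress.ip_address(ac1["virtual_ip"]),
        ipaddress.ip_address(ac2["virtual_ip"]),
    }
    for name, ac, iface in (("AC1", ac1, if1), ("AC2", ac2, if2)):
        low, high = (ipaddress.ip_address(a) for a in ac["excluded"])
        for addr in sorted(static):
            if addr in iface.network and not (low <= addr <= high):
                findings.append(f"{name}: {addr} is not excluded from the AP address pool")

    # The HSB channel is mirrored: each AC's local endpoint is the other's peer.
    h1, h2 = ac1["hsb"], ac2["hsb"]
    if ((h1["local"], h1["local_port"]) != (h2["peer"], h2["remote_port"])
            or (h1["peer"], h1["remote_port"]) != (h2["local"], h2["local_port"])):
        findings.append("HSB channel endpoints are not mirrored")
    return findings


# Values from Table 3-24 and Steps 4 and 7 of this example.
AC1 = {
    "vlanif100": "10.23.100.1/24",
    "vrid": 1,
    "virtual_ip": "10.23.100.3",
    "excluded": ("10.23.100.1", "10.23.100.3"),
    "hsb": {"local": "10.23.102.1", "peer": "10.23.102.2",
            "local_port": 10241, "remote_port": 10241},
}
AC2 = {
    "vlanif100": "10.23.100.2/24",
    "vrid": 1,
    "virtual_ip": "10.23.100.3",
    "excluded": ("10.23.100.1", "10.23.100.3"),
    "hsb": {"local": "10.23.102.2", "peer": "10.23.102.1",
            "local_port": 10241, "remote_port": 10241},
}

if __name__ == "__main__":
    print(check_ac_pair(AC1, AC2))
    # Constructed mistake: the backup AC excludes only .1-.2, so its pool
    # could hand the virtual IP address to an AP after a switchover.
    print(check_ac_pair(AC1, dict(AC2, excluded=("10.23.100.1", "10.23.100.2"))))
```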

3.3.2 Example for Configuring Wireless Configuration
Synchronization in Dual-Link HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve
network reliability while reducing the configuration maintenance workload.
Wireless configuration synchronization can be deployed in dual-link HSB to meet
this requirement. This solution frees active and standby ACs from location
restrictions and allows both ACs to be flexibly deployed.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The router functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-28 Networking diagram for configuring dual-link HSB

Data Planning

Table 3-25 AC data planning

Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
AC's backup VLAN | VLAN102
DHCP server | The Router functions as the DHCP server for the APs and STAs; STAs' gateway: 10.23.101.1/24; APs' gateway: 10.23.100.1/24
IP address pool for APs | 10.23.100.4-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
AC's source interface | VLANIF100
AC1's management IP address | VLANIF 100: 10.23.100.2/24
AC2's management IP address | VLANIF 100: 10.23.100.3/24
Active AC | AC1
Standby AC | AC2
Master AC | AC1
Local AC | AC2
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsH_2022
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
AP system profile | Name: wlan-net; Primary AC's IP address: 10.23.100.2; Backup AC's IP address: 10.23.100.3
Scheduled wireless configuration synchronization | Start time of scheduled synchronization: 01:00; Interval for scheduled synchronization: 1440 minutes

Configuration Roadmap
1. Configure network interconnection. Configure Router as a DHCP server to
assign IP addresses to APs and STAs.
2. Configure AC1, APs going online, and WLAN services following the
configuration wizard.
3. Configure dual-link hot standby (HSB) on AC1.
4. Configure AC2 following the configuration wizard.
5. Configure dual-link HSB on AC2.
6. Trigger wireless configuration synchronization on AC1.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether the security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
all of them exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange
CAPWAP packets.
# On SwitchA, set the PVID on GE0/0/1 connected to the AP to the management
VLAN 100 and add the interface to VLAN 100 and VLAN 101. Add GE0/0/2
connected to SwitchB to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB, add GE0/0/1 (connected to SwitchA) to VLAN 100 and VLAN 101,
and GE0/0/2 (connected to AC1) and GE0/0/3 (connected to AC2) to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure the communication between Router, AC1, and AC2.


# On SwitchB, add GE0/0/2 and GE0/0/3 to VLAN 102, and add GE0/0/4
connected to Router to VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In the global address pool scenario, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure AC1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC from the main menu. The
Basic AC Configuration page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 and VLAN 102.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK. VLANIF 100 is configured.

# Repeat the preceding steps to configure VLANIF 102. Set the IP address of
VLANIF 102 to 10.23.102.1/24.

# Click Next. The AC Backup Configuration page is displayed.

# Click Next. The AC Source Address page is displayed.

4. Configure the source address for AC1.


# Set AC source address to VLANIF and set the IP address to Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 5 Configure APs connected to AC1.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the template file with AP information according to the following
example. To add multiple APs, fill in the file with information about the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.

# Click the icon next to Import AP File, select the template file with AP
information, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
2. Configure an AP group.
# AP group information has been added in the template file. Click Next. The
Confirm Configurations page is displayed.

3. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 6 Configure basic WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.
# Click Finish.
Step 7 Configure dual-link HSB on AC1.
1. Configure IP addresses for primary and backup ACs.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. On the page that is displayed, click
the icon in front of AP. Under it, click AP System Profile. The AP System
Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter
the profile name wlan-net and click OK. The AP system profile configuration
page is displayed.

# On the Advanced Configuration page of the AP system profile, click the icon
in front of Dual-Link/N+1 Backup. On the expanded page, set Primary AC IP
address to 10.23.100.2 and Backup AC IP address to 10.23.100.3.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure dual-link HSB.
# Choose Configuration > Reliability > Reliability. The Reliability page is
displayed.

# Set parameters as follows:


– Backup mode: Dual-link hot backup
– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Wireless configuration synchronization: ON
– Synchronization mode: From local to peer
– Peer AC IP address: 10.23.100.3
– PSK key: H@123456
Step 8 Configure AC2.
1. Perform basic AC configurations.
# Configure AC2 in the same way as that for configuring AC1.
2. Configure interfaces.
# Configure interfaces on AC2 in the same way as that on AC1.

3. Configure network interconnection.


# Configure network interconnections on AC2 in the same way as that on
AC1. The differences are as follows:
– Set IP addresses of VLANIF 100 and VLANIF 102 to 10.23.100.3/24 and
10.23.102.2/24, respectively.
4. Configure the source address for AC2.
# Configure the source address for AC2 in the same way as that for AC1.
5. Confirm the configuration.
# Confirm the configuration and click Finish.
Step 9 Configure dual-link HSB on AC2.
1. Configure IP addresses for primary and backup ACs.
# Choose Configuration > AP Config > AP Group > AP Group.
# Click Create. On the page that is displayed, create the AP group ap-group1
and click OK.
# In the AP group list, click ap-group1. On the page that is displayed, click
the icon in front of AP. Under it, click AP System Profile. The AP System
Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter
the profile name wlan-net and click OK. The AP system profile configuration
page is displayed.

# On the Advanced Configuration page of the AP system profile, click the icon
in front of Dual-Link/N+1 Backup. On the expanded page, set Primary AC IP
address to 10.23.100.2 and Backup AC IP address to 10.23.100.3.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure dual-link HSB.
# Choose Configuration > Reliability > Reliability. The Reliability page is
displayed.

# Set parameters as follows:


– Backup mode: Dual-link hot backup
– Local AC IP address: 10.23.102.2
– Peer AC IP address: 10.23.102.1
– Local port: 10241
– Remote port: 10241
– Wireless configuration synchronization: ON
– Synchronization mode: From peer to local
– Peer AC IP address: 10.23.100.2
– PSK key: H@123456
Step 10 Trigger wireless configuration synchronization manually on AC1.
# Choose Monitoring > AC > Wireless Configuration Synchronization
Information. The Wireless Configuration Synchronization Information page is
displayed. Set Auto refresh to ON.
# Click Manual synchronization under Operation. In the Confirm dialog box that
is displayed, click OK. AC2 restarts automatically.

Step 11 Verify the configuration.


# After AC2 restarts, check the configuration synchronization state on AC1. If
Configuration Synchronization State is Synchronization success, wireless
configuration synchronization succeeds.

# STAs associated with the AP can find the SSID wlan-net and connect to the
WLAN.
# Simulate a master AC fault by restarting the master AC to verify the backup
configuration. Restart AC1. When an AP detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE

Before restarting the AC, click Save in the upper right corner of the web page to save the
configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. The AP goes
online on AC2. On AC2, choose Monitoring > AP > AP Statistics Collection. It is
found that the AP status changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
The AP automatically goes online on AC1.

----End
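
The dual-link HSB settings entered in Step 7 (AC1) and Step 9 (AC2) must mirror each other. The following pre-flight check is an added example, not part of the Huawei guide: the dictionary keys and function names are hypothetical, and it assumes that the second "Peer AC IP address" in each step is the peer for wireless configuration synchronization.

```python
import ipaddress

SYNC_MODES = {"From local to peer", "From peer to local"}
GUIDE_SAMPLE_PSKS = {"H@123456"}  # PSK printed in Step 7 and Step 9 of this example


def page_values(psk):
    """Settings from Step 7 (AC1) and Step 9 (AC2); the keys are hypothetical names."""
    common = {"local_port": 10241, "remote_port": 10241, "psk": psk,
              "primary_ac": "10.23.100.2", "backup_ac": "10.23.100.3"}
    ac1 = dict(common, name="AC1", mgmt_ip="10.23.100.2",
               hsb_local_ip="10.23.102.1", hsb_peer_ip="10.23.102.2",
               sync_mode="From local to peer", sync_peer_ip="10.23.100.3")
    ac2 = dict(common, name="AC2", mgmt_ip="10.23.100.3",
               hsb_local_ip="10.23.102.2", hsb_peer_ip="10.23.102.1",
               sync_mode="From peer to local", sync_peer_ip="10.23.100.2")
    return ac1, ac2


def check_hsb_pair(a, b, hsb_net="10.23.102.0/24"):
    """Return a list of mismatches between the HSB settings of two ACs."""
    problems = []
    net = ipaddress.ip_network(hsb_net)  # backup VLAN 102 subnet in this example

    # Each side's peer values must be the other side's local values.
    for x, y in ((a, b), (b, a)):
        if x["hsb_peer_ip"] != y["hsb_local_ip"]:
            problems.append(f"{x['name']}: HSB peer address {x['hsb_peer_ip']} is not "
                            f"{y['name']}'s local address {y['hsb_local_ip']}")
        if x["remote_port"] != y["local_port"]:
            problems.append(f"{x['name']}: remote port {x['remote_port']} is not "
                            f"{y['name']}'s local port {y['local_port']}")
        if ipaddress.ip_address(x["hsb_local_ip"]) not in net:
            problems.append(f"{x['name']}: HSB local address {x['hsb_local_ip']} "
                            f"is outside {hsb_net}")
        if x["sync_peer_ip"] != y["mgmt_ip"]:
            problems.append(f"{x['name']}: synchronization peer {x['sync_peer_ip']} is not "
                            f"{y['name']}'s management address {y['mgmt_ip']}")

    # One AC pushes its wireless configuration, the other receives it.
    if {a["sync_mode"], b["sync_mode"]} != SYNC_MODES:
        problems.append("synchronization mode: one AC must be 'From local to peer' "
                        "and the other 'From peer to local'")

    # Both AP system profiles must name the same primary and backup AC.
    if (a["primary_ac"], a["backup_ac"]) != (b["primary_ac"], b["backup_ac"]):
        problems.append("AP system profiles name different primary/backup ACs")
    elif {a["primary_ac"], a["backup_ac"]} != {a["mgmt_ip"], b["mgmt_ip"]}:
        problems.append("primary/backup AC addresses are not the two management addresses")

    # The PSK must match on both sides and must not be the value printed in the guide.
    if a["psk"] != b["psk"]:
        problems.append("PSK keys differ between the two ACs")
    for x in (a, b):
        if x["psk"] in GUIDE_SAMPLE_PSKS:
            problems.append(f"{x['name']} uses the guide's sample PSK")
    return problems


if __name__ == "__main__":
    ac1, ac2 = page_values(psk="H@123456")
    for problem in check_hsb_pair(ac1, ac2):
        print(problem)
```

Run with the values exactly as printed in the steps, the only findings are the two sample-PSK entries; the findings never include the PSK itself.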

3.3.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)

Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be used to improve data transmission
reliability.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: The switch functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-29 Networking diagram for configuring dual-link cold backup

Data Planning

Table 3-26 AC data planning

| Item | Data |
|---|---|
| Management VLANs for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | Switch functions as the DHCP server for the APs and STAs. STAs' gateway: 10.23.101.1/24; APs' gateway: 10.23.100.1/24 |
| IP address pool for APs | 10.23.100.4-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface | VLANIF 100 |
| Management IP address of AC1 | VLANIF 100: 10.23.100.2/24 |
| Management IP address of AC2 | VLANIF 100: 10.23.100.3/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and AP system profile wlan-net |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsH_2022 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| AP system profile | Name: wlan-net; Active AC: 10.23.100.2; Standby AC: 10.23.100.3 |

Configuration Roadmap
1. Set up connections between AC1, AC2, and other network devices. Configure
the switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2.
Ensure that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC.
When dual-link backup is enabled, all APs are restarted. With dual-link
backup enabled, the standby AC will replace the active AC to manage APs if
the CAPWAP tunnel between the active AC and APs is disconnected.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.

For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether the security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
all of them exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
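
Two of the notes above leave state that is easy to forget: port isolation on AP-facing interfaces, and CAPWAP DTLS non-authentication that must be disabled again once the APs are online. The following check is an added example, not part of the Huawei guide: it replays a CLI listing in the style used in this guide, treats an interface whose PVID is the management VLAN as AP-facing (a heuristic), and assumes capwap dtls no-auth enable is entered at the AC's system-view prompt. The listing is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of this guide's CLI listings (not taken from the guide).
# Assumption: "capwap dtls no-auth enable" is entered at the AC's system-view prompt.
SAMPLE_LISTING = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/4] port-isolate enable
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA] interface gigabitethernet 0/0/5
[SwitchA-GigabitEthernet0/0/5] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/5] port-isolate enable
[SwitchA-GigabitEthernet0/0/5] undo port-isolate enable
[SwitchA-GigabitEthernet0/0/5] quit
[AC1] capwap dtls no-auth enable
[AC2] capwap dtls no-auth enable
[AC2] undo capwap dtls no-auth enable
"""

# "<Device>" or "[Device]" or "[Device-View]" followed by a command.
# Assumption: device names contain no hyphen, so the first hyphen starts the view name.
PROMPT = re.compile(r"^[\[<](?P<dev>[^\-\]>]+)(?:-(?P<view>[^\]>]+))?[\]>]\s*(?P<cmd>.+)$")
PVID = re.compile(r"^port (?:trunk|hybrid) pvid vlan (\d+)$")
NO_AUTH = "capwap dtls no-auth enable"
ISOLATE = "port-isolate enable"


def replay(listing):
    """Replay the listing in order and return the final (ports, no_auth) state."""
    ports = defaultdict(lambda: {"pvid": None, "isolated": False})
    no_auth = {}
    for raw in listing.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        dev, view = m["dev"], m["view"] or ""
        cmd = " ".join(m["cmd"].split())
        undo = cmd.startswith("undo ")
        if undo:
            cmd = cmd[len("undo "):]
        if cmd == NO_AUTH:
            no_auth[dev] = not undo          # a later undo clears an earlier enable
        elif view.startswith("GigabitEthernet"):
            port = ports[(dev, view)]
            pvid = PVID.match(cmd)
            if pvid and not undo:
                port["pvid"] = int(pvid.group(1))
            elif undo and cmd in ("port trunk pvid vlan", "port hybrid pvid vlan"):
                port["pvid"] = None
            elif cmd.startswith(ISOLATE):
                port["isolated"] = not undo
    return ports, no_auth


def audit(listing, mgmt_vlan=100):
    """Return findings for unisolated AP-facing ports and DTLS no-auth left enabled."""
    ports, no_auth = replay(listing)
    findings = []
    for (dev, ifname), state in sorted(ports.items()):
        if state["pvid"] == mgmt_vlan and not state["isolated"]:
            findings.append(f"{dev} {ifname}: AP-facing port (PVID {mgmt_vlan}) "
                            "without port isolation")
    for dev, enabled in sorted(no_auth.items()):
        if enabled:
            findings.append(f"{dev}: CAPWAP DTLS non-authentication still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```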

Procedure
Step 1 Configure the switch.
# On the switch, create VLAN 100 and VLAN 101. VLAN 100 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Set the link type
of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and the PVID
of the two interfaces to 100, and configure the interfaces to allow packets in
VLAN 100 and VLAN 101 to pass. Set the link type of GE0/0/2 and GE0/0/3 on the
switch to trunk, and configure the interfaces to allow packets in VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

Configure the DHCP function on the switch to assign IP addresses to APs and
STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure VLANIF 100 to use the interface address pool to assign IP addresses
to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to assign IP addresses
to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 2 Configure AC1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnection.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Add APs on AC1.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services on AC1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.
# Click Finish.
Step 5 Configure AC2.
The configuration is similar to that on AC1. The difference is that the IP address of
VLANIF 100 is 10.23.100.3/24.
Step 6 Add APs on AC2.
The configuration is similar to that on AC1.
Step 7 Configure WLAN services on AC2.
The configuration is similar to that on AC1.
Step 8 Configure IP addresses for the primary and backup ACs on AC1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The
AP System Profile page is displayed.
3. # Click Create. On the page that is displayed, set Profile name to wlan-net
and click OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based,
Primary AC IP address to 10.23.100.2, and Backup AC IP address to
10.23.100.3.

5. # Click Apply. In the dialog box that is displayed, click OK.


Step 9 Configure IP addresses for the primary and backup ACs on AC2.
The configuration is similar to that on AC1.
Step 10 Configure dual-link backup on AC1 and AC2.
1. Configure dual-link backup on AC1.
# On AC1, choose Configuration > Reliability > Reliability. The Reliability
page is displayed.
# Set Backup mode to Dual-link cold backup and AC dual-link switchover
status to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Configure dual-link backup on AC2.
# The configuration is similar to that on AC1.
NOTE

By default, dual-link backup is disabled. Enabling dual-link backup will restart all APs. After the
APs are restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, performing the configuration does not restart APs.
Choose Maintenance > AP Maintenance > AP Restart on the active AC to restart the APs and
make the dual-link backup function take effect.

Step 11 Verify the configuration.

# The WLAN with the SSID wlan-net is available for STAs connected to AP1 and
AP2, and the STAs can connect to the WLAN and go online properly.
# Simulate a master AC fault by restarting the master AC to verify the backup
configuration. Restart AC1. When an AP detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE

Before restarting the AC, click Save in the upper right corner of the web page to save the
configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, the AP goes online on AC2. On AC2, choose
Monitoring > AP > AP Statistics Collection. It is found that the AP status
changes from standby to normal.
# After AC1 recovers from the restart, an active/standby switchback is triggered.
The AP automatically goes online on AC1.

----End

3.3.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs

Service Requirements
An enterprise deploys a WLAN to provide WLAN services. The enterprise requires
that dual-link HSB be used to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: The router functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-30 Networking diagram for configuring dual-link HSB

Data Planning

Table 3-27 AC data planning


| Item | Data |
|---|---|
| Management VLANs for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| Backup VLAN for ACs | VLAN 102 |
| DHCP server | The router functions as a DHCP server to assign IP addresses to APs and STAs. STAs' gateway: 10.23.101.1/24; APs' gateway: 10.23.100.1/24 |
| IP address pool for APs | 10.23.100.4-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface | VLANIF 100 |
| Management IP address of AC1 | VLANIF 100: 10.23.100.2/24 |
| Management IP address of AC2 | VLANIF 100: 10.23.100.3/24 |
| IP address and port number of the HSB channel for AC1 | IP address: 10.23.102.1/24 of VLANIF 102; Port number: 10241 |
| IP address and port number of the HSB channel for AC2 | IP address: 10.23.102.2/24 of VLANIF 102; Port number: 10241 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and AP system profile wlan-net |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsH_2022 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| AP system profile | Name: wlan-net; Active AC: 10.23.100.2; Standby AC: 10.23.100.3 |


Configuration Roadmap
1. Configure network interworking of the APs, ACs, and other network devices.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2.
Ensure that service configurations on AC1 and AC2 are the same.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1
are backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes
over services from AC1. User services are not interrupted.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete
the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.


Procedure
Step 1 Configure SwitchA and SwitchB to ensure that the APs and ACs can exchange
CAPWAP packets.
# On SwitchA, set the PVID on GE0/0/1 connected to the AP to the management
VLAN 100 and add the interface to VLAN 100 and VLAN 101. Add GE0/0/2
connected to SwitchB to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB, add GE0/0/1 (connected to SwitchA) to VLAN 100 and VLAN 101,
and GE0/0/2 (connected to AC1) and GE0/0/3 (connected to AC2) to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

Step 2 Configure the communication between Router, AC1, and AC2.


# On SwitchB, add GE0/0/2 and GE0/0/3 to VLAN 102, and add GE0/0/4
connected to Router to VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In the global address pool scenario, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure AC1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC from the main menu. The
Basic AC Configuration page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 and VLAN 102.

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.2/24.

# Click OK. VLANIF 100 is configured.

# Repeat the preceding steps to configure VLANIF 102. Set the IP address of
VLANIF 102 to 10.23.102.1/24.

# Click Next. The AC Backup Configuration page is displayed.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC1.

# Set AC source address to VLANIF and set the IP address to Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 5 Configure APs connected to AC1.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the template file with AP information according to the following
example. To add multiple APs, fill in the file with information about the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.

# Click next to Import AP File, select the template file with AP
information, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.


2. Configure an AP group.

# AP group information has been added in the template file. Click Next. The
Confirm Configurations page is displayed.
3. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 6 Configure basic WLAN services on AC1.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 7 Configure AC2.

The configuration is similar to that on AC1. The difference is that the IP addresses
of VLANIF 100 and VLANIF 102 are 10.23.100.3/24 and 10.23.102.2/24,
respectively.

Step 8 Add APs on AC2.

The configuration is similar to that on AC1.

Step 9 Configure WLAN services on AC2.

The configuration is similar to that on AC1.

Step 10 Configure IP addresses for the primary AC and the backup AC on AC1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The
AP System Profile page is displayed.


3. # Click Create. On the page that is displayed, set Profile name to wlan-net
and click OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based,
Primary AC IP address to 10.23.100.2, and Backup AC IP address to
10.23.100.3.

5. # Click Apply. In the dialog box that is displayed, click OK.

Step 11 Configure IP addresses for the primary AC and the backup AC on AC2.

The configuration is similar to that on AC1.

Step 12 Configure dual-link HSB on AC1.

# Choose Configuration > Reliability > Reliability. The Reliability page is
displayed.

# Set parameters as follows:


● Backup mode: Dual-link hot backup
● AC dual-link switchover status: ON


● Local AC IP address: 10.23.102.1
● Peer AC IP address: 10.23.102.2
● Local port: 10241
● Remote port: 10241

Step 13 Configure dual-link HSB on AC2.

The configuration is similar to that on AC1. The following parameter settings are
different:
● Local AC IP address: 10.23.102.2
● Peer AC IP address: 10.23.102.1

Step 14 Verify the configuration.

# The WLAN with the SSID wlan-net is available for STAs connected to AP1 and
AP2, and these STAs can connect to the WLAN and go online properly.

# Simulate a master AC fault by restarting the master AC to verify the backup
configuration. Restart AC1. When an AP detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE

Before restarting the AC, click Save in the upper right corner of the web page to save the
configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. The AP goes
online on AC2. On AC2, choose Monitoring > AP > AP Statistics Collection. It is
found that the AP status changes from standby to normal.

# After AC1 recovers from the restart, an active/standby switchback is triggered.
The AP automatically goes online on AC1.

----End
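
The Configuration Notes above call for port isolation on switch ports connected to APs and for disabling CAPWAP DTLS non-authentication once APs are online. The following Python check is an added example, not part of the Huawei guide: it reads a CLI session in the prompt format used in this procedure and reports AP-facing ports that lack port-isolate enable and any capwap dtls no-auth enable that was never undone. Treating a port whose PVID is management VLAN 100 as AP-facing, the function names, and the [AC1]/[AC2] prompts are assumptions; the sample sessions are constructed from commands shown on this page.

```python
import re

MGMT_VLAN = "100"  # management VLAN from the data plan on this page

# Prompt formats printed in the guide: <HUAWEI>, [SwitchA],
# [SwitchA-GigabitEthernet0/0/1]. Lines without a prompt are command output.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[(?P<view>[^\]]+)\])\s*(?P<cmd>\S.*?)?\s*$")
IFACE_VIEW = re.compile(r"^(?P<dev>.+?)-(?P<port>(?:GigabitEthernet|Eth-Trunk)\S+)$")


def parse_session(text):
    """Yield (device, port_or_None, command) for each system/interface-view line."""
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m or not m.group("view") or not m.group("cmd"):
            continue  # command output, blank line, or user-view (<...>) prompt
        iv = IFACE_VIEW.match(m.group("view"))
        cmd = " ".join(m.group("cmd").lower().split())
        if iv:
            yield iv.group("dev"), iv.group("port"), cmd
        else:
            yield m.group("view"), None, cmd


def audit(text):
    """Return findings as (device, scope, issue) tuples."""
    ports = {}    # (device, port) -> {"ap_facing": bool, "isolated": bool}
    no_auth = {}  # device -> True while DTLS non-authentication is enabled
    for dev, port, cmd in parse_session(text):
        undo = cmd.startswith("undo ")
        body = cmd[5:] if undo else cmd
        if port is not None:
            st = ports.setdefault((dev, port), {"ap_facing": False, "isolated": False})
            if body.startswith("port trunk pvid vlan"):
                # Assumption: a PVID equal to the management VLAN marks an AP-facing port.
                st["ap_facing"] = not undo and body.split()[-1] == MGMT_VLAN
            elif body.startswith("port-isolate enable"):
                st["isolated"] = not undo
        elif body == "capwap dtls no-auth enable":
            no_auth[dev] = not undo  # the last command seen wins
    findings = []
    for (dev, port), st in sorted(ports.items()):
        if st["ap_facing"] and not st["isolated"]:
            findings.append((dev, port, "AP-facing port without port isolation"))
    for dev, enabled in sorted(no_auth.items()):
        if enabled:
            findings.append((dev, "capwap", "DTLS non-authentication still enabled"))
    return findings


# Constructed sample 1: the SwitchA commands from Step 1 of this example.
SESSION_DUAL_LINK = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
"""

# Constructed sample 2: the same AP-facing port with port isolation enabled.
SESSION_ISOLATED = SESSION_DUAL_LINK.replace(
    "[SwitchA-GigabitEthernet0/0/1] quit",
    "[SwitchA-GigabitEthernet0/0/1] port-isolate enable\n"
    "[SwitchA-GigabitEthernet0/0/1] quit",
)

# Constructed samples 3 and 4: AP onboarding on an AC (prompts are assumed).
SESSION_NO_AUTH_LEFT_ON = "[AC1] capwap dtls no-auth enable\n"
SESSION_NO_AUTH_UNDONE = (
    "[AC2] capwap dtls no-auth enable\n"
    "[AC2] undo capwap dtls no-auth enable\n"
)

if __name__ == "__main__":
    samples = [
        ("SwitchA, Step 1", SESSION_DUAL_LINK),
        ("SwitchA, isolated", SESSION_ISOLATED),
        ("AC1, onboarding", SESSION_NO_AUTH_LEFT_ON),
        ("AC2, onboarding", SESSION_NO_AUTH_UNDONE),
    ]
    for name, session in samples:
        for finding in audit(session) or [("-", "-", "no findings")]:
            print(name, *finding, sep=" | ")
```
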

3.3.5 Example for Configuring VRRP HSB

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise
requires that VRRP HSB be used to improve data transmission reliability.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs, and a CSS functions as a DHCP server to assign IP addresses
to STAs.
● Service data forwarding mode: direct forwarding
● Switch cluster: A cluster is set up using CSS cards, containing SwitchB and
SwitchC at the core layer. SwitchB is the master switch, and SwitchC is the
standby switch.


Figure 3-31 Networking diagram for configuring VRRP HSB (direct forwarding)

Data Planning

Table 3-28 AC data planning

| Item | Data |
|---|---|
| AC1's source interface | VLANIF 100: 10.23.100.1/24 |
| AC2's source interface | VLANIF 100: 10.23.100.2/24 |
| Virtual IP address of the management VRRP group | 10.23.100.3/24 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: security profile wlan-net and SSID profile wlan-net |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsH_2022 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, and a CSS functions as a DHCP server to assign IP addresses to STAs. |
| Gateway for APs | VLANIF 100: 10.23.100.3/24 |
| IP address pool for APs | 10.23.100.4-10.23.100.254/24 |
| Gateway for STAs | VLANIF 101: 10.23.101.1/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| IP address and port number of the HSB channel for AC1 | IP address: 10.23.102.1/24 of VLANIF 102; Port number: 10241 |
| IP address and port number of the HSB channel for AC2 | IP address: 10.23.102.2/24 of VLANIF 102; Port number: 10241 |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a cluster between SwitchB and SwitchC through cluster cards to
improve the core layer reliability and configure SwitchB as the master switch.
2. Configure AC1 and AC2 using the configuration wizard.
– Configure network connectivity between the AC, APs, and other network
devices.


– Configure a VRRP group on AC1 and AC2. Configure a high priority for
AC1 as the active device to forward traffic, and a low priority for AC2 as
the standby device.
– Configure the hot standby (HSB) function on the ACs so that service
information on AC1 is backed up to AC2 in real time or in batches,
ensuring seamless service switchover from the active device to the
standby device.
– Add APs on AC1 and AC2, and configure basic WLAN services.

NOTE

During the configuration, check whether loops occur on the wired network. If so, configure
MSTP on corresponding NEs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete
the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Establish a cluster using CSS cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card
connection for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card
connection for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.


[SwitchB] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the
CSS is established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows the card status and CSS status of both member
switches, indicating that the CSS is established successfully.
# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating
that the CSS has been established successfully.
Step 2 Configure SwitchA, SwitchB, and SwitchC to ensure that APs and ACs can
exchange CAPWAP packets.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA connected to
the AP. If port isolation is not configured, many broadcast packets will be transmitted in the
VLANs or WLAN users on different APs can directly communicate at Layer 2.

# On SwitchA, set the PVID of GE0/0/1 connected to the AP to management VLAN
100, add GE0/0/1 to VLAN 100 and VLAN 101 (service VLAN), and add GE0/0/2
connected to SwitchB and GE0/0/3 connected to SwitchC to Eth-Trunk 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add
GE1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC both to VLAN 100.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

Step 3 Configure a DHCP server.


# Configure the CSS as a DHCP server to assign IP addresses to STAs.
[CSS] dhcp enable
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.23.101.1 24
[CSS-Vlanif101] dhcp select interface
[CSS-Vlanif101] quit

Step 4 Configure AC1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC from the main menu. The
Basic AC Configuration page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China, System time to Manual, and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Modify all. Set Interface type to
Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Create under DHCPv4 Address Pool List, set Address pool type to
Interface address pool, and select VLANIF 100. Expand Advanced. Click
to add 10.23.100.1 to 10.23.100.3 to Excluded IP address.


NOTE

Configure the DNS server address as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.1/24.
# Click Next. The AC Backup Configuration page is displayed.
4. Configure AC backup.
# Enable the HSB function.
# Click Create. The Create VRID page is displayed.
# Create an mVRRP group. Set parameters as follows:
– VLANIF/IP: VLANIF100
– VRID: 1
– VRRP type: mVRRP group
– Virtual IP address: 10.23.100.3
– Priority: 120
– Preemption delay(s): 1800

# Click OK.


# Configure HSB. Set the parameters as follows:


– Local AC IP address: 10.23.102.1
– Peer AC IP address: 10.23.102.2
– Local port: 10241
– Remote port: 10241
– Associated VRID: 1

# Click Next. The AC Source Address page is displayed.


5. Configure the source address for AC1.
# Set AC source address to IP address and set the IP address to 10.23.100.3.

# Click Next. The Confirm Settings page is displayed.


6. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 5 Configure APs connected to AC1.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the template file with AP information according to the following


example. To add multiple APs, fill in the file with information about the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.

# Click the button next to Import AP File, select the template file with AP
information, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
2. Configure an AP group.
# AP group information has been added in the template file. Click Next. The
Confirm Configurations page is displayed.
3. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 6 Configure basic WLAN services on AC1.
1. Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select
the AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 7 Configure AC2.


1. Perform basic AC configurations.

# Configure AC2 in the same way as that for configuring AC1.


2. Configure interfaces.

# Configure AC2 in the same way as that for configuring AC1.


3. Configure network connectivity.

# Configure AC2 in the same way as that for configuring AC1. The difference
lies in the VLANIF interfaces' IP addresses (VLANIF 100: 10.23.100.2/24;
VLANIF 102: 10.23.102.2/24).
4. Configure AC backup.

# Configure AC2 in the same way as that for configuring AC1. The difference
lies in the priority and preemption delay (s). When configuring a VRRP group,
retain the default settings of Priority and Preemption delay(s). When
configuring HSB, set Local AC IP address to 10.23.102.2 and Peer AC IP
address to 10.23.102.1.
5. Configure the source address for AC2.

# Configure AC2 in the same way as that for configuring AC1.


6. Confirm the configuration.

# Confirm the configuration and click Finish.

Step 8 Configure APs connected to AC2.

The configuration is the same as that on AC1 and is not mentioned here.

Step 9 Configure basic WLAN services on AC2.

The configuration is the same as that on AC1 and is not mentioned here.

Step 10 Verify the configuration.

# The WLAN with SSID wlan-net is available for STAs connected to the AP, and
these STAs can connect to the WLAN and go online normally.

# Simulate a master AC fault by restarting the master AC to verify the backup
configuration. Restart AC1. When an AP detects a fault on the link connected to
AC1, AC2 takes the active role, ensuring service stability.
NOTE

Before restarting the AC, click Save in the upper right corner of the web page to save the
configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. The AP goes
online on AC2. On AC2, choose Monitoring > AP > AP Statistics Collection. It is
found that the AP status changes from standby to normal.

# After AC1 recovers from the restart, an active/standby switchback is triggered.
The AP automatically goes online on AC1.

----End

3.3.6 Example for Configuring N+1 Backup

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the
branches to manage APs, providing WLAN access and email services. These
services require low network reliability and allow temporary service interruption.
An AC is required to be a backup of all ACs to save costs. In this scenario, the
enterprise can deploy a high-performance AC at the headquarters as a standby AC
to provide backup services for active ACs in the branches.

Networking Requirements
● AC networking mode: Layer 3 bypass mode
● DHCP deployment mode: Router_3 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-32 Networking for configuring N+1 backup

Data Planning

Table 3-29 AC data planning


Item Data

Management VLAN for APs AC_1 (primary AC): VLAN 99

AC_2 (primary AC): VLAN 100

Service VLAN for STAs AC_1: VLAN 101

AC_2: VLAN 102


DHCP server Router_3 functions as a DHCP server
to assign IP addresses to APs and STAs.
STAs' gateway:
● STA_1: 10.23.101.1/24
● STA_2: 10.23.102.1/24
APs' gateway:
● AP_1: 10.23.99.1/24
● AP_2: 10.23.100.1/24

IP address pool for APs AP_1: 10.23.99.2-10.23.99.254/24


AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs STA1: 10.23.101.2-10.23.101.254/24


STA2: 10.23.102.2-10.23.102.254/24

AC's source interface AC_1: VLANIF 201


AC_2: VLANIF 202
AC_3: VLANIF 203

AC_1's management IP address VLANIF 201: 10.23.201.1/24

AC_2's management IP address VLANIF 202: 10.23.202.1/24

AC_3's management IP address VLANIF 203: 10.23.203.1/24

AP group On AC_1 (primary AC):


● Name: ap-group1
● Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory domain
profile default

On AC_2 (primary AC):


● Name: ap-group2
● Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net1, and regulatory domain
profile default


On AC_3 (backup AC):


● Name: ap-group1
– Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net, and regulatory
domain profile default
● Name: ap-group2
– Referenced profiles: AP system
profile ap-system, VAP profile
wlan-net1, and regulatory
domain profile default

Regulatory domain profile ● Name: default


● Country code: China

SSID profile AC_1:


● Name: wlan-net
● SSID name: wlan-net

AC_2:
● Name: wlan-net1
● SSID name: wlan-net1

AC_3:
● Name: wlan-net
● SSID name: wlan-net
● Name: wlan-net1
● SSID name: wlan-net1

Security profile AC_1, AC_3:


● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsH_2022
AC_2, AC_3:
● Name: wlan-net1
● Security policy: WPA-WPA2+PSK+AES
● Password: YsH_2022


VAP profile AC_1:


● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile
wlan-net and security profile wlan-net

AC_2:
● Name: wlan-net1
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 102
● Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

AC_3:
● Name: wlan-net
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile
wlan-net and security profile
wlan-net
● Name: wlan-net1
– Forwarding mode: direct
forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile
wlan-net1 and security profile
wlan-net1

AP system profile On AC_1:


● Name: ap-system
– Primary AC IP address:
10.23.201.1
– Backup AC IP address:
10.23.203.1

On AC_2:
● Name: ap-system1
– Primary AC IP address:
10.23.202.1
– Backup AC IP address:
10.23.203.1


On AC_3:
● Name: ap-system
– Primary AC IP address:
10.23.201.1
– Backup AC IP address:
10.23.203.1
● Name: ap-system1
– Primary AC IP address:
10.23.202.1
– Backup AC IP address:
10.23.203.1

Configuration Roadmap
1. Configure network connectivity between ACs and other network devices.
Configure Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2, respectively,
and configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC of AP_1 and AP_2, and configure basic
WLAN services on AC_3. Ensure that service configurations on AC_3 are the
same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC.
After the configuration, restart all the APs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.

● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when they exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the routers and switches to communicate with each other.

# On Router_1, create VLAN 99, VLAN 101, and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0
connected to Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to
AC_1 to VLAN 201. Configure the IP address 10.23.99.1/24 for VLANIF 99,
10.23.101.1/24 for VLANIF 101, and 10.23.201.2/24 for VLANIF 201.
<HUAWEI> system-view
[HUAWEI] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102, and VLAN 202. VLAN 100 is used as
the management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0
connected to Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to
AC_2 to VLAN 202. Configure the IP address 10.23.100.1/24 for VLANIF 100,
10.23.102.1/24 for VLANIF 102, and 10.23.202.2/24 for VLANIF 202. The
configuration procedure is the same as that on Router_1.

# On Router_3, create VLAN 200 and VLAN 203. Add Eth2/0/0 connected to the
Internet to VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure
the IP address 10.23.200.1/24 for VLANIF 200 and 10.23.203.2/24 for VLANIF 203.
The configuration procedure is the same as that on Router_1.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to
Router_1 and GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101. Set the PVID
of the interfaces to VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to
Router_2 and GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102. Set the
PVID of the interfaces to VLAN 100. The configuration procedure is the same as
that on Switch_1.
Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.
# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.


[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs,
and configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3
to AP_1, and to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure
the DHCP server to assign IP addresses to AP_1 from the IP address pool
ap_1_pool, to AP_2 from ap_2_pool, to STA_1 from sta_1_pool, and to STA_2
from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover
AC_2 and AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC
based on the AC priority.
Configure the DNS server as required. The common methods are as follows:
● In the interface address pool scenario, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In the global address pool scenario, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
[Router_3] interface Vlanif200
[Router_3-Vlanif200] dhcp select global
[Router_3-Vlanif200] quit
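
The NOTE above requires AP_1 and AP_2 to use separate pools so that each AP learns only its own primary AC and the backup AC through Option 43. The following Python check is an added example, not part of the Huawei guide: it parses the Router_3 pool commands from this page and compares each AP pool's Option 43 list with the primary and backup AC addresses in Table 3-29. The names parse_pools, check_pools and AC_PLAN and the SHARED_LIST_SESSION variant are assumptions made for the example.

```python
import ipaddress
import re

# Router_3 address pool commands as they appear on this page.
ROUTER_3_SESSION = """\
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
"""

# Constructed misconfiguration: ap_2_pool also advertises AC_1, as a shared pool would.
SHARED_LIST_SESSION = ROUTER_3_SESSION.replace(
    "ip-address 10.23.202.1 10.23.203.1",
    "ip-address 10.23.201.1 10.23.202.1 10.23.203.1")

# (primary AC, backup AC) per AP pool, from the AP system profile rows of Table 3-29.
AC_PLAN = {
    "ap_1_pool": ("10.23.201.1", "10.23.203.1"),
    "ap_2_pool": ("10.23.202.1", "10.23.203.1"),
}

PROMPT = re.compile(r"^\[[^\]]+\]\s*(.*)$")


def parse_pools(session):
    """Return {pool name: {"network", "gateways", "acs"}} from a session transcript."""
    pools, current = {}, None
    for line in session.splitlines():
        match = PROMPT.match(line.strip())
        words = match.group(1).split() if match else []
        if not words:
            continue
        if words[:2] == ["ip", "pool"] and len(words) == 3:
            current = pools.setdefault(
                words[2], {"network": None, "gateways": [], "acs": []})
        elif words == ["quit"]:
            current = None
        elif current is None:
            continue  # command typed outside an address pool view
        elif words[0] == "network" and len(words) == 4 and words[2] == "mask":
            current["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
        elif words[0] == "gateway-list":
            current["gateways"] = [ipaddress.ip_address(w) for w in words[1:]]
        elif words[:5] == ["option", "43", "sub-option", "2", "ip-address"]:
            current["acs"] = words[5:]
    return pools


def check_pools(pools, plan):
    """Return a list of findings; an empty list means the pools match the plan."""
    findings = []
    for name, (primary, backup) in plan.items():
        acs = pools.get(name, {}).get("acs", [])
        if sorted(acs) != sorted([primary, backup]):
            findings.append(f"{name}: Option 43 lists {acs}, plan is {[primary, backup]}")
        others = {p for n, (p, _) in plan.items() if n != name}
        for ac in sorted(others & set(acs)):
            findings.append(f"{name}: advertises {ac}, another pool's primary AC")
    names = sorted(pools)
    for i, a in enumerate(names):
        net_a = pools[a]["network"]
        if net_a is None:
            findings.append(f"{a}: no network statement")
            continue
        for gw in pools[a]["gateways"]:
            if gw not in net_a:
                findings.append(f"{a}: gateway {gw} is outside {net_a}")
        for b in names[i + 1:]:
            net_b = pools[b]["network"]
            if net_b is not None and net_a.overlaps(net_b):
                findings.append(f"{a} and {b}: overlapping networks")
    return findings


if __name__ == "__main__":
    for label, text in (("page", ROUTER_3_SESSION), ("shared", SHARED_LIST_SESSION)):
        print(label, check_pools(parse_pools(text), AC_PLAN) or "OK")
```

The page's own commands pass with no findings; the constructed variant is reported twice for ap_2_pool, once for the mismatch with the plan and once for exposing AC_1 to AP_2.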

Step 3 Configure AC_1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 201.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 201 to 10.23.201.1/24.

# Click OK. An address for VLANIF 201 is configured.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set Destination IP to 10.23.99.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.201.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.

4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select
Vlanif201.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the button next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure IP addresses for primary ACs and the backup AC on AC_1.
1. # Choose Configuration > AP Config > AP Group > AP Group.
2. # In the AP group list, click ap-group1. Choose AP > AP System Profile. The
AP System Profile page is displayed.
3. # Click Create. On the page that is displayed, set Profile name to ap-system
and click OK.
4. # On the Advanced Configuration page of the AP system profile, expand
Dual-Link/N+1 Backup. Set Configuration mode to IP address-based,
Primary AC IP address to 10.23.201.1, and Backup AC IP address to
10.23.203.1.

5. # Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure AC_2.

The configuration is similar to that on AC_1. The following parameters are
different:
● Add GigabitEthernet0/0/1 to VLAN 202.
● Create VLANIF 202 and set its IP address to 10.23.202.1/24. Configure
10.23.202.2 as the next hop of the route to the 10.23.100.0/24 network
segment.
● Add APs to ap-group2.
● When configuring WLAN services, set the SSID name to wlan-net1 and
service VLAN to 102.
● Set the AP system profile name to ap-system1 and Primary AC IP address to
10.23.202.1.

Step 8 Configure AC_3.

The configuration is similar to that on AC_1. The following parameters are
different:
● Add GigabitEthernet0/0/1 to VLAN 203.
● Create VLANIF 203 and set its IP address to 10.23.203.1/24. Configure
10.23.203.2 as the next hop of the routes to the 10.23.99.0/24 and
10.23.100.0/24 network segments.
● Import APs on AC_1 and AC_2 to AC_3, and add the APs to ap-group1 and
ap-group2, respectively.
● When configuring WLAN services on AC_3, choose Configuration > Config
Wizard > Wireless Service and create SSIDs wlan-net and wlan-net1. Set
parameters on wlan-net to the same as those on AC_1 and parameters on
wlan-net1 to the same as those on AC_2.
● Create AP system profiles ap-system and ap-system1 in AP groups
ap-group1 and ap-group2, respectively. Set parameters on ap-system to the
same as those on AC_1 and parameters on ap-system1 to the same as those
on AC_2.

Step 9 Enable N+1 backup on AC_1, AC_2, and AC_3.


1. Enable N+1 backup on AC_1.

# On AC_1, choose Configuration > Reliability > Reliability. The Reliability
page is displayed.

# Set Backup mode to N+1 backup and AC dual-link switchover status to ON.

# Click Apply. In the dialog box that is displayed, click OK.


# Choose Maintenance > AP Maintenance > AP Restart > Restart All to
restart all APs, so that the N+1 backup function can take effect.
NOTE

By default, N+1 backup is enabled. You need to restart all APs on the primary AC. After the
APs are restarted, N+1 backup takes effect.
2. Enable N+1 backup on AC_2 and AC_3. The configuration is similar to that on
AC_1.
Step 10 Verify the configuration.
# The WLAN with SSIDs wlan-net and wlan-net1 is available for STAs connected
to the APs, and these STAs can connect to the WLAN and go online properly.
# Simulate a master AC fault by restarting the master AC to verify the backup
configuration. Restart AC_1. When AP_1 detects a fault on the link connected
to AC_1, AC_3 takes the active role, ensuring service stability.
NOTE

Before restarting the AC, click Save in the upper right corner of the web page to save the
configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC_1, AP_1 goes online on AC_3. On AC_3, choose
Monitoring > AP > AP Statistics Collection. It is found that the AP status
changes from fault to normal.
# After AC_1 recovers from the restart, an active/standby switchback is triggered.
AP_1 automatically goes online on AC_1.

----End

3.3.7 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
To improve data transmission reliability, the enterprise requires that data
forwarding not be affected even when the AC is faulty.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: Switch functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-33 Networking for configuring service holding upon WLAN CAPWAP link
disconnection

Data Planning

Table 3-30 AC data planning

Item Data

Management VLAN for APs VLAN 100

Service VLAN for STAs VLAN 101

DHCP server Switch functions as a DHCP server to assign IP
addresses to APs and STAs.

IP address pool for APs 10.1.1.3-10.1.1.254/24

IP address pool for STAs 10.1.2.3-10.1.2.254/24

Gateway address for APs 10.1.1.1/24


Gateway address for STAs 10.1.2.1/24

AC source interface VLANIF 100: 10.1.1.2/24

AP group ● Name: ap-group1
● Referenced profiles: AP system profile ap-system,
VAP profile wlan-net, and regulatory domain profile default

Regulatory domain profile ● Name: default


● Country code: China

SSID profile ● Name: wlan-net


● SSID name: wlan-net

Security profile ● Name: wlan-net


● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile ● Name: wlan-net


● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net
and security profile wlan-net

AP system profile ● Name: ap-system


● Service holding upon CAPWAP link
disconnection: enabled

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the
AC is faulty.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when they exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
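
The Configuration Notes in 3.3.6 and 3.3.7 ask for port isolation on AP-facing switch ports and for CAPWAP DTLS non-authentication to be disabled once the APs are online. The following Python audit is an added example, not part of the Huawei guide: it reads CLI session transcripts and reports AP-facing trunk ports without port-isolate enable and a capwap dtls no-auth enable that was never undone. It assumes that a trunk port with a PVID set is AP-facing, as in this page's switch examples; the function names, the GE0/0/3 stanza and the AC logs are constructed.

```python
import re

# Matches "[Switch-GigabitEthernet0/0/1] command" and "<HUAWEI> command".
PROMPT = re.compile(r"^\s*[\[<][^\]>]+[\]>]\s*(.*)$")

# Constructed transcript: GE0/0/1 and GE0/0/2 follow this page's Switch example;
# GE0/0/3 is a made-up second AP port on which port isolation was forgotten.
SWITCH_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
"""

# Constructed AC command logs. The prompt text is illustrative; the audit only
# looks at the commands, not at the view they were typed in.
AC_LOG_LEFT_OPEN = "[AC] capwap dtls no-auth enable\n"
AC_LOG_CLOSED = AC_LOG_LEFT_OPEN + "[AC] undo capwap dtls no-auth enable\n"


def commands(session):
    """Yield the command typed on each prompt line, lower-cased."""
    for line in session.splitlines():
        match = PROMPT.match(line)
        if match and match.group(1).strip():
            yield match.group(1).strip().lower()


def ports_missing_isolation(session):
    """Return AP-facing trunk ports (PVID set) that lack port-isolate enable."""
    ports, current = {}, None
    for cmd in commands(session):
        if cmd.startswith("interface "):
            current = cmd[len("interface "):].replace(" ", "")
            ports.setdefault(current, set())
        elif cmd == "quit":
            current = None
        elif current is not None:
            ports[current].add(cmd)
    missing = []
    for name, cmds in ports.items():
        ap_facing = any(c.startswith("port trunk pvid vlan ") for c in cmds)
        if ap_facing and "port-isolate enable" not in cmds:
            missing.append(name)
    return sorted(missing)


def dtls_no_auth_left_enabled(session):
    """Return True if the last no-auth command in the log leaves it enabled."""
    enabled = False
    for cmd in commands(session):
        if cmd == "capwap dtls no-auth enable":
            enabled = True
        elif cmd == "undo capwap dtls no-auth enable":
            enabled = False
    return enabled


def audit(switch_session, ac_log):
    """Combine both checks into a list of findings."""
    findings = [f"{port}: AP-facing trunk without port-isolate enable"
                for port in ports_missing_isolation(switch_session)]
    if dtls_no_auth_left_enabled(ac_log):
        findings.append("AC: capwap dtls no-auth enable is still in effect")
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCH_SESSION, AC_LOG_LEFT_OPEN):
        print(finding)
```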

Procedure
Step 1 Configure the network devices.

# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the
switch. Set the link type of GE0/0/1 that connects the switch to the APs to trunk
and PVID of the interface to 100, and configure the interface to allow packets of
VLAN 100 and VLAN 101 to pass. Set the link type of GE0/0/2 on the switch to
trunk, and configure the interface to allow packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure VLANIF 100 to use the interface address pool to allocate IP addresses
to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to allocate IP addresses
to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.

2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.1.1.2/24.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.

4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Create an AP system profile and configure service holding upon link disconnection.

# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose AP > AP System Profile. The AP System Profile page is displayed.

# Click Create. On the Create AP System Profile page that is displayed, enter the
profile name ap-system and click OK. The AP system profile configuration page is
displayed.

# Set Policy for service holding upon link disconnection to Holding and
prohibiting new user access.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.

The WLAN with the SSID wlan-net is available, and STAs can access the WLAN
normally. When the CAPWAP link is disconnected due to an AC fault, service data
forwarding of STAs in Area A is not affected.

----End

3.4 Roaming Configuration Examples

3.4.1 Example for Configuring Inter-VLAN Layer 3 Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
inter-VLAN roaming in the coverage area.

Networking Requirement
● AC networking mode: Layer 3 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 3-34 Networking for configuring inter-VLAN Layer 3 roaming

Data Planning

Table 3-31 AC data planning

Item                            Data

Management VLANs for APs        VLAN 10 and VLAN 100

Service VLAN for STAs           ● area_1: VLAN 101
                                ● area_2: VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP
                                addresses to APs.
                                The aggregation switch functions as a DHCP server
                                for STAs. The default gateway IP addresses of STAs
                                are 10.23.101.2/24 and 10.23.102.2/24.

IP address pool for APs         10.23.10.2-10.23.10.254/24

IP address pool for STAs        ● area_1: 10.23.101.3-10.23.101.254/24
                                ● area_2: 10.23.102.3-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net,
                                  regulatory domain profile default, 2G radio
                                  profile wlan-radio2g, and 5G radio profile
                                  wlan-radio5g

                                ● Name: ap-group2
                                ● Referenced profiles: VAP profile wlan-net2,
                                  regulatory domain profile default, 2G radio
                                  profile wlan-radio2g, and 5G radio profile
                                  wlan-radio5g

Regulatory domain profile       ● Name: default
                                ● Country code: China
                                ● Calibration channel set: calibration bandwidth
                                  and channels for 2.4 GHz and 5 GHz radios

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net

                                ● Name: wlan-net2
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLAN 102
                                ● Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net

Air scan profile                ● Name: wlan-airscan
                                ● Probe channel set: calibration channels
                                ● Air scan interval: 60000 ms
                                ● Air scan period: 60 ms

RRM profile                     ● Name: wlan-rrm
                                ● Automatic channel calibration: enabled
                                ● Automatic power calibration: enabled

2G radio profile                ● Name: wlan-radio2g
                                ● Referenced profiles: air scan profile
                                  wlan-airscan and RRM profile wlan-rrm

5G radio profile                ● Name: wlan-radio5g
                                ● Referenced profiles: air scan profile
                                  wlan-airscan and RRM profile wlan-rrm

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the management VLANs and service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when they exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.

# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10,
VLAN 101, and VLAN102, and GE0/0/3 to VLAN 10 and VLAN 102. The default
VLAN of GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and
VLAN 102, GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create
VLANIF 100 and set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102, and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the DHCP services to assign IP addresses to APs and STAs.
# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to
STAs and set the default gateways.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs. In
this example, add area_1 and area_2 to ap-group1 and ap-group2,
respectively.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP name: area_1
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to
Single VLAN, and Service VLAN ID to 101.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personal networks) and set the
key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
# Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.
# In the AP group list, click ap-group2. Click VAP Configuration. On the VAP
Profile List page, click Create. On the page that is displayed, create the VAP
profile wlan-net2 and click OK.
# In the VAP profile list, click wlan-net2. On the VAP profile configuration page,
set Service VLAN to Single VLAN and Service VLAN ID to 102, and click Apply.
In the dialog box that is displayed, click OK.

# Click in front of wlan-net2. The profiles referenced by the VAP profile are
displayed.
# Click SSID Profile. On the SSID profile configuration page that is displayed, set
SSID Profile to wlan-net and click Apply. In the dialog box that is displayed, click
OK.
# Click Security Profile. On the security profile configuration page that is
displayed, set Security Profile to wlan-net and click Apply. In the dialog box that
is displayed, click OK.
Step 6 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.

NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.
# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure WLAN services.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.
4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User
List, select the STA of which you want to view the roaming tracks and click
Roaming Track. The roaming tracks of the STA are displayed.

----End
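
The following check is an added example, not part of the Huawei guide. It replays a pasted CLI session in the style of Step 1 and flags the conditions named in the Configuration Notes: an AP-facing port without port-isolate enable, capwap dtls no-auth enable left in effect after onboarding, and, for tunnel forwarding, a service VLAN equal to the management VLAN. Assumptions: the function names are hypothetical, an AP-facing port is taken to be one whose PVID is the AP management VLAN, the [AC] prompt is assumed, and the sample sessions are constructed (GE0/0/3 deliberately omits port isolation).

```python
import re

# Leading CLI prompt, e.g. "[SwitchA-GigabitEthernet0/0/1] " or "<HUAWEI> ".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")
NO_AUTH = "capwap dtls no-auth enable"


def active_commands(session):
    """Replay a pasted CLI session for ONE device.

    Returns {interface name or None: set of commands still in effect}; None
    collects every non-interface view. "undo X" cancels an earlier "X" entered
    in the same view, as with the guide's undo capwap dtls no-auth enable.
    """
    views, current = {None: set()}, None
    for raw in session.splitlines():
        cmd = " ".join(PROMPT.sub("", raw).split()).lower()
        if not cmd or cmd.startswith("#"):      # blank line or guide comment
            continue
        if cmd.startswith("interface "):
            current = cmd[len("interface "):].replace(" ", "")
            views.setdefault(current, set())
        elif cmd in ("quit", "return"):
            current = None
        elif cmd.startswith("undo "):
            views[current].discard(cmd[len("undo "):])
        else:
            views[current].add(cmd)
    return views


def audit(session, ap_mgmt_vlan, service_vlan=None, tunnel_forwarding=False):
    """Return a list of (check, subject) findings for one device's session."""
    findings = []
    views = active_commands(session)
    for ifname, cmds in views.items():
        if ifname is None:
            continue
        # Assumption: an AP-facing port has the AP management VLAN as its PVID.
        ap_facing = f"port trunk pvid vlan {ap_mgmt_vlan}" in cmds
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if ap_facing and not isolated:
            findings.append(("port-isolation", ifname))
    # Onboarding switch left on: APs can still join without DTLS authentication.
    if any(NO_AUTH in cmds for cmds in views.values()):
        findings.append(("dtls-no-auth", NO_AUTH))
    # Tunnel forwarding requires distinct management and service VLANs.
    if tunnel_forwarding and service_vlan == ap_mgmt_vlan:
        findings.append(("vlan-separation", f"vlan {ap_mgmt_vlan}"))
    return findings


# Constructed sample: the guide's SwitchA commands with port isolation
# deliberately left off GE0/0/3.
SWITCHA_SESSION = """
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] quit
"""

# Constructed AC sessions; the [AC] prompt is an assumption.
AC_ONBOARDING = "[AC] capwap dtls no-auth enable\n"
AC_HARDENED = AC_ONBOARDING + "[AC] undo capwap dtls no-auth enable\n"

if __name__ == "__main__":
    for name, text in (("SwitchA", SWITCHA_SESSION),
                       ("AC during onboarding", AC_ONBOARDING),
                       ("AC after onboarding", AC_HARDENED)):
        print(name, audit(text, ap_mgmt_vlan=10))
```

Run it once per device, passing that device's AP management VLAN (VLAN 10 on SwitchA in this example).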

3.4.2 Example for Configuring Intra-VLAN Roaming


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirement
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-35 Networking for configuring intra-VLAN roaming

Data Planning

Table 3-32 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP
                                addresses to APs.
                                SwitchB functions as a DHCP server to assign IP
                                addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net,
                                  regulatory domain profile default, 2G radio
                                  profile wlan-radio2g, and 5G radio profile
                                  wlan-radio5g

Regulatory domain profile       ● Name: default
                                ● Country code: CN
                                ● Calibration channel set: calibration bandwidth
                                  and channels for 2.4 GHz and 5 GHz radios

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net

Air scan profile                ● Name: wlan-airscan
                                ● Probe channel set: calibration channels
                                ● Air scan interval: 60000 ms
                                ● Air scan period: 60 ms

2G radio profile                ● Name: wlan-radio2g
                                ● Referenced profile: air scan profile wlan-airscan

5G radio profile                ● Name: wlan-radio5g
                                ● Referenced profile: air scan profile wlan-airscan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN
of GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).

NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration, and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.

# Radio calibration stops one hour after the radio calibration is manually
triggered.
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is
displayed. On the Radio Calibration Configuration page, set Triggering
condition to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User
List, select the STA of which you want to view the roaming tracks and click
Roaming Track. The roaming tracks of the STA are displayed.

----End

3.4.3 Example for Configuring Inter-AC Layer 2 Roaming


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Networking Requirement
● AC networking mode: AC_1 and AC_2 in a mobility group
● DHCP deployment mode: AC_1 functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-36 Networking for configuring inter-AC Layer 2 roaming

Data Planning

Table 3-33 AC data planning

Item                            Data

DHCP server                     AC_1 functions as a DHCP server to allocate IP addresses to APs
                                and STAs.

IP address pool for APs         10.23.100.3-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   Source interface: VLANIF 100
                                ● AC_1: 10.23.100.1/24
                                ● AC_2: 10.23.100.2/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, 2G radio profile wlan-radio2g, and 5G radio
                                  profile wlan-radio5g

Regulatory domain profile       ● Name: default
                                ● Country code: CN
                                ● Calibration channel set: calibration bandwidth and channels for
                                  2.4 GHz and 5 GHz radios

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net and security profile
                                  wlan-net

Air scan profile                ● Name: wlan-airscan
                                ● Probe channel set: calibration channels
                                ● Air scan interval: 60000 ms
                                ● Air scan period: 60 ms

2G radio profile                ● Name: wlan-radio2g
                                ● Referenced profiles: air scan profile wlan-airscan

5G radio profile                ● Name: wlan-radio5g
                                ● Referenced profiles: air scan profile wlan-airscan

Mobility group                  ● Name: mobility
                                ● Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
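
The notes above, and the identical notes in the preceding example, can be checked mechanically after deployment: the following added example (not Huawei's code) audits pasted CLI sessions or saved configurations for missing port isolation on AP-facing ports, the service VLAN reaching AP-facing ports in tunnel forwarding mode, and CAPWAP DTLS non-authentication left enabled. The function names, the DRIFTED sample, and the [AC] prompt shown for the capwap command are assumptions made for illustration; PAGE_SWITCHA reuses the SwitchA commands from Step 1 of the preceding example.

```python
import re

# Strips prompts such as "[SwitchA-GigabitEthernet0/0/1] " or "<HUAWEI> ".
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")

# SwitchA commands for one AP-facing port, from Step 1 of the preceding example.
PAGE_SWITCHA = """
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""

# Constructed sample: isolation missing, service VLAN trunked to the AP port,
# and DTLS non-authentication never undone. The [AC] prompt is an assumption.
DRIFTED = """
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/1] quit
[AC] capwap dtls no-auth enable
"""

def norm_if(name):
    """'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' -> 'gigabitethernet0/0/1'."""
    return re.sub(r"\s+", "", name).lower()

def parse_config(text):
    """Return ({interface: [commands]}, no_auth) from a pasted session or saved config."""
    interfaces, current, no_auth = {}, None, False
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip().lower()
        if line.startswith("interface "):
            current = norm_if(line[len("interface "):])
            interfaces.setdefault(current, [])
        elif line in ("quit", "#", "return"):
            current = None
        elif line == "capwap dtls no-auth enable":
            no_auth = True
        elif line == "undo capwap dtls no-auth enable":
            no_auth = False  # the last state entered wins
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces, no_auth

def allowed_vlans(commands):
    """VLAN IDs permitted by 'port trunk allow-pass vlan ...' ('all' means 1-4094)."""
    vlans = set()
    for cmd in commands:
        if not cmd.startswith("port trunk allow-pass vlan "):
            continue
        tokens = cmd.split()[4:]
        if "all" in tokens:
            return set(range(1, 4095))
        i = 0
        while i < len(tokens):
            if not tokens[i].isdigit():
                i += 1
            elif tokens[i + 1:i + 2] == ["to"] and i + 2 < len(tokens) and tokens[i + 2].isdigit():
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans

def audit(text, ap_ports, mgmt_vlan, service_vlan, forwarding):
    """Return findings for the AP-facing ports in `text`; forwarding is 'direct' or 'tunnel'."""
    interfaces, no_auth = parse_config(text)
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("management VLAN and service VLAN are the same in tunnel forwarding mode")
    for port in ap_ports:
        cmds = interfaces.get(norm_if(port))
        if cmds is None:
            findings.append(f"{port}: not present in the supplied configuration")
            continue
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if forwarding == "direct" and not isolated:
            findings.append(f"{port}: port isolation is not enabled (direct forwarding)")
        if forwarding == "tunnel" and service_vlan in allowed_vlans(cmds):
            findings.append(f"{port}: service VLAN {service_vlan} is allowed on the AP-facing port")
    if no_auth:
        findings.append("capwap dtls no-auth enable is still set; undo it once APs are online")
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_SWITCHA), ("drifted", DRIFTED)):
        for mode in ("tunnel", "direct"):
            print(name, mode, audit(text, ["GigabitEthernet0/0/1"], 100, 101, mode) or "no findings")
```

Pass the list of AP-facing interfaces explicitly; the script does not try to infer them from the configuration.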

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for AC_1.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to
the AP to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLANs 100 and 101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100. Exclude the IP address 10.23.100.2 from being
automatically allocated.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure
the interface address pool on VLANIF 101 in the same way. Exclude the IP
address 10.23.101.2 from being automatically allocated.

NOTE

Configure the DNS server address as required.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.

5. Confirm the configuration.


# Confirm the configuration and click Continue With AP Online.
Step 3 Configure system parameters for AC_2.
Configure AC_2 according to the configuration of AC_1. The following lists
configuration differences between AC_1 and AC_2.
● Set the IP addresses of VLANIF 100 and VLANIF 101 to 10.23.100.2/24 and
10.23.101.2/24 respectively.
● Do not configure the DHCP address pool.
Step 4 Configure an AP to go online on AC_1.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure an AP to go online on AC_2.


Configure the AP to go online on AC_2 according to the configuration of AC_1.
The following lists configuration differences between AC_1 and AC_2:
● Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078)
on AC_2, set the AP name to area_2, and add the AP to the AP group ap-
group1.
Step 6 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 7 Configure WLAN services on AC_2.
The configuration for WLAN services on AC_2 is similar to that on AC_1.
Step 8 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration, and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.

# Click next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning. The Radio Planning page is displayed.
# Click Immediate Calibration. In the dialog box that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.

# Radio calibration stops one hour after the radio calibration is manually
triggered.
# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is
displayed. On the Radio Calibration Configuration page, set Triggering
condition to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 9 Configure WLAN roaming on AC_1.
1. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The
Inter-AC Roaming page is displayed.

2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.
# Click Create. The Create Mobility Group page is displayed.
# Set Mobility group name to mobility, and add AC_1 and AC_2 to the
mobility group.

# Click OK. The Inter-AC Roaming page is displayed.
3. Click Apply. In the dialog box that is displayed, click OK.
Step 10 Configure WLAN roaming on AC_2.
The configuration is similar to that of AC_1 and is not mentioned here.
Step 11 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID, set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User
List, select the STA of which you want to view the roaming tracks and click
Roaming Track. The roaming tracks of the STA are displayed.

----End

3.4.4 Example for Configuring Inter-AC Layer 3 Roaming


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. To differentiate department management,
employees are assigned different subnets by department. Furthermore, users'
services are not affected during roaming in the coverage area.

Networking Requirements
● AC networking mode: AC_1 and AC_2 in a mobility group
● DHCP deployment mode:
– AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
– AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
● Service data forwarding mode: direct forwarding

Figure 3-37 Networking for configuring inter-AC Layer 3 roaming

Data Planning

Table 3-34 AC data planning

Item                             Data

DHCP server                      AC_1 functions as a DHCP server to assign IP addresses to STAs
                                 and APs connected to it.
                                 AC_2 functions as a DHCP server to assign IP addresses to STAs
                                 and APs connected to it.

IP address pool for APs          10.23.100.2-10.23.100.254/24
                                 10.23.200.2-10.23.200.254/24

IP address pool for STAs         10.23.101.2-10.23.101.254/24
                                 10.23.102.2-10.23.102.254/24


AC_1's source interface address  VLANIF 100: 10.23.100.1/24

AC_2's source interface address  VLANIF 200: 10.23.200.1/24

AP group                         AC_1:
                                 ● Name: ap-group1
                                 ● Referenced profiles: VAP profile wlan-net and regulatory
                                   domain profile default
                                 AC_2:
                                 ● Name: ap-group2
                                 ● Referenced profiles: VAP profile wlan-net and regulatory
                                   domain profile default

Regulatory domain profile        ● Name: default
                                 ● Country code: China
                                 ● Calibration channel set: calibration bandwidth and channels for
                                   2.4 GHz and 5 GHz radios

SSID profile                     ● Name: wlan-net
                                 ● SSID name: wlan-net

Security profile                 ● Name: wlan-net
                                 ● Security policy: WPA-WPA2+PSK+AES
                                 ● Password: YsHsjx_202206

VAP profile                      AC_1:
                                 ● Name: wlan-net
                                 ● Forwarding mode: direct forwarding
                                 ● Service VLAN: VLAN 101
                                 ● Referenced profiles: SSID profile wlan-net and security profile
                                   wlan-net
                                 AC_2:
                                 ● Name: wlan-net
                                 ● Forwarding mode: direct forwarding
                                 ● Service VLAN: VLAN 102
                                 ● Referenced profiles: SSID profile wlan-net and security profile
                                   wlan-net


Air scan profile                 ● Name: wlan-airscan
                                 ● Probe channel set: calibration channels
                                 ● Air scan interval: 60000 ms
                                 ● Air scan period: 60 ms

RRM profile                      ● Name: wlan-rrm
                                 ● Automatic channel calibration: enabled
                                 ● Automatic power calibration: enabled

2G radio profile                 ● Name: wlan-radio2g
                                 ● Referenced profiles: air scan profile wlan-airscan and RRM
                                   profile wlan-rrm

5G radio profile                 ● Name: wlan-radio5g
                                 ● Referenced profiles: air scan profile wlan-airscan and RRM
                                   profile wlan-rrm

Mobility group                   ● Name: mobility
                                 ● Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
6. Configure WLAN roaming on AC_1 and AC_2 to implement inter-AC roaming.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.

– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when they exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
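
The port isolation and CAPWAP DTLS notes above can be checked against a recorded CLI session. The following Python code is an added example, not part of the Huawei guide: it reads prompt-style session lines, flags AP-facing trunk ports that lack port-isolate enable, and lists ACs on which capwap dtls no-auth enable was never followed by the undo command. Assumptions: the sample session is constructed, the function names are hypothetical, AP-facing ports are taken to be those whose PVID is a management VLAN, and the capwap commands are shown in the system view.

```python
import re

# Prompt line as printed in this guide's CLI sessions:
#   [Device] command      or      [Device-GigabitEthernet0/0/1] command
PROMPT = re.compile(
    r"^\[(?P<dev>.+?)(?:-(?P<port>GigabitEthernet[^\]\s]+))?\]\s+(?P<cmd>.+)$"
)
PVID = re.compile(r"^port trunk pvid vlan (\d+)$")

# Constructed sample session (not captured from real devices).
SAMPLE_SESSION = """\
<HUAWEI> system-view
[Switch_1] vlan batch 100 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[AC_1] capwap dtls no-auth enable
[AC_2] capwap dtls no-auth enable
[AC_2] undo capwap dtls no-auth enable
"""


def parse_session(text):
    """Yield (device, port or None, normalized command) per configuration line."""
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if m:  # user-view lines such as "<HUAWEI> system-view" are skipped
            yield m["dev"], m["port"], " ".join(m["cmd"].split()).lower()


def audit(text, mgmt_vlans):
    """Replay the session in order and report the final state of both settings."""
    ports = {}    # (device, port) -> {"pvid": int or None, "isolated": bool}
    no_auth = {}  # device -> True while DTLS non-authentication is enabled
    for dev, port, cmd in parse_session(text):
        if port is not None:
            state = ports.setdefault((dev, port), {"pvid": None, "isolated": False})
            pvid = PVID.match(cmd)
            if pvid:
                state["pvid"] = int(pvid.group(1))
            elif cmd == "port-isolate enable":
                state["isolated"] = True
            elif cmd == "undo port-isolate enable":
                state["isolated"] = False
        elif cmd == "capwap dtls no-auth enable":
            no_auth[dev] = True
        elif cmd == "undo capwap dtls no-auth enable":
            no_auth[dev] = False
    return {
        # Assumption: a trunk port whose PVID is a management VLAN faces an AP.
        "unisolated_ap_ports": sorted(
            f"{dev} {port}" for (dev, port), s in ports.items()
            if s["pvid"] in mgmt_vlans and not s["isolated"]
        ),
        "dtls_no_auth_left_on": sorted(d for d, on in no_auth.items() if on),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_SESSION, {100, 200}).items():
        print(finding, items)
```

Pass the management VLAN IDs of the deployment as the second argument; 100 and 200 are the management VLANs used in this example.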

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default
VLAN of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit

# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit

Step 2 Configure system parameters for AC_1.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLAN 100 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure
the interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.200.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure system parameters for AC_2.
Configure AC_2 according to the configuration of AC_1. The following lists
configuration differences between AC_1 and AC_2.
● Create VLAN 200 and VLAN 102 on AC_2 and add GigabitEthernet0/0/1 to the
two VLANs in tagged mode.
● Add GigabitEthernet0/0/2 to VLAN 200 in tagged mode.
● Set the IP addresses of VLANIF 200 and VLANIF 102 to 10.23.200.1/24 and
10.23.102.1/24 respectively.
● Configure an IP address pool on VLANIF 200 and VLANIF 102.
● Configure the route between AC_2 and AC_1 on AC_2 with the destination
address 10.23.100.0/24 and next-hop address 10.23.200.2.

Step 4 Configure an AP to go online on AC_1.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure an AP to go online on AC_2.
Configure the AP to go online on AC_2 according to the configuration of AC_1.
The following lists configuration differences between AC_1 and AC_2:
● Add an AP (MAC address dcd2-fc04-b500 and SN 210235554710CB000078)
on AC_2, set the AP name to area_2, and add the AP to the AP group ap-
group2.
Step 6 Configure WLAN services on AC_1.
# Click Create. The Basic Information page is displayed.

# Set SSID Name to wlan-net, Forwarding mode to Direct, Service VLAN to
Single VLAN, and Service VLAN ID to 101.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the
key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 7 Configure WLAN services on AC_2.
Configure WLAN services on AC_2 according to the configuration of AC_1. The
following lists the configuration difference between AC_1 and AC_2:
● In the VAP profile wlan-net, set the service VLAN to VLAN 102.
Step 8 Enable radio calibration to allow APs to automatically select the optimal channels
and power.
1. Enable automatic channel and power calibration functions of radios.
NOTE

Radio 0 is used as an example. The configuration for other radios is similar and will not be
mentioned here.

# Choose Configuration > AP Config > AP Group > AP Group.


# Click the AP group name ap-group1 in the AP group list. Choose Radio
Management > Radio 0. The Radio 0 Settings(2.4G) page is displayed.
# On the Radio 0 Settings(2.4G) configuration page, enable automatic
channel and power calibration.

NOTE

By default, the global automatic channel and power calibration functions are enabled.
Therefore, select Follow. If the global automatic channel and power calibration functions
are disabled, choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration, and set Calibration to ON.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Radio 0 > 2G Radio Profile. The 2G Radio Profile page is
displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Create an air scan profile and configure the probe channel set, scan interval,
and scan duration.

# Click the icon next to 2G Radio Profile. Select Air Scan Profile. The Air Scan
Profile page is displayed. Click Create. On the Create Air Scan Profile page
that is displayed, enter the profile name wlan-airscan and click OK. The air
scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and
scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.

# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning. The Radio Planning page is displayed.

# Click Immediate Calibration. In the dialog box that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of
the radio. In this example, three APs have gone online on the AC, and the list
shows that AP channels have been automatically assigned through the radio
calibration function.

# Radio calibration stops one hour after the radio calibration is manually
triggered.

# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Calibration Configuration. The Radio Calibration Configuration page is
displayed. On the Radio Calibration Configuration page, set Triggering
condition to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Configure WLAN roaming on AC_1.


1. Choose Configuration > AC Config > Basic Config > Inter-AC Roaming. The
Inter-AC Roaming page is displayed.

2. Create a mobility group, and add AC_1 and AC_2 to the mobility group.

# Click Create. The Create Mobility Group page is displayed.

# Set Mobility group name to mobility, and add AC_1 and AC_2 to the
mobility group.

# Click OK. The Inter-AC Roaming page is displayed.
3. Click Apply. In the dialog box that is displayed, click OK.
Step 10 Configure WLAN roaming on AC_2.
The configuration is similar to that of AC_1 and is not mentioned here.
Step 11 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID, set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

5. When a STA roams from area_1 to area_2, choose Monitoring > User. In User
List, select the STA of which you want to view the roaming tracks and click
Roaming Track. The roaming tracks of the STA are displayed.

----End

3.4.5 Example for Configuring Agile Distributed SFN Roaming


Service Requirements
A hospital wants to deploy an agile distributed WLAN to provide WLAN access to
doctors and nurses, meeting their basic office requirements. The administrator
requires that roaming within the coverage area not be perceived by STAs and
not interrupt services.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to the central
AP and RUs.
– SwitchA functions as a DHCP server to assign IP addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 3-38 Networking for configuring agile distributed SFN roaming

Data Planning

Table 3-35 AC data planning


Item                             Data

DHCP server                      ● The AC functions as a DHCP server to assign IP addresses to the
                                   central AP and RUs.
                                 ● SwitchA functions as a DHCP server to assign IP addresses to
                                   STAs.

IP address pool for the central  10.23.100.2-10.23.100.254/24
AP and RUs

IP address pool for STAs         10.23.101.3-10.23.101.254/24


AC's source interface address    VLANIF 100: 10.23.100.1/24

AP group                         ● Name: ap-group1
                                 ● Referenced profiles: VAP profile wlan-net and regulatory
                                   domain profile default

Regulatory domain profile        ● Name: default
                                 ● Country: China

SSID profile                     ● Name: wlan-net
                                 ● SSID name: wlan-net

Security profile                 ● Name: wlan-net
                                 ● Security policy: WPA-WPA2+PSK+AES
                                 ● Password: YsHsjx_202206

VAP profile                      ● Name: wlan-net
                                 ● Forwarding mode: direct forwarding
                                 ● Service VLAN: VLAN 101
                                 ● Referenced profiles: SSID profile wlan-net and security profile
                                   wlan-net

Working channel of RUs           ● ru_1: channel 6
                                 ● ru_2: channel 6

Agile distributed SFN roaming    Enabled

Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at
Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central AP and RUs to go online on the
AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure agile distributed SFN roaming.
6. Deliver the WLAN services to the central AP and RUs and verify the
configuration.

Configuration Notes
● Network planning precautions:
– Agile distributed SFN roaming is supported only by the AD9430DN-12
(including matching RUs) and AD9430DN-24 (including matching RUs).
RUs support agile distributed SFN roaming in the following combination
modes:

▪ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the
R230D and R240D supports agile distributed SFN roaming; the 5 GHz
radio does not support it.)

▪ Among the R250D, R250D-E, R251D, R251D-E and R450D


– For the central AP, after agile distributed SFN roaming is enabled, the
total number of agile distributed SFN roaming STAs on a single frequency
band (2.4 GHz or 5 GHz) of all RUs does not exceed 128, and that of
STAs associated with other VAPs on the same band does not exceed 128.
– After agile distributed SFN roaming is enabled, configure all RUs to work
on the same channel. When agile distributed SFN roaming is enabled on
the 5 GHz frequency band, configure non-radar channels.
– RUs involved in roaming must be associated with the same central AP.
Agile distributed SFN roaming between central APs is not supported.
– Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed
SFN roaming is not performed on Layer 3.
● Configuration precautions:
– When agile distributed SFN roaming is enabled for both the 2.4 GHz and
5 GHz radios, it is recommended that different SSIDs be used. Otherwise,
the radio switchover may occur, affecting user experience.
– Agile distributed SFN roaming can be enabled only on one VAP of a
radio. If multiple VAPs are configured on a radio, it is recommended that
the total VAP rate limit on all VAPs with agile distributed SFN roaming
disabled be set to 5 Mbit/s.
NOTE

If agile distributed SFN roaming is enabled on a VAP of a radio in an AP group,
the roaming tracks of all the STAs that are connected to the central AP and
associated with the radio may carry the s flag.
– Radios enabled with agile distributed SFN roaming do not support
channel scanning, channel calibration, or smart roaming.
– Agile distributed SFN roaming can be configured based only on AP
groups but not based on APs.
– RUs involved in agile distributed SFN roaming need to have the following
items configured the same:

▪ SSID

▪ VAP profile and VAP ID

▪ Security policy. Agile distributed SFN roaming supports these
encryption modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X
(EAP authentication), WPA2+802.1X (EAP authentication),
WPA-WPA2+802.1X (EAP authentication), and Portal+PSK.

Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to
VLAN 100, and add GE0/0/3 and GE0/0/4 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/4] quit

# Configure an IP address for GE1/0/0 on Router.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.2 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchA, configure VLANIF 101 to assign IP addresses to STAs, and configure
a default route with the next hop of the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure a central AP and RUs to go online.


1. Configure a central AP and RUs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1, and Valid radio to 0.
# Click Finish.
Step 6 Configure the RU channel and power.
NOTE

The automatic channel and power calibration function is enabled for radios by default. When
this function is enabled, the manual calibration configuration does not take effect. The settings
of the RU channel and power in this example are for reference only. You need to configure the
RU channel and power based on the actual country code and network planning.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click AP ID 1. The AP customized settings page for ru_1 is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management
are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable the
automatic channel and power calibration functions, and set the channel to 20-MHz
channel 6 and transmit power to 127 dBm.


# Click Apply. In the dialog box that is displayed, click OK.


# Disable the automatic channel and power calibration functions for ru_2, and set
the channel to 20-MHz channel 6 and transmit power to 127 dBm. The
configurations are the same as those for ru_2 and are not described here.
Step 7 Enable agile distributed SFN roaming.
# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
# Click the AP group ap-group1. The AP group configuration page is displayed.

# Click the icon in front of VAP Configuration and click wlan-net. The VAP profile
configuration page is displayed.
# On the Advanced Configuration page, set SFN to ON. In the dialog box that is
displayed, click OK.

# Click Apply. In the dialog box that is displayed, click OK.


Step 8 Configure parameters related to agile distributed SFN roaming.
# Retain the default settings for roaming decision parameters, as shown in the
following figure.

# Set radio parameters related to roaming based on the network planning result.
The configuration is not mentioned here. The following figure shows the default
settings.


Step 9 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

5. When a STA roams from ru_1 to ru_2, choose Monitoring > User. In User
List, select the STA of which you want to view the roaming tracks and click
Roaming Track. The roaming tracks of the STA are displayed.

----End

3.5 Mesh Configuration Examples

3.5.1 Example for Configuring Common Mesh Services


Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to
expand wireless coverage and reduce wired deployment costs.

Networking Requirements
● AC networking mode: Layer 2 networking in off-path mode
● Wireless backhaul mode: Mesh portal-node
● Backhaul radio: 5 GHz radio


Figure 3-39 Networking for configuring mesh services

Data Planning

Table 3-36 AP data planning


AP        MAC Address
area_1    00e0-fc76-e360
area_2    00e0-fc04-b500
area_3    00e0-fc74-9640

Table 3-37 AC data planning


Item                           Data
Management VLAN for APs        VLAN 100
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
AC's source interface          VLANIF 100: 10.23.100.1/24
Mesh role                      ● area_1: Mesh-portal (MPP)
                               ● area_2: Mesh-node (MP)
                               ● area_3: Mesh-node (MP)
Mesh ID                        Name: mesh-net
Radio used by Mesh services    Radio 1:
                               ● Bandwidth: 40 MHz-plus
                               ● Channel: 157
                               ● WDS/Mesh bridge distance: 20 (unit: 100 m)
Security profile               ● Security policy: WPA2+PSK+AES
                               ● Password type: PASS-PHRASE
                               ● Password: a1234567
AP group                       Name: ap-group1

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in area A to go
online on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in area B and area C to go
online on the AC through Mesh links.
3. Configure the wireless coverage service so that wireless STAs in area C can
access the Wi-Fi network through an SSID.
4. Configure wired services so that wired STAs in area C can access the network
in wired mode.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100, and set the PVID of
GE0/0/1 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on the aggregation switch Switch_A to VLAN 100 and
VLANs 100, 101, and 102, respectively.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 102
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Add APs and configure the Mesh roles for them.
1. Choose Configuration > Config Wizard > Mesh.


2. Create the AP group ap-group1 for the APs.


# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group1 and click OK.
3. Add APs to the AP group ap-group1.
# In AP Group List, select the AP group ap-group1.
# On the AP Config tab page, click Add. The Add AP page is displayed.
# Set the Mode to Manually add and manually add the APs.

# Click OK. The APs are added.


# Select an AP, click Modify Mesh Role, and change the Mesh role of the AP
to Mesh-Portal.

# Click OK. The Mesh role of the AP is changed.


Step 4 Configure the Mesh service.
# Click the Service Settings tab and configure Mesh parameters.
● Set the Mesh ID to mesh-net.
● Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1
to 40+MHz, channel to 157, and WDS/Mesh bridge distance to 20.
● In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.


● Click Add in the Mesh whitelist area to add MAC addresses of Mesh nodes.

# Click Apply. In the dialog box that is displayed, click OK.


Step 5 Verify the configuration.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-
group1 to check whether the AP status is normal. If so, the APs have gone
online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh
link information. After the Mesh links are successfully established, you can
view detailed information about the Mesh links on the page. In V200R022C00
and later versions, the Mesh topology is displayed on this page.


----End
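
The following example is added here and is not part of the original guide. It audits the Switch_B session from Step 1 against the port isolation recommendation in Configuration Notes and against the planned VLAN list. It assumes that an interface whose PVID is the management VLAN is an AP-facing port; the function names, finding codes, and the drifted session are constructed for illustration.

```python
import re

# Switch_B session copied from Step 1 of this example.
SWITCH_B_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
"""

# Constructed negative case: port isolation removed from the AP-facing port and
# the uplink trunk widened to VLANs that were never planned or created.
DRIFTED_SESSION = (
    SWITCH_B_SESSION
    .replace("[Switch_B-GigabitEthernet0/0/1] port-isolate enable\n", "")
    .replace("0/0/2] port trunk allow-pass vlan 100",
             "0/0/2] port trunk allow-pass vlan 100 to 102")
)

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*(.*)$")
ALL_VLANS = set(range(1, 4095))


def expand_vlans(tokens):
    """Expand VLAN arguments such as ['100', 'to', '102'] into {100, 101, 102}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(ALL_VLANS)
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_session(text):
    """Return (created_vlans, {interface: settings}) from a CLI session."""
    created, ifaces, current = set(), {}, None
    for raw in text.splitlines():
        match = PROMPT.match(raw)
        words = (match.group(1) if match else raw).lower().split()
        if not words:
            continue
        if words[:2] == ["vlan", "batch"]:
            created |= expand_vlans(words[2:])
        elif words[0] == "interface":
            current = "".join(words[1:])  # e.g. "gigabitethernet0/0/1"
            ifaces[current] = {"link_type": None, "pvid": None,
                               "allowed": set(), "isolated": False}
        elif words[0] == "quit":
            current = None
        elif current is not None:
            cfg = ifaces[current]
            if words[:2] == ["port", "link-type"]:
                cfg["link_type"] = words[-1]
            elif words[:4] == ["port", "trunk", "pvid", "vlan"]:
                cfg["pvid"] = int(words[4])
            elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
                cfg["allowed"] |= expand_vlans(words[4:])
            elif words == ["port-isolate", "enable"]:
                cfg["isolated"] = True
    return created, ifaces


def audit(text, mgmt_vlan, planned_vlans):
    """Return a list of (interface, finding_code) tuples; empty means no findings."""
    created, ifaces = parse_session(text)
    findings = []
    for name, cfg in ifaces.items():
        # Assumption: PVID equal to the management VLAN marks an AP-facing port.
        if cfg["pvid"] == mgmt_vlan and not cfg["isolated"]:
            findings.append((name, "no-port-isolate"))
        if cfg["allowed"] - set(planned_vlans):
            findings.append((name, "unplanned-vlans"))
        if cfg["allowed"] - created:
            findings.append((name, "vlan-not-created"))
        if cfg["link_type"] == "trunk" and mgmt_vlan not in cfg["allowed"]:
            findings.append((name, "mgmt-vlan-blocked"))
    return findings


if __name__ == "__main__":
    print(audit(SWITCH_B_SESSION, 100, {100}))
    print(audit(DRIFTED_SESSION, 100, {100}))
```
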

3.5.2 Example for Configuring Multi-hop Mesh Services

Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to
expand wireless coverage and reduce wired deployment costs.

Networking Requirements
● AC networking mode: Layer 2 networking in off-path mode
● Wireless backhaul mode: Mesh portal-node
● Backhaul radio: 5 GHz radio

Figure 3-40 Mesh networking diagram

Data Planning

Table 3-38 AP data planning

AP        MAC
area_1    00e0-fc76-e360
area_2    00e0-fc04-b500
area_3    00e0-fc74-9640
area_4    00e0-fc04-c600

Table 3-39 AC data planning


Item                            Data
Management VLANs for APs        VLAN 100
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs         10.23.100.2–10.23.100.254/24
AC's source interface           VLANIF 100: 10.23.100.1/24
Mesh roles                      ● area_1: Mesh-portal (MPP)
                                ● area_2 to area_4: Mesh-node (MP)
Mesh ID                         Name: mesh-net
Radios used by Mesh services    Radio 0
                                ● Switched to the 5 GHz radio
                                ● Bandwidth: 80 MHz
                                ● Channel: 35
                                ● Radio coverage distance parameter: 20 (unit: 100 m)
                                Radio 1
                                ● Bandwidth: 80 MHz
                                ● Channel: 149
                                ● Radio coverage distance parameter: 20 (unit: 100 m)
Security profile                ● Security policy: WPA2+PSK+AES
                                ● Password type: PASS-PHRASE
                                ● Password: YsH_2022
AP group                        Name: ap-group1


Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in area A to go
online on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in other areas to go online on
the AC through Mesh links.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100, and set the PVID of
GE0/0/1 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on the aggregation switch Switch_A to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Add APs and configure the Mesh roles for them.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group1.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Set the AP group name to ap-group1 and click OK.


3. Add APs to the AP group ap-group1.

# In AP Group List, select the AP group ap-group1.

# On the AP Config tab page, click Add. The Add AP page is displayed.


# Set Mode to Manually add and manually add APs. If there are a large
number of APs, you can add APs in batches.

# Click OK. The APs are added.


# Select the AP area_1 and click Modify Mesh Role. In the dialog box that is
displayed, set Role in mesh networking to Mesh-portal.

# Click OK. The Mesh role of the AP is changed.


Step 4 Switch AP radio 0 to the 5 GHz frequency band.
1. Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
2. Click the AP group ap-group1. The AP group configuration page is displayed.
3. In the navigation tree on the left, choose Radio Management > Radio 0. The
page for configuring radio 0 is displayed.
4. Enable Switch to 5G to switch radio 0 to the 5 GHz frequency band.


5. Click Apply.
Step 5 Configure the Mesh service.
1. Choose Configuration > Config Wizard > Mesh.
2. Click the Service Settings tab and configure Mesh parameters.
– Select Radio 0 and Radio 1 as the radios used by Mesh links.
– Set Mesh ID to mesh-net.
– For radio 0, set Bandwidth to 80 MHz, Channel to 36, and WDS/Mesh
bridge distance to 20.
– For radio 1, set Bandwidth to 80 MHz, Channel to 149, and WDS/Mesh
bridge distance to 20.
– In Security Settings, set Key type to Pass-phrase and set Key to
YsH_2022.


– In the Mesh Whitelist area of radio 0 and radio 1, click Add and add
MAC addresses of Mesh nodes.

3. After configuring Mesh parameters, click Apply. In the dialog box that is
displayed, click OK.

Step 6 Verify the configuration.


1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-
group1 and check whether the AP status is normal. If so, the AP has gone
online on the AC through a Mesh link.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to view Mesh
link information. Detailed information about the Mesh links that are
successfully established is displayed on this page. In V200R022C00 and later
versions, the Mesh topology is displayed on this page.

----End
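
The following example is added here and is not part of the original guide. It compares a Mesh whitelist, as entered in the Mesh Whitelist area in Step 5, against the AP data planning in Table 3-38, and checks the pass-phrase against the WPA2-PSK format rule. It assumes that the whitelist should contain every planned Mesh node (MP) and nothing outside the plan; the deployed whitelist below, the function names, and the finding codes are constructed for illustration.

```python
import re

# AP data planning from Table 3-38 and Mesh roles from Table 3-39.
PLAN = {
    "area_1": ("00e0-fc76-e360", "mesh-portal"),
    "area_2": ("00e0-fc04-b500", "mesh-node"),
    "area_3": ("00e0-fc74-9640", "mesh-node"),
    "area_4": ("00e0-fc04-c600", "mesh-node"),
}

# Constructed whitelist with typical drift: mixed notations, a duplicate,
# an address that is not in the plan, a group address, and area_4 missing.
DEPLOYED_WHITELIST = [
    "00:E0:FC:04:B5:00",
    "00e0-fc74-9640",
    "00e0-fc74-9640",
    "00e0-fc99-0001",
    "01e0-fc04-c600",
]


def normalize_mac(text):
    """Return 12 lowercase hex digits for xxxx-xxxx-xxxx, colon, or dotted notation."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def is_group_address(mac):
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x01)


def check_whitelist(plan, whitelist):
    """Return (finding_code, value) tuples; an empty list means plan and whitelist agree."""
    planned = {normalize_mac(mac): (name, role) for name, (mac, role) in plan.items()}
    findings, seen = [], set()
    for entry in whitelist:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            findings.append(("malformed", entry))
            continue
        if mac in seen:
            findings.append(("duplicate", entry))
        seen.add(mac)
        if is_group_address(mac):
            # A multicast or broadcast address cannot identify a single AP.
            findings.append(("group-address", entry))
        elif mac not in planned:
            findings.append(("unplanned", entry))
    for mac, (name, role) in planned.items():
        if role == "mesh-node" and mac not in seen:
            findings.append(("missing-mp", name))
    return findings


def check_passphrase(passphrase):
    """WPA2-PSK pass-phrase format: 8 to 63 printable ASCII characters."""
    printable = all(32 <= ord(ch) <= 126 for ch in passphrase)
    return printable and 8 <= len(passphrase) <= 63


if __name__ == "__main__":
    for finding in check_whitelist(PLAN, DEPLOYED_WHITELIST):
        print(finding)
    print(check_passphrase("YsH_2022"))
```
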

3.5.3 Example for Configuring Dual-MPP Mesh Services


Service Requirements
If an enterprise needs to provide wireless network access services for different
areas, multiple Mesh Portal Points (MPPs) can be configured to work on different
channels. This can reduce MP contention for wireless channels, thus improving
coverage performance.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● Wireless backhaul node: dual Mesh portal-nodes
● Backhaul radio: 5 GHz radio


Figure 3-41 Networking for configuring dual-MPP Mesh services

Data Planning

Table 3-40 AP data planning

AP Name    MAC Address
AP_1       60de-4474-9640
AP_2       dcd2-fc04-b500
AP_3       dcd2-fc96-e4c0
AP_4       1047-80ac-cc60

Table 3-41 AC data planning

Item                           Data
Management VLAN for APs        VLAN 100
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
AC's source interface          VLANIF 100: 10.23.100.1/24
Mesh role                      ● AP_1: Mesh-portal (MPP)
                               ● AP_2: Mesh-portal (MPP)
                               ● AP_3: Mesh-node (MP)
                               ● AP_4: Mesh-node (MP)
Mesh ID                        Name: mesh-net
Regulatory domain profile      ● Name: default
                               ● Country code: CN
Radio used by Mesh services    Radio 1:
                               ● Bandwidth: 40 MHz-plus
                               ● Channel: 157
                               ● WDS/Mesh bridge distance: 20 (unit: 100 m)
Security profile               ● Security policy: WPA2+PSK+AES
                               ● Password type: PASS-PHRASE
                               ● Password: a1234567
AP group                       Name: ap-group1

Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online
on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC
through Mesh links.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.

● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● During the configuration of a Mesh network with multiple MPPs, to enable
MPs to set up wireless links with multiple MPPs simultaneously, configure the
MPPs to work on the same channel.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on the aggregation switch Switch_A to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on the access switch Switch_B to VLAN 100,
and set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.


# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Add APs and configure the Mesh roles for them.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group1 for the APs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group1 and click OK.
3. Add APs to the AP group ap-group1.
# In AP Group List, select the AP group ap-group1.
# On the AP Config tab page, click Add. The Add AP page is displayed.
# Set the Mode to Manually add and manually add the APs.


# Click OK. The APs are added.


# Select an AP, click Modify Mesh Role, and change the Mesh role of the AP
to Mesh-Portal.

# Click OK. The Mesh role of the AP is changed.


Step 4 Configure the Mesh service.
# Click the Service Settings tab and configure Mesh parameters.
● Set the Mesh ID to mesh-net.
● Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1
to 40+MHz, channel to 157, and WDS/Mesh bridge distance to 20.
● In Security Settings, set the key type to PASS-PHRASE, and enter the key
a1234567.


● Click Add in the Mesh whitelist area to add MAC addresses of Mesh nodes.

# Click Apply. In the dialog box that is displayed, click OK.


Step 5 Verify the configuration.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select
ap-group1 to check whether the status of APs in the AP list is normal. If the AP
status is normal, the APs have gone online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information and check
information about Mesh links. After the Mesh links are successfully
established, you can view details about the Mesh links on the following page.
In V200R022C00 and later versions, the Mesh topology is displayed on this
page.

----End

3.5.4 Example for Configuring Vehicle-Ground Fast Link Handover

Service Requirements
To reduce network deployment costs and better serve passengers, a rail
transportation enterprise wants to use WLAN technology to implement
vehicle-ground communications and expects that multicast servers on the ground
network can deliver multimedia information services to passengers.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
● Backhaul radio: 5 GHz radio

Figure 3-42 Networking for configuring vehicle-ground fast link handover


Data Planning

Table 3-42 AP information


AP                                  MAC
Trackside AP (L1_001)               0046-4b59-1d10
Trackside AP (L1_003)               0046-4b59-1d20
Trackside AP (L1_010)               0046-4b59-1d30
Trackside AP (L1_150)               0046-4b59-1d40
Trackside AP (L1_160)               0046-4b59-1d50
Trackside AP (L1_170)               0046-4b59-1d60
Depot AP (L1_180)                   0046-4b59-1d70
Depot AP (L1_190)                   0046-4b59-1d80
...
Vehicle-mounted AP (in the front)   0046-4b59-2e10
Vehicle-mounted AP (in the rear)    0046-4b59-2e20
...

Table 3-43 Data planning


Item                                              Data
Management VLAN                                   VLAN 100
Multicast service VLAN                            VLAN 101
Service VLAN for STAs                             VLAN 200
DHCP server                                       ● Configure the AC as a DHCP server to assign IP addresses to trackside APs.
                                                  ● Configure Switch_A as a DHCP server to assign IP addresses to
                                                    vehicle-mounted terminals.
AC's source interface address                     VLANIF 100: 10.23.100.1/24
Gateway address                                   IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs                 10.23.100.2 to 10.23.100.254/24
IP address pool for vehicle-mounted terminals     10.23.224.4 to 10.23.224.254/24
AP group for trackside APs                        Name: mesh-mpp
IDs of trackside APs                              ● Trackside AP (L1_001): 1
                                                  ● Trackside AP (L1_003): 2
                                                  ● Trackside AP (L1_010): 3
                                                  ● Trackside AP (L1_150): 101
                                                  ● Trackside AP (L1_160): 102
                                                  ● Trackside AP (L1_170): 103
AP group for depot APs                            Name: mesh-depot
Depot AP ID                                       ● Depot AP (L1_180): 201
                                                  ● Depot AP (L1_190): 202
AP wired port profile                             ● Name: wired-port
Security profile                                  ● Name: sp01
                                                  ● Security policy: WPA2+PSK+AES
                                                  ● Password type: PASS-PHRASE
                                                  ● Authentication key: YsH_2022
AP system profile                                 ● Name: mesh-sys
                                                  ● Mesh role: Mesh-portal
Mesh profile for trackside APs                    ● Name: mesh-net
                                                  ● Identifier: mesh-net
                                                  ● Referenced Mesh handover profile for trackside APs: hand-over
Mesh profile for depot APs                        ● Name: mesh-client
                                                  ● Identifier: mesh-net
                                                  ● Mesh client mode: enabled
Mesh profile 1 for vehicle-mounted APs            ● Name: mesh-net
                                                  ● Identifier: mesh-net
                                                  ● Index: 0
                                                  ● Referenced Mesh handover profile for vehicle-mounted APs: hand-over
Mesh profile 2 for vehicle-mounted APs            ● Name: mesh-client
                                                  ● Identifier: mesh-net
                                                  ● Index: 1
                                                  ● Mesh client mode: enabled
Mesh handover profile                             Trackside APs:
                                                  ● Name: hand-over
                                                  Vehicle-mounted APs:
                                                  ● Name: hand-over
Mesh whitelist on trackside APs                   Name: whitelist01
                                                  Add MAC addresses of all vehicle-mounted APs on trains running on the
                                                  rail to the whitelist according to actual situations.
MAC addresses of proxied ground devices           ● Gateway: 707b-e8e9-d328
                                                  ● Network management device: 286e-d488-12cd
                                                  ● Multicast source: 286e-d488-b6ab
MAC addresses of proxied vehicle-mounted devices  ● Vehicle-mounted terminal_1: 286e-d488-d359
                                                  ● Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                   225.1.1.1-225.1.1.3


Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between
trackside APs and the AC.
2. Configure multicast services on ground network devices to enable proper
multicast data forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-
mounted APs so that the vehicle-mounted AP can set up Mesh links with the
trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data
communications.

NOTE

● Switches and routers used in this example are all Huawei products.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when all of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
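
The port isolation and CAPWAP DTLS notes above can be checked mechanically against a recorded CLI session. The following is an added example, not part of the original guide or of any Huawei tool: it replays a session in the prompt format used in this guide and reports AP-facing ports without port isolation, AP-facing trunks that allow VLANs outside the plan, and CAPWAP DTLS non-authentication left enabled. The function names, the list of AP-facing ports, the device name AC, the [AC] prompt shown for the capwap command, and the sample sessions are assumptions constructed for illustration.

```python
import re

# Prompt forms used in this guide: "<HUAWEI> cmd" and "[Device-View] cmd".
PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.+)$")
ALLOW = "port trunk allow-pass vlan "

def parse_session(text):
    """Return (device, view, command) tuples in the order they were typed.
    Assumption: sysnames contain no '-', so 'Switch_B-GigabitEthernet0/0/1'
    splits into device 'Switch_B' and view 'GigabitEthernet0/0/1'."""
    out = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            device, _, view = m.group(1).partition("-")
            out.append((device, view, m.group(2).strip()))
    return out

def expand_vlans(tokens):
    """Expand 'all', single IDs and 'A to B' ranges into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        low = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans |= set(range(low, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(low)
            i += 1
    return vlans

def is_enabled(commands, feature):
    """Replay commands; the last 'X' or 'undo X' seen decides the state."""
    state = False
    for cmd in commands:
        if cmd == feature:
            state = True
        elif cmd == "undo " + feature:
            state = False
    return state

def audit(text, ap_ports, allowed_vlans, ac_name):
    """Check a recorded CLI session against the Configuration Notes."""
    session = parse_session(text)
    findings = []
    for device, port in ap_ports:
        cmds = [c for d, v, c in session if d == device and v == port]
        if not is_enabled(cmds, "port-isolate enable"):
            findings.append(f"{device} {port}: port isolation not enabled")
        vlans = set()
        for cmd in cmds:  # replay additions and removals in typed order
            if cmd.startswith(ALLOW):
                vlans |= expand_vlans(cmd[len(ALLOW):].split())
            elif cmd.startswith("undo " + ALLOW):
                vlans -= expand_vlans(cmd[len("undo " + ALLOW):].split())
        extra = sorted(vlans - allowed_vlans)
        if extra:
            findings.append(f"{device} {port}: unexpected VLANs allowed {extra}")
    ac_cmds = [c for d, _, c in session if d == ac_name]
    if is_enabled(ac_cmds, "capwap dtls no-auth enable"):
        findings.append(f"{ac_name}: CAPWAP DTLS non-authentication still enabled")
    return findings

# Constructed sample session (not captured from a real device).
# The [AC] prompt for the capwap command is an assumption.
BEFORE = """\
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 200
[Switch_B-GigabitEthernet0/0/3] port-isolate enable
[AC] capwap dtls no-auth enable
"""

# Constructed follow-up session that corrects each finding.
FIX = """\
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 200
[AC] undo capwap dtls no-auth enable
"""

AP_PORTS = [("Switch_B", "GigabitEthernet0/0/1"), ("Switch_B", "GigabitEthernet0/0/3")]

def run_demo():
    """Audit the sample before and after the corrective session."""
    plan = {100, 101}  # management VLAN and multicast service VLAN
    return audit(BEFORE, AP_PORTS, plan, "AC"), audit(BEFORE + FIX, AP_PORTS, plan, "AC")

if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding)
```

The list of AP-facing ports has to come from the cabling plan, because the session text alone does not say which interfaces connect to APs.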

Procedure
Step 1 Configure other network devices on the ground network.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and
GE0/0/4 to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200,
and configure GE0/0/5 to allow packets from VLAN 200 to pass through.
Configure GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to
pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit

2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit

3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP
address of GE1/0/0 on the router as the next hop address of the default route
so that packets from the vehicle-ground communication network can be
forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1


4. Configure an IP address for GE1/0/0 on Router and configure routes to the
internal network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE

You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communication between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and
GE0/0/1 to allow packets from VLAN 100 and VLAN 101 to pass through, and
set the PVID of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces on Switch_B connected to trackside APs
according to the configuration for GE0/0/1. Configure these interfaces to
allow packets from VLAN 100 and VLAN 101 to pass through, and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and
GE0/0/1 to allow packets from VLAN 100 and VLAN 101 to pass through, and
set the PVID of GE0/0/1 to VLAN 100.
# Configure other interfaces on Switch_C connected to trackside APs
according to the configuration for GE0/0/1. Configure these interfaces to
allow packets from VLAN 100 and VLAN 101 to pass through, and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them
to properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.


[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.


[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to
the multicast configuration procedure of Switch_A.

# Configure the fast leave function on Switch_B and Switch_C.

NOTICE

If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or
Layer 3 multicast is configured, you cannot configure the fast leave function
because this function may interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set Country/Region
to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.


# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure trackside APs.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mpp and click OK.
3. Configure Mesh parameters for the MPPs.
# In AP Group List, select the AP group mesh-mpp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of
radio 1 to 40+MHz and channel to 157.
– In Security Settings, set Key type to Pass-phrase, and enter the key
a1234567.

– In the Mesh Whitelist area, click Edit and add the MAC addresses of
vehicle-mounted APs. In this example, MAC addresses 0046-4b59-2e10
and 0046-4b59-2e20 are added. Click OK.


Add MAC addresses of vehicle-mounted APs on other trains to the Mesh
whitelist whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs.
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10,
0046-4b59-1d20, 0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and
0046-4b59-1d60 are added. Set AP ID to 1, 2, 3, 101, 102, and 103 for the
APs respectively. Set the AP names to L1_001, L1_003, L1_010, L1_150,
L1_160, and L1_170, respectively. Click OK. The APs are added as MPPs.


5. Configure a Mesh profile.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click the AP group mesh-mpp. Select Display all
profiles. Choose Mesh > Mesh Profile. The Mesh Profile List page is
displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name
to mesh-net.
# Click OK.
6. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > mesh-net > Mesh Handover Profile. The
Mesh Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set
Profile name to hand-over and click OK. The Mesh handover profile
configuration page is displayed.
# Set Position-based handover algorithm to ON.

# Click Apply. In the dialog box that is displayed, click OK.


7. Configure the AP's wired port profile.

# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile
management page is displayed.

# Click Create. The Create AP Wired Port Profile page is displayed. Set
Profile name to wired-port and click OK. The configuration page of the
wired port profile is displayed.

# On the Advanced Configuration page of the AP wired port profile, set Port
mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
Port PVID to 101.

# Click OK. In the dialog box that is displayed, click OK.

Step 4 Configure depot APs.


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-depot for depot APs.

# In AP Group List, click Create. The Create AP Group page is displayed.

# Set the AP group name to mesh-depot and click OK.


3. Configure Mesh parameters for the MPPs.

# In AP Group List, select the AP group mesh-depot.

# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of
radio 1 to 40+MHz and channel to 157.
– In Security Settings, set Key type to Pass-phrase, and enter the key
a1234567.


– In the Mesh Whitelist area, click Edit and add the MAC addresses of
vehicle-mounted APs. In this example, MAC addresses 0046-4b59-2e10
and 0046-4b59-2e20 are added. Click OK.

Add MAC addresses of vehicle-mounted APs on other trains to the Mesh
whitelist whitelist01 according to the preceding procedure.


# After configuring Mesh parameters, click Apply.


4. Add MPPs.
# In AP Group List, select the AP group mesh-depot.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d70 and
0046-4b59-1d80 are added. Set AP IDs to 201 and 202 for the APs,
respectively, and their names to L1_180 and L1_190, respectively. Click OK.
The depot APs are added.
5. Configure a Mesh profile.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click the AP group mesh-depot. Select Display all
profiles. Choose Mesh > Mesh Profile. The Mesh Profile List page is
displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name
to mesh-client and enable Client Mode.

# Click OK.
6. Configure the AP's wired port profile.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile
management page is displayed.
# Click Create. The Create AP Wired Port Profile page is displayed. Set
Profile name to wired-port and click OK. The configuration page of the
wired port profile is displayed.
# On the Advanced Configuration page of the AP wired port profile, set Port
mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
Port PVID to 101.


# Click OK. In the dialog box that is displayed, click OK.


Step 5 Configure vehicle-mounted APs (running V200R020C10 or later).
NOTE

This example provides the detailed procedure for configuring the vehicle-mounted AP in the
front of the train. The procedure for configuring the vehicle-mounted AP in the rear is similar.
The configuration differences are described in the subsequent steps.
1. Create VLAN 101 on the vehicle-mounted AP, configure GE0/0/0 on the
vehicle-mounted AP to allow packets from VLAN 101 to pass through, and set
the PVID of GE0/0/0 to VLAN 101.
# Choose Advanced > Interface > VLAN. On the VLAN tab page, click
Create. On the Create VLAN page, set VLAN ID to 101.


# Click OK.
# Choose Advanced > Interface > ETH Interface. Click
GigabitEthernet0/0/0. The page for modifying the interface configuration is
displayed.
# Set Default VLAN to 101 and add the interface to VLAN 101 in tagged
mode.

# Click OK.
2. Configure the Mesh network.
# Choose Configuration > Mesh Configuration.
# In Mesh ID List, click Create. The Create Mesh ID page is displayed.
# Set Mesh ID to mesh-net, Location-based enhanced link handover
algorithm to ON, Direction to Forward, Security policy to WPA2-PSK-AES,
Key type to PASS-PHRASE, and Key to a1234567.


# Click Apply. In the dialog box that is displayed, click OK.


# Create a Mesh ID for connecting to depot APs in the same way.

3. Bind the Mesh profile to the AP radio and configure IGMP snooping on the AP
wired interface.
# Choose Configuration > Mesh Configuration.
# In AP List, select the AP with the AP ID of 0. The Mesh Configuration page
is displayed.
# In Mesh ID(Radio1), set Index0 to the Mesh ID for setting up Mesh links
with trackside APs, and Index1 to the Mesh ID for setting up Mesh links with
depot APs.
# In AP Wired Port Settings, enable IGMP snooping of the interface.


4. Add proxied devices on the vehicle-mounted AP.


# Add proxied ground devices. Add MAC addresses of Switch_A, network
management device, and multicast source on the vehicle-mounted AP.
# Choose Advanced > Other Services > Proxied Devices for Train To
Ground COMM > Proxied Ground Device. Click Create and add MAC
addresses of proxied ground devices. In this example, set the MAC addresses
of proxied ground devices to 707b-e8e9-d328, 286e-d488-12cd, and
286e-d488-b6ab, and click OK.

# Add proxied vehicle-mounted devices. Add MAC addresses of the
vehicle-mounted devices on the vehicle-mounted AP.
# Choose Advanced > Other Services > Proxied Devices for Train To
Ground COMM > Proxied Vehicle-mounted Device. Click Create and add
MAC addresses of proxied vehicle-mounted devices. In this example, set the
MAC addresses of proxied vehicle-mounted devices to 286e-d488-d359 and
286e-d488-d270, and click OK.

Step 6 Configure vehicle-mounted APs (running V200R019C00 or earlier).


NOTE

This example provides the detailed procedure for configuring the vehicle-mounted AP in the
front of the train. The procedure for configuring the vehicle-mounted AP in the rear is similar.
The configuration differences are described in the subsequent steps.
1. Create VLAN 101 on the vehicle-mounted AP, configure GE0/0/0 on the
vehicle-mounted AP to allow packets from VLAN 101 to pass through, and set
the PVID of GE0/0/0 to VLAN 101.

# Choose Configuration > Interface > VLAN. On the VLAN tab page, click
Create. On the Create VLAN page, set VLAN ID to 101.

# Click OK.

# Choose Configuration > Interface > ETH Interface. Click
GigabitEthernet0/0/1. The page for modifying the interface configuration is
displayed.

# Set Default VLAN to 101 and add the interface to VLAN 101 in tagged
mode.

# Click OK.


2. Configure a Mesh profile.


# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is
displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page
is displayed.
# Click Create. The Create Security Profile page is displayed.
# Set Profile name to sp01 and click OK. The Security Profile page is
displayed.
# Set Security Mode to WPA2-PSK-AES, Password type to PASS-PHRASE,
and Password to a1234567.

# Click Apply. In the dialog box that is displayed, click OK.


4. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh
Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set
Profile name to hand-over and click OK. The Mesh handover profile
configuration page is displayed.
# Set Position-based handover algorithm to ON and Moving direction to
forward, and click Apply. In the dialog box that is displayed, click OK.


5. Add proxied devices on the vehicle-mounted AP.


# Add proxied ground devices. Add the MAC addresses of Switch_A, the network
management device, and the multicast source on the vehicle-mounted AP.
# Choose Advanced > Other Services > Proxied Devices for Train To
Ground COMM > Proxied Ground Device. Click Create and add MAC
addresses of proxied ground devices. In this example, set the MAC addresses
of proxied ground devices to 707b-e8e9-d328, 286e-d488-12cd, and
286e-d488-b6ab, and click OK.

# Add proxied vehicle-mounted devices. Add MAC addresses of the
vehicle-mounted devices on the vehicle-mounted AP.
# Choose Advanced > Other Services > Proxied Devices for Train To
Ground COMM > Proxied Vehicle-mounted Device. Click Create and add
MAC addresses of proxied vehicle-mounted devices. In this example, set the
MAC addresses of proxied vehicle-mounted devices to 286e-d488-d359 and
286e-d488-d270, and click OK.

6. Configure IGMP snooping for vehicle-mounted APs.


# Choose Configuration > Other Services > IGMP-Snooping > IGMP-Snooping.
In Global Setting, set IGMP-Snooping to ON.
# On the IGMP-Snooping page, select VLAN 101 in the VLAN List area and
click Enable.


Step 7 Verify the configuration.


1. Verify the configuration on the AC. Choose Monitoring > Mesh&WDS >
Mesh Link Information to view Mesh link information. Detailed information
about the Mesh links that are successfully established is displayed on this
page.

2. Verify the configuration on the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Mesh Link Information
to view Mesh link information. Displayed information is the same as that
checked on the AC.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP
Field Strength to view field strength of the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP
Roaming Trace to view the roaming trace of the vehicle-mounted AP.

----End


3.6 Radio Resource Management Configuration Examples

3.6.1 Example for Configuring Dynamic Load Balancing


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. The enterprises also need to prevent one AP radio
from being heavily loaded. Furthermore, users' services are not affected during
roaming in the coverage area.
For the WLAN access configuration, see Related Topics.
As shown in Figure 3-43, before load balancing is configured, 30 users are
connected to AP area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads
on the APs to prevent excessive user access to a single AP. A dynamic load
balancing group can be set up only when:
● AP area_1 and AP area_2 are managed by the same AC.
● STAs can detect SSIDs of both the APs.


Figure 3-43 Networking for configuring dynamic load balancing

Data Planning

Table 3-44 AC data planning


Item                Data
RRM profile         ● Name: wlan-net
                    ● Start threshold for dynamic load balancing: 15
                    ● Load difference threshold for dynamic load balancing: 25%
2G radio profile    ● Name: wlan-radio2g
                    ● Referenced profile: RRM profile wlan-net
5G radio profile    ● Name: wlan-radio5g
                    ● Referenced profile: RRM profile wlan-net

Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.


Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
1. Choose Configuration > AP Config > AP Group > AP Group, and confirm
that the AP group ap-group1 already exists.
2. Click ap-group1. Choose VAP Configuration, confirm that the VAP profile
wlan-net already exists, and check all referenced profiles.
Step 2 Configure dynamic load balancing.
1. In the RRM profile, enable dynamic load balancing, and set the start threshold
for dynamic load balancing to 15 and load difference threshold to 25%.
# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile.
Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-net and click OK. The RRM Profile page is
displayed.
# On the Advanced Configuration tab, enable dynamic load balancing, and
set the start threshold for dynamic load balancing to 15 and load difference
threshold to 25%.


# Click Apply. In the dialog box that is displayed, click OK.

# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile.
The RRM Profile page is displayed. Configure dynamic load balancing for
radio 1. The configuration is similar to that of radio 0 and is not mentioned
here.

Step 3 Verify the configuration.


1. Choose Monitoring > User > User Distribution. The number of STAs on
different APs is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a dynamic
load balancing algorithm to redirect the STA to the AP area_2 with a light
load according to the information reported by APs.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.6.2 Example for Configuring Static Load Balancing

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. The enterprises also need to prevent one AP radio
from being heavily loaded. Furthermore, users' services are not affected during
roaming in the coverage area.
For the WLAN access configuration, see Related Topics.
As shown in Figure 3-44, before load balancing is configured, 30 users are
connected to AP area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on
the APs to prevent excessive user access to a single AP. A static load balancing
group can be set up only when:
● AP area_1 and AP area_2 are managed by the same AC.
● STAs can detect SSIDs of both the APs.

Figure 3-44 Networking for configuring static load balancing


Data Planning

Table 3-45 AC data planning


Item                          Data
Static load balancing group   ● Name: wlan-static
                              ● Start threshold for load balancing based on the number of users: 10
                              ● Load difference threshold for load balancing based on the number of users: 5%

Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP
from being heavily loaded.

Configuration Notes
● If dual-band APs are used, traffic is load balanced among APs working on the
same frequency band.
● Each load balancing group supports a maximum of 16 AP radios.
● Under the agile distributed network architecture composed of the central AP
and RUs, you only need to add radios of the RUs to a static load balancing
group.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.


Procedure
Step 1 Configure static load balancing.
1. Create the static load balancing group wlan-static and set the start threshold
for static load balancing to 10 and load difference threshold to 5%.

# Choose Configuration > AP Config > AP Group > Static Load Balancing
Group. The Static Load Balancing Group page is displayed.

# Click Create. On the page that is displayed, enter the profile name wlan-
static, and set the start threshold for static load balancing to 10 and load
difference threshold to 5%. Add AP area_1 and AP area_2 to the static load
balancing group.

# Click OK.

Step 2 Verify the configuration.


1. Choose Monitoring > User > User Distribution. The number of STAs on
different APs is displayed under User Statistics List by AP.
2. When a new STA requests to connect to AP area_1, the AC uses a static load
balancing algorithm to redirect the STA to the AP area_2 with a light load
based on the configured load balancing group.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode


3.6.3 Example for Configuring Band Steering (5G-Prior Access)

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. To relieve pressure on the 2.4 GHz frequency band,
enable STAs to connect to the 5 GHz frequency band.

For the WLAN access configuration, see Related Topics.

Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.

Figure 3-45 Networking for configuring Band Steering

Data Planning

Table 3-46 AC data planning

Item               Data
VAP profile        ● Name: wlan-net
                   ● Band steering function: enabled
                   ● Referenced profiles: SSID profile wlan-net and security profile wlan-net
RRM profile        ● Name: wlan-rrm
                   ● Start threshold for load balancing between radios: 15
                   ● Load difference threshold for load balancing between radios: 25
2G radio profile   ● Name: wlan-radio2g
                   ● Referenced profile: RRM profile wlan-rrm

Configuration Roadmap
Configure the band steering function and proper band steering parameters so that
STAs can preferentially access the 5 GHz frequency band.

Configuration Notes
● Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure
the same SSID and security policy on the 5 GHz and 2.4 GHz radios.
● To allow a STA to preferentially associate with the 5 GHz radio and achieve
better access results, configure higher power for the 5 GHz radio than for the
2.4 GHz radio.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.


1. Choose Configuration > AP Config > AP Group > AP Group, and confirm
that the AP group ap-group1 already exists.
2. Click ap-group1. Choose VAP Configuration, confirm that the VAP profile
wlan-net already exists, and check all referenced profiles.

Step 2 Configure the band steering function.


1. Enable the band steering function in the VAP profile wlan-net. By default, the
band steering function is enabled.

# Choose VAP Configuration > wlan-net. The VAP profile page is displayed.

# On the Advanced Configuration tab, enable the band steering function.

# Click Apply. In the dialog box that is displayed, click OK.


2. In the RRM profile, configure load balancing between radios to prevent heavy
load on a single radio. Set the start threshold for load balancing between
radios to 15, and the load difference threshold to 25%.

# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile.
Click Create. The Create RRM Profile page is displayed.

# Enter the profile name wlan-rrm and click OK. The RRM profile
configuration page is displayed.

# On the Advanced Configuration tab, set the start threshold for load
balancing between radios to 15, and the load difference threshold to 25%.

# Click Apply. In the dialog box that is displayed, click OK.

# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile >
wlan-rrm. The RRM profile configuration page is displayed. Configure
inter-frequency load balancing for radio 1. The configuration is similar to
that of radio 0 and is not mentioned here.

NOTE

If different RRM profiles are bound to the 2G and 5G radio profiles and configured with
different band steering parameters, parameters in the 2G radio profile preferentially take
effect.

Step 3 Verify the configuration.


# Choose Monitoring > User > User Distribution. Most STAs can connect to the 5
GHz frequency band, and users enjoy good service experience.
----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.6.4 Example for Configuring Smart Roaming


Networking Requirements
To ensure optimal user experience, a stadium requires that users associate with
the nearest APs when moving on the stadium stand. Furthermore, users' services
are not affected during roaming in the coverage area.
For the WLAN access configuration, see Related Topics.

Figure 3-46 Networking for configuring smart roaming


Data Planning

Table 3-47 AC data planning


Item                Data
RRM profile         ● Name: wlan-rrm
                    ● Smart roaming threshold type: SNR-based
                    ● SNR threshold for smart roaming: 15
2G radio profile    ● Name: wlan-radio2g
                    ● Referenced profile: RRM profile wlan-rrm
5G radio profile    ● Name: wlan-radio5g
                    ● Referenced profile: RRM profile wlan-rrm

Configuration Roadmap
Configure smart roaming and adjust smart roaming parameters to steer STAs
(especially sticky STAs) to reconnect or roam to APs with strong signals.

NOTE

Some STAs on live networks have low roaming aggressiveness. As a result, they stick to the
initially connected APs regardless of whether they move far from the APs, and have weak
signals or low rates. The STAs fail to roam to neighbor APs with better signals. They are called
sticky STAs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.


● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
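
A detection sketch for the last note above, added here as an example and not taken from Huawei's documentation: it replays a log to find the periods during which capwap dtls no-auth enable was active, flags any that were never closed with undo capwap dtls no-auth enable or that stayed open too long, and lists APs that went online in that period but are not in the approved inventory. The log layout, the CMD and AP_ONLINE record kinds, the MAC addresses and the 15-minute limit are assumptions.

```python
from datetime import datetime, timedelta

# Command strings as given in the configuration note above.
ENABLE = "capwap dtls no-auth enable"
DISABLE = "undo capwap dtls no-auth enable"

# Constructed sample. The "<timestamp> <kind> <detail>" layout, the CMD and
# AP_ONLINE record kinds and the MAC addresses are hypothetical; adapt the
# parser to what your AC's operation and AP-state logs actually contain.
SAMPLE_LOG = """\
2023-04-12T09:00:00 CMD capwap dtls no-auth enable
2023-04-12T09:03:10 AP_ONLINE 00e0-fc00-0001
2023-04-12T09:05:00 CMD undo capwap dtls no-auth enable
2023-04-12T11:30:00 AP_ONLINE 00e0-fc00-0003
2023-04-12T14:00:00 CMD  capwap dtls no-auth enable
this line is malformed and is skipped
2023-04-12T14:02:00 AP_ONLINE 00e0-fc00-0002
2023-04-12T16:45:00 AP_ONLINE 00e0-fc00-0099
2023-04-12T18:00:00 AP_ONLINE 00e0-fc00-0100
"""


def parse_events(log_text):
    """Return (timestamp, kind, detail) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        # Collapse whitespace and case so "CMD  Capwap ..." still matches.
        events.append((ts, parts[1].upper(), " ".join(parts[2].split()).lower()))
    return events


def audit_no_auth_windows(log_text, approved_aps, max_open=timedelta(minutes=15)):
    """Find no-auth windows and attach findings. Events must be chronological."""
    events = parse_events(log_text)
    windows, current = [], None
    for ts, kind, detail in events:
        # Compare whole commands: DISABLE contains ENABLE as a substring, so a
        # substring test would read every "undo" as another enable.
        if kind == "CMD" and detail == ENABLE:
            if current is None:  # a repeated enable keeps the first start time
                current = {"opened": ts, "closed": None, "aps_online": []}
        elif kind == "CMD" and detail == DISABLE:
            if current is not None:
                current["closed"] = ts
                windows.append(current)
                current = None
        elif kind == "AP_ONLINE" and current is not None:
            current["aps_online"].append(detail)
    if current is not None:
        windows.append(current)  # never closed within the log

    last_seen = events[-1][0] if events else None
    for w in windows:
        end = w["closed"] or last_seen
        w["findings"] = []
        if w["closed"] is None:
            w["findings"].append("no-auth still enabled at end of log")
        if end - w["opened"] > max_open:
            w["findings"].append("no-auth window longer than allowed")
        w["unexpected_aps"] = [ap for ap in w["aps_online"] if ap not in approved_aps]
        if w["unexpected_aps"]:
            w["findings"].append("AP not in approved inventory joined during window")
    return windows


if __name__ == "__main__":
    # Constructed inventory of APs that were meant to be onboarded.
    approved = {"00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003"}
    for w in audit_no_auth_windows(SAMPLE_LOG, approved):
        print(w["opened"], "->", w["closed"], w["findings"], w["unexpected_aps"])
```

An AP that joins outside a no-auth window (the 11:30 record in the sample) is not listed, because it had to authenticate with an existing credential.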

Procedure
Step 1 Check the basic configuration of the WLAN.
1. Choose Configuration > AP Config > AP Group > AP Group, and confirm
that the AP group ap-group1 already exists.
2. Click ap-group1. Choose VAP Configuration, confirm that the VAP profile
wlan-net already exists, and check all referenced profiles.

Step 2 Configure smart roaming.


1. In the RRM profile wlan-rrm, enable smart roaming, set the roaming trigger
mode to SNR-based, and set the roaming threshold to 15 dB.

# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile.
Click Create. The Create RRM Profile page is displayed.

# Enter the profile name wlan-rrm and click OK. The RRM Profile page is
displayed.

# On the Advanced Configuration tab, enable smart roaming, set the roaming
trigger mode to SNR-based, and set the roaming threshold to 15 dB.


# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile >
wlan-rrm. The RRM Profile page is displayed. Configure smart roaming for
radio 1. The configuration is similar to that of radio 0 and is not mentioned
here.
Step 3 Verify the configuration.
When a large number of users in the stadium access the WLAN, they can still
enjoy good Internet experience.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.6.5 Example for Configuring Dynamic Bandwidth Selection for the 5GHz Radio

Service Requirements
Enterprise users can access the Internet through a WLAN (in non-high-density
scenarios) to meet the basic requirements of mobile office. The dynamic
bandwidth selection (DBS) function can improve utilization of 5 GHz bandwidth
resources and expand the network capacity.
For the WLAN access configuration, see Related Topics.

Networking Requirements
APs use the 5 GHz radio to provide wireless network coverage.


Figure 3-47 Networking diagram for configuring the DFS function

Data Planning

Table 3-48 AC data planning

Item          Data
Radio list    ● Radio ID: 1
              ● Frequency band: 5G
              ● Automatic frequency bandwidth adjustment: enabled

Configuration Roadmap
Configure the DBS function to enable APs to automatically adjust the channel
bandwidth, improving the network capacity.

Procedure
Step 1 Check the basic configuration of the WLAN.
1. Choose Configuration > AP Config > AP Group > AP Group, and confirm
that the AP group ap-group1 already exists.
2. Click ap-group1. Choose VAP Configuration, confirm that the VAP profile
wlan-net already exists, and check all referenced profiles.
Step 2 Configure the DBS function.


● DBS based on a single AP


# Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning.
# In Radio List, find the 5G radio of the target AP, and click . Set Automatic
Frequency Bandwidth Adjustment to on and click .

# Click Apply.
● DBS based on an AP group
# Choose Configuration > AP Config > AP Group > AP Group.
# Click the AP group name. Click a radio under Radio Management.
# Set Automatic Frequency Bandwidth Adjustment to ON.

NOTE

The DBS function is supported only for 5 GHz radios. For radios supporting frequency band
switching, set Switch to 5G to ON.
Before enabling DFS, set Automatic channel optimization to ON.
# Click Apply.
Step 3 Verify the configuration.
When a large number of users in a stadium access the WLAN, they can still enjoy
good Internet experience.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode


● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode


● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.6.6 Example for Configuring Radio Calibration (Student Dormitory Scenarios)

Networking Requirements
AirEngine 5762-16W APs are deployed in a student dormitory building (a
tube-shaped building) to provide wireless Internet access. Each AP covers three
adjacent rooms and connects to the AC through the access switch Switch_A.
For details about how to configure wireless network access, see Related Topics.

Figure 3-48 Networking diagram for configuring radio calibration


Data Planning

Table 3-49 AC data plan

Item                Data
5G radio profile    ● Name: wlan-radio5g
                    ● Referenced profile: air scan profile wlan-airscan
2G radio profile    ● Name: wlan-radio2g
                    ● Referenced profile: air scan profile wlan-airscan
Air scan profile    ● Name: wlan-airscan

Configuration Roadmap
Configure radio calibration so that the AC can automatically allocate proper
working channels to APs.

Configuration Notes
When the AirEngine 5762-16W is configured, set the parameters as follows:

● 5 GHz frequency band: 80 MHz


● Interference threshold for a calibration group: –70 dBm
● Maximum transmit power of an AP

You can use the preset scenario profile multi-partition-cross-room to enable the
AP to automatically obtain the parameter settings that meet the preceding
requirements.

NOTE

When AirEngine 5762-16W APs are used to provide wireless coverage in a tube-shaped
building scenario:
● If there is no bathroom at the door of a room, it is recommended that one AP be
deployed to cover three adjacent rooms. The corridor is covered by the side lobe of the
AP and therefore requires no additional AP.
● If there is a bathroom at the door of a room, the recommended plan is to use one AP to
cover two adjacent rooms and deploy APs with omnidirectional antennas in the corridor
at spacing of 25 m.
There are other network construction requirements and network planning constraints in
this scenario. For details, see Scenario-based WLAN Planning Design for Education.

Procedure
Step 1 Check the basic configuration of the WLAN.
1. Choose Configuration > AP Config > AP Group > AP Group, and confirm
that the AP group ap-group1 already exists.


2. Click ap-group1. Choose VAP Configuration, confirm that the VAP profile
wlan-net already exists, and check all referenced profiles.
Step 2 Configure a scenario profile.
1. Select Display all profiles. Choose Scenario-Specific Configuration >
Scenario Profile.
2. Select multi-partition-cross-room from the Scenario Profile drop-down list
box and click Apply.

3. In the dialog box that is displayed, click OK.

Step 3 Manually trigger radio calibration.


1. Choose Configuration > AP Config > Radio Planning/Calibration > Radio
Planning.
2. Click Immediate Calibrate.
3. In the dialog box that is displayed, specify the AP group ap-group1 and click
OK.


Step 4 Verify the configuration.


Check the effective AP configuration in Radio List. The requirements described in
Configuration Notes are met.

----End

3.6.7 Example for Configuring Channel Switching Without Service Interruption

Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
The enterprise requires that WLAN services not be interrupted even when the APs
change their working channels.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: Switch functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding


Figure 3-49 Networking for configuring channel switching without service interruption

Data Planning

Table 3-50 AC data planning

Item                             Data
Management VLAN for APs          VLAN 100
Service VLAN for STAs            VLAN 101
DHCP server                      Switch functions as a DHCP server to assign IP
                                 addresses to APs and STAs.
IP address pool for APs          10.1.1.3-10.1.1.254/24
IP address pool for STAs         10.1.2.3-10.1.2.254/24
Gateway address for APs          10.1.1.1/24
Gateway address for STAs         10.1.2.1/24
AC's source interface address    VLANIF 100: 10.1.1.2/24
AP group                         ● Name: ap-group1
                                 ● Referenced profiles: 2G radio profile wlan-radio2g,
                                   5G radio profile wlan-radio5g, VAP profile wlan-net,
                                   and regulatory domain profile default
Regulatory domain profile        ● Name: default
                                 ● Country code: China
SSID profile                     ● Name: wlan-net
                                 ● SSID name: wlan-net
Security profile                 ● Name: wlan-net
                                 ● Security policy: WPA-WPA2+PSK+AES
                                 ● Password: YsHsjx_202206
VAP profile                      ● Name: wlan-net
                                 ● Forwarding mode: direct forwarding
                                 ● Service VLAN: VLAN 101
                                 ● Referenced profiles: SSID profile wlan-net
                                   and security profile wlan-net
2G radio profile                 ● Name: wlan-radio2g
                                 ● Channel switch announcement: enabled
                                 ● Channel switch announcement mode:
                                   continue-transmitting
5G radio profile                 ● Name: wlan-radio5g
                                 ● Channel switch announcement: enabled
                                 ● Channel switch announcement mode:
                                   continue-transmitting

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Configure channel switching without service interruption to improve WLAN
service reliability so that services are not interrupted even when APs change
their working channels.
6. Deliver the WLAN services to the APs and verify the configuration.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3
to VLAN 100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On Switch, configure VLANIF 100 to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit

# On Switch, configure VLANIF 101 to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.1.1.2/24.


# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Create radio profiles and configure channel switching without service interruption.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is
similar.

# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio
Profile page is displayed.


# Click Create. On the Create 2G Radio Profile page that is displayed, enter the
profile name wlan-radio2g and click OK. The 2G radio profile configuration page
is displayed.
# On the Advanced Configuration tab, enable channel switching announcement
and configure the AP to continue transmitting data on the current channel when
the channel is switched.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
The WLAN with the SSID wlan-net is available, and STAs can access the WLAN
properly. When the channel of AP1 or AP2 is changed, service data forwarding of
STAs in Area A is not affected.

----End

3.6.8 Example for Configuring WLAN-based E-Schoolbag


Service Requirements
E-schoolbag is a digital teaching method. In a class, teachers and students use
smart terminals such as PCs, tablets, and mobile phones to participate in teaching
and learning activities online.
A teacher can teach students in multiple classrooms without space limitation.
To ensure successful teaching activities, three-radio APs are used to deploy basic
WLAN services to support access of many students and provide sufficient
bandwidth.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding


Figure 3-50 Networking for configuring the WLAN-based e-schoolbag service

Data Planning

Table 3-51 AC data planning


Item                             Data
Management VLAN for APs          VLAN 100
Service VLAN for STAs            VLAN 101
DHCP server                      The AC functions as a DHCP server to assign IP addresses to APs.
                                 SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                 The default gateway address of STAs is 10.23.101.2.
IP address pool for APs          10.23.100.2-10.23.100.254/24
IP address pool for STAs         10.23.101.3-10.23.101.254/24
AC's source interface address    VLANIF 100: 10.23.100.1/24
AP group                         ● Name: ap-group1
                                 ● Referenced profiles: VAP profile wlan-net, regulatory domain
                                   profile default, 2G radio profile wlan-radio2g, and 5G radio
                                   profile wlan-radio5g
Regulatory domain profile        ● Name: default
                                 ● Country code: China
SSID profile                     ● Name: wlan-net
                                 ● SSID name: wlan-net
                                 ● Maximum number of users: 128
Security profile                 ● Name: wlan-net
                                 ● Security policy: WPA-WPA2+PSK+AES
                                 ● Password: YsHsjx_202206
VAP profile                      ● Name: wlan-net
                                 ● Forwarding mode: direct forwarding
                                 ● Service VLAN: VLAN 101
                                 ● Band steering: enabled
                                 ● Broadcast flood detection: enabled
                                 ● Rate threshold for broadcast flood detection: 50 pps
                                 ● Referenced profiles: SSID profile wlan-net, security profile
                                   wlan-net, and traffic profile wlan-traffic
RRM profile                      ● Name: wlan-rrm
                                 ● Airtime fair scheduling: enabled
                                 ● Dynamic EDCA parameter adjustment: enabled
2G radio profile                 ● Name: wlan-radio2g
                                 ● RTS-CTS operation mode: rts-cts
                                 ● RTS-CTS threshold: 1400 bytes
                                 ● Beacon interval: 160 TUs
                                 ● Short preamble: enabled
                                 ● GI mode: short
                                 ● 802.11bg basic rate: 6, 9, 12, 18, 24, 36, 48, 54, in Mbit/s
                                 ● Multicast rate: 11 Mbit/s
                                 ● Referenced profile: RRM profile wlan-rrm
5G radio profile                 ● Name: wlan-radio5g
                                 ● RTS-CTS operation mode: rts-cts
                                 ● RTS-CTS threshold: 1400 bytes
                                 ● Beacon interval: 160 TUs
                                 ● GI mode: short
                                 ● Multicast rate: 6 Mbit/s
                                 ● Referenced profile: RRM profile wlan-rrm
Traffic profile                  ● Name: wlan-traffic
                                 ● Uplink rate limit for a STA: 4000 kbit/s
                                 ● Downlink rate limit for a STA: 4000 kbit/s
                                 ● Multicast to unicast: enabled

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Adjust network parameters for e-schoolbag.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.


– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to complete the
configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
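
The port-isolation and DTLS non-authentication notes above can be checked against a captured CLI session. The following Python audit is an added example, not part of the Huawei guide: it assumes that AP-facing ports are the trunk ports whose PVID is the management VLAN (as in this example's access switch configuration), and the sample session, including the [AC-wlan-view] prompt, is constructed.

```python
import re

# Prompt formats used in the guide: <HUAWEI> (user view), [SwitchA] (system
# view), [SwitchA-GigabitEthernet0/0/1] (interface view).
PROMPT = re.compile(r"^\s*[\[<]([^\]>]+)[\]>]\s*(.*)$")
IFACE = re.compile(r"^(.*)-((?:X?GigabitEthernet|Eth-Trunk)[\d/]+)$")


def expand_vlans(tokens):
    """Expand allow-pass arguments such as ['100', 'to', '101'] or ['100', '101']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            vlans.update(range(1, 4095))
            i += 1
        elif i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_session(text):
    """Return (ports, no_auth): settings per (device, interface), and whether
    CAPWAP DTLS non-authentication is left enabled at the end of the session."""
    ports, no_auth = {}, False
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue
        ctx, cmd = m.group(1), " ".join(m.group(2).split())
        undo = cmd.startswith("undo ")
        if undo:
            cmd = cmd[len("undo "):]
        if cmd == "capwap dtls no-auth enable":   # matched in any view
            no_auth = not undo
            continue
        view = IFACE.match(ctx)
        if not view:
            continue
        port = ports.setdefault(
            (view.group(1), view.group(2)),
            {"trunk": False, "pvid": 1, "allowed": set(), "isolated": False})
        if cmd == "port-isolate enable":
            port["isolated"] = not undo
        elif undo:
            continue                               # other undo forms are ignored
        elif cmd == "port link-type trunk":
            port["trunk"] = True
        elif cmd.startswith("port trunk pvid vlan "):
            port["pvid"] = int(cmd.split()[-1])
        elif cmd.startswith("port trunk allow-pass vlan "):
            port["allowed"] |= expand_vlans(cmd.split()[4:])
    return ports, no_auth


def audit(text, mgmt_vlan, service_vlan):
    """List deviations from the two configuration notes."""
    ports, no_auth = parse_session(text)
    findings = []
    for (device, ifname), p in sorted(ports.items()):
        ap_facing = p["trunk"] and p["pvid"] == mgmt_vlan   # assumption, see lead-in
        direct_fwd = service_vlan in p["allowed"]           # STA traffic on this port
        if ap_facing and direct_fwd and not p["isolated"]:
            findings.append(f"{device} {ifname}: AP-facing port carries service "
                            f"VLAN {service_vlan} without port-isolate enable")
    if no_auth:
        findings.append("capwap dtls no-auth enable is still active: "
                        "unauthorized APs could go online")
    return findings


# Constructed session: GE0/0/3 is an extra AP port that lacks port isolation,
# and DTLS non-authentication was never disabled on the AC.
SAMPLE_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/3] quit
[AC-wlan-view] capwap dtls no-auth enable
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION, mgmt_vlan=100, service_vlan=101):
        print(finding)
```

The uplink GE0/0/2 is not reported because it has no management-VLAN PVID; adjust that heuristic if AP ports are identified differently on your network.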

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1


[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.


# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personal networks), select the AES
mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Adjust network parameters for e-schoolbag.
1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose VAP Configuration > wlan-
net. The VAP Profile page is displayed.
# On the Advanced Configuration tab, enable the band steering function
and the broadcast flood attack function and configure the rate threshold for
broadcast flood detection.


# Click Apply. In the dialog box that is displayed, click OK.


2. Adjust SSID profile parameters.
# Choose VAP Configuration > wlan-net > SSID Profile. The SSID Profile
page is displayed.
# On the Advanced Configuration tab, set the maximum number of users to
128.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create a traffic profile and adjust traffic profile parameters.
# Choose VAP Configuration > wlan-net > Traffic Profile. The Traffic
Profile page is displayed.
# Click Create. On the Create Traffic Profile page that is displayed, enter the
profile name wlan-traffic and click OK. The traffic profile configuration page
is displayed.
# Set the upstream and downstream rate limits to 4000 kbit/s and 4000 kbit/s
for STAs, respectively.
On the Advanced Configuration tab, enable the IGMP-Snooping function
and the Multicast-to-unicast function.


# Click Apply. In the dialog box that is displayed, click OK.


4. Create a 2G radio profile and adjust 2G radio profile parameters.
# Choose Radio Management > Radio 0 > 2G Radio Profile. The 2G Radio
Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.

# Click Apply. In the dialog box that is displayed, click OK.


5. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Radio Management > Radio 1 > 5G Radio Profile. The 5G Radio
Profile page is displayed.


# Click Create. On the Create 5G Radio Profile page that is displayed, enter
the profile name wlan-radio5g and click OK. The 5G radio profile
configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.

# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 2 > 5G Radio Profile. The 5G Radio
Profile page is displayed.
# On the 5G radio profile configuration page that is displayed, set 5G Radio
Profile to wlan-radio5g and click Apply. In the dialog box that is displayed,
click OK.
6. Create the RRM profile and adjust RRM profile parameters.
# Choose Radio Management > Radio 0 > 2G Radio Profile > RRM Profile.
The RRM Profile page is displayed.
# Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is
displayed.


On the Advanced Configuration tab, enable airtime fair scheduling, and
enable the dynamic EDCA parameter adjustment.

# Click Apply. In the dialog box that is displayed, click OK.


# Choose Radio Management > Radio 1 > 5G Radio Profile > RRM Profile.
The RRM Profile page is displayed.
# On the RRM profile configuration page that is displayed, set RRM Profile to
wlan-rrm and click Apply. In the dialog box that is displayed, click OK.
# The configuration of Radio 2 is similar to that of Radio 1 and is not
mentioned here.
Step 7 Set the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management
are displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel
to 20-MHz channel 6 and transmit power to 127 dBm. Disable automatic channel
and power calibration functions.

# Click Radio1 and Radio2 to set the channel to 20-MHz channel 149 and 20-MHz
channel 153 respectively and transmit power to 127 dBm. The configuration is
similar to that of Radio0.
# Click Apply. In the dialog box that is displayed, click OK.


Step 8 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-column
filtering is supported to accurately query online users.

----End


3.6.9 Example for Configuring High-Density WLAN Services


Service Requirements
The WLAN of a stadium needs to provide access for a large number of users;
therefore, APs are placed in close proximity, causing severe interference. The IT
department of the stadium requires that the interference be eliminated to
maximize Internet experience for users.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 3-51 Networking diagram for configuring a high-density WLAN


Data Planning

Table 3-52 Data planning


Item                            Data

Management VLAN for APs         VLAN 10 and VLAN 100

Service VLAN for STAs           VLAN pool
                                ● Name: sta-pool
                                ● VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                The aggregation switch (SwitchB) functions as a DHCP server to assign
                                IP addresses to STAs.

IP address pool for APs         10.23.10.2-10.23.10.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, 2G radio profile default, and 5G radio profile
                                  wlan-radio5g

Regulatory domain profile       ● Name: default
                                ● Country code: China

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLANs in the VLAN pool
                                ● Referenced profiles: SSID profile wlan-net, security profile
                                  wlan-net, and traffic profile wlan-traffic

RRM profile                     ● Name: wlan-rrm
                                ● Airtime fair scheduling: enable
                                ● Smart roaming: enable

2G radio profile                ● Name: wlan-radio2g
                                ● Referenced profile: RRM profile wlan-rrm

5G radio profile                ● Name: wlan-radio5g
                                ● Referenced profile: RRM profile wlan-rrm

Traffic profile                 ● Name: wlan-traffic

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table
3-53.

Table 3-53 Adjustment recommendations

Adjustment Item: Configure 5G-prior access
Purpose: To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network.
Recommendation: Enable band steering. By default, band steering is enabled.

Adjustment Item: Remove the limit on the number of access users
Purpose: To make an AP offer wireless services to more users.
Recommendation: Increase the maximum number of access users to 128 for an SSID profile.

Adjustment Item: Reduce the user association aging time
Purpose: To prevent users who frequently disconnect from the wireless network.
Recommendation: Set the association aging time to 1 minute.

Adjustment Item: User isolation
Purpose: To prevent mobile terminals from exchanging a large number of ARP packets.
Recommendation: Enable user isolation on the AC.

Adjustment Item: Limit user rates
Purpose: To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs.
Recommendation: Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.

Adjustment Item: Adjust AP channel and power
Purpose: To reduce interference between APs.
Recommendation:
● Channel: Prevent adjacent APs from working on overlapping channels. It is recommended that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment.
● Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the edge of the AP's coverage area.

Adjustment Item: Configure smart roaming
Purpose: To prevent weak-signal STAs from degrading user experience.
Recommendation: Enable smart roaming and set the SNR threshold to 15 dB.

Adjustment Item: Enable airtime fair scheduling
Purpose: To ensure that wireless channel resources can be equally allocated to users.
Recommendation: Enable airtime fair scheduling.

Adjustment Item: Set the RTS-CTS threshold
Purpose: To prevent hidden STAs.
Recommendation: Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.

Adjustment Item: Adjust the interval at which Beacon frames are sent
Purpose: To improve the overall data traffic of APs.
Recommendation: Set the interval for sending Beacon frames to 160 TUs.

Adjustment Item: Adjust the transmit rate of 2.4 GHz management frames
Purpose: To reduce wireless resource occupation of management frames and improve channel usage efficiency.
Recommendation: Set the transmit rate of 2.4 GHz management frames to 11 Mbit/s.

Adjustment Item: Set the guard interval (GI) mode to short GI
Purpose: To reduce extra overhead and improve AP transmission efficiency.
Recommendation: Set the GI mode to short GI.

Adjustment Item: Configure the basic rate set
Purpose: To improve the overall AP throughput.
Recommendation: Delete low rates from the basic rate set.

Adjustment Item: Configure the multicast rate
Purpose: To improve air interface efficiency.
Recommendation: Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.

Adjustment Item: Configure the short preamble for a radio
Purpose: To improve the network synchronization performance.
Recommendation: Configure the short preamble. If some legacy NICs exist on the network, disable the short preamble function.

Adjustment Item: Dynamic EDCA parameter adjustment
Purpose: To improve user experience.
Recommendation: Enable the dynamic EDCA parameter adjustment, and keep the default threshold for the dynamic EDCA Best-Effort service.

7. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default
VLAN of GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and
VLAN 102, GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create
VLANIF 100 and set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102, and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the DHCP services to assign IP addresses to APs and STAs.
# On SwitchB, configure DHCP relay to assign IP addresses on behalf of the AC.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to
STAs and set the default gateways.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network connectivity.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click OK.
# Click Create under DHCPv4 Address Pool List and configure a global
address pool named huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1


# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and
Next hop address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.
# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to
VLAN Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is
displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add
VLANs 101 and 102.
# Click OK. In the dialog box that is displayed, click OK.


# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Adjust WLAN high-density parameters.
1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP
Configuration.
# Click the VAP profile wlan-net. The VAP Profile page is displayed.
On the Advanced Configuration tab, enable band steering.

# Click Apply. In the dialog box that is displayed, click OK.


2. Adjust SSID profile parameters.


# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP
Configuration. Under it, click the icon in front of wlan-net. Click SSID Profile.
The SSID Profile page is displayed.
# On the Advanced Configuration tab, set the maximum number of users to
128 and association aging time to 1 minute. Set the Beacon frame rate on
2.4G radio to 11 Mbps.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create a traffic profile and adjust traffic profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP
Configuration. Under it, click the icon in front of wlan-net. Click Traffic Profile.
The Traffic Profile page is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the profile name wlan-traffic in Profile name and click OK. The new
traffic profile configuration page is displayed.
# Set the user isolation mode to All isolation, and the upstream and
downstream rate limits to 1000 kbit/s and 2000 kbit/s for STAs, respectively.


# Click Apply. In the dialog box that is displayed, click OK.


4. Set the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.
# Click the ID of the AP whose channel and power need to be configured. The
AP Customized Settings page is displayed.

# Click the icon next to Radio Management. The profiles in Radio Management
are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP
channel to 20-MHz channel 1 and transmit power to 127 dBm. Disable
automatic channel and power calibration functions. The configuration of
Radio1 is similar to the configuration of Radio 0, and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


5. Configure the AP to work in dual-5G mode. This step is only for APs that
support switching between 2.4G and 5G radios.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group ap-group1 and click the icon next to
Radio Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the
dual-5G mode. In the dialog box that is displayed, click OK.


# Click Apply. In the dialog box that is displayed, click OK.


6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this
step if the AP has been configured to work in dual-5G mode. Go to the next
step to create the 5G radio profile and bind the 5G radio profile to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio
0 > 2G Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.


# Click Apply. In the dialog box that is displayed, click OK.


7. Create a 5G radio profile and adjust 5G radio profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio
1 > 5G Radio Profile. The 5G Radio Profile page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter
the profile name wlan-radio5g and click OK. The 5G radio profile
configuration page is displayed.
# On the Advanced Configuration tab, perform the following configurations:
– Set the RTS-CTS mode to rts-cts.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.


# Click Apply. In the dialog box that is displayed, click OK.


8. Create the RRM profile and adjust RRM profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio
0 > 2G Radio Profile. Click the icon in front of 2G Radio Profile. Profiles in
the 2G radio profile are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new
RRM profile configuration page is displayed.
# On the Advanced Configuration tab, enable airtime fair scheduling, enable
the dynamic EDCA parameter adjustment, enable smart roaming; configure
the SNR-based roaming trigger mode, and set the SNR threshold to 15 dB.


# Click Apply. In the dialog box that is displayed, click OK.


# In the AP group list, click ap-group1. Choose Radio Management > Radio
1 > 5G Radio Profile. Click the icon in front of 5G Radio Profile. Profiles in
the 5G radio profile are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-column
filtering is supported to accurately query online users.

5. When a large number of users connect to the network in the stadium, the
users still have good Internet experience.

----End
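
The following Python check is an added example, not part of the Huawei guide: it audits a saved SwitchA configuration against Step 1 of this example (AP-facing GE0/0/1 and GE0/0/3 are trunks with PVID 10 and port isolation; all three ports pass only VLANs 10, 101, and 102). The '#'-separated stanza layout, the "to" range notation, and the sample configuration are assumptions constructed for illustration; only explicitly configured VLANs are compared, and device defaults are not modelled.

```python
# Added example: audit a saved SwitchA configuration against Step 1.
# Port roles and the VLAN plan come from this example; the layout of the
# saved configuration (stanzas separated by '#') is an assumption.

AP_PORTS = ("GigabitEthernet0/0/1", "GigabitEthernet0/0/3")  # connect to APs
UPLINK_PORTS = ("GigabitEthernet0/0/2",)                     # connects to SwitchB
PLANNED_VLANS = {10, 101, 102}  # management VLAN 10, service VLANs 101 and 102
AP_PVID = 10

# Constructed sample input (not captured from a device). GE0/0/3 deviates
# from the plan: it passes VLAN 200 and has no port isolation.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102 200
#
"""


def parse_vlan_list(tokens):
    """Expand a VLAN list such as ['10', '101', 'to', '102'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(config_text):
    """Return {interface name: settings} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current = None                      # stanza separator
        elif words[0] == "interface" and len(words) == 2:
            current = {"link_type": None, "pvid": None,
                       "allowed": set(), "isolated": False}
            interfaces[words[1]] = current
        elif current is None:
            continue                            # line outside any interface
        elif words[:2] == ["port", "link-type"] and len(words) == 3:
            current["link_type"] = words[2]
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            current["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            current["allowed"] |= parse_vlan_list(words[4:])
        elif words[:2] == ["port-isolate", "enable"]:
            current["isolated"] = True
    return interfaces


def audit(config_text):
    """Return (interface, finding) tuples for deviations from the Step 1 plan."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for name in AP_PORTS + UPLINK_PORTS:
        port = interfaces.get(name)
        if port is None:
            findings.append((name, "interface not found in configuration"))
            continue
        if port["link_type"] != "trunk":
            findings.append((name, "link type is not trunk"))
        extra = sorted(port["allowed"] - PLANNED_VLANS)
        if extra:
            findings.append((name, f"allows unplanned VLANs {extra}"))
        missing = sorted(PLANNED_VLANS - port["allowed"])
        if missing:
            findings.append((name, f"planned VLANs not allowed {missing}"))
        if name in AP_PORTS:
            if port["pvid"] != AP_PVID:
                findings.append((name, f"PVID is {port['pvid']}, expected {AP_PVID}"))
            if not port["isolated"]:
                findings.append((name, "port isolation is not enabled"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```
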

3.7 Spectrum Analysis Configuration Examples


3.7.1 Example for Configuring Spectrum Analysis


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. The enterprise is located in an open place, and the
WLAN is vulnerable to interference. When discovering severe interference on the
WLAN, the network administrator can detect whether non-Wi-Fi interference
exists on the WLAN through the spectrum analysis function.
For the WLAN access configuration, see Related Topics.

Networking Requirements

Figure 3-52 Networking for configuring spectrum analysis

After a spectrum server is deployed on the network, the AP reports the spectrum
scanning data and sampling data to the spectrum server through the AC. Ensure
that the AC and the spectrum server can communicate with each other.


Data Planning

Table 3-54 AC data planning


Item                 Data

AP group             ● Name: ap-group1
                     ● Referenced profiles: VAP profile wlan-net, regulatory domain
                       profile default, 2G radio profile wlan-radio2g, 5G radio profile
                       wlan-radio5g, and AP system profile wlan-spectrum

Air scan profile     ● Name: wlan-airscan
                     ● Air scan interval: 8000 ms
                     ● Air scan duration: 100 ms

2G radio profile     ● Name: wlan-radio2g
                     ● Referenced profiles: air scan profile wlan-airscan

5G radio profile     ● Name: wlan-radio5g
                     ● Referenced profiles: air scan profile wlan-airscan

AP system profile    ● Name: wlan-spectrum
                     ● IP address of the spectrum server: 10.137.43.4
                     ● Port number of the spectrum server: 27371
                     ● Port number used by the AC to receive spectrum information
                       (encapsulated in UDP packets) from APs when the AC is used to
                       send data to the spectrum server: 5001
                     ● Aging time of non-Wi-Fi devices on an AC during spectrum
                       analysis: 5 minutes

Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and
send alarms to the AC.

Configuration Notes
● If a radio works in normal mode and has air scan functions (such as WIDS,
spectrum analysis, and terminal location) enabled, the radio transmits
common WLAN services and also provides the monitoring function. A
transient increase in the WLAN service latency may occur, which does not
affect network access. However, if any latency-sensitive service (such as
videoconferencing) is running, it is recommended that a separate radio be
used for air scan.
● When spectrum analysis is used, the air scan interval range of 2s to 10s and
the air scan period of 100 ms are recommended. This helps you obtain
sufficient sampled data without compromising normal services.
● The channels to be scanned for spectrum analysis are fixed as all channels
supported by the corresponding country code of an AP and are irrelevant to
the configuration in an air scan profile.

● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure spectrum analysis.
1. Set spectrum analysis parameters.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose AP > AP System Profile. The
AP System Profile page is displayed.
# Click Create. The Create AP System Profile page is displayed. Enter the
profile name wlan-spectrum and click OK. The AP system profile
configuration page is displayed.
# On the Advanced Configuration tab, set related parameters.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.


# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio
0 > 2G Radio Profile. The 2G Radio Profile page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter
the profile name wlan-radio2g and click OK. The 2G radio profile
configuration page is displayed.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create an air scan profile and configure the scan channel set, scan interval,
and scan duration.

# Choose 2G Radio Profile > Air Scan Profile. The Air Scan Profile page is
displayed. Click Create. On the Create Air Scan Profile page that is displayed,
enter the profile name wlan-airscan and click OK. The air scan profile
configuration page is displayed.

# Enable scanning, and configure the scan channel set, scan interval, and scan
duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable spectrum analysis on a radio.

# Click Radio 0. On the Radio 0 Settings(2.4G) page that is displayed, set
the radio parameters.

# Click Apply. In the dialog box that is displayed, click OK. The 5G radio
configuration is similar and not mentioned here.

Step 2 Verify the configuration.


1. View AP spectrum on the web platform to learn AP channel interference in
deployment sites.
a. Choose Monitoring > Spectrum Analysis. The Radio List page is
displayed.
b. Select an AP and click Start.
c. In the AP radio list, click View Drawing in the Operation column. The
related spectrum charts are displayed. A maximum of four spectrum
charts can be displayed.

d. Select your desired spectrum chart from the drop-down list box in the
upper left corner. You can select Lower or Upper on the spectrum charts
of a 5G radio to view spectrum charts of different frequencies.
e. The Real-Time FFT chart shows that the signal strength of interference is
mostly within the range of -80 dBm to -40 dBm. On the Swept
Spectrogram chart, click Modify, set the signal strength scope at both
ends of the color bar, and click Apply. The Swept Spectrogram chart
shows that channel 149 has the most severe interference.

f. On the Active Devices chart, click . A list of the detected non-Wi-Fi
devices is displayed.


----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.8 WLAN Security Configuration Examples

3.8.1 Example for Configuring Rogue Device Detection and Containment

Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that
branch users can access the enterprise network from anywhere at any time.
Furthermore, users' services are not affected during roaming in the coverage area.

The branch is located in an open place, making the WLAN vulnerable to attacks.
For example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the
WLAN to establish connections with STAs to intercept enterprise information,
posing great threats to the enterprise network. To prevent such attacks, the
detection and containment function can be configured for authorized APs. In this
way, the AC can detect rogue AP area_2 (neither managed by the AC nor in the
authorized AP list), preventing STAs from associating with the rogue AP.
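
The classification rule described above, as an added Python example that is not part of the original guide and not Huawei's implementation: an AP that is neither managed by the AC nor in the authorized AP list is rogue, and only a rogue AP advertising the enterprise SSID is a containment target. The record layout, the AP name area_3, every BSSID other than the AP MAC used later in this example, and exact SSID matching are assumptions.

```python
from dataclasses import dataclass

ENTERPRISE_SSIDS = {"wlan-net"}   # SSID profile used in this example
_HEX = set("0123456789abcdef")


def norm_mac(mac: str) -> str:
    """Accept 60de-4476-e360, 60:de:44:76:e3:60 and similar; return 12 hex digits."""
    digits = mac.lower().translate(str.maketrans("", "", ":-."))
    if len(digits) != 12 or not set(digits) <= _HEX:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Sighting:
    reporter: str   # managed AP that heard the beacon (hypothetical field names)
    bssid: str
    ssid: str       # "" when the SSID is hidden
    rssi_dbm: int


def classify(sightings, managed, authorized, own_ssids=ENTERPRISE_SSIDS):
    """Return {bssid: {"ssid", "class", "contain", "reporters", "best_rssi"}}.

    class is "authorized", "rogue-spoof-ssid" or "rogue". Only the spoofing
    class is contained, matching the containment mode in the WIDS profile.
    """
    managed = {norm_mac(m) for m in managed}
    authorized = {norm_mac(m) for m in authorized}
    seen = {}
    for s in sightings:
        bssid = norm_mac(s.bssid)
        if bssid in managed:
            continue                       # our own AP heard by a neighbouring AP
        e = seen.setdefault(bssid, {"ssid": "", "reporters": set(),
                                    "best_rssi": s.rssi_dbm})
        e["reporters"].add(s.reporter)
        e["best_rssi"] = max(e["best_rssi"], s.rssi_dbm)
        e["ssid"] = e["ssid"] or s.ssid    # keep the first non-hidden SSID seen
    for bssid, e in seen.items():
        if bssid in authorized:
            e["class"], e["contain"] = "authorized", False
        elif e["ssid"] in own_ssids:       # a hidden SSID ("") never matches
            e["class"], e["contain"] = "rogue-spoof-ssid", True
        else:
            e["class"], e["contain"] = "rogue", False
    return seen


def containment_targets(report):
    """BSSIDs that the spoofing-SSID containment mode would act on."""
    return sorted(b for b, e in report.items() if e["contain"])


# Constructed sample data. Only 60de-4476-e360 (AP area_1) comes from the guide.
MANAGED = ["60de-4476-e360"]
AUTHORIZED = ["02:00:00:AA:BB:03"]          # approved AP not managed by this AC
SIGHTINGS = [
    Sighting("area_1", "02:00:00:aa:bb:01", "wlan-net", -48),    # rogue AP area_2
    Sighting("area_3", "0200-00aa-bb01", "wlan-net", -71),       # same rogue, second reporter
    Sighting("area_1", "02:00:00:aa:bb:02", "guest-cafe", -80),  # neighbouring network
    Sighting("area_1", "02:00:00:aa:bb:03", "wlan-net", -60),    # in the authorized list
    Sighting("area_3", "60:de:44:76:e3:60", "wlan-net", -55),    # managed AP, ignored
    Sighting("area_1", "02:00:00:aa:bb:04", "", -77),            # hidden SSID
]

if __name__ == "__main__":
    report = classify(SIGHTINGS, MANAGED, AUTHORIZED)
    for bssid, e in sorted(report.items()):
        print(bssid, e["class"], "contain" if e["contain"] else "observe",
              sorted(e["reporters"]), e["best_rssi"])
```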


Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-53 Networking for configuring rogue device detection and containment

Data Planning

Table 3-55 AC data planning

Item: Data

Management VLAN for APs: VLAN 100

Service VLAN for STAs: VLAN 101


DHCP server: The AC functions as a DHCP server to assign IP addresses to APs.
SwitchB functions as a DHCP server to assign IP addresses to STAs.
The default gateway address of STAs is 10.23.101.2.

IP address pool for APs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.3-10.23.101.254/24

AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, and WIDS profile wlan-wids
● Working mode of the AP radio: normal
● Rogue device detection and containment: enabled

Regulatory domain profile:
● Name: default
● Country code: China

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile
wlan-net

WIDS profile:
● Name: default
● Rogue device containment mode: containment against rogue
APs using spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.


2. Configure rogue device detection and containment so that APs can detect
wireless device information and report it to the AC. In addition, APs can
contain detected rogue devices, enabling STAs to disassociate from them.

NOTE

In this example, the authorized APs work in normal mode and have the detection function
enabled. In addition to transmitting WLAN service data, AP radios need to perform the
monitoring function. A transient increase in the WLAN service latency may occur, which does
not affect network access. However, if any latency-sensitive service (such as videoconferencing)
is running, it is recommended that a separate radio be used for air scan.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.


# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.


# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure rogue device detection and containment.
1. Configure radio 0 of AP group ap-group1 to work in normal mode, and
enable rogue device detection and containment.
# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page
is displayed.
# Configure radio 0 to work in normal mode, and enable rogue device
detection and containment.

# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device
detection and containment in the same way.
2. Configure the containment mode against rogue APs using spoofing SSIDs.

# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile
page is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.


# Click Apply. In the Info dialog box that is displayed, click OK.
Step 8 Verify the configuration.
Choose Monitoring > WIDS. In the Device Detection area, view the detection
result.
● Click a number in the detection result list. The detected device information is
displayed in Device Detection Information.
● Select a device in the detected device list and click View Discovered APs.
Information about the APs that detect the device is displayed.
● In the list of APs that detect the device, select an AP and click View Whitelist
to view the whitelist of the AP.

----End

3.8.2 Example for Configuring Attack Detection


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
To ensure network stability and security, network administrators can configure
attack detection and dynamic blacklist to prevent flood attacks and brute force
PSK cracking. Detected attack devices are added to the dynamic blacklist, and
packets from them are discarded, preventing attacks.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding


Figure 3-54 Networking for configuring attack detection

Data Planning

Table 3-56 AC data planning


Item: Data

Management VLAN for APs: VLAN 100

Service VLAN for STAs: VLAN 101

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs.
SwitchB functions as a DHCP server to assign IP addresses to STAs.
The default gateway address of STAs is 10.23.101.2.

IP address pool for APs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.3-10.23.101.254/24


AC's source interface address: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, WIDS profile wlan-wids, and AP system profile
wlan-system
● Attack detection type of the AP radio: brute force PSK cracking
attack detection for WPA2-PSK authentication and flood attack
detection

Regulatory domain profile:
● Name: default
● Country code: China

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile
wlan-net

WIDS profile:
● Name: default
● Interval for brute force PSK cracking attack detection: 70s
● Quiet time for brute force PSK cracking attack detection: 700s
● Maximum number of key negotiation failures allowed within a
brute force PSK cracking attack detection period: 25
● Flood attack detection interval: 70s
● Quiet time for flood attack detection: 700s
● Flood attack detection threshold: 350
● Dynamic blacklist: enabled

AP system profile:
● Name: wlan-system
● Aging time of a dynamic blacklist: 200s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.


2. Configure brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection so that WLAN devices can detect
attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic
blacklist and to reject packets from these devices within the aging time of the
dynamic blacklist.
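
How the detection interval, threshold, quiet time and blacklist aging time planned in Table 3-56 interact, as an added Python model that is not Huawei's implementation and not part of the guide. The sliding window, the quiet time suppressing repeat alarms only, the event names and the MAC addresses are assumptions; the event stream is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    interval_s: int    # detection interval
    quiet_s: int       # quiet time after an alarm
    threshold: int     # events tolerated within one interval


# Values from Table 3-56; the keys "psk_fail" and "flood" are hypothetical names.
POLICIES = {
    "psk_fail": Policy(interval_s=70, quiet_s=700, threshold=25),
    "flood": Policy(interval_s=70, quiet_s=700, threshold=350),
}
BLACKLIST_AGING_S = 200
NEG_INF = float("-inf")


class AttackDetector:
    """Threshold detection with quiet time and a dynamic blacklist.

    Assumptions (not taken from the guide): the interval is a sliding window,
    the quiet time suppresses repeat alarms only, and every detection starts
    a new blacklist entry with a fresh aging timer.
    """

    def __init__(self, policies=POLICIES, aging_s=BLACKLIST_AGING_S):
        self.policies = policies
        self.aging_s = aging_s
        self.window = defaultdict(deque)   # (mac, kind) -> recent timestamps
        self.quiet_until = {}              # (mac, kind) -> time alarms resume
        self.blacklist_until = {}          # mac -> time the entry ages out
        self.alarms = []                   # (t, mac, kind) reported alarms
        self.blacklisted_at = []           # (t, mac) every blacklist insertion
        self.dropped = 0                   # frames discarded due to the blacklist

    def observe(self, t, mac, kind):
        """Feed one event; return 'dropped', 'counted' or 'blacklisted'."""
        if t < self.blacklist_until.get(mac, NEG_INF):
            self.dropped += 1
            return "dropped"
        pol = self.policies[kind]
        q = self.window[(mac, kind)]
        q.append(t)
        while q[0] <= t - pol.interval_s:  # forget events older than the interval
            q.popleft()
        if len(q) <= pol.threshold:
            return "counted"
        q.clear()
        self.blacklist_until[mac] = t + self.aging_s
        self.blacklisted_at.append((t, mac))
        if t >= self.quiet_until.get((mac, kind), NEG_INF):
            self.alarms.append((t, mac, kind))
            self.quiet_until[(mac, kind)] = t + pol.quiet_s
        return "blacklisted"


# Constructed MAC addresses (locally administered range).
ATTACKER, FLOODER, USER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


def constructed_events():
    events = [(t, ATTACKER, "psk_fail") for t in range(1000)]   # one failed handshake per second
    events += [(5, FLOODER, "flood")] * 400                      # burst of 400 frames
    events += [(t, USER, "psk_fail") for t in (10, 40, 400)]     # user mistyping the key
    return sorted(events)


def run(events):
    det = AttackDetector()
    for t, mac, kind in events:
        det.observe(t, mac, kind)
    return det


if __name__ == "__main__":
    det = run(constructed_events())
    print("alarms:", det.alarms)
    print("blacklist insertions:", det.blacklisted_at)
    print("frames dropped:", det.dropped)
```

Under these assumptions the 200s aging time is shorter than the 700s quiet time, so the same device is blacklisted again at 250, 475 and 700 seconds without a new alarm. The blacklist, not the alarm list, shows that the attack is still running.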

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
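
One way to check a saved configuration against the Configuration Notes in 3.8.1 and 3.8.2, as added example code that is not part of the guide: it flags CAPWAP DTLS non-authentication left enabled, AP-facing ports without port isolation, and AP-facing ports that carry the service VLAN in tunnel forwarding mode. The configuration dumps are constructed, and their layout, the rule that a port whose PVID is the management VLAN faces an AP, and the function names are assumptions.

```python
NO_AUTH_ON = "CAPWAP DTLS non-authentication is still enabled"
NO_ISOLATION = "AP-facing port without port isolation"
SERVICE_VLAN = "AP-facing port carries the service VLAN in tunnel forwarding mode"


def parse_blocks(config_text):
    """Split a configuration dump into {top-level line: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            current = None                 # '#' separates blocks
            continue
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def vlan_set(spec):
    """Expand '100 101', '2 to 10 100' or 'all' into a set of VLAN IDs."""
    toks = spec.split()
    if toks == ["all"]:
        return set(range(1, 4095))
    out, i = set(), 0
    while i < len(toks):
        lo = int(toks[i])
        if i + 2 < len(toks) and toks[i + 1] == "to":
            out.update(range(lo, int(toks[i + 2]) + 1))
            i += 3
        else:
            out.add(lo)
            i += 1
    return out


def audit(config_text, mgmt_vlan, service_vlan, tunnel_forwarding=True):
    """Return [(location, finding)] for one device's configuration dump."""
    findings = []
    blocks = parse_blocks(config_text)
    if "capwap dtls no-auth enable" in blocks:
        findings.append(("global", NO_AUTH_ON))
    for header, cmds in blocks.items():
        if not header.startswith("interface "):
            continue
        pvid, allowed = None, set()
        for cmd in cmds:
            if cmd.startswith("port trunk pvid vlan "):
                pvid = int(cmd.split()[-1])
            elif cmd.startswith("port trunk allow-pass vlan "):
                allowed |= vlan_set(cmd[len("port trunk allow-pass vlan "):])
        if pvid != mgmt_vlan:
            continue      # assumption: only AP-facing ports use the management VLAN as PVID
        name = header.split(None, 1)[1]
        if not any(c.startswith("port-isolate enable") for c in cmds):
            findings.append((name, NO_ISOLATION))
        if tunnel_forwarding and service_vlan in allowed:
            findings.append((name, SERVICE_VLAN))
    return findings


# Constructed dumps. GE0/0/3 is a hypothetical second AP-facing port.
SWITCHA_CFG = """\
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
"""
AC_CFG = """\
#
sysname AC
#
capwap dtls no-auth enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
"""

if __name__ == "__main__":
    for device, cfg in (("SwitchA", SWITCHA_CFG), ("AC", AC_CFG)):
        for location, finding in audit(cfg, mgmt_vlan=100, service_vlan=101):
            print(f"{device} {location}: {finding}")
```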

Procedure
Step 1 Configure the network devices.


# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit


Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.


# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.


# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure the attack detection function.


1. Enable brute force PSK cracking attack detection for WPA2-PSK authentication
and flood attack detection.

# Choose Configuration > AP Config > AP Group > AP Group. The AP Group
page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.

# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page
is displayed.

# Enable brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection on radio 0.

# Click Apply. In the Info dialog box that is displayed, click OK.

# Enable brute force PSK cracking attack detection for WPA2-PSK
authentication and flood attack detection on radio 1 in the same way.
2. Set parameters for attack detection.

# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile
page is displayed.

# Click Advanced Configuration and set parameters for brute force PSK
cracking attack detection for WPA2-PSK authentication and for flood attack
detection. Enable the dynamic blacklist function.


# Click Apply. In the Info dialog box that is displayed, click OK.
3. Create AP system profile wlan-system, and set the aging time of the dynamic
blacklist.

# Choose AP > AP System Profile. The AP System Profile List page is
displayed.

# Click Create. The Create AP System Profile page is displayed.

# Enter the name of the new AP system profile wlan-system in Profile
name, and click OK. The parameter setting page of the new AP system profile
is displayed. Click Advanced Configuration.

# Set the aging time of the dynamic blacklist to 200 seconds.

# Click Apply. In the Info dialog box that is displayed, click OK.

# Click Apply. In the Info dialog box that is displayed, click OK.
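
How brute force PSK cracking detection feeds the dynamic blacklist, as an added Python model that is not Huawei's implementation and not part of the original guide. The 200-second aging time comes from the step above; the detection period, the failure threshold, the MAC addresses and the events are constructed assumptions.

```python
from collections import defaultdict, deque

AGING_TIME_S = 200      # dynamic blacklist aging time configured in this example
DETECT_WINDOW_S = 60    # assumption: detection period, not given on the page
FAIL_THRESHOLD = 20     # assumption: failed key negotiations tolerated per period


class PskBruteForceDetector:
    """Sliding-window count of failed WPA2-PSK key negotiations per STA."""

    def __init__(self, window=DETECT_WINDOW_S, threshold=FAIL_THRESHOLD,
                 aging=AGING_TIME_S):
        self.window = window
        self.threshold = threshold
        self.aging = aging
        self.failures = defaultdict(deque)  # STA MAC -> failure timestamps
        self.blacklist = {}                 # STA MAC -> time the entry ages out

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                   # aging time elapsed: entry removed
            del self.blacklist[mac]
            return False
        return True

    def on_attempt(self, mac, now, success):
        """Classify one key negotiation: dropped, ok, failed or blacklisted."""
        if self.is_blacklisted(mac, now):
            return "dropped"                # frames from a blacklisted STA are discarded
        if success:
            return "ok"
        window = self.failures[mac]
        window.append(now)
        while window and window[0] <= now - self.window:
            window.popleft()                # forget failures older than the period
        if len(window) > self.threshold:
            self.blacklist[mac] = now + self.aging
            window.clear()
            return "blacklisted"
        return "failed"


def replay(events, detector=None):
    """Run (time_s, mac, success) events through a detector, in order."""
    detector = detector or PskBruteForceDetector()
    return [(t, mac, detector.on_attempt(mac, t, ok)) for t, mac, ok in events]


# Constructed sample events (not captured from a device).
GUESSER = "00aa-bbcc-0001"
GUEST = "00aa-bbcc-0002"
SAMPLE_EVENTS = [(t, GUESSER, False) for t in range(25)]   # 25 failures in 25 s
SAMPLE_EVENTS += [(30, GUEST, False), (31, GUEST, True)]   # one typo, then success
SAMPLE_EVENTS += [(40, GUESSER, False),                    # still blacklisted
                  (221, GUESSER, False)]                   # entry aged out at 220 s

if __name__ == "__main__":
    for t, mac, verdict in replay(SAMPLE_EVENTS):
        print(f"{t:>4}s {mac} {verdict}")
```

A short aging time means a blacklisted STA is evaluated again soon after the entry expires, so the aging time and the threshold should be tuned together.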

Step 8 Verify the configuration.

Choose Monitoring > WIDS and view attack detection result in the Attack
Detection area.

● Click a number in the attack detection result list to view details.


● Click View Dynamic Blacklist. The View Dynamic Blacklist page is
displayed.

----End

3.8.3 Example for Configuring a WPA/WPA2-PPSK Security Policy

Service Requirements
A hotel provides wireless Internet access services for guests and uses WPA/WPA2-
PSK (personal edition) as the security policy. However, this policy has low security.
All guests in the hotel use the same password for Internet access, which is
insecure. Attackers may access the network using this password without
authorization. To improve network security, the hotel can configure PPSK
authentication, so that different passwords are assigned to guests, and the
passwords are easy to manage and maintain.

Networking Requirements
PPSK authentication has no specific requirements on the networking. After setting
the security policy of an SSID to PPSK on the AC, the network administrator needs
to configure a lobby administrator account for hotel receptionists. The hotel
receptionists can use this account to log in to the AC's web platform to assign
passwords to guests for accessing the Internet.

Data Planning

Table 3-57 Data planning


Item                            Data

Network administrator account   ● User name: admin123
                                ● Password: YsHsjx_202206

Lobby administrator account     ● User name: lobby123
                                ● Password: YsHsjx_202206

AP group                        ● Name: default
                                ● Referenced profile: VAP profile webCreate_0

SSID profile                    ● Name: webCreate_0
                                ● SSID name: wlan-net

Security profile                ● Name: webCreate_0
                                ● Security policy: WPA-WPA2+PPSK+TKIP-AES

VAP profile                     ● Name: webCreate_0
                                ● Referenced profiles: SSID profile webCreate_0 and
                                  security profile webCreate_0

PPSK user                       Method 1: automatically generating a group of passwords
                                ● User name: automatically generated (For example, user
                                  names prefixed with room2 are automatically generated
                                  for guests on the second floor, such as room20001 and
                                  room20002.)
                                ● Password: randomly generated
                                Method 2: manual configuration
                                ● User name: vip
                                ● Password: YsHsjx_202206

Configuration Roadmap
1. The network administrator configures the AC, APs, and other network devices
based on the wireless network plan to ensure network connectivity.
2. The network administrator logs in to the AC's web platform and configures
WLAN services using the configuration wizard. PPSK authentication cannot be
configured using the configuration wizard. The network administrator can
configure key authentication and then change the security policy to PPSK.
3. The network administrator creates a lobby administrator account for hotel
receptionists.
4. A hotel receptionist logs in to the AC's web platform to configure and
manage guest passwords for accessing the Internet.
For details about network interworking and WLAN service deployment, see
the WLAN basic networking configuration examples. This example focuses on
the PPSK authentication configuration.

Configuration Notes
● PPSK users are counted as local users managed by the AC. Configure a proper
number of PPSK users based on the actual user specifications of the AC
model, and delete expired and unused user accounts periodically.
● After a receptionist assigns passwords to guests, a user password list is
automatically generated. The receptionist should save this list properly. If this
list is not saved, the passwords will be displayed in ciphertext when this list is
manually exported later.


Procedure
Step 1 Set the security policy to PPSK as the network administrator.
# Choose Configuration > AP Config > AP Group. Click the AP group name. The
AP group configuration page is displayed.

Figure 3-55 AP group

# Expand the profile tree of the AP group and find Security Profile. Set
Authentication policy to PPSK and click Apply.

Figure 3-56 Security profile

Step 2 Create a lobby administrator account for hotel receptionists as the network
administrator.
# Choose Maintenance > Administrator. The administrator configuration page is
displayed.
# Click Create. Create a lobby administrator account and click OK.


Figure 3-57 Creating a lobby administrator account

Step 3 Assign passwords to guests as a receptionist.

# Use the lobby administrator account to log in to the AC's web platform and click
PPSK Management.

Figure 3-58 PPSK management

# Create users and randomly generate a group of user passwords. In this example,
user names and passwords are generated by room. Alternatively, different
passwords can be generated for each guest or STA.

Figure 3-59 Randomly generating PPSK users

# Click Confirm and Export. A QR code is generated for user login. The
receptionist needs to print the QR code information (including the QR code, user
name, SSID, and expiration time) and provide the information for guests in each
room to access the Internet.

# Check the passwords randomly generated for each user in the automatically
exported table, and keep the passwords secure.


Figure 3-60 PPSK user list and automatically exported PPSK table

# Create a single user, and set the user name and password.

Figure 3-61 Creating a PPSK user

Step 4 Verify the configuration.

# When a guest checks in, a receptionist searches for the QR code information
based on the room number and provides the information to the guest. The guest
then can scan the QR code to access the Internet.

# The user is displayed in online state in the user list on the AC's web platform.


Figure 3-62 User list

----End

3.8.4 Example for Configuring a WPA3-SAE Security Policy


Service Requirements
Because the WLAN is open to users, there are potential security risks to service
data if no security policy is configured for the WLAN. Users do not require high
WLAN security, so no authentication server is required. A WPA/WPA2-PSK or
WPA3-SAE security policy can be configured. WLAN terminals in use on the
network are of new models that support WPA3. Therefore, more secure WPA3-SAE
authentication is used to ensure service data security.

Networking Requirements
WPA3-SAE authentication has no special requirements for networking. Before
configuring this security policy, ensure that the network is connected and APs can
go online.


Data Planning

Table 3-58 Data planning


Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profile: VAP profile wlan-vap

SSID profile        ● Name: wlan-ssid
                    ● SSID name: wlan-net

Security profile    ● Name: wlan-security
                    ● Security policy: WPA3-SAE
                    ● Password: YsHsjx_202206

VAP profile         ● Name: wlan-vap
                    ● Forwarding mode: tunnel forwarding
                    ● Service VLAN: VLAN 101
                    ● Referenced profiles: SSID profile wlan-ssid and security
                      profile wlan-security

Configuration Roadmap
1. Configure basic WLAN services using the WLAN configuration wizard so that
STAs can access the WLAN. For details about how to configure basic WLAN
services, see WLAN Basic Networking Configuration Examples.
2. Configure WPA3-SAE authentication in a security profile.

Procedure
Step 1 Set the security policy to WPA3-SAE.
# Choose Configuration > AP Config > AP Group. Click the AP group name. The
AP group configuration page is displayed.
# Expand the profile tree of the AP group and find Security Profile. Set Security
policy to WPA3, Authentication policy to SAE, and Key to YsHsjx_202206, and
click Apply.


Figure 3-63 Security profile

----End

3.8.5 Example for Configuring the OWE Transition Mode

Service Requirements
Because the WLAN is open to users, there are potential security risks to service
data if no security policy is configured for the WLAN. If STAs support OWE
authentication, you can configure an OWE security policy to ensure network
openness as well as data transmission security. The OWE transition mode provides
backward compatibility with STAs that do not support OWE authentication. That
is, these STAs access the network in open-system authentication mode, while
OWE-capable STAs access the network in OWE authentication mode.

Networking Requirements
The OWE transition mode has no special requirements for networking. Before
configuring this security policy, ensure that the network is connected and APs can
go online.

Data Planning

Table 3-59 Data planning

Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profiles: VAP profiles wlan-vap-open and
                      wlan-vap-owe

SSID profile        ● Name: wlan-ssid
                    ● SSID name: wlan-net

Security profile    ● Name: wlan-security-open
                    ● Security policy: Open system authentication

                    ● Name: wlan-security-owe
                    ● Security policy: Authentication in OWE transition mode

VAP profile         ● Name: wlan-vap-open
                    ● Forwarding mode: tunnel forwarding
                    ● Service VLAN: VLAN 101
                    ● Referenced profiles: SSID profile wlan-ssid and security
                      profile wlan-security-open

                    ● Name: wlan-vap-owe
                    ● Forwarding mode: tunnel forwarding
                    ● Service VLAN: VLAN 101
                    ● Referenced profiles: SSID profile wlan-ssid and security
                      profile wlan-security-owe

Configuration Roadmap
1. Configure basic WLAN services using the WLAN configuration wizard so that
STAs can access the WLAN. For details about how to configure basic WLAN
services, see WLAN Basic Networking Configuration Examples.
2. Configure open system authentication in the VAP profile wlan-vap-open and
security profile wlan-security-open so that STAs that do not support OWE
authentication can access the network in open system authentication mode.
3. Configure OWE transition authentication in the VAP profile wlan-vap-owe
and security profile wlan-security-owe so that OWE-capable STAs can access
the network in OWE authentication mode.

NOTE

In OWE transition mode, you need to configure two VAP profiles on the same radio and set
their authentication modes to OWE and open-system, respectively. The transition SSID must
be the same as the SSID in the VAP profile using the open-system authentication mode. If
no other VAP profile uses the open-system authentication mode and has the same SSID as
the VAP profile using the OWE authentication mode on the same radio, the OWE transition
mode does not take effect. In this case, the device uses OWE authentication.
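
The pairing rule in the NOTE above, written as an added Python check that is not part of the original guide or Huawei's code. The profile names and SSID come from Table 3-59; the radio numbers and the three misconfigured variants are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vap:
    name: str
    radio: int                  # assumption: radio the VAP profile is bound to
    ssid: str
    security: str               # "open" or "owe"
    transition_ssid: Optional[str] = None


def owe_transition_status(owe_vap, vaps):
    """Return (mode, reason) for an OWE VAP according to the NOTE's rule."""
    if owe_vap.security != "owe":
        raise ValueError(f"{owe_vap.name} is not an OWE VAP")
    peers = [v for v in vaps
             if v.security == "open" and v.radio == owe_vap.radio]
    if not peers:
        return ("owe-only", "no open-system VAP on the same radio")
    same_ssid = [v for v in peers if v.ssid == owe_vap.ssid]
    if not same_ssid:
        return ("owe-only", "open-system VAP on this radio has a different SSID")
    if owe_vap.transition_ssid != owe_vap.ssid:
        return ("owe-only",
                "transition SSID differs from the open-system VAP's SSID")
    return ("owe-transition", f"paired with {same_ssid[0].name}")


def audit(vaps):
    """Evaluate every OWE VAP in a planned set of VAP profiles."""
    return {v.name: owe_transition_status(v, vaps)
            for v in vaps if v.security == "owe"}


# Data plan from Table 3-59 (both VAPs assumed to be on radio 0).
PLAN = [
    Vap("wlan-vap-open", 0, "wlan-net", "open"),
    Vap("wlan-vap-owe", 0, "wlan-net", "owe", transition_ssid="wlan-net"),
]

# Constructed misconfigurations.
OPEN_ON_OTHER_RADIO = [
    Vap("wlan-vap-open", 1, "wlan-net", "open"),
    Vap("wlan-vap-owe", 0, "wlan-net", "owe", transition_ssid="wlan-net"),
]
SSID_MISMATCH = [
    Vap("wlan-vap-open", 0, "wlan-guest", "open"),
    Vap("wlan-vap-owe", 0, "wlan-net", "owe", transition_ssid="wlan-net"),
]
TRANSITION_TYPO = [
    Vap("wlan-vap-open", 0, "wlan-net", "open"),
    Vap("wlan-vap-owe", 0, "wlan-net", "owe", transition_ssid="wlan-nte"),
]

if __name__ == "__main__":
    for label, vaps in [("plan", PLAN), ("other radio", OPEN_ON_OTHER_RADIO),
                        ("ssid mismatch", SSID_MISMATCH),
                        ("typo", TRANSITION_TYPO)]:
        print(label, audit(vaps))
```

An "owe-only" result means STAs that do not support OWE cannot use the OWE VAP, which is the fallback behaviour the NOTE describes.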

Procedure
Step 1 Configure open-system authentication.

# Choose Configuration > AP Config > AP Group. Click the AP group name. The
AP group configuration page is displayed.


# Expand the profile tree of the AP group, choose VAP Profile > wlan-vap-open,
and choose Security Profile > wlan-security-open. On the security profile page
that is displayed, set Security policy to OPEN and click Apply.

Figure 3-64 Configuring open-system authentication

Step 2 Configure the OWE transition mode.

# Expand the profile tree of the AP group, choose VAP Profile > wlan-vap-owe,
and choose Security Profile > wlan-security-owe. On the security profile page
that is displayed, set Security policy to OWE, set Transition SSID to wlan-net,
and click Apply.

Figure 3-65 Configuring the OWE transition mode

----End

3.8.6 Example for Configuring the STA Blacklist and Whitelist

Service Requirements
An enterprise needs to provide WLAN services for management personnel so that
they can connect to the enterprise network from anywhere at any time.
Furthermore, users' services are not affected during roaming in the coverage area.


Due to a small number of management personnel in the enterprise, MAC
addresses of their STAs can be added to a STA whitelist. In this manner, STAs of
other employees cannot connect to the WLAN.
In addition, network administrators have detected unauthorized access of some
STAs and need to deny access of them. The administrators can add MAC addresses
of these STAs to the blacklist, while other authorized STAs can still connect to the
WLAN.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-66 Networking for configuring the STA blacklist and whitelist

Data Planning

Table 3-60 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses
                                to APs.
                                SwitchB functions as a DHCP server to assign IP addresses
                                to STAs. The default gateway address of STAs is
                                10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        ● Name: ap-group1
                                ● Referenced profiles: VAP profile wlan-net, regulatory
                                  domain profile default, and AP system profile
                                  wlan-system

Regulatory domain profile       ● Name: default
                                ● Country code: China

SSID profile                    ● Name: wlan-net
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-net
                                ● Security policy: WPA-WPA2+PSK+AES
                                ● Password: YsHsjx_202206

VAP profile                     ● Name: wlan-net
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-net, security
                                  profile wlan-net, and STA whitelist profile
                                  sta-whitelist

STA whitelist profile           ● Name: sta-whitelist
                                ● STAs added to the STA whitelist: STA1 (0011-2233-4455)
                                  and STA2 (0011-2233-4466)

STA blacklist profile           ● Name: sta-blacklist
                                ● STAs added to the STA blacklist: STA3 (0011-2233-4477)
                                  and STA4 (0011-2233-4488)

AP system profile               ● Name: wlan-system
                                ● Referenced profile: STA blacklist profile sta-blacklist


Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's
wireless terminals to the whitelist. To prevent configuration impacts on other
VAPs, configure the STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the
blacklist to prevent the STAs from associating with the AP, ensuring WLAN
network security.

NOTE

The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is,
the STA whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP
system profile.
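
How the VAP-level whitelist and the AP-level blacklist in this data plan combine, as an added Python model that is not part of the original guide or Huawei's code. The MAC addresses and profile names are from Table 3-60; the evaluation order (AP system profile first, then VAP profile), the second VAP "other-vap" and STA 0011-2233-4499 are assumptions made for illustration.

```python
import re


def norm_mac(mac):
    """Normalize 00:11:22:33:44:55, 00-11-..., 0011.2233.4455 to xxxx-xxxx-xxxx."""
    if re.search(r"[^0-9A-Fa-f:.\-]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


class ListBinding:
    """STA list bound to one VAP profile or one AP system profile."""

    def __init__(self, scope, whitelist=None, blacklist=None):
        # The NOTE above: both lists cannot be configured in the same profile.
        if whitelist is not None and blacklist is not None:
            raise ValueError(
                f"{scope}: STA whitelist and blacklist cannot both be configured")
        self.scope = scope
        self.whitelist = (None if whitelist is None
                          else {norm_mac(m) for m in whitelist})
        self.blacklist = (None if blacklist is None
                          else {norm_mac(m) for m in blacklist})

    def check(self, mac):
        """Return a denial reason, or None if this profile permits the STA."""
        if self.whitelist is not None and mac not in self.whitelist:
            return f"not in {self.scope} whitelist"
        if self.blacklist is not None and mac in self.blacklist:
            return f"in {self.scope} blacklist"
        return None


def admit(mac, ap_binding, vap_binding):
    """Assumed order: the AP-level list is checked before the VAP-level list."""
    mac = norm_mac(mac)
    for binding in (ap_binding, vap_binding):
        reason = binding.check(mac)
        if reason:
            return (False, reason)
    return (True, "permitted")


# Data plan from Table 3-60.
AP_SYSTEM = ListBinding("AP system profile wlan-system",
                        blacklist=["0011-2233-4477", "0011-2233-4488"])
VAP_WLAN_NET = ListBinding("VAP profile wlan-net",
                           whitelist=["0011-2233-4455", "0011-2233-4466"])
# Hypothetical second VAP on the same AP with no STA list configured.
VAP_OTHER = ListBinding("VAP profile other-vap")

if __name__ == "__main__":
    for mac in ["00:11:22:33:44:55", "0011-2233-4477", "0011.2233.4499"]:
        print(mac, "wlan-net ->", admit(mac, AP_SYSTEM, VAP_WLAN_NET))
        print(mac, "other-vap ->", admit(mac, AP_SYSTEM, VAP_OTHER))
```

On wlan-net the whitelist alone already excludes STA3 and STA4; the AP-level blacklist is what keeps them off any other VAP served by the same APs.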

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and
GE0/0/2 and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
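
A check of the AP-facing switch port against the Configuration Notes (port isolation, management VLAN as default VLAN, no service VLAN toward APs in tunnel forwarding), as an added Python example that is not part of the original guide. It parses a command transcript in the prompt style shown above; treating GigabitEthernet0/0/1 on SwitchA as the AP-facing port is an assumption, and the second transcript is a constructed misconfiguration.

```python
import re

# "[Device-View] command": device names are assumed to contain no hyphen.
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")


def parse_transcript(text):
    """Map (device, interface view) -> list of commands typed in that view."""
    views = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group("view"):
            key = (m.group("dev"), m.group("view"))
            views.setdefault(key, []).append(m.group("cmd"))
    return views


def vlan_set(cmd):
    """Expand '... vlan 100 101' and '... vlan 100 to 110' into a set of IDs."""
    toks = cmd.split()
    toks = toks[toks.index("vlan") + 1:]
    vlans, i = set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            vlans.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(toks[i]))
            i += 1
    return vlans


def audit_ap_port(views, device, interface, mgmt_vlan, service_vlan):
    """Return findings for one AP-facing trunk port (tunnel forwarding mode)."""
    findings = []
    if mgmt_vlan == service_vlan:
        findings.append("management VLAN and service VLAN are the same")
    cmds = views.get((device, interface))
    if cmds is None:
        return findings + [f"{interface}: no configuration found"]
    if "port-isolate enable" not in cmds:
        findings.append(f"{interface}: port isolation not enabled")
    if f"port trunk pvid vlan {mgmt_vlan}" not in cmds:
        findings.append(
            f"{interface}: default VLAN is not management VLAN {mgmt_vlan}")
    allowed = set()
    for cmd in cmds:
        if cmd.startswith("port trunk allow-pass vlan"):
            allowed |= vlan_set(cmd)
    if mgmt_vlan not in allowed:
        findings.append(f"{interface}: management VLAN {mgmt_vlan} not allowed")
    if service_vlan in allowed:
        findings.append(
            f"{interface}: service VLAN {service_vlan} allowed toward APs")
    return findings


# SwitchA commands as given in Step 1.
SWITCHA = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""

# Constructed misconfiguration for comparison.
SWITCHA_BAD = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] quit
"""


def check(text):
    return audit_ap_port(parse_transcript(text), "SwitchA",
                         "GigabitEthernet0/0/1", mgmt_vlan=100, service_vlan=101)


if __name__ == "__main__":
    print("page config:", check(SWITCHA))
    print("bad config: ", check(SWITCHA_BAD))
```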

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway
for the STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.


# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.
# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio
Management are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.

# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure a STA whitelist for VAPs.
1. Configure STA whitelist profile sta-whitelist and add MAC addresses of STA1
and STA2 to the whitelist.
# Choose Configuration > AP Config > AP Group. The AP Group page is
displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Choose VAP Configuration > wlan-net > STA Blacklist And Whitelist
Profile. On the STA Blacklist And Whitelist Profile page, select Whitelist.
# Click Create. The Create STA Whitelist Profile page is displayed.
# Enter the name of the new STA whitelist profile sta-whitelist in Profile
name, and click OK. The parameter setting page of the new STA whitelist
profile is displayed.
# Click Add. The Add Address page is displayed.
# Add MAC addresses of STA1 and STA2 to the whitelist.

# Click OK.
Step 8 Configure a global STA blacklist.
1. Create AP system profile wlan-system.

# Click in front of AP. Under it, click AP System Profile. The AP System
Profile page is displayed.
# Click Create. On the Create AP System Profile page that is displayed, enter
the profile name wlan-system and click OK. The AP System Profile
configuration page is displayed.
# Click Apply. In the Info dialog box that is displayed, click OK.
2. Configure STA blacklist profile sta-blacklist and add MAC addresses of STA3
and STA4 to the blacklist.

# Click in front of AP System Profile. Under it, click STA Blacklist Profile.
On the STA Blacklist Profile page, select Blacklist.
# Click Create. The Create STA Blacklist Profile page is displayed.

# Enter the name of the new STA blacklist profile sta-blacklist in Profile
name, and click OK. The parameter setting page of the new STA blacklist
profile is displayed.
# Click Add. The Add MAC Address page is displayed.
# Add MAC addresses of STA3 and STA4 to the blacklist.

# Click OK.
Step 9 Verify the configuration.
The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the
WLAN.

----End

3.8.7 Example for Configuring an AP to Protect STAs From Obtaining Bogus IP Addresses

Service Requirements
An enterprise deploys a WLAN area to provide WLAN services for users. To improve
WLAN security, the enterprise requires that STAs neither obtain incorrect IP
addresses nor fail to communicate, even if a bogus DHCP server is deployed on the
user side.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-67 Networking for configuring an AP to protect STAs from obtaining bogus IP addresses

Data planning

Table 3-61 AC data planning


Item                        Data

Management VLAN for APs     VLAN 100

Service VLAN for STAs       VLAN 101

DHCP server                 The AC functions as a DHCP server to assign IP
                            addresses to STAs and APs.

IP address pool for APs     10.23.100.2-10.23.100.254/24

IP address pool for STAs    10.23.101.2-10.23.101.254/24

AC's source interface       VLANIF 100

AP group                    ● Name: ap-group1
                            ● Country code: CHINA
                            ● Referenced profile: VAP profile wlan-net and AP
                              system profile wlan-net

SSID profile                ● Name: wlan-net
                            ● SSID name: wlan-net

Security profile            ● Name: wlan-net
                            ● Security policy: WPA-WPA2+PSK+AES
                            ● Password: YsHsjx_202206

VAP profile                 ● Name: wlan-net
                            ● Forwarding mode: tunnel forwarding
                            ● Service VLAN: VLAN 101
                            ● Strict IP learning: IPv4
                            ● Dynamic blacklist of strict IP learning: ON
                            ● Referenced profile: SSID profile wlan-net and
                              security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WLAN services.
2. Configure an AP to protect STAs from obtaining bogus IP addresses to
improve network security.

Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on the switch to VLAN 100 (default VLAN of
GE0/0/1).
Step 2 Configure system parameters for the AC.
1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. The IP address
10.23.101.2 cannot be assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 In a VAP profile, configure an AP to protect STAs from obtaining bogus IP
addresses.

# Choose Configuration > AP Config > Profile.

# Choose Wireless Service > VAP Profile in Profile Management. The VAP
Profile List page is displayed.

# Click the VAP profile wlan-net. The VAP profile configuration page is displayed.
Click Advanced Configuration. On IP Services, set IP learning to IPv4, Strict IP
learning to ON, and Dynamic blacklist of static IPv4 addresses to ON.

# Click Apply.
Step 6 Verify the configuration.
If a bogus DHCP server is deployed on the user side, APs discard the DHCP OFFER,
ACK, and NAK packets sent by the bogus server and report the IP address of the
bogus DHCP server to the AC.
----End
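
The discard-and-report behaviour verified in Step 6, modelled as an added Python example (not code from this guide and not Huawei's implementation). It assumes that a DHCP server message (OFFER, ACK, or NAK) arriving from the STA side is bogus because the legitimate server, the AC at 10.23.101.1, sits on the network side; the ingress labels "sta" and "uplink", the address 192.168.1.1, and all packets are constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_TYPES = {2, 5, 6}      # OFFER, ACK, NAK: only a DHCP server sends these


def build_dhcp(msg_type, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCP payload (constructed sample data, not a capture)."""
    op = 2 if msg_type in SERVER_TYPES else 1          # BOOTREPLY or BOOTREQUEST
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
        bytes.fromhex("020000000001"), b"", b"")       # constructed STA MAC
    options = bytes([53, 1, msg_type])                 # option 53: message type
    if server_id:                                      # option 54: server identifier
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC + options + b"\xff"


def parse_dhcp(payload):
    """Return op, yiaddr, message type and server ID, or None if not valid DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    info = {"op": payload[0],
            "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                                # end option
            break
        if code == 0:                                  # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                                # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                # truncated option value
        if code == 53 and length == 1:
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:
            info["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info


def filter_frames(frames):
    """Apply the AP-side rule to (ingress, src_ip, payload) tuples.

    Returns (forwarded, reported): forwarded lists (ingress, message name) for
    packets that pass; reported lists each bogus server IP once, for the AC.
    """
    forwarded, reported = [], []
    for ingress, src_ip, payload in frames:
        msg = parse_dhcp(payload)
        if msg is None:
            forwarded.append((ingress, "non-DHCP"))
            continue
        # A reply with op=2 but no option 53 is a plain BOOTP server reply.
        from_server = msg["msg_type"] in SERVER_TYPES or (
            msg["msg_type"] is None and msg["op"] == 2)
        if ingress == "sta" and from_server:
            bogus = msg["server_id"] or src_ip
            if bogus not in reported:
                reported.append(bogus)
            continue                                   # discard the packet
        forwarded.append((ingress, NAMES.get(msg["msg_type"], "OTHER")))
    return forwarded, reported


# Constructed traffic: the AC (10.23.101.1) answers from the uplink, while a
# bogus server (192.168.1.1) answers from the STA side.
SAMPLE_FRAMES = [
    ("sta", "0.0.0.0", build_dhcp(1)),
    ("uplink", "10.23.101.1", build_dhcp(2, "10.23.101.50", "10.23.101.1")),
    ("sta", "192.168.1.1", build_dhcp(2, "192.168.1.100", "192.168.1.1")),
    ("sta", "0.0.0.0", build_dhcp(3, server_id="10.23.101.1")),
    ("uplink", "10.23.101.1", build_dhcp(5, "10.23.101.50", "10.23.101.1")),
    ("sta", "192.168.1.1", build_dhcp(6, server_id="192.168.1.1")),
    ("sta", "10.23.101.50", b"\x00" * 20),             # too short to be DHCP
]

if __name__ == "__main__":
    forwarded, reported = filter_frames(SAMPLE_FRAMES)
    print("forwarded:", forwarded)
    print("reported to AC:", reported)
```

The STA's own REQUEST carries option 54 as well, so the rule keys on the message type rather than on the presence of a server identifier.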

3.9 WLAN QoS Configuration Examples

3.9.1 Example for Configuring WMM and Priority Mapping


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
After accessing the network, users have a poor experience with voice and video
services. The administrator wants to preferentially ensure forwarding of voice and
video service traffic to improve user experience.

For the WLAN access configuration, see Related Topics.

Figure 3-68 Networking for configuring WMM and priority mapping

Data Planning

Table 3-62 AC data planning


Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profiles: VAP profile wlan-net, regulatory domain
                      profile default, 2G radio profile wlan-radio2g, and 5G radio
                      profile wlan-radio5g

VAP profile         ● Name: wlan-net
                    ● Referenced profiles: traffic profile wlan-traffic

2G radio profile    ● Name: wlan-radio2g
                    ● WMM: Enable

5G radio profile    ● Name: wlan-radio5g
                    ● WMM: Enable

Traffic profile     ● Name: wlan-traffic
                    ● Downstream mapping on the air interface: DSCP
                    ● Upstream tunnel mapping on the air interface: 802.11e
                    ● Priority mapping: specified to provide higher priorities for
                      voice and video services

Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially
allocated to voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video
services so that network bandwidth is preferentially allocated to these
services.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the WMM function.

1. In the radio profile, enable the WMM function.


NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio
profile is similar.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of Radio
Management. Under it, click in front of Radio 0. Click 2G Radio Profile.
The 2G Radio Profile page is displayed.
# On the Advanced Configuration tab, enable the WMM function. Click
Apply. In the dialog box that is displayed, click OK.

2. Enable the dynamic EDCA function in the RRM profile. This function can
detect the number of users to flexibly adjust parameters for physical channel
contention, reducing the collision probability, greatly increasing the overall
throughput, and improving user experiences.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio
0 > 2G Radio Profile. Click in front of 2G Radio Profile. Profiles in the 2G
radio profile are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new
RRM profile configuration page is displayed.
# On the Advanced Configuration tab page of the RRM profile, enable
dynamic EDCA.

# Click Apply. In the dialog box that is displayed, click OK.


# In the AP group list, click ap-group1. Choose Radio Management > Radio
1 > 5G Radio Profile. Click in front of 5G Radio Profile. Profiles in the 5G
radio profile are displayed.

# Click RRM Profile. The RRM Profile page is displayed.

# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that
is displayed, click OK.

Step 2 Configure priority mapping.

This example requires that voice and video packets have the highest priority so
that these packets are preferentially transmitted. By default, the uplink and
downlink mapping modes on the air interface are 802.11e and DSCP, respectively.
The uplink and downlink priority mapping on the air interface can ensure that
voice and video packets have the highest tunnel DSCP priority. Therefore, you do
not need to modify default priority mapping.

To change the default priority mapping, for example, to give video packets a
higher priority than voice packets, you can refer to this step.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.
Under it, click in front of wlan-net. Click Traffic Profile. The Traffic Profile
page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.

# On the Advanced Configuration tab, configure priority mapping and set the
mapped priority of video packets higher than that of the voice packets.

NOTE

By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set
to 4 or 5.
In the following figure, the DSCP priorities of video packets are 48 and 56, and those of the
voice packets are 32 and 40. Based on the settings, video packets will be preferentially
transmitted.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 3 Verify the configuration.


1. Normal voice and video communication improves user experience in voice and
video services.
----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.9.2 Example for Configuring Traffic Policing


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
To prevent STAs from maliciously occupying network resources and reduce
network congestion, the administrator requires that the uplink rate limit of each
STA be 2 Mbit/s and the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.
For the WLAN access configuration, see Related Topics.

Figure 3-69 Networking for configuring traffic policing

Data Planning

Table 3-63 AC data planning

Item               Data

AP group           ● Name: ap-group1
                   ● Referenced profiles: VAP profile wlan-net

VAP profile        ● Name: wlan-net
                   ● Referenced profiles: traffic profile wlan-traffic

Traffic profile    ● Name: wlan-traffic
                   ● Uplink rate limit of a single STA: 2 Mbit/s
                   ● Uplink rate limit of all STAs on a VAP: 30 Mbit/s

Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a
traffic profile to achieve traffic policing.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure traffic policing.

Create traffic profile wlan-traffic. Set the uplink rate limit of a single STA to 2
Mbit/s and the total uplink rate limit of all STAs on the VAP to 30 Mbit/s.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.
Under it, click in front of wlan-net. Click Traffic Profile. The Traffic Profile
page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the traffic profile name wlan-traffic in Profile name and click OK. The
parameter setting page of the new traffic profile is displayed.

# On the Advanced Configuration tab, set the uplink rate limit to 2 Mbit/s for
STAs and to 30 Mbit/s for VAPs.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 2 Verify the configuration.


1. STAs efficiently utilize network resources, reducing network congestion.

----End
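
How the two limits configured in this example interact, as an added Python model (not code from this guide and not Huawei's implementation): a packet passes only if both the per-STA bucket (2 Mbit/s) and the per-VAP bucket (30 Mbit/s) hold enough tokens. The burst sizes, the 1500-byte packet size, and the rotating arrival order are assumptions; the guide specifies only the two rates.

```python
class TokenBucket:
    """Integer token bucket. 1 Mbit/s equals 1 bit per microsecond."""

    def __init__(self, rate_mbps, burst_bits):
        self.rate = rate_mbps        # bits added per microsecond
        self.burst = burst_bits      # bucket depth (assumed value)
        self.tokens = burst_bits     # start full
        self.last_us = 0

    def refill(self, now_us):
        gained = (now_us - self.last_us) * self.rate
        self.tokens = min(self.burst, self.tokens + gained)
        self.last_us = now_us


class VapPolicer:
    """Two-level uplink policer: one bucket per STA plus one shared VAP bucket."""

    def __init__(self, sta_limit_mbps=2, vap_limit_mbps=30, pkt_bits=12000):
        self.sta_limit = sta_limit_mbps
        self.pkt_bits = pkt_bits
        self.vap = TokenBucket(vap_limit_mbps, 10 * pkt_bits)   # assumed burst
        self.stas = {}

    def allow(self, sta, bits, now_us):
        if sta not in self.stas:
            self.stas[sta] = TokenBucket(self.sta_limit, 2 * self.pkt_bits)
        bucket = self.stas[sta]
        bucket.refill(now_us)
        self.vap.refill(now_us)
        if bucket.tokens < bits or self.vap.tokens < bits:
            return False             # over either limit: drop, consume nothing
        bucket.tokens -= bits
        self.vap.tokens -= bits
        return True


def simulate(n_stas, offered_mbps, seconds, pkt_bits=12000):
    """Each STA offers offered_mbps of uplink traffic in pkt_bits packets.

    Returns the policed uplink rate of every STA in Mbit/s.
    """
    policer = VapPolicer(pkt_bits=pkt_bits)
    interval_us = pkt_bits // offered_mbps      # gap between a STA's packets
    passed = [0] * n_stas
    for tick, now_us in enumerate(range(0, seconds * 1_000_000, interval_us)):
        for j in range(n_stas):
            sta = (j + tick) % n_stas           # rotate so no STA is always first
            if policer.allow(sta, pkt_bits, now_us):
                passed[sta] += pkt_bits
    return [bits / (seconds * 1_000_000) for bits in passed]


if __name__ == "__main__":
    # Constructed scenarios; all numbers other than 2 and 30 Mbit/s are assumed.
    one = simulate(n_stas=1, offered_mbps=5, seconds=10)
    print("1 STA offering 5 Mbit/s   ->", round(one[0], 3), "Mbit/s")
    ten = simulate(n_stas=10, offered_mbps=3, seconds=10)
    print("10 STAs offering 3 Mbit/s ->", round(sum(ten), 3), "Mbit/s on the VAP")
    twenty = simulate(n_stas=20, offered_mbps=3, seconds=10)
    print("20 STAs offering 3 Mbit/s ->", round(sum(twenty), 3), "Mbit/s on the VAP")
```

With 20 STAs the per-STA limits alone would admit 40 Mbit/s, so the VAP limit becomes the binding constraint and the aggregate settles at 30 Mbit/s.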

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode

● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.9.3 Example for Configuring Airtime Fair Scheduling


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
The administrator requires that multiple users on the network be able to fairly use
network bandwidth to improve overall user experience.
For the WLAN access configuration, see Related Topics.

Figure 3-70 Networking for configuring airtime fair scheduling

Data Planning

Table 3-64 AC data planning

Item                Data

AP group            ● Name: ap-group1
                    ● Referenced profiles: 2G radio profile wlan-radio2g, and 5G
                      radio profile wlan-radio5g

RRM profile         ● Name: wlan-rrm
                    ● Airtime fair scheduling: enabled

2G radio profile    ● Name: wlan-radio2g
                    ● Referenced profiles: RRM profile wlan-rrm

5G radio profile    ● Name: wlan-radio5g
                    ● Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can
fairly use network bandwidth to improve overall user experience.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can succeed only
when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure airtime fair scheduling.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of Radio Management.
Under it, click in front of radio 0.

# Click in front of 2G Radio Profile, and click RRM Profile. Click Create. On
the page that is displayed, set Profile name to wlan-rrm and click OK. The RRM
Profile configuration page is displayed.

# Enable airtime fair scheduling in the RRM profile.

# Click Apply. In the dialog box that is displayed, click OK.

Step 2 Verify the configuration.


1. Users can fairly use network bandwidth, improving overall user experience.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode

● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode


● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.9.4 Example for Configuring ACL-based Packet Filtering


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
To control network traffic, the administrator requires that packets with source IP
address 10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.
For the WLAN access configuration, see Related Topics.

Figure 3-71 Networking for configuring ACL-based packet filtering


Data Planning

Table 3-65 AC data planning

Item             Data
AP group         ● Name: ap-group1
                 ● Referenced profiles: VAP profile wlan-net
VAP profile      ● Name: wlan-net
                 ● Referenced profiles: traffic profile wlan-traffic
Traffic profile  ● Name: wlan-traffic
                 ● Configuration of ACL-based IPv4 packet filtering

Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when both of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure ACL-based packet filtering.
1. Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and
destination IPv4 address 10.23.101.11 to pass.
# Choose Configuration > Security > ACL > Advanced ACL Settings. The
Advanced ACL Settings page is displayed.
# Click Create. In the Create Advanced ACL dialog box that is displayed, set
the ACL name to ACL3001 and ACL number to 3001. Click OK.
# Click Add Rule in the new ACL.

# Click OK.
2. Create traffic profile wlan-traffic and apply the ACL to it.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP
Configuration. Under it, click in front of wlan-net. Click Traffic Profile.
The Traffic Profile page is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the traffic profile name wlan-traffic in Profile name and click OK.
The parameter setting page of the new traffic profile is displayed.

# On the Advanced Configuration tab, expand Packet Filtering. In Inbound
ACL, click Add. Set Packet Filtering Type to IPv4 and ACL used to filter
incoming packets to ACL3001. Click to save the settings.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 2 Verify the configuration.


1. Packets with the source IP address of 10.23.101.10 and destination IP address
of 10.23.101.11 are forbidden to pass, achieving network traffic control.

----End
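
The rule created in Step 1 can be checked offline against expected traffic before it is applied. The following Python sketch is an added example, not code from this guide or from Huawei; it models first-match evaluation with wildcard masks and assumes rule ID 5, the host wildcard 0.0.0.0, and a default of permit for packets that match no rule (none of these values are stated on this page). It goes slightly beyond the text by also showing what an over-wide wildcard would block.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int        # rules are evaluated in ascending rule_id order
    action: str         # "deny" or "permit"
    src: str
    src_wildcard: str   # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wildcard: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Compare addr with base on the bits the wildcard mask does not ignore."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(rules, src, dst, default="permit"):
    """Return (action, rule_id) of the first matching rule.

    default is the verdict for packets that match no rule. "permit" is an
    assumption of this example, not a value taken from the page.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if _matches(src, rule.src, rule.src_wildcard) and \
           _matches(dst, rule.dst, rule.dst_wildcard):
            return rule.action, rule.rule_id
    return default, None


def mismatches(rules, expected):
    """List flows whose verdict differs from the administrator's intent."""
    out = []
    for (src, dst), want in expected.items():
        got, _ = evaluate(rules, src, dst)
        if got != want:
            out.append((src, dst, want, got))
    return out


# The rule from Step 1. Rule ID and wildcards are constructed for this example.
ACL3001 = [
    Rule(5, "deny", "10.23.101.10", "0.0.0.0", "10.23.101.11", "0.0.0.0"),
]

# Constructed variant with a /24-wide wildcard on both addresses.
ACL3001_TOO_BROAD = [
    Rule(5, "deny", "10.23.101.10", "0.0.0.255", "10.23.101.11", "0.0.0.255"),
]

# Constructed test flows: only the first one is meant to be blocked.
# The second flow is the reverse direction, which the rule does not match.
EXPECTED = {
    ("10.23.101.10", "10.23.101.11"): "deny",
    ("10.23.101.11", "10.23.101.10"): "permit",
    ("10.23.101.10", "10.23.101.12"): "permit",
    ("10.23.101.20", "10.23.101.11"): "permit",
    ("10.23.102.10", "10.23.101.11"): "permit",
}


if __name__ == "__main__":
    for name, acl in (("ACL3001", ACL3001), ("too broad", ACL3001_TOO_BROAD)):
        bad = mismatches(acl, EXPECTED)
        print(f"{name}: {len(bad)} unintended verdict(s)")
        for src, dst, want, got in bad:
            print(f"  {src} -> {dst}: expected {want}, got {got}")
```
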

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.9.5 Example for Configuring Optimization for Voice and Video Services

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.

Voice, video, and data services are transmitted on the WLAN. The administrator
requires that voice and video services of QQ and WeChat have a higher priority to
ensure good user experience in these services.

For the WLAN access configuration, see Related Topics.


Figure 3-72 Networking for configuring WMM and priority mapping

Data Planning

Table 3-66 AC data planning

Item                Data
AP group            ● Name: ap-group1
                    ● Referenced profiles: VAP profile wlan-net, 2G radio profile
                      wlan-radio2g, and 5G radio profile wlan-radio5g
VAP profile         ● Name: wlan-net
                    ● Referenced profile: SAC profile wlan-sac
2G radio profile    ● Name: wlan-radio2g
                    ● Referenced profile: RRM profile wlan-net
5G radio profile    ● Name: wlan-radio5g
                    ● Referenced profile: RRM profile wlan-net
RRM profile         ● Name: wlan-rrm
                    ● Multimedia air interface optimization: enabled
SAC profile         Name: wlan-sac
Voice and video     Application protocols: QQ and WeChat
optimization


Configuration Roadmap
1. Enable the SAC function.
2. Configure optimization for voice and video services so that the QQ and
WeChat services have a higher priority than data services.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Enable the security engine.
NOTE

After the security engine is enabled, the system automatically loads the default signature
database.

# Choose Configuration > Security > Attack Defense. The Attack Defense page
is displayed.

# Set Security Engine to ON. Click OK.

Step 2 Create an SAC profile and bind it to the VAP profile corresponding to the
AP group ap-group1.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click the AP group name ap-group1. Click next to VAP
Configuration and next to wlan-net, and select SAC Profile.
# Click SAC Profile and enter wlan-sac in Profile name. Click OK. The SAC
Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
Step 3 Enable optimization for voice and video services on QQ and WeChat.
# Choose Configuration > QoS > App Identification & Optimization >
Voice&Video Optimization. The Voice & Video Optimization page is displayed.
# Set Voice optimization and Video optimization to ON.
# For all applications except qq and weixin, set Voice optimization and Video
optimization to OFF.

# Click Apply. In the dialog box that is displayed, click OK.

NOTE

By default, dynamic optimization for voice and video services is enabled for all applications in
Application Detection Optimization List. To modify the status of the function for an
application, select the application and set Voice Detection Optimization and Video Detection
Optimization to ON or OFF.

Step 4 Enable the multimedia air interface optimization function.


# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click the AP group name ap-group1. Click next to Radio
Management and next to Radio 0.

# Click next to 2G Radio Profile and select RRM Profile. Click Create, enter
wlan-rrm in Profile name, and then click OK. The RRM Profile configuration
page is displayed.
# On the Advanced Configuration tab, disable Dynamic EDCA and enable
Multimedia air interface optimization.


# Click Apply. In the dialog box that is displayed, click OK.

# Click next to Radio 0 and next to 5G Radio Management, and select
RRM Profile. The RRM Profile configuration page is displayed.
# Click the drop-down list box next to RRM Profile and select wlan-rrm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 5 Verify the configuration.
1. Voice and video communication over QQ and WeChat works normally, ensuring
good user experience in these services.

----End

Related Topics
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.9.6 Example for Configuring Priorities for Skype4B Packets


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
The administrator requires that voice and video packets of the Skype4B software
have a higher priority than desktop sharing and file transfer packets to ensure
good user experience in voice and video services.
For the WLAN access configuration, see Related Topics.


Figure 3-73 Networking for configuring WMM and priority mapping

Data Planning

Table 3-67 AC data planning

Item                 Data
AP group             ● Name: ap-group1
                     ● Referenced profiles: VAP profile wlan-net
VAP profile          ● Name: wlan-net
                     ● Referenced profiles: UCC profile wlan-ucc
UCC profile          ● Name: wlan-ucc
                     ● 802.1p priority of Skype4B voice packets: 6
                     ● 802.1p priority of Skype4B video packets: 5
                     ● 802.1p priority of Skype4B desktop sharing packets: 4
                     ● 802.1p priority of Skype4B file transfer packets: 3
Skype4B server port  9000
number

Configuration Roadmap
1. Configure priorities for Skype4B packets to set higher priorities for voice and
video packets than those of desktop sharing and file transfer packets.

2. Configure the AC to interact with the Skype4B server.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Configure priorities for Skype4B packets.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.
Under it, click in front of wlan-net. Click UCC Profile. The UCC Profile page is
displayed.
# Click Create. The Create UCC Profile page is displayed.
# Enter the UCC profile name wlan-ucc in Profile name and click OK. The
parameter setting page of the new UCC profile is displayed.
# Configure priorities for Skype4B packets according to the following figure.


# Click Apply. In the dialog box that is displayed, click OK.


Step 2 Configure the AC to interact with the Skype4B server.
# Choose Configuration > QoS > App Identification & Optimization > Skype4B.
The Skype4B page is displayed.
# On the Skype4B page, set Skype4B listener to ON, Type to HTTP, and HTTP
port to 9000.

NOTE

● The port number of the HTTP service specified on the AC must be consistent with the port
number on the Skype4B server.
● You need to specify the IP address of the AC for the Skype4B server and the port number of
the Skype4B server.

# Click Apply. In the dialog box that is displayed, click OK.


Step 3 Verify the configuration.
1. The priorities of Skype4B voice and video packets are higher than those of
Skype4B desktop sharing and file transfer packets. Therefore, users are
provided with good voice and video service experience.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

3.9.7 Example for Configuring a QoS Policy Based on Application Protocols (Direct Forwarding)


Networking Requirements
As shown in the following figure, an enterprise has deployed a WLAN with the
direct data forwarding mode. To regulate online behavior of employees on the
network, the administrator needs to configure QoS policies based on application
protocols.
Voice, video, and data services are involved on the WLAN, including FaceTime,
SkypeForBusiness, and QQ_VoIP. The administrator wants to learn the application
traffic usage to plan the network capacity and locate faults. For example, discard
FaceTime packets, specify the SkypeForBusiness priority, and limit the rate of
QQ_VoIP traffic.
For configurations of the WLAN access function, see Related Topics.

Figure 3-74 Networking for configuring QoS policies based on application protocols

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the security engine and update the signature database.
2. Configure application visualization, including specifying the priority for Skype
for Business packets, discarding FaceTime packets, and limiting the rate of QQ
VoIP packets.


Table 3-68 AC data planning


Item         Data
AP group     ● Name: ap-group1
             ● Referenced profile: VAP profile wlan-net
VAP profile  ● Name: wlan-net
             ● Forwarding mode: direct forwarding
             ● Referenced profile: SAC profile wlan-sac
SAC profile  Name: wlan-sac
             SAC policy: Discard FaceTime packets, set the DSCP priority of
             Skype for Business packets to 40, and limit the rate of QQ VoIP
             packets to 1000 kbit/s.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.

Procedure
Step 1 Enable the security engine.
NOTE

In this example, the direct data forwarding mode is used. Therefore, you need to enable the
security engine on both the AC and the AP. If tunnel forwarding is used, you only need to
enable the security engine on the AC.


# Choose Configuration > QoS > App Identification & Optimization > SAC >
SAC Configuration.

# Enable Loading the SAC signature database on the AC.

# Disable Loading the SAC signature database on the AP. In Loading the SAC
Signature Database for APs by AP Group, enable SAC for a specified AP group.

# Click Apply.

Step 2 Update the SAC signature database.

# Visit Huawei Security Center (https://isecurity.huawei.com/sec/web/freesignature.do)
and download the SAC signature databases of the AC and AP.

# Choose Maintenance > AC Maintenance > Signature DB.

# Under Signature Database List, click Local upgrade corresponding to AC SAC
Signature Database. In the dialog box that is displayed, click Upload. In the
dialog box that is displayed, select the corresponding SAC signature database and
click OK. In the dialog box that is displayed, click OK.

# After the update is successful, a dialog box is displayed, where you can click OK.

# The method for updating AP SAC Signature Database is similar to that for
updating the AC SAC signature database, and is not described here.

Step 3 Create an SAC profile and bind it to the VAP profile corresponding to the AP group
ap-group1.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click the AP group ap-group1, click next to VAP
Configuration, click next to wlan-net, and select SAC Profile.

# Click Create and set Profile name to wlan-sac. Click OK. The page for configuring
SAC Profile is displayed.

# Under Configuration Policy, set Application protocol group to
instant_message, Application protocol to skypeforbusiness, Policy type to
Priority policy, Priority policy mode to DSCP, and the priority to 40. Click .

# Under Configuration Policy, set Application protocol group to voip,
Application protocol to qq_voip, Policy type to Rate limit policy, and Rate limit
message application strategy (Kbit/s) to 1000. Click .

# Under Configuration Policy, set Application protocol group to voip,
Application protocol to facetime, and Policy type to Drop policy. Click .

# After the policy is configured, it is displayed as follows.

# Click Apply. In the dialog box that is displayed, click OK.

Step 4 After the configuration is complete, the FaceTime service cannot be used, the
DSCP priority of the Skype for Business packets is 40, and the rate of QQ VoIP
packets is limited to 1000 kbit/s.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode


● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode


● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode

3.9.8 Example for Configuring Flow-based iPCA 2.0 to Implement Network Packet Loss and Delay Measurement

Networking Requirements
An enterprise wants to enable users to access the Internet through a WLAN,
meeting the basic mobile office requirements. Furthermore, users' services are not
affected during roaming in the coverage area.

You can use iMaster NCE-CampusInsight to monitor network traffic in real time to
quickly detect abnormal traffic and demarcate faults.

For details about how to configure wireless network access, see Related Topics.

Figure 3-75 Networking diagram of configuring iPCA 2.0

Data Planning

Table 3-69 AC data planning

Configuration Item    Data
AP group              ● Name: ap-group1
                      ● Referenced profile: VAP profile wlan-net
VAP profile           ● Name: wlan-net
                      ● iPCA 2.0: enabled
iPCA 2.0 measurement  Flow ID: 1
flow                  Source address: 1.1.1.0/24
                      Destination address: 5.5.5.0/24
                      Measurement range: packet loss and delay

Configuration Roadmap
1. Define an iPCA 2.0 measurement flow.
2. On the AC, configure the in-point in the VAP profile view, and specify the AC
as the mid-point and the AC's uplink physical interface GE0/0/1 as the out-
point.
3. Configure the function of periodically reporting wireless traffic measurement
information to iMaster NCE-CampusInsight.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when both of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Before configuring iPCA 2.0 to implement packet loss measurement, ensure that
the following configurations have been completed on network devices:
● NTP has been configured to implement time synchronization between devices.
● The AC and AP have been connected to iMaster NCE-CampusInsight.
Step 2 Create an iPCA 2.0 measurement flow.
# Choose Configuration > QoS > App Identification & Optimization > iPCA2.0.
# On the iPCA2.0 page, click Create.
# Create an iPCA 2.0 measurement flow.

# Click OK.
Step 3 Enable iPCA 2.0 in the VAP profile wlan-net.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration,
and click wlan-net.
# Click Advanced Configuration. Click iPCA2.0 and set parameters as required.


# Click Apply. In the dialog box that is displayed, click OK.

Step 4 Enable iPCA 2.0 on an interface of the AC.

# Choose Configuration > AC Config > Interface > Physical Interface.

# Select an interface, click Advanced, and set iPCA 2.0 parameters as required.

# Click OK. In the dialog box that is displayed, click OK.

Step 5 Configure the function of periodically reporting wireless traffic measurement
information to iMaster NCE-CampusInsight.

# By default, ACs and APs are enabled to report iPCA 2.0 measurement
information to a WMI server. To modify the configuration, see 3.12.2 Example for
Configuring an AC and APs to Report KPI Information.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode


3.9.9 Example for Configuring Application-based iPCA 2.0 to Implement Network Packet Loss and Delay Measurement
Networking Requirements
An enterprise wants to enable users to access the Internet through a WLAN,
meeting the basic mobile office requirements. Furthermore, users' services are not
affected during roaming in the coverage area.
You can use iMaster NCE-CampusInsight to monitor network traffic in real time to
quickly detect abnormal traffic and demarcate faults.
For details about how to configure wireless network access, see Related Topics.

Figure 3-76 Networking diagram of configuring iPCA 2.0

Data Planning

Table 3-70 AC data planning


Configuration Item | Data

AP group | ● Name: ap-group1
    ● Referenced profile: VAP profile wlan-net

SAC profile | ● Name: wlan-sac

Application-based iPCA 2.0 measurement | ● When an AP functions as the in-point:
    – VAP profile name: wlan-net
    – Application for which iPCA 2.0 measurement is performed: WeLink
    – Referenced profile: SAC profile wlan-sac
    ● When the AC functions as the out-point:
    – Interface: GE0/0/1
    – Direction: egress and bidirectional

Configuration Roadmap
1. Configure the SAC function for application identification.
2. On the AC, configure the in-point in the VAP profile view and specify the AC's
uplink physical interface GE0/0/1 as the out-point.
3. Configure the function of periodically reporting wireless traffic measurement
information to iMaster NCE-CampusInsight.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when both of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Before configuring iPCA 2.0 to implement packet loss measurement, ensure that
the following configurations have been completed on network devices:
● NTP has been configured to implement time synchronization between devices.
● The AC and AP have been connected to iMaster NCE-CampusInsight.
Step 2 Configure SAC to identify applications.
# Choose Configuration > QoS > App Identification & Optimization > SAC >
SAC Configuration.
# Enable Loading the SAC signature database on the AC.
# Disable Loading the SAC signature database on the AP. In Loading the SAC
Signature Database for APs by AP Group, enable SAC for a specified AP group.
# Click Apply.

Step 3 Specify an application for which iPCA 2.0 measurement is performed in the VAP
profile view wlan-net.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration,
and click wlan-net.


# Click Advanced Configuration. Click iPCA2.0 and set parameters as required.

Step 4 Enable iPCA 2.0 in-band flow measurement on an AC interface.


# Choose Configuration > AC Config > Interface > Physical Interface.
# Select the interface, click Advanced, and enable the in-band flow measurement
function.

# Click OK. In the dialog box that is displayed, click OK.


Step 5 Configure the function of periodically reporting wireless traffic measurement
information to iMaster NCE-CampusInsight.
# By default, ACs and APs are enabled to report iPCA 2.0 measurement
information to a WMI server. To modify the configuration, see 3.12.2 Example for
Configuring an AC and APs to Report KPI Information.

----End

Related Topics
● 3.1.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
● 3.1.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
● 3.1.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
● 3.1.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
● 3.1.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
● 3.1.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
● 3.1.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
● 3.1.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode


3.9.10 Example for Configuring CAC Based on the Number of Multicast Group Memberships
Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area.
The multicast source for video conferences is deployed on the enterprise network
to provide enterprise video conferencing services. The multicast source address
ranges from 225.1.1.1 to 225.1.1.5. To restrict the access of employees when the
number of multicast group memberships reaches the maximum, administrators
need to configure CAC based on the number of multicast group memberships,
ensuring the conference access quality.

Networking Requirements
● AC networking mode: Layer 2 networking in inline mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: tunnel forwarding

Figure 3-77 Networking for configuring CAC based on the number of multicast
group memberships


Data Planning

Table 3-71 AC data planning


Item | Data

Management VLAN for APs | VLAN 100

Service VLAN for STAs | VLAN 101

DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs | 10.23.100.2-10.23.100.254/24

IP address pool for STAs | 10.23.101.3-10.23.101.254/24

AC's source interface address | VLANIF 100: 10.23.100.1/24

AP group | ● Name: ap-group1
    ● Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and traffic profile wlan-traffic

Regulatory domain profile | ● Name: default
    ● Country code: China

SSID profile | ● Name: wlan-net
    ● SSID name: wlan-net

Security profile | ● Name: wlan-net
    ● Security policy: WPA-WPA2+PSK+AES
    ● Password: YsHsjx_202206

VAP profile | ● Name: wlan-net
    ● Forwarding mode: tunnel forwarding
    ● Service VLAN: VLAN 101
    ● Referenced profiles: SSID profile wlan-net and security profile wlan-net

Traffic profile | ● Name: wlan-traffic
    ● Maximum number of multicast group memberships for a VAP: 20

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into
unicast packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to
control the access of multicast users.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when both of them exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS
non-authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set Country/Region
to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface
to VLAN 101 in the same way.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List, select Interface address
pool and select VLANIF 100.


# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way. The IP address
10.23.101.2 cannot be assigned.

NOTE

Configure the DNS server address as required.

# Under Static Route Table, click Create. The Create Static Route Table
page is displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop
address to 10.23.101.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.


# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Set the AP channel and power.


1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.

# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio
Management are displayed.

# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure CAC based on the number of multicast group memberships.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click the icon in front of VAP Configuration.
Under it, click the icon in front of wlan-net. Click Traffic Profile. The Traffic Profile
page is displayed.

# Click Create. The Create Traffic Profile page is displayed.

# Enter the profile name wlan-traffic in Profile name and click OK. The new
traffic profile configuration page is displayed.

# On the Advanced Configuration tab, enable the function of converting
multicast packets into unicast packets and the function of sending packets to all
users in unicast mode when broadcast or multicast packets fail to be converted
into unicast packets. Enable IGMP snooping and set the number of multicast
group memberships for a VAP to 20.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.


3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.


5. Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC
to view the configuration and usage of multicast CAC of the VAP.
----End
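
The Configuration Notes of this example (port isolation on AP-facing ports, no service VLAN between the AC and APs in tunnel forwarding mode, and disabling capwap dtls no-auth after onboarding) can be checked against a recorded CLI session. The following Python check is an added example, not part of the Huawei guide: it assumes AP-facing ports are the ones whose PVID is the management VLAN, and the [AC] prompt and every session other than the Step 1 switch commands are constructed.

```python
import re

# Matches prompt-prefixed lines such as "[Switch-GigabitEthernet0/0/1] port-isolate enable".
PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")

def parse_session(text):
    """Return ({interface: [commands]}, [all commands in order]) from a CLI session."""
    per_if, all_cmds = {}, []
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(2):
            continue
        view, cmd = m.group(1), m.group(2).strip()
        all_cmds.append(cmd)
        ifm = re.search(r"-(GigabitEthernet\S+)$", view)  # interface view named in the prompt
        if ifm:
            per_if.setdefault(ifm.group(1), []).append(cmd)
    return per_if, all_cmds

def summarize(cmds):
    """Collect PVID, allowed VLANs and port isolation state for one interface."""
    info = {"pvid": None, "allowed": set(), "isolated": False}
    for cmd in cmds:
        if m := re.fullmatch(r"port trunk pvid vlan (\d+)", cmd):
            info["pvid"] = int(m.group(1))
        elif m := re.fullmatch(r"port trunk allow-pass vlan ([\d ]+)", cmd):
            # Only plain VLAN lists, as used in this guide, are handled (no ranges).
            info["allowed"] |= {int(v) for v in m.group(1).split()}
        elif cmd == "port-isolate enable":
            info["isolated"] = True
    return info

def audit(switch_session, ac_session, mgmt_vlan, service_vlan, forwarding):
    """Return a list of findings; an empty list means the notes are satisfied."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("management VLAN and service VLAN are the same in tunnel forwarding mode")
    per_if, _ = parse_session(switch_session)
    for name, cmds in sorted(per_if.items()):
        info = summarize(cmds)
        if info["pvid"] != mgmt_vlan:
            continue  # assumption: AP-facing ports use the management VLAN as PVID
        if not info["isolated"]:
            findings.append(f"{name}: AP-facing port without port isolation")
        if forwarding == "tunnel" and service_vlan in info["allowed"]:
            findings.append(f"{name}: service VLAN {service_vlan} allowed toward AP in tunnel forwarding mode")
    _, ac_cmds = parse_session(ac_session)
    no_auth = False
    for cmd in ac_cmds:  # the last enable/undo entered decides the final state
        if cmd == "capwap dtls no-auth enable":
            no_auth = True
        elif cmd == "undo capwap dtls no-auth enable":
            no_auth = False
    if no_auth:
        findings.append("AC: capwap dtls no-auth still enabled after AP onboarding")
    return findings

# Switch session from Step 1 of this example (tunnel forwarding, management VLAN 100).
GOOD_SWITCH = """
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
"""
# Constructed variant: isolation missing and service VLAN 101 allowed toward the AP.
BAD_SWITCH = """
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
"""
# Constructed AC sessions; the [AC] system-view prompt is an assumption.
AC_CLOSED = "[AC] capwap dtls no-auth enable\n[AC] undo capwap dtls no-auth enable\n"
AC_OPEN = "[AC] capwap dtls no-auth enable\n"

if __name__ == "__main__":
    for label, sw, ac in (("as documented", GOOD_SWITCH, AC_CLOSED),
                          ("constructed bad", BAD_SWITCH, AC_OPEN)):
        print(label, audit(sw, ac, mgmt_vlan=100, service_vlan=101, forwarding="tunnel"))
```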

3.10 WLAN Hotspot2.0 Configuration Examples

3.10.1 Example for Configuring WLAN Hotspot2.0 Services


Service Requirements
Enterprise users can access the network through WLANs, which is the basic
requirement of mobile office. Furthermore, users' services are not affected during
roaming in the coverage area. On a traditional WLAN, users need to manually
select an SSID and set authentication information to access the WLAN, causing
poor user experience. To enhance user experience, Hotspot 2.0 services are
deployed using a subscriber identity module (SIM) card for authentication. In this
way, users can access the WLAN automatically without awareness.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 3-78 Networking for configuring WLAN Hotspot 2.0 services


Data Planning

Table 3-72 Data planning on the AC


Item | Data

Management VLAN for APs | VLAN 100

Service VLAN for STAs | VLAN 101

DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. The aggregation switch (Switch_B) functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.

IP address pool for APs | 10.23.100.2-10.23.100.254/24

IP address pool for STAs | 10.23.101.3-10.23.101.254/24

AC's source interface address | VLANIF 100: 10.23.101.1/24

AP group | ● Name: ap-group1
    ● Country code: China
    ● Referenced profile: VAP profile wlan-net

SSID profile | ● Name: wlan-net
    ● SSID name: wlan-net

Security profile | ● Name: wlan-net
    ● Security policy: WPA2-802.1X-AES

Authentication profile | ● Name: wlan-net
    ● Access authentication mode: 802.1X

Hotspot2.0 profile | Hotspot2.0 profile
    ● Name: wlan-net
    ● Network type: free public network
    ● Internet access: supported
    ● Venue type and name: Assembly and Coffee Shop
    ● HESSID: 60de-4476-e360
    ● IP address availability: available
    ● Network authentication type: acceptance
    ● P2P cross connection: disabled
    ● Cellular network profile: wlan-net
    – 46000
    ● Roaming consortium profile: wlan-net
    – 50-6f-9a
    ● NAI realm profile: wlan-net
    – www.mobileA.com
    ● Network connection capability profile: wlan-net
    – HTTP service: enabled
    ● Operator domain profile: wlan-net
    – www.mobileA.com
    ● Operator name profile: wlan-net
    – eng, mobileA
    ● Venue name profile: wlan-net
    – eng, Coffee
    ● Operating class profile: wlan-net
    – 81

VAP profile | ● Name: wlan-net
    ● Forwarding mode: direct forwarding
    ● Service VLAN: VLAN 101
    ● Referenced profiles: SSID profile wlan-net, security profile wlan-net, authentication profile wlan-net, and Hotspot2.0 profile wlan-net

RADIUS server | ● IP address: 10.23.102.1
    ● Port number: 1812
    ● Shared key: YsHsjx_202206


Configuration Roadmap
1. Select Config Wizard to configure the APs to go online on the AC.
2. Select Config Wizard to configure WLAN services on the AC. When
configuring the security policy, select 802.1X and RADIUS authentication, and
set the RADIUS server parameters.
3. In Profile Management, change the security policy to WPA2, and complete
the Hotspot2.0 service configuration based on the data planning.
4. Complete service verification.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101, and set the
PVID of GE0/0/1 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address
to 10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit


Step 2 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the
default gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.


# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Configure security authentication.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Set the AP channel and power.
1. Disable automatic channel and power calibration functions of AP radios, and
manually configure the AP channel and power.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List
page is displayed.
# Click the ID of the AP whose channel and power need to be configured. The
AP customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio
Management are displayed.
# Click Radio 0. On the radio 0 configuration page that is displayed, disable
the automatic channel and power calibration functions, and set the channel
to 20-MHz channel 6 and transmit power to 127 dBm.


# The configuration of Radio 1 is similar to that of Radio 0. Disable automatic
channel and power calibration functions, and set the AP channel to 20-MHz
channel 149 and transmit power to 127 dBm.
# Click Apply. In the dialog box that is displayed, click OK.
Step 7 Configure Hotspot2.0 services.
1. Choose Configuration > AP Config > AP Group > AP Group. Click
ap-group1. The AP group configuration page is displayed.
2. Choose VAP Configuration > wlan-net > Security Profile, set the security
policy to WPA2, and click Apply. In the dialog box that is displayed, click OK.

3. Choose VAP Configuration > wlan-net > Hotspot2.0 Profile. The Hotspot2.0
profile page is displayed. Click Create. On the Create Hotspot2.0 Profile
page that is displayed, set Profile name to wlan-net and click OK. Configure
parameters and click Apply. In the dialog box that is displayed, click OK.

4. Click the icon in front of Hotspot2.0 Profile and select Cellular Network
Profile. The Cellular Network Profile page is displayed. Click Create. The
Create Cellular Network Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set PLMN ID, and click Apply. In the dialog box that is
displayed, click OK.


5. Select Roaming Consortium Profile. The Roaming Consortium Profile page
is displayed. Click Create. The Create Roaming Consortium Profile page is
displayed. Set Profile name to wlan-net, and click OK. Set Roaming
consortium OI, and click Apply. In the dialog box that is displayed, click OK.

6. Select NAI Realm Profile. The NAI Realm Profile page is displayed. Click
Create. The Create NAI Realm Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set Realm name, and click Apply. In the dialog box
that is displayed, click OK.


7. Select Network Connection Capability Profile. The Network Connection
Capability Profile page is displayed. Click Create. The Create Network
Connection Capability Profile page is displayed. Set Profile name to
wlan-net, and click OK. Set HTTP to ON, and click Apply. In the dialog box that
is displayed, click OK.

8. Select Operator Domain Profile. The Operator Domain Profile page is
displayed. Click Create. The Create Operator Domain Profile page is
displayed. Set Profile name to wlan-net, and click OK. Set Domain name,
and click Apply. In the dialog box that is displayed, click OK.


9. Select Carrier Name Profile. The Carrier Name Profile page is displayed.
Click Create. The Create Carrier Name Profile page is displayed. Set Profile
name to wlan-net, and click OK. Set Operator name, and click Apply. In the
dialog box that is displayed, click OK.

10. Select Venue Name Profile. The Venue Name Profile page is displayed. Click
Create. The Create Venue Name Profile page is displayed. Set Profile name
to wlan-net, and click OK. Set Venue name, and click Apply. In the dialog
box that is displayed, click OK.


11. Select Operating Class Profile. The Operating Class Profile page is
displayed. Click Create. The Create Operating Class Profile page is displayed.
Set Profile name to wlan-net, and click OK. Set Frequency band indication
No., and click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.2.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter
wlan-net, and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

----End

3.11 IoT Configuration Examples

3.11.1 Example for Configuring the Smart Retail IoT Solution - ESL


Service Requirements
A supermarket wants to deploy a network to expand IoT applications while
providing the wireless network access service to display and manage commodity
prices using ESLs.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-79 Networking diagram for configuring an ESL network

Data Planning

Table 3-73 AC data planning


Item: Data

Management VLAN: VLAN100

Service VLAN: VLAN101

Interworking VLAN of the ESL management system and ESLs: VLAN102

AC's source interface: VLANIF100

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs
and STAs.

IP address pool for APs: 10.23.100.2 to 10.23.100.254/24

IP address pool for STAs: 10.23.101.2 to 10.23.101.254/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, radio profile wlan-radio2g, AP system profile
ap-system, and AP wired port profiles wired1 and wired2

Regulatory domain profile:
● Name: default
● Country code: CN

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile
wlan-net

Radio profile:
● Name: wlan-radio2g
● Time range during which the VAP is disabled as scheduled:
23:00 to 6:00

AP system profile:
● Name: ap-system
● Connection type between IoT cards and APs: Ethernet port

AP wired port profile:
● Name: wired1
– Working mode of the AP's wired interface: root
– VLAN of the AP's wired interface: 102 (tagged)
● Name: wired2
– Working mode of the AP's wired interface: endpoint
– VLAN of the AP's wired interface: 102 (untagged)
– PVID of the AP's wired interface: 102

Configuration Roadmap
1. Configure network interworking of the AC, AP, and switch.
2. Configure the AP to go online.
3. Configure WLAN service parameters.
4. Configure interworking between the ERP system and ESL management
system.
5. Configure interworking between the ESL management system and ESLs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.

# Configure the access switch. Add GE0/0/1 and GE0/0/2 to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click the icon to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click the icon next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.


# Click Finish.

# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1. Choose Radio Management > Radio 0 > 2G Radio Profile. Click Create
to create a 2G radio profile named wlan-radio2g.

# Click OK. The radio profile configuration page is displayed.

# Enable the scheduled radio disabling function and set the time range in which
radio 0 is to be automatically disabled. Click Apply.

Step 5 Configure interworking between the ERP system and ESL management system.
The detailed operations are not described here.

Step 6 Configure Layer 2 interworking between ESL cards and the ESL management
system.
1. Configure Switch.
# Add GE0/0/3 on the switch connected to the ESL management system to
VLAN 102.
[Switch] vlan batch 102
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 102
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/2 on the switch connected to the AP to VLAN 102.


[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/2] quit


2. Add GE0 connecting the AP to Switch to VLAN 102.


# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1. Then, choose AP > AP Wired Port Settings, and click GE0. The
GE0 Profile page is displayed.
# Click Create to create an AP wired port profile named wired1. Click OK.
# Click Advanced Configuration. Add GE0 to VLAN 102 in tagged mode, set
Port mode to Root, and click OK.

# Choose AP > AP System Profile. The AP System Profile page is displayed.


# Click Create to create an AP system profile named ap-system. Click OK.
# Click Advanced Configuration and set Working mode of the IoT card to
Ethernet. Click Apply.

# Select Display all profiles and choose IoT > Card 1 > AP Wired Port
Profile. The AP Wired Port Profile page is displayed.
# Click Create to create an AP wired port profile named wired2. Click OK.
# Click Advanced Configuration. Set Port PVID to 102, add the port to VLAN
102 in untagged mode, set Port mode to Endpoint, and click Apply.


3. Restart the AP.


# Choose Maintenance > AP Maintenance > AP Restart. Click Restart All to
restart all APs.

Step 7 Initialize the ESL card, register ESLs, associate ESL IDs with commodity codes, and
configure ESL services. For detailed operations, see the operation guides provided
by vendors, which are not described here.
Step 8 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click the icon next to SSID. Set the filtering condition, enter
wlan-net, and click OK. Users connected to the SSID wlan-net are displayed.
Multi-column filtering is supported to accurately query online users.

----End
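
The following Python script is an added example, not part of the original guide: it replays the switch commands from Step 1 and Step 6 above, treating port trunk allow-pass vlan as cumulative (as Step 6 relies on), and checks each trunk against the VLAN plan so that VLAN 102 stays confined to the ports facing the AP and the ESL management system. The PLAN dictionary, the function names and the finding texts are assumptions made for this example; device defaults such as the default PVID are not modeled.

```python
import re

# Constructed input: the switch commands of Step 1 and Step 6, in entry order.
SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] vlan batch 102
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 102
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/2] quit
"""

# Assumed plan derived from the procedure: GE0/0/2 faces the AP, GE0/0/3 faces
# the ESL management system. pvid None means "not set in the session".
PLAN = {
    "GE0/0/1": {"pvid": None, "vlans": {100, 101}},
    "GE0/0/2": {"pvid": 100, "vlans": {100, 101, 102}},
    "GE0/0/3": {"pvid": 102, "vlans": {102}},
}

PROMPT = re.compile(r"^\s*[<\[][^>\]]+[>\]]\s*")  # "<HUAWEI> " or "[Switch-...] "


def parse_vlans(tokens):
    """Expand a VLAN list such as ['100', '101'] or ['10', 'to', '12']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def replay(session):
    """Return (created VLANs, per-port state) after replaying the commands."""
    created, ports, current = set(), {}, None
    for raw in session.splitlines():
        words = [w.lower() for w in PROMPT.sub("", raw).split()]
        undo = bool(words) and words[0] == "undo"
        if undo:
            words = words[1:]
        if words[:2] == ["vlan", "batch"]:
            vlans = parse_vlans(words[2:])
            created = created - vlans if undo else created | vlans
        elif words[:2] == ["interface", "gigabitethernet"] and len(words) > 2:
            current = "GE" + words[2]
            ports.setdefault(current, {"link_type": None, "pvid": None, "vlans": set()})
        elif words == ["quit"]:
            current = None
        elif current and words[:2] == ["port", "link-type"]:
            ports[current]["link_type"] = words[2]
        elif current and words[:4] == ["port", "trunk", "pvid", "vlan"]:
            ports[current]["pvid"] = None if undo else int(words[4])
        elif current and words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            vlans, port = parse_vlans(words[4:]), ports[current]
            port["vlans"] = port["vlans"] - vlans if undo else port["vlans"] | vlans
    return created, ports


def audit(session, plan):
    """Compare the replayed trunk state with the plan; return a list of findings."""
    created, ports = replay(session)
    findings = []
    for name in sorted(set(plan) | set(ports)):
        if name not in plan:
            findings.append(f"{name}: configured but not in the plan")
            continue
        if name not in ports:
            findings.append(f"{name}: planned but never configured")
            continue
        port, want = ports[name], plan[name]
        if port["link_type"] != "trunk":
            findings.append(f"{name}: link type is {port['link_type']}, expected trunk")
        extra = sorted(port["vlans"] - want["vlans"])
        missing = sorted(want["vlans"] - port["vlans"])
        if extra:
            findings.append(f"{name}: unplanned VLANs allowed {extra}")
        if missing:
            findings.append(f"{name}: planned VLANs missing {missing}")
        if port["pvid"] != want["pvid"]:
            findings.append(f"{name}: PVID {port['pvid']}, expected {want['pvid']}")
        if port["pvid"] is not None and port["pvid"] not in port["vlans"]:
            findings.append(f"{name}: PVID {port['pvid']} is not in the allowed list")
        uncreated = sorted(port["vlans"] - created)
        if uncreated:
            findings.append(f"{name}: VLANs allowed but never created {uncreated}")
    return findings


if __name__ == "__main__":
    for finding in audit(SESSION, PLAN) or ["no findings"]:
        print(finding)
```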

3.11.2 Example for Configuring the Healthcare IoT Solution


Service Requirements
A hospital wants to deploy a network to expand IoT applications while providing
the wireless network access service to prevent infant abductions.

Networking Requirements
● AC networking mode: Layer 2 networking in bypass mode
● DHCP deployment mode: The AC functions as a DHCP server to assign IP
addresses to STAs.
● Service data forwarding mode: direct forwarding

Figure 3-80 Networking diagram for configuring the Healthcare IoT Solution


Data Planning

Table 3-74 AC data planning


Item: Data

Management VLAN: VLAN100

Service VLAN: VLAN101

AC's source interface: VLANIF100

DHCP server: The AC functions as a DHCP server to assign IP addresses to STAs.

AP's IP address: Static IP address: 10.23.100.2

IP address pool for STAs: 10.23.101.2 to 10.23.101.254/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net and regulatory
domain profile domain1
● Local UDP port mapping the IoT card interface: 50200

Regulatory domain profile:
● Name: domain1
● Country code: CN

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile
wlan-net

IoT profile:
● Name: wlan-iot
● IP address of the host computer: 10.23.100.254
● Port number of the host computer: 3000
● Trusted host: 10.23.102.253/255.255.255.0
● Shared key: YsHsjx_202206

Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer
(on which the infant protection system is deployed).
2. Configure the AC as a DHCP server to assign IP addresses to STAs.
3. Configure the APs to go online and configure WLAN services.
4. Configure parameters for the APs to communicate with RFID cards.
5. Configure parameters for the APs to communicate with the host computer.
6. Add the APs' IP addresses to the host computer and configure the same
shared key as that on the APs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.
# Configure the access switch. Add GE0/0/1 through GE0/0/3 to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/4 on the switch connected to the host computer to VLAN 100 and
VLAN 101.
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/4] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Set DHCP status to ON.

# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24.


# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure APs to go online.
1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.


# Click Finish.
# Choose Configuration > AP Config > AP Group. In the AP group list, click ap-
group1 and select Display all profiles. Choose IoT > Card1 > IoT Profile. Click
Create to create an IoT profile named wlan-iot.
# Click OK. The IoT profile configuration page is displayed. Set parameters as
follows:
● Protocol: UDP
● Port number: 50200
● Communication key: aabb0011@11
● IP address of a trusted host computer: 10.23.102.253
● Mask of a trusted host computer: 255.255.255.0
● Host Computer Address: 10.23.100.254
● Host Computer Port Number: 3000

# Click Apply.
Step 5 Configure static IP addresses for APs.
# Choose Configuration > AP Config > AP Config. Select an AP and click Modify.
The AP modification page is displayed.
# Set AC IP address list to 10.23.100.1, IP Obtaining Mode to Static, IP Address
to 10.23.100.2, Mask to 255.255.255.0, and Gateway to 10.23.100.1.


Step 6 Add the AP's IP address to the host computer and configure the same shared key
as that on the AP.
Step 7 Configure exit monitors to connect to the network in wired mode and interwork
with the infant protection system. The detailed operations are not described here.
Step 8 Use the infant protection function according to operation methods of the infant
protection system. For details, see the operation guides provided by vendors.
Step 9 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.

4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.


----End

3.11.3 Example for Configuring the Education IoT Solution - Student Health and Safety

Service Requirements
A school pays much attention to health and safety of its students, and desires to
use technical methods to monitor and query students' health and safety
information.
To meet these requirements, Huawei provides the Student Health and Safety IoT
Solution that reuses the existing WLAN.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: Configure an AC as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding


Figure 3-81 Networking for configuring the Student Health and Safety IoT
Solution

Data Planning

Table 3-75 AC data planning


| Item | Data |
|---|---|
| Management VLAN | VLAN100 |
| Service VLAN | VLAN101 |
| AC's source interface | VLANIF100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default; Local TCP port mapping the IoT card interface: 50200 |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsHsjx_202206 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| IoT profile | Name: wlan-iot; IP address of the host computer: 10.23.200.1; Port number of the host computer: 3000; Trusted host: 10.23.102.253/255.255.255.0; Shared key: YsHsjx_202206 |

Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure communication parameters between the APs and host computer.
6. Add IP addresses of the APs to the host computer and configure the same
shared key as that on the APs.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure the network devices.

# Configure the access switch. Add GE0/0/1 through GE0/0/4 to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.

# Set Country/Region based on actual situations. For example, set Country/Region
to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.


# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.


NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 3 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.


# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service
Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.

# Click Finish.
# Choose Configuration > AP Config > AP Group. In the AP group list, click ap-
group1 and select Display all profiles. Choose IoT > Card1 > IoT Profile. Click
Create to create an IoT profile named wlan-iot.
# Click OK. The IoT profile configuration page is displayed.
# Set parameters as follows:
● Protocol: TCP
● Port number: 50200
● Communication key: aabb0011@11
● IP address of a trusted host computer: 10.23.102.253
● Mask of a trusted host computer: 255.255.255.0
● Host Computer Address: 10.23.200.1
● Host Computer Port Number: 3000


# Click Apply.
Step 5 Configure network interworking between the APs and server.
Configure routes based on the actual networking situation to ensure network
interworking between the APs and host computer.
Step 6 Add IP addresses of the APs to the host computer and configure the same shared
key as that on the APs.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see
that the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address
10.23.101.x/24, and its gateway address is 10.23.101.1.


4. Choose Monitoring > User > User List. All online users are displayed in User
List. You can use the filtering function to filter the display results. For
example, click next to SSID. Set the filtering condition, enter wlan-net,
and click OK. Users connected to the SSID wlan-net are displayed. Multi-
column filtering is supported to accurately query online users.

----End


3.11.4 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

Service Requirements
To improve sales and increase profits, a shopping mall wants to promote
consumption by pushing customized advertisements to customers.

To meet these requirements, Huawei provides the hotspot service and customer
flow analysis solution. This solution provides secure and easy Wi-Fi access for
customers and improves user experience. Additionally, the shopping mall can
analyze data to find shops that customers are interested in and then push
customized advertisements to their mobile phones, promoting consumption.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: Configure an AC as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-82 Network for configuring the hotspot service and customer flow
analysis


Data Planning

Table 3-76 Data planning


| Item | Data |
|---|---|
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net; Name of the RADIUS accounting scheme: wlan-net; Name of the RADIUS server template: wlan-net; IP address: 10.23.200.1; Authentication port number: 1812; Shared key: YsHsjx_202206 |
| SSL policy | Name: example; PKI domain: default |
| Portal server template | Name: wlan-net; IP address: 10.23.200.2; URL: https://10.23.200.2:8445/portal |
| Portal access profile | Name: wlan-net; Bound template: Portal server template wlan-net |
| Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (10.23.200.3) |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: Portal access profile wlan-net, RADIUS server template wlan-net, RADIUS authentication scheme wlan-net, and authentication-free rule profile default_free_rule |
| Management VLAN | VLAN100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2 to 10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, location profile wlan-location, and radio profiles wlan-radio-2g and wlan-radio-5g |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: YsHsjx_202206 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |
| Air scan profile | Name: wlan-air-scan; Probe channel set: channels supported by the country code |
| 2G radio profile | Name: wlan-radio-2g; Referenced profile: air scan profile wlan-air-scan |
| 5G radio profile | Name: wlan-radio-5g; Referenced profile: air scan profile wlan-air-scan |
| Location profile | Name: wlan-location; Wi-Fi terminal location: enabled; Mode in which terminal information is reported: through the AC; Destination IP address and port number for the AC to report terminal information to the server: 10.23.201.1/32180; Destination port number for APs to report terminal information to the AC: 10001 |
| Host computer | Customer flow analysis server; IP address: 10.23.201.1; Port number: 32180 |


Configuration Roadmap
1. Configure the AC to communicate with servers.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure Portal authentication.
5. Configure WLAN services.
6. Configure communication parameters between APs and the host computer.
7. Configure APs' IP addresses on the host computer.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration can be successful
only when these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
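
The port-isolation and CAPWAP DTLS notes above (the same notes appear in 3.11.3 and 3.11.4) can be checked against saved device configurations. The Python audit below is an added example, not part of the Huawei guide: the configuration text is constructed, the `port-isolate enable group 1` line is assumed to be how port isolation appears in the switch configuration, and treating a trunk port whose PVID is the management VLAN as AP-facing is an assumption taken from the switch configuration shown on this page.

```python
import re

# Constructed samples in the style of `display current-configuration` output.
# Port roles follow the page: GE0/0/1 is the uplink, GE0/0/2 to GE0/0/4 face
# APs (trunk with PVID = management VLAN 100). GE0/0/3 deliberately lacks
# port isolation, and the AC still carries the temporary no-auth command.
SWITCH_CONFIG = """\
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
"""

AC_CONFIG = """\
#
sysname AC
#
capwap source interface vlanif100
capwap dtls no-auth enable
#
"""


def parse_interfaces(config):
    """Return {interface name: [stripped command lines]} per interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line.startswith("#") or (line and not line[0].isspace()):
            current = None  # '#' or a new top-level command closes the block
        elif current and line.strip():
            blocks[current].append(line.strip())
    return blocks


def ap_facing_without_isolation(config, mgmt_vlan=100):
    """AP-facing ports (assumed: PVID == management VLAN) lacking port isolation."""
    pvid = f"port trunk pvid vlan {mgmt_vlan}"
    return sorted(
        name
        for name, lines in parse_interfaces(config).items()
        if pvid in lines
        and not any(ln.startswith("port-isolate enable") for ln in lines)
    )


def dtls_no_auth_enabled(config):
    """True if the temporary AP onboarding mode is still set; last command wins."""
    enabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "capwap dtls no-auth enable":
            enabled = True
        elif line == "undo capwap dtls no-auth enable":
            enabled = False
    return enabled


def audit(switch_config, ac_config):
    """Collect findings for the two configuration notes."""
    findings = [
        f"{port}: AP-facing port without port isolation"
        for port in ap_facing_without_isolation(switch_config)
    ]
    if dtls_no_auth_enabled(ac_config):
        findings.append(
            "AC: capwap dtls no-auth enable is still set; "
            "unauthorized APs can go online"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCH_CONFIG, AC_CONFIG):
        print(finding)
```

Run it after the APs have gone online: the no-auth finding should disappear once `undo capwap dtls no-auth enable` has been applied.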


Procedure
Step 1 Configure the AC to communicate with servers.
Configure routes based on the actual networking to ensure network interworking
between the AC and servers.
Step 2 Configure the network devices.
# Configure the access switch. Add GE0/0/1 through GE0/0/4 to VLAN 100 and
VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set Country/
Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and
deselect MAC address-prioritized. Under External Portal Server Configuration,
set Server template name, Server IP address, Shared key, Port number, and
Server URL. Under External RADIUS Server Configuration, set Server template
name, Authentication server IP, Shared key, and Port number.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.

# Click Finish.

Step 6 Configure Portal authentication.


1. Configure the HTTPS protocol for Portal authentication.


# Choose Configuration > Security > SSL. The SSL page is displayed.
# Click Create. On the Create SSL policy page that is displayed, set SSL
policy name to huawei and Certificate name to default. Click OK.

# Choose Configuration > Security > AAA > Portal Server Global
Configuration > External Portal. The External Portal page is displayed.
# Click wlan-net under Portal Authentication Server List. Set Protocol type
to HTTP/HTTPS, and deselect all parameter settings under URL Option
Settings. Click OK.

# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1. Then, choose VAP Configuration > wlan-net > Authentication
Profile > External Portal Authentication. The Portal configuration page is
displayed.
# Set Interoperation protocol to HTTP and Primary Portal server group to
wlan-net.


# Click Set next to External Portal server global parameters. Select HTTP
protocol, set SSL policy to huawei, and click OK.
# Click Apply.
2. Configure an accounting scheme.
# Choose VAP Configuration > wlan-net > Authentication Profile >
RADIUS server. The RADIUS server configuration page is displayed.
# Enable Real-time accounting and click Apply.

3. Configure an authentication-free rule to allow users to access specified
network resources without authentication.
# Choose Configuration > AP Config > Profile, and then choose Wireless
Service > VAP Profile > wlan-net > Authentication Profile >
Authentication-free Rule Profile. The Authentication-free Rule Profile
page is displayed.
# Set Authentication-free Rule Profile to default_free_rule and Control
mode to Authentication-free rule.


# Click Create. On the Create Authentication-free Rule page that is
displayed, set Rule ID to 1 and set Destination IP address.

# Click OK.
# Select authentication-free rule 1 and click Apply. In the dialog box that is
displayed, click OK.
Step 7 Configure the air scan function.
# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1. Then, choose Radio Management > Radio 0 > 2G Radio Profile. The 2G
Radio Profile page is displayed.
# Click Create to create a 2G radio profile named wlan-radio-2g. Click OK.
# Click Apply.
# Expand 2G Radio Profile. Click Air Scan Profile. The Air Scan Profile page is
displayed.
# Click Create to create an air scan profile named wlan-air-scan. Click OK.
# Set Probe channel set to Country code channels and click Apply.

# Create a 5G radio profile named wlan-radio-5g in the same way, and bind the
air scan profile wlan-air-scan to this 5G radio profile.
Step 8 Configure the Wi-Fi terminal location function.
# Select Display all profiles. Choose WLAN Location > WLAN Location Profile.
Click Create to create a location profile named wlan-location.
# Click OK. The location profile configuration page is displayed.
# Enable STA location, and set Data report mode to Through AC, Server
connection to IP, the IP address to 10.23.201.1/32180, and AC port number to
10001. Click Apply.


Step 9 Add IP addresses of the APs to the host computer and configure the same shared
key as that on the APs.
Step 10 Verify the configuration.
STAs can search for the WLAN with the SSID wlan-net and connect to the WLAN
through Portal authentication.
----End

3.11.5 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Indoor Navigation

Service Requirements
In a shopping mall with a large area and a complex environment, it is difficult
for customers to find parked cars and shops. To help customers easily find shops
or parked cars, improve customer satisfaction, and increase customers' intention
to buy, the shopping mall wants to provide navigation services.
To meet these requirements of the shopping mall, Huawei provides the indoor
navigation solution. This solution provides customers with easy and secure Wi-Fi
network access and improves customers' network experience. Additionally, an
indoor navigation app is provided for customers to find shops or parked cars,
improving customer satisfaction.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: Configure an AC as the DHCP server to assign IP
addresses to APs and STAs.


● Service data forwarding mode: direct forwarding

Figure 3-83 Network for configuring indoor navigation

Data Planning

Table 3-77 Data planning


Item: Data

Management VLAN: VLAN100

Service VLAN: VLAN101

AC's source interface: VLANIF100

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs
and STAs.

IP address pool for STAs: 10.23.101.2 to 10.23.101.254/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, and BLE profile wlan-ble

Regulatory domain profile:
● Name: default
● Country code: CN

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile
wlan-net

BLE Profile:
● Name: wlan-ble
● Bluetooth monitoring function of APs' built-in Bluetooth
modules: enabled
● Bluetooth broadcast function of APs' built-in Bluetooth
modules: enabled
● Mode in which an AP reports data: through an AC
● Destination port number on the AC through which APs send
Bluetooth packets: 32180
● IP address/Port number of the location server:
10.23.102.1/10001

Configuration Roadmap
1. Configure network interworking between the AC and location server, and
between the location server and app server.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure the Bluetooth terminal location function.
6. Configure the location server.


Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.

Procedure
Step 1 Configure network interworking between the AC and location server, and between
the location server and app server.
Configure routes based on the actual networking to ensure network interworking.
Step 2 Configure the network devices.
# Configure the access switch. Add GE0/0/1 through GE0/0/4 to VLAN 100 and
VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.

# Click Finish.

# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1 and select Display all profiles. Choose Bluetooth Service > BLE Profile.
Click Create to create a BLE profile named wlan-ble.

# Click OK. The BLE profile configuration page is displayed.

# Enable Broadcast and Monitoring surrounding BLE devices. Set Monitoring
mode to iBeacon, and set Data reporting mode, IPv4 address/Port number, and
AC port number. Click Apply.


# Choose Configuration > Other Services > BLE. Click Create and add MAC
addresses of BLE base stations within the AP's coverage area to the monitoring
list.

Step 6 Configure the location server.


Configure Bluetooth terminal location parameters on the location server.
Step 7 Verify the configuration.
A Bluetooth terminal can discover the wireless network with the SSID wlan-net,
and can associate with it after successful authentication. After opening the indoor
navigation app and obtaining location information from the app server, you can
use the car seeking and shop seeking functions.
----End

3.11.6 Example for Configuring the Shopping Mall and Supermarket Solution - Personnel and Asset Management

Service Requirements
A shopping mall often suffers from asset losses or fails to find assets. To reduce
property loss and facilitate asset management, the shopping mall wants to
monitor the locations and moving paths of assets.
To meet these requirements, Huawei offers the personnel and asset management
IoT solution.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: Configure an AC as a DHCP server to assign IP
addresses to APs and STAs.
● Service data forwarding mode: direct forwarding

Figure 3-84 Network for configuring the personnel and asset management
solution


Data Planning

Table 3-78 Data planning


Item: Data

Management VLAN: VLAN100

Service VLAN: VLAN101

AC's source interface: VLANIF100

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs
and STAs.

IP address pool for STAs: 10.23.101.2 to 10.23.101.254/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-net, regulatory domain
profile default, and BLE profile wlan-ble

Regulatory domain profile:
● Name: default
● Country code: CN

SSID profile:
● Name: wlan-net
● SSID name: wlan-net

Security profile:
● Name: wlan-net
● Security policy: WPA-WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-net
● Forwarding mode: direct forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-net and security profile
wlan-net

BLE Profile:
● Name: wlan-ble
● Reporting of Bluetooth tag packets: enabled
● Domain name/Port number of the location server: testabc.com/10001


Configuration Roadmap
1. Configure the AC to communicate with the location server.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure the Bluetooth tag location function.
6. Configure the location server.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● Configure port isolation on the interfaces of the device directly connected to
APs. If port isolation is not configured and direct forwarding is used, a large
number of unnecessary broadcast packets may be generated in the VLAN,
blocking the network and degrading user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. Only packets from the management VLAN are transmitted
between the AC and APs. Packets from the service VLAN are not allowed
between the AC and APs.
● From V200R021C00, when the CAPWAP source interface or source address is
configured, the system checks whether security-related configurations exist,
including the PSK for DTLS encryption, PSK for DTLS encryption between ACs,
user name and password for logging in to the AP, and password for logging in
to the global offline management VAP. The configuration succeeds only when
these configurations exist. Otherwise, the system prompts you to
complete the configuration first.
● From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels
on the AC by default. After this function is enabled, an AP will fail to go
online when it is added. In this case, you need to enable CAPWAP DTLS non-
authentication (capwap dtls no-auth enable) for the AP so that the AP can
obtain a security credential. After the AP goes online, disable this function
(undo capwap dtls no-auth enable) to prevent unauthorized APs from going
online.
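
Two of the configuration notes above (also listed in 3.11.5), port isolation on AP-facing interfaces and disabling CAPWAP DTLS non-authentication once APs are online, can be checked against pasted CLI sessions or saved configurations. The Python audit below is an added example, not part of this guide: it assumes AP-facing ports are the trunks whose PVID is management VLAN 100, that port isolation appears as the switch command port-isolate enable (a command this guide does not show), and that the constructed sample inputs resemble your device output.

```python
import re

MGMT_VLAN = 100                      # management VLAN from the data planning tables
NO_AUTH = "capwap dtls no-auth enable"
# Matches a CLI prompt such as "<HUAWEI> " or "[Switch-GigabitEthernet0/0/2] ".
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")


def commands(text):
    """Yield each non-empty line with any CLI prompt stripped, so pasted
    sessions and saved configurations are handled alike."""
    for raw in text.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        if cmd:
            yield cmd


def interfaces(text):
    """Return {normalised interface name: [commands entered under it]}."""
    result, current = {}, None
    for cmd in commands(text):
        m = re.match(r"interface\s+(.+)", cmd, re.I)
        if m:
            # "gigabitethernet 0/0/2" and "GigabitEthernet0/0/2" name the same port.
            current = m.group(1).replace(" ", "").lower()
            result.setdefault(current, [])
        elif cmd.lower() in ("quit", "return", "#"):
            current = None           # left the interface view or config section
        elif current is not None:
            result[current].append(cmd.lower())
    return result


def ap_ports_without_isolation(switch_text, mgmt_vlan=MGMT_VLAN):
    """List AP-facing ports that lack port isolation. AP-facing is taken to
    mean 'trunk PVID equals the management VLAN' (assumption, see lead-in)."""
    pvid = f"port trunk pvid vlan {mgmt_vlan}"
    return sorted(
        name for name, cmds in interfaces(switch_text).items()
        if pvid in cmds
        and not any(c.startswith("port-isolate enable") for c in cmds)
    )


def dtls_no_auth_left_on(ac_text):
    """True if the last relevant command leaves non-authentication enabled."""
    state = False
    for cmd in commands(ac_text):
        c = cmd.lower()
        if c == NO_AUTH:
            state = True
        elif c == "undo " + NO_AUTH:
            state = False
    return state


# Constructed input: the guide's switch session shortened to three ports, with
# port isolation added on GE0/0/3 only.
SWITCH_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] port-isolate enable group 1
[Switch-GigabitEthernet0/0/3] quit
"""

# Constructed saved-configuration fragment from an AC during AP onboarding.
AC_CONFIG = """\
#
sysname AC
#
capwap source interface vlanif100
capwap dtls no-auth enable
#
"""

if __name__ == "__main__":
    for port in ap_ports_without_isolation(SWITCH_SESSION):
        print(f"AP-facing port without port isolation: {port}")
    if dtls_no_auth_left_on(AC_CONFIG):
        print("CAPWAP DTLS non-authentication is still enabled on the AC")
```

Run the DTLS check again after onboarding; a finding at that point means unauthenticated APs can still join the AC.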


Procedure
Step 1 Configure the AC to communicate with the location server.
Configure routes based on the actual networking to ensure network interworking
between the AC and location server.
Step 2 Configure the network devices.
# Configure the access switch. Add GE0/0/1 through GE0/0/4 to VLAN 100 and
VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration
page is displayed.
# Set Country/Region based on actual situations. For example, set
Country/Region to China. Set System time to Manual and Date and time to PC.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type
to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN)
and VLAN 101 (service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected
to the APs to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Set DHCP status to ON.
# Click Create under Interface Configuration. The Create Interface
Configuration page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24.

# Click Create under DHCPv4 Address Pool List. Select Interface address
pool and select VLANIF 100.


# Click OK.

# Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

NOTE

Configure the DNS server address as required.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF, click the selection icon, select Vlanif100
in the dialog box that is displayed, and click the + icon to add the selected
VLANIF interface to the list.

NOTE

From V200R021C00, you need to configure CAPWAP security parameters, including the
PSK for DTLS encryption, PSK for DTLS encryption of inter-WAC tunnels, user name
and password for logging in to an AP, and password for logging in to the global offline
management VAP.
From V200R021C00, DTLS encryption for CAPWAP control tunnels is enabled by
default, and APs of earlier versions may fail to access the network. In this case, you
can set AC-AP DTLS authentication mode to None authentication to allow APs to
go online first. After the subsequent configurations are complete and the APs go
online normally, disable this function. Specifically, choose Configuration > AC Config
> Basic Config > AC Configuration > Advanced > CAPWAP Tunnel Setup
Configuration, and deselect Allow APs to perform DTLS session with the AC in
non-authentication mode.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.

# Confirm the configuration and click Continue With AP Online.

Step 4 Configure APs to go online.


1. Configure APs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to
download an AP template file to your local computer.

# Fill in the AP template file with AP information according to the following
example. To add multiple APs, fill in the file with information of the APs.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC
address is mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory
and the AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power
planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set
the longitude and latitude as required.

# Click next to Import AP File, select the AP template file, and click
Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next.
The Confirm Configurations page is displayed.
2. Confirm the configuration.

# Confirm the configuration and click Continue With Wireless Service
Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the
AES mode, and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1, and Valid radio to 0 and 1.

# Click Finish.

# Choose Configuration > AP Config > AP Group. In the AP group list, click
ap-group1 and select Display all profiles. Choose Bluetooth Service > BLE Profile.
Click Create to create a BLE profile named wlan-ble.

# Click OK. The BLE profile configuration page is displayed.

# Enable Monitoring surrounding BLE devices, set Monitoring mode to Tag,
enable Data reporting, set Server connection to Domain name, and set Domain
name/Port number. Click Apply.


# Choose Configuration > Other Services > BLE. Click Create and add MAC
addresses of BLE base stations within the AP's coverage area to the monitoring
list.

Step 6 Configure the location server.


Configure the location server based on its usage guide.
Step 7 Verify the configuration.


STAs can search for the WLAN with the SSID wlan-net and connect to the WLAN
after passing authentication. Location information about personnel and assets can
be queried on the location server.

----End

3.12 Other WLAN Service Configuration Examples

3.12.1 Example for Configuring AP Loopback

Networking Requirements
As shown in Figure 3-85, the AC is connected to the aggregation switch in bypass
mode. To test connectivity between the AP and Router, configure AP loopback.

Figure 3-85 Networking diagram

Data Preparation

Table 3-79 WLAN data planning

Item: Data

IP address pool for the AP: 10.23.100.2-10.23.100.254/24

Gateway address of the AP: 10.23.100.1/24

IP address of the Router: 10.23.101.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure wireless services on the AP. For details, see Example for
Configuring Layer 2 Tunnel Forwarding in Bypass Mode.
2. Configure AP loopback parameters and start the AP loopback test.

Procedure
Step 1 Configure a route to the AP on the Router.
Step 2 Choose Diagnosis > AP-Ping. The AP-Ping page is displayed.
Step 3 Configure AP ping parameters. After the configuration is complete, click Start to
start the AP loopback test.

Step 4 Verify the configuration.
The test result is displayed after the loopback test is complete. The test result
"Success count: 4; Failure count: 0" indicates that the network between the AP and
Router is reachable.

----End

3.12.2 Example for Configuring an AC and APs to Report KPI Information


Service Requirements
In the cloud managed AC + Fit AP networking, KPI information of an AC and APs
is reported to iMaster NCE-Campus and CampusInsight through the WMI report
mechanism.

Networking Requirements
Some models of APs directly report KPI information, while other models of APs
transparently report KPI information through an AC. Figure 3-86 and Figure 3-87
show the two KPI information report modes.

Figure 3-86 Direct KPI information report


Figure 3-87 Transparent KPI information report through an AC

Data Planning
Item                                  Data

AP group                              ap-group1

AP system profile                     default

KPI information reported by the AC    ● The AC reports the following KPI information to iMaster NCE-Campus:
                                        – Destination IP address: 10.1.2.3
                                        – Port number: 10032
                                      ● The AC reports the following KPI information to CampusInsight:
                                        – Destination IP address: 10.2.3.4
                                        – Port number: 27371

KPI information reported by an AP     ● The AP reports the following KPI information to iMaster NCE-Campus:
                                        – WMI profile name: cloudmng
                                        – Destination IP address: 10.1.2.3
                                        – Port number: 10032
                                      ● The AP reports the following KPI information to CampusInsight:
                                        – WMI profile name: campusinsight
                                        – Destination IP address: 10.2.3.4
                                        – Port number: 27371


Configuration Roadmap
1. Configure basic WLAN services so that APs can go online.
2. Configure parameters for interconnecting the AC with the WMI server.
3. Configure parameters for interconnecting APs with the WMI server using the
WMI profile, and bind the WMI profile to the AP group using the AP system
profile.

Configuration Notes
● KPI information to be reported by an AP depends on the AP model. For
details, see Licensing Requirements and Limitations for KPI Information
Report in CLI-based Configuration Guide.
– For an AP that directly reports KPI information, if KPI information of the
AC does not need to be reported, you can omit the step of configuring
parameters for interconnecting the AC with the WMI server.
– For an AP that transparently reports KPI information through an AC, you
must configure parameters for interconnecting the AC with the WMI
server.
● If KPI information needs to be reported to only one WMI server, do not
configure multiple information report channels. This avoids wasting resources
on the target server.
● To ensure that KPI information can be successfully reported, pre-configure
network connectivity to make the AC and APs properly communicate with the
WMI server.
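
The Configuration Notes above can be checked against a data plan before anything is entered in the web platform. The following linter is an added example, not Huawei code: the function, the Channel type, the mode labels and the AP name ap1 are hypothetical, and the rule that the AC and AP entries for one server share the same IP address and port is an assumption of this example.

```python
import ipaddress
from typing import NamedTuple

DIRECT, VIA_AC = "direct", "via-ac"   # hypothetical labels for the two report modes

class Channel(NamedTuple):
    server: str   # WMI server label, e.g. "CampusInsight"
    ip: str
    port: int

def lint_kpi_plan(ac_channels, ap_profiles, ap_modes, wanted_servers):
    """Check a KPI report plan against the Configuration Notes.

    ac_channels    -- Channel entries set on the AC (Channel 1 / Channel 2 tabs)
    ap_profiles    -- {WMI profile name: Channel} bound to the AP group
    ap_modes       -- {AP name: DIRECT or VIA_AC}
    wanted_servers -- labels of the servers that are meant to receive KPI data
    Returns a sorted list of findings; an empty list means nothing was flagged.
    """
    findings = set()
    ac_by_server = {c.server: c for c in ac_channels}
    for c in list(ac_channels) + list(ap_profiles.values()):
        try:
            ipaddress.ip_address(c.ip)
        except ValueError:
            findings.add(f"{c.server}: invalid destination IP {c.ip!r}")
        if not 1 <= c.port <= 65535:
            findings.add(f"{c.server}: invalid port {c.port}")
        # Note: do not configure report channels to servers that are not needed.
        if c.server not in wanted_servers:
            findings.add(f"{c.server}: channel configured but server not required")
    # Note: APs that report through the AC need the AC-to-server parameters.
    relayed = sorted(ap for ap, mode in ap_modes.items() if mode == VIA_AC)
    for server in sorted(wanted_servers):
        if relayed and server not in ac_by_server:
            findings.add(f"{server}: no AC channel, but {', '.join(relayed)} report via the AC")
    # Assumption of this example: AC and AP entries for one server share IP and port.
    for name, c in ap_profiles.items():
        ac = ac_by_server.get(c.server)
        if ac and (ac.ip, ac.port) != (c.ip, c.port):
            findings.add(f"profile {name}: {c.ip}:{c.port} differs from AC channel {ac.ip}:{ac.port}")
    return sorted(findings)

# Constructed input: the data plan from this section.
NCE = Channel("iMaster NCE-Campus", "10.1.2.3", 10032)
INSIGHT = Channel("CampusInsight", "10.2.3.4", 27371)
PLAN_PROFILES = {"cloudmng": NCE, "campusinsight": INSIGHT}

if __name__ == "__main__":
    print(lint_kpi_plan([NCE, INSIGHT], PLAN_PROFILES, {"ap1": VIA_AC}, {NCE.server, INSIGHT.server}))
```

An empty result for the plan in this section means both channels are needed, both are present on the AC, and the AP profiles point at the same destinations.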

Procedure
Step 1 Configure basic WLAN services to make APs go online. The AP group name is ap-
group1.
Step 2 Configure parameters for interconnecting the AC with the WMI server.
1. Configure parameters for interconnecting the AC with iMaster NCE-Campus.
Choose Maintenance > AC Maintenance > WMI from the main menu on the
AC web platform, configure parameters for interconnecting the AC with
iMaster NCE-Campus on the Channel 1 tab page, and click Apply.
Typically, the port number of iMaster NCE-Campus is 10032.


2. Configure parameters for interconnecting the AC with CampusInsight.

Choose Maintenance > AC Maintenance > WMI from the main menu on the
AC web platform, configure parameters for interconnecting the AC with
CampusInsight on the Channel 2 tab page, and click Apply.

Typically, the port number of CampusInsight is 27371.

Step 3 Configure parameters for interconnecting APs with the WMI server.
1. Configure parameters for interconnecting APs with iMaster NCE-Campus.

# Choose Configuration > AP Config > AP Group from the main menu on
the AC web platform, and click ap-group1 on the AP Group tab page.

# Choose AP > AP System Profile > WMI Profile (Channel 1) and click
Create to create the WMI profile cloudmng.

# Configure parameters for interconnecting APs with iMaster NCE-Campus
according to the data plan and click Apply.

2. Configure parameters for interconnecting APs with CampusInsight.

# Choose Configuration > AP Config > AP Group from the main menu on
the AC web platform, and click ap-group1 on the AP Group tab page.


# Choose AP > AP System Profile > WMI Profile (Channel 2) and click
Create to create the WMI profile campusinsight.

# Configure parameters for interconnecting APs with CampusInsight
according to the data plan and click Apply.

----End

3.12.3 Intelligent Upgrade (AC+Fit AP)

Context
Huawei devices support automatic download and self-service upgrade to help you
learn about the mainstream versions of the devices and quickly perform device
upgrade and repair. After enabling the smart upgrade function on the web
platform of devices, you hereby authorize Huawei Technologies Co., Ltd. to
exchange information with your devices through the Huawei Online Upgrade
Platform (s.houp.huawei.com) to collect information such as device models, basic
software versions and patches, and device ESNs. The information will be used to
match the versions or patches that can be upgraded and return the information
such as the upgrade versions or patches and the download URLs of software
packages to your devices. After you confirm the upgrade, the devices will
automatically download the software packages and implement an upgrade. When
the upgrade is completed, the upgrade result will be uploaded to Huawei online
upgrade platform. You are advised to enter your email and phone number for
emergency contact upon any upgrade error. We will contact you if necessary so
that your network services can work properly after the upgrade.

Prerequisites
An AC is able to access the Huawei Online Upgrade Platform (s.houp.huawei.com).
A DNS server has been configured to resolve the IP address corresponding to
HOUP's domain name.

The device's software version is V200R010C00 or later.


Precautions
On the smart upgrade page, you can check the connectivity between the AC and
HOUP and obtain the recommended version. If the AC cannot connect to the
HOUP, perform the following operations:
● If a DNS server has been deployed on the intranet, add the DNS server IP
address to the AC's DNS configuration. If no DNS server is deployed on the
intranet, add the IP address of the public DNS server (for example,
114.114.114.114) to the AC's DNS configuration.
● If a security device such as a firewall exists on the network, ensure that the
existing security policy allows the AC to access the HOUP and download
files.

Procedure
The following example describes how to perform an intelligent upgrade of an
AC6800V.

Step 1 Log in to the web platform and access the Intelligent Upgrade page.

Step 2 After Automatic version upgrade check is enabled, the recommended target
software versions are displayed. Click Immediate Upgrade or Scheduled Upgrade
to perform an upgrade.


----End

Other Functions
Upgrade by segment is supported from V200R020C10. During an upgrade by
segment, the device automatically downloads all the pushed software packages to
the AC (requiring the AC to have sufficient storage memory), and specifies the
startup software package. Then you need to manually restart APs on the AP
Upgrade page. After all the APs are restarted, manually restart the AC on the AC
Maintenance > AC Restart page.
