Introduction to S12700+ACU2

As increasing laptops, tablet PCs, and Wi-Fi mobile phones are used to connect to the Internet, WLAN access has become an important access mode for enterprises, and therefore wireless access control and switching are indispensable on enterprise networks. The Access Controller Unit 2 (ACU2) can be used on an S12700 switch to provide wireless access control capabilities on wired networks of enterprises. The S12700 switch with the ACU2 provides both wireless and wired service capabilities, reducing space occupied and cables in equipment rooms and lowering network construction cost.

Configuration Notes

l   In this example, the security policy is WPA2-PSK-CCMP. To ensure network security, configure an appropriate security policy according to service requirements.

l   In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. In direct forwarding mode, you are advised not to configure the management VLAN and service VLAN to be the same.

l   If direct forwarding is used, configure port isolation on the interfaces directly connected to APs. If port isolation is not configured, unnecessary broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.

l   Configure the management VLAN and service VLAN:

−       In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel, and then forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Therefore, service packets and management packets can be normally forwarded as long as the network between the AC and APs is added to the management VLAN and the network between the AC and upper-layer network is added to the service VLAN.

−       In direct forwarding mode, service packets are not encapsulated into a CAPWAP tunnel, but are directly forwarded to the upper-layer network or APs. Therefore, service packets and management packets can be normally forwarded only when the network between the AC and APs is added to the management VLAN and the network between the APs and upper-layer network is added to the service VLAN.

l   Configure the source interface:

−       For switches of V200R005 and V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view to configure the source interface.

−       For switches of V200R007, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view to configure the source interface.

l   The following table lists applicable products and versions.

Table 1-1 Applicable products and versions

Networking Requirements

As shown in Figure 1-1, the S12700 connects to the AP through an access switch. An ACU2 is installed on slot 1 of the S12700 to manage the AP.

To enable employees to access the company network anytime anywhere on their mobile terminals, an enterprise branch needs to deploy WLAN basic services to implement mobile office.

Figure 1-2 Networking of a small-scale WLAN

Data Planning

Table 1-2 Data planning

Configuration Roadmap

A modular switch has been deployed on the current network. To simplify network deployment, ACU2 can be added to the modular switch to provide WLAN services.

2.         Configure the AP, access switch, ACU2, and upper-layer network devices to communicate at Layer 2. Add XGE interfaces on the ACU2 and S12700 that are connected to an Eth-Trunk to increase link bandwidth and reliability.

3.         Configure the ACU2 as a DHCP server to assign IP addresses to the STAs and AP from an IP address pool of an interface.

4.         Configure ACU2 system parameters, including the country code, AC ID, carrier ID, and source interface used by the ACU2 to communicate with the AP.

5.         Set the AP authentication mode and add the AP to an AP region.

6.         Configure a VAP and deliver WLAN services to the AP to enable STAs to access the WLAN.

a.         Configure a WMM profile and radio profile for the AP, retain the default settings of the profiles, and bind the WMM profile to the radio profile to enable STAs to communicate with the AP.

b.         Configure a WLAN-ESS interface so that packets can be sent to the WLAN service processing module after reaching the ACU2.

c.         Configure a security profile and traffic profile for the AP, and retain the default settings of the profiles. Configure a service set, bind the WLAN-ESS interface, security profile, and traffic profile to the service set to apply security and QoS policies to STAs.

d.         Configure a VAP and deliver VAP parameters to the AP so that STAs can access the Internet through the WLAN.

Procedure

                               Step 2     Configure the access switch, ACU2, and S12700 to enable the AP and ACU2 to exchange CAPWAP packets.

# On the ACU2, create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and Eth-Trunk 0, add Eth-Trunk 0 to VLAN 100 and VLAN 101 , and add interfaces XGigabitEthernet0/0/1 and XGigabitEthernet0/0/2 to Eth-Trunk 0.

<ACU2> system-view

[ACU2] sysname AC

[AC] vlan batch 100 101

[AC] interface eth-trunk 0 //Configure an Eth-Trunk to increase bandwidth and improve reliability.

[AC-Eth-Trunk0] port link-type trunk

[AC-Eth-Trunk0] port trunk allow-pass vlan 100 101

[AC-Eth-Trunk0] trunkport xgigabitethernet 0/0/1 0/0/2

[AC-Eth-Trunk0] quit

# On the S12700, create VLAN 100, VLAN 101, and Eth-Trunk 0, add Eth-Trunk 0 to VLAN 100 and VLAN 101, and add interfaces XGigabitEthernet1/0/1 and XGigabitEthernet1/0/2 to Eth-Trunk 0.

<HUAWEI> system-view

[HUAWEI] sysname S12700

[S12700] load-distribution mode slot 1 enhanced //Set the load balancing mode on the X1E card to enhanced mode. The default mode is normal.

[S12700] vlan batch 100 101

[S12700] interface eth-trunk 0

[S12700-Eth-Trunk0] port link-type trunk

[S12700-Eth-Trunk0] port trunk allow-pass vlan 100 101

[S12700-Eth-Trunk0] trunkport xgigabitethernet 1/0/1 1/0/2

[S12700-Eth-Trunk0] quit

# On the S12700, create Eth-Trunk 1, add Eth-Trunk 1 to VLAN 100, and add interfaces GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.

[S12700] interface eth-trunk 1

[S12700-Eth-Trunk1] port link-type trunk

[S12700-Eth-Trunk1] port trunk allow-pass vlan 100  

[S12700-Eth-Trunk1] trunkport gigabitethernet 2/0/2 2/0/3

[S12700-Eth-Trunk1] quit

# On the access switch, create VLAN 100 and Eth-Trunk 1, add Eth-Trunk 1 to VLAN 100, and add interfaces GigabitEthernet0/0/2 and GigabitEthernet0/0/3 to Eth-Trunk 1. Add GE0/0/1 to VLAN 100.

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 that connects the access switch to the AP. If port isolation is not configured, unnecessary broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.

In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.

<HUAWEI> system-view

[HUAWEI] sysname Switch

[Switch] vlan batch 100

[Switch] interface eth-trunk 1

[Switch-Eth-Trunk1] port link-type trunk

[Switch-Eth-Trunk1] port trunk allow-pass vlan 100  

[Switch-Eth-Trunk1] trunkport gigabitethernet 0/0/2 0/0/3

[Switch-Eth-Trunk1] quit

[Switch] interface gigabitethernet 0/0/1

[Switch-GigabitEthernet0/0/1] port link-type trunk

[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100 //A PVID must be configured for the interface connected to the AP.

[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100

[Switch-GigabitEthernet0/0/1] quit

                               Step 3     Configure the S12700 to communicate with upper-layer network devices.

Configure the S12700’s uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upper-layer network devices.

# Add GE2/0/1 of the S12700 to VLAN 101.

[S12700] interface gigabitethernet 2/0/1

[S12700-GigabitEthernet2/0/1] port link-type trunk

[S12700-GigabitEthernet2/0/1] port trunk allow-pass vlan 101

[S12700-GigabitEthernet2/0/1] quit

                               Step 4     Configure the ACU2 as a DHCP server to assign IP addresses to the STAs and AP.

# Configure the ACU2 as the DHCP server to allocate an IP address to the AP from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.

[AC] dhcp enable

[AC] interface vlanif 100

[AC-Vlanif100] ip address 10.23.10.1 24

[AC-Vlanif100] dhcp select interface

[AC-Vlanif100] quit

[AC] interface vlanif 101

[AC-Vlanif101] ip address 10.23.11.1 24

[AC-Vlanif101] dhcp select interface

[AC-Vlanif101] quit

                               Step 5     Configure system parameters of the ACU2.

# Configure the country code.

[AC] wlan ac-global country-code cn  //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.

Warning: Modifying the country code will clear channel configurations of the AP 

radio using the country code and reset the AP. If the new country code does not 

support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.

[AC] wlan ac-global ac id 1 carrier id other  //The default AC ID is 0. Set the AC ID to 1.

Warning: Modify the carrier ID or AC ID may cause all of the AP offline, continu

e?[Y/N]:y

# Configure the source interface of the ACU2.

[AC] capwap source interface vlanif 100

[AC] wlan

                               Step 6     Manage APs on the ACU2.

# Check the AP type ID after obtaining the AP’s MAC address.

[AC-wlan-view] display ap-type all

  All AP types information:     

  ------------------------------------------------------------------------------

  ID     Type                   

  ------------------------------------------------------------------------------

  17     AP6010SN-GN            

  19     AP6010DN-AGN           

  21     AP6310SN-GN            

  23     AP6510DN-AGN           

  25     AP6610DN-AGN           

  27     AP7110SN-GN            

  28     AP7110DN-AGN           

  29     AP5010SN-GN            

  30     AP5010DN-AGN           

  31     AP3010DN-AGN           

  33     AP6510DN-AGN-US        

  34     AP6610DN-AGN-US        

  35     AP5030DN                

  36     AP5130DN               

  37     AP7030DE

  38     AP2010DN 

  39     AP8130DN 

  40     AP8030DN

  42     AP9330DN

  43     AP4030DN                          

  44     AP4130DN                      

  45     AP3030DN                     

  46     AP2030DN

  ------------------------------------------------------------------------------

  Total number: 23  

# Add the AP offline according to the AP type ID. Assume that the AP type is AP6010DN-AGN and its MAC address is 60de-4476-e360.

[AC-wlan-view] ap-auth-mode mac-auth

[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360 //Add an AP offline.

[AC-wlan-ap-0] quit

The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the auth-mode mac-auth command.

# Configure an AP region and add the AP to the AP region.

[AC-wlan-view] ap-region id 10  //Create the AP region 10.

[AC-wlan-ap-region-10] quit

[AC-wlan-view] ap id 0

[AC-wlan-ap-0] region-id 10  //Add the AP with ID 1 to AP region 10. An AP joins region 0 by default.

[AC-wlan-ap-0] quit

# Power on the AP and run the display ap all command to check the AP running status. If the AP State field displays as normal, the AP is online on the AC.

[AC-wlan-view] display ap all

  All AP information:           

  Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]       

  Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]         

  ------------------------------------------------------------------------------

  AP    AP               AP              Profile   AP              AP           

                                         /Region                                

  ID    Type             MAC             ID        State           Sysname      

  ------------------------------------------------------------------------------

  0     AP6010DN-AGN     60de-4476-e360  0/10      normal          ap-0         

  ------------------------------------------------------------------------------

  Total number: 1,printed: 1   

                               Step 7     Configure WLAN service parameters.

# Create the WMM profile wmm.

[AC-wlan-view] wmm-profile name wmm id 1

[AC-wlan-wmm-prof-wmm] quit

# Create the radio profile radio and bind the WMM profile wmm to the radio profile.

[AC-wlan-view] radio-profile name radio id 1 

[AC-wlan-radio-prof-radio] wmm-profile name wmm 

[AC-wlan-radio-prof-radio] quit

[AC-wlan-view] quit

# Create WLAN-ESS interface 1.

[AC] interface wlan-ess 1

[AC-Wlan-Ess1] port hybrid pvid vlan 101

[AC-Wlan-Ess1] port hybrid untagged vlan 101

[AC-Wlan-Ess1] quit

# Create the security profile security.

[AC] wlan

[AC-wlan-view] security-profile name security id 1

[AC-wlan-sec-prof-security] security-policy wpa2 //Set the security policy to WPA2.

[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption mode to PSK+CCMP.

[AC-wlan-sec-prof-security] quit

# Create the traffic profile traffic.

[AC-wlan-view] traffic-profile name traffic id 1

[AC-wlan-traffic-prof-traffic] quit

# Create the service set huawei and bind the WLAN-ESS interface, security profile, and traffic profile to the service set.

[AC-wlan-view] service-set name huawei id 1

[AC-wlan-service-set-huawei] ssid huawei  //Set the SSID name.

[AC-wlan-service-set-huawei] wlan-ess 1 //Bind the WLAN-ESS interface to the service set.

[AC-wlan-service-set-huawei] security-profile name security //Bind the security profile to the service set.

[AC-wlan-service-set-huawei] traffic-profile name traffic //Bind the traffic profile to the service set.

[AC-wlan-service-set-huawei] service-vlan 101 //Bind the service VLAN to the service set.

[AC-wlan-service-set-huawei] forward-mode tunnel //Set the forwarding mode to tunnel forwarding. The default forwarding mode is direct forwarding.

[AC-wlan-service-set-huawei] quit

                               Step 8     Configure a VAP and deliver the VAP configuration to the AP.

# Configure a VAP.

[AC-wlan-view] ap 0 radio 0

[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio profile to the radio.

[AC-wlan-radio-0/0] service-set name huawei //Bind the service set to the radio. A VAP is generated after the binding.

[AC-wlan-radio-0/0] quit

# Deliver the configuration.

[AC-wlan-view] commit ap 0 //After the WLAN service configuration is complete on the AC, the configuration takes effect after you deliver it to the AP.

Warning: Committing configuration may cause service interruption, continue?[Y/N]

:y

                               Step 9     Verify the configuration.

After the configuration is complete, run the display vap ap 0 radio 0 command. The command output shows that the VAP has been created.

[AC-wlan-view] display vap ap 0 radio 0

  All VAP Information(Total-1):                                                 

  SS: Service-set     BP: Bridge-profile     MP: Mesh-profile                   

  ----------------------------------------------------------------------        

  AP ID  Radio ID  SS ID  BP ID  MP ID  WLAN ID  BSSID           Type           

  ----------------------------------------------------------------------

  0      0         1      -      -      1        60DE-4476-E360  service        

  ----------------------------------------------------------------------

  Total: 1

STAs discover the WLAN with SSID huawei and associate with the WLAN. You can run the display station assoc-info command on the ACU2. The command output shows that the STAs have connected to the WLAN huawei.

[AC-wlan-view] display station assoc-info ap 0 radio 0

  AP/Rf/WLAN: AP ID/Radio ID/WLAN ID                                             

  Rx/Tx: link receive rate/link transmit rate(Mbps)                             

  ------------------------------------------------------------------------------

  STA MAC         AP/Rf/WLAN Rx/Tx     Mode  RSSI   IP address                   

  SSID                                                                          

  ------------------------------------------------------------------------------

  9021-55dc-3e17  0/0/1      27/58     11n   -45    10.23.11.254              

  huawei                                                                  

  ------------------------------------------------------------------------------

  Total stations: 1  

----End

Summary

l   The interface directly connected to the AP, such as GE0/0/1 of the access switch must be configured with a PVID.

l   If the AP cannot go online, first check whether the server assigning an IP address to the AP is correctly configured.