Introduction to S12700+ACU2
As more and more laptops, tablet PCs, and Wi-Fi mobile phones are used to connect to the Internet, WLAN access has become an important access mode for enterprises, and wireless access control and switching are therefore indispensable on enterprise networks. The Access Controller Unit 2 (ACU2) can be installed on an S12700 switch to provide wireless access control capabilities on the wired networks of enterprises. The S12700 switch with the ACU2 provides both wireless and wired service capabilities, reducing the space occupied and the cabling in equipment rooms and lowering network construction cost.
Configuration Notes
• In this example, the security policy is WPA2-PSK-CCMP. To ensure network security, configure an appropriate security policy according to service requirements.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. In direct forwarding mode, you are advised not to configure the management VLAN and service VLAN to be the same.
• If direct forwarding is used, configure port isolation on the interfaces directly connected to APs. If port isolation is not configured, unnecessary broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
• Configure the management VLAN and service VLAN:
  − In tunnel forwarding mode, service packets are encapsulated in a CAPWAP tunnel, and then forwarded to the AC. The AC then forwards the packets to the upper-layer network or APs. Therefore, service packets and management packets can be normally forwarded as long as the network between the AC and APs is added to the management VLAN and the network between the AC and upper-layer network is added to the service VLAN.
  − In direct forwarding mode, service packets are not encapsulated into a CAPWAP tunnel, but are directly forwarded to the upper-layer network or APs. Therefore, service packets and management packets can be normally forwarded only when the network between the AC and APs is added to the management VLAN and the network between the APs and upper-layer network is added to the service VLAN.
• Configure the source interface:
  − For switches of V200R005 and V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view to configure the source interface.
  − For switches of V200R007, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view to configure the source interface.
• The following table lists applicable products and versions.
Table 1-1 Applicable products and versions
Software Version | Product Model | AP Model and Version
V200R005C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, and AP7110SN-GN
V200R006C00 | S12700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, and AP7110SN-GN
V200R007C00 | S12700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, and AP8130DN; V200R005C20: AP7030DE and AP9330DN
Networking Requirements
As shown in Figure 1-1, the S12700 connects to the AP through an access switch. An ACU2 is installed on slot 1 of the S12700 to manage the AP.
To enable employees to access the company network anytime anywhere on their mobile terminals, an enterprise branch needs to deploy WLAN basic services to implement mobile office.
Figure 1-2 Networking of a small-scale WLAN
Data Planning
Table 1-2 Data planning
Item | Data | Description
Eth-Trunk 0 | S12700: Add XGE1/0/1 and XGE1/0/2 to Eth-Trunk 0. ACU2: Add XGE0/0/1 and XGE0/0/2 to Eth-Trunk 0. | Configure Eth-Trunk 0 between the ACU2 and S12700 to increase bandwidth and improve network reliability.
Eth-Trunk 1 | S12700: Add GE2/0/2 and GE2/0/3 to Eth-Trunk 1. Access switch: Add GE0/0/2 and GE0/0/3 to Eth-Trunk 1. | Configure Eth-Trunk 1 between the ACU2 and access switch to increase bandwidth and improve network reliability.
AC's source interface address | 10.23.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; Security and authentication policy: WPA2+PSK; Authentication key: huawei123; Encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: huawei; SSID: huawei; WLAN virtual interface: WLAN-ESS 1; Data forwarding mode: tunnel forwarding | None
DHCP server | The ACU2 functions as the DHCP server to assign IP addresses to the AP and STAs. | None
AP gateway and IP address pool range | VLANIF 10: 10.23.10.1/24; 10.23.10.2-10.23.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 10.23.11.1/24; 10.23.11.2-10.23.11.254/24 | None
Configuration Roadmap
A modular switch has been deployed on the current network. To simplify network deployment, ACU2 can be added to the modular switch to provide WLAN services.
2. Configure the AP, access switch, ACU2, and upper-layer network devices to communicate at Layer 2. Add the XGE interfaces that connect the ACU2 and S12700 to an Eth-Trunk to increase link bandwidth and reliability.
3. Configure the ACU2 as a DHCP server to assign IP addresses to the STAs and AP from an IP address pool of an interface.
4. Configure ACU2 system parameters, including the country code, AC ID, carrier ID, and source interface used by the ACU2 to communicate with the AP.
5. Set the AP authentication mode and add the AP to an AP region.
6. Configure a VAP and deliver WLAN services to the AP to enable STAs to access the WLAN.
a. Configure a WMM profile and radio profile for the AP, retain the default settings of the profiles, and bind the WMM profile to the radio profile to enable STAs to communicate with the AP.
b. Configure a WLAN-ESS interface so that packets can be sent to the WLAN service processing module after reaching the ACU2.
c. Configure a security profile and traffic profile for the AP, and retain the default settings of the profiles. Configure a service set, bind the WLAN-ESS interface, security profile, and traffic profile to the service set to apply security and QoS policies to STAs.
d. Configure a VAP and deliver VAP parameters to the AP so that STAs can access the Internet through the WLAN.
Procedure
Step 2 Configure the access switch, ACU2, and S12700 to enable the AP and ACU2 to exchange CAPWAP packets.
# On the ACU2, create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and Eth-Trunk 0, add Eth-Trunk 0 to VLAN 100 and VLAN 101, and add interfaces XGigabitEthernet0/0/1 and XGigabitEthernet0/0/2 to Eth-Trunk 0.
<ACU2> system-view
[ACU2] sysname AC
[AC] vlan batch 100 101
[AC] interface eth-trunk 0 //Configure an Eth-Trunk to increase bandwidth and improve reliability.
[AC-Eth-Trunk0] port link-type trunk
[AC-Eth-Trunk0] port trunk allow-pass vlan 100 101
[AC-Eth-Trunk0] trunkport xgigabitethernet 0/0/1 0/0/2
[AC-Eth-Trunk0] quit
# On the S12700, create VLAN 100, VLAN 101, and Eth-Trunk 0, add Eth-Trunk 0 to VLAN 100 and VLAN 101, and add interfaces XGigabitEthernet1/0/1 and XGigabitEthernet1/0/2 to Eth-Trunk 0.
<HUAWEI> system-view
[HUAWEI] sysname S12700
[S12700] load-distribution mode slot 1 enhanced //Set the load balancing mode on the X1E card to enhanced mode. The default mode is normal.
[S12700] vlan batch 100 101
[S12700] interface eth-trunk 0
[S12700-Eth-Trunk0] port link-type trunk
[S12700-Eth-Trunk0] port trunk allow-pass vlan 100 101
[S12700-Eth-Trunk0] trunkport xgigabitethernet 1/0/1 1/0/2
[S12700-Eth-Trunk0] quit
# On the S12700, create Eth-Trunk 1, add Eth-Trunk 1 to VLAN 100, and add interfaces GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.
[S12700] interface eth-trunk 1
[S12700-Eth-Trunk1] port link-type trunk
[S12700-Eth-Trunk1] port trunk allow-pass vlan 100
[S12700-Eth-Trunk1] trunkport gigabitethernet 2/0/2 2/0/3
[S12700-Eth-Trunk1] quit
# On the access switch, create VLAN 100 and Eth-Trunk 1, add Eth-Trunk 1 to VLAN 100, and add interfaces GigabitEthernet0/0/2 and GigabitEthernet0/0/3 to Eth-Trunk 1. Add GE0/0/1 to VLAN 100.
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on GE0/0/1 that connects the access switch to the AP. If port isolation is not configured, unnecessary broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] trunkport gigabitethernet 0/0/2 0/0/3
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100 //A PVID must be configured for the interface connected to the AP.
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
Step 3 Configure the S12700 to communicate with upper-layer network devices.
Configure the S12700’s uplink interfaces to transparently transmit packets of service VLANs as required and communicate with upper-layer network devices.
# Add GE2/0/1 of the S12700 to VLAN 101.
[S12700] interface gigabitethernet 2/0/1
[S12700-GigabitEthernet2/0/1] port link-type trunk
[S12700-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S12700-GigabitEthernet2/0/1] quit
Step 4 Configure the ACU2 as a DHCP server to assign IP addresses to the STAs and AP.
# Configure the ACU2 as the DHCP server to allocate an IP address to the AP from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
Step 5 Configure system parameters of the ACU2.
# Configure the country code.
[AC] wlan ac-global country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
Warning: Modifying the country code will clear channel configurations of the AP
radio using the country code and reset the AP. If the new country code does not
support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y
# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.
Warning: Modify the carrier ID or AC ID may cause all of the AP offline, continu
e?[Y/N]:y
# Configure the source interface of the ACU2.
[AC] capwap source interface vlanif 100
[AC] wlan
Step 6 Manage APs on the ACU2.
# Check the AP type ID after obtaining the AP’s MAC address.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23
# Add the AP offline according to the AP type ID. Assume that the AP type is AP6010DN-AGN and its MAC address is 60de-4476-e360.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 0 type-id 19 mac 60de-4476-e360 //Add an AP offline.
[AC-wlan-ap-0] quit
The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the auth-mode mac-auth command.
# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10 //Create the AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add the AP with ID 0 to AP region 10. An AP joins region 0 by default.
[AC-wlan-ap-0] quit
# Power on the AP and run the display ap all command to check the AP running status. If the AP State field displays as normal, the AP is online on the AC.
[AC-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 60de-4476-e360 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1
Step 7 Configure WLAN service parameters.
# Create the WMM profile wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit
# Create the radio profile radio and bind the WMM profile wmm to the radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit
# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port hybrid pvid vlan 101
[AC-Wlan-Ess1] port hybrid untagged vlan 101
[AC-Wlan-Ess1] quit
# Create the security profile security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Set the security policy to WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //Set the encryption mode to PSK+CCMP.
[AC-wlan-sec-prof-security] quit
# Create the traffic profile traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit
# Create the service set huawei and bind the WLAN-ESS interface, security profile, and traffic profile to the service set.
[AC-wlan-view] service-set name huawei id 1
[AC-wlan-service-set-huawei] ssid huawei //Set the SSID name.
[AC-wlan-service-set-huawei] wlan-ess 1 //Bind the WLAN-ESS interface to the service set.
[AC-wlan-service-set-huawei] security-profile name security //Bind the security profile to the service set.
[AC-wlan-service-set-huawei] traffic-profile name traffic //Bind the traffic profile to the service set.
[AC-wlan-service-set-huawei] service-vlan 101 //Bind the service VLAN to the service set.
[AC-wlan-service-set-huawei] forward-mode tunnel //Set the forwarding mode to tunnel forwarding. The default forwarding mode is direct forwarding.
[AC-wlan-service-set-huawei] quit
Step 8 Configure a VAP and deliver the VAP configuration to the AP.
# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-0/0] service-set name huawei //Bind the service set to the radio. A VAP is generated after the binding.
[AC-wlan-radio-0/0] quit
# Deliver the configuration.
[AC-wlan-view] commit ap 0 //After the WLAN service configuration is complete on the AC, the configuration takes effect after you deliver it to the AP.
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y
Step 9 Verify the configuration.
After the configuration is complete, run the display vap ap 0 radio 0 command. The command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 60DE-4476-E360 service
----------------------------------------------------------------------
Total: 1
STAs discover the WLAN with SSID huawei and associate with the WLAN. You can run the display station assoc-info command on the ACU2. The command output shows that the STAs have connected to the WLAN huawei.
[AC-wlan-view] display station assoc-info ap 0 radio 0
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP/Rf/WLAN Rx/Tx Mode RSSI IP address
SSID
------------------------------------------------------------------------------
9021-55dc-3e17 0/0/1 27/58 11n -45 10.23.11.254
huawei
------------------------------------------------------------------------------
Total stations: 1
----End
Summary
• The interface directly connected to the AP, such as GE0/0/1 of the access switch, must be configured with a PVID.
• If the AP cannot go online, first check whether the server assigning an IP address to the AP is correctly configured.
This post was last edited by 交换机在江湖 at 2017-05-26 09:57.
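The rules from the Configuration Notes (management VLAN versus service VLAN per forwarding mode, port isolation on AP-facing ports in direct forwarding, and the choice of WPA2-PSK key) can be checked mechanically over CLI transcript lines in the format used in the Procedure. This is an added example, not part of the original post or any Huawei tool; the function names, the 12-character passphrase threshold and the `port-isolate enable` command (a Huawei switch command that this page does not show) are assumptions.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # [AC-wlan-view] or <HUAWEI>

def commands(transcript):
    """Yield typed commands without prompt or //comment; skip device output."""
    for line in transcript.splitlines():
        if PROMPT.match(line) and (cmd := PROMPT.sub("", line).split("//")[0].strip()):
            yield cmd

def audit(transcript, min_psk_len=12):
    """Apply the Configuration Notes rules; min_psk_len is an assumed local policy."""
    mgmt = svc = ssid = psk = iface = None
    mode, ap_ports, isolated = "direct", set(), set()  # direct is the stated default
    for cmd in commands(transcript):
        if m := re.match(r"(?:capwap|wlan ac) source interface vlanif (\d+)", cmd):
            mgmt = int(m[1])
        elif m := re.match(r"service-vlan (\d+)", cmd):
            svc = int(m[1])
        elif m := re.match(r"forward-mode (tunnel|direct)", cmd):
            mode = m[1]
        elif m := re.match(r"ssid (\S+)", cmd):
            ssid = m[1]
        elif m := re.search(r"authentication-method psk pass-phrase \S+ (\S+)", cmd):
            psk = m[1]  # plaintext only in a typed transcript, not in saved config
        elif m := re.match(r"interface (.+)", cmd):
            iface = m[1]
        elif cmd.startswith("port trunk pvid vlan"):
            ap_ports.add(iface)  # the page requires a PVID on the AP-facing port
        elif cmd.startswith("port-isolate enable"):
            isolated.add(iface)
    findings = []
    if mgmt is not None and mgmt == svc:
        sev = "ERROR" if mode == "tunnel" else "WARN"
        findings.append(f"{sev}: management and service VLAN are both {mgmt} ({mode})")
    if mode == "direct":
        for port in sorted(ap_ports - isolated):
            findings.append(f"WARN: {port} faces an AP without port isolation")
    if psk is not None:
        if not 8 <= len(psk) <= 63:
            findings.append("ERROR: WPA2 passphrase must be 8-63 characters")
        elif len(psk) < min_psk_len or (ssid and ssid.lower() in psk.lower()):
            findings.append("WARN: WPA2 passphrase is short or contains the SSID")
    return findings

# Constructed samples: PAGE reuses Procedure lines; BAD is a misconfigured variant.
PAGE = """[AC] capwap source interface vlanif 100
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp //PSK+CCMP
[AC-wlan-service-set-huawei] ssid huawei //Set the SSID name.
[AC-wlan-service-set-huawei] service-vlan 101
[AC-wlan-service-set-huawei] forward-mode tunnel
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100"""
BAD = PAGE.replace("service-vlan 101", "service-vlan 100").replace("forward-mode tunnel", "forward-mode direct")
```

Calling `audit(PAGE)` reports only the passphrase warning for the example key, while `audit(BAD)` additionally reports the shared VLAN and the unisolated AP-facing port.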