Configuring a management VLAN on a WLAN device

To use a remote network management system to centrally manage APs, create a VLANIF interface on each AP and configure a management IP address for the VLANIF interface. You can then log in to an AP through STelnet and manage it using its management IP address. If a user-side interface is added to the VLAN, users connected to the interface can also log in to the APs. This brings security risks to the AP.
In this case, you can configure the VLAN as a management VLAN to prohibit access or dot1q-tunnel interfaces from being added to the VLAN. An access interface or a dot1q-tunnel interface is connected to users. The management VLAN forbids users connected to access and dot1q-tunnel interfaces from logging in to the AP, improving AP security.
You can configure a management VLAN as follows:
1. Run the system-view command to enter the system view.
2. Run the vlan xx command to enter the VLAN view.
3. Run the management-vlan command to configure a management VLAN. After a management VLAN is configured, only trunk or hybrid interfaces can be added to the management VLAN. VLAN 1 cannot be configured as a management VLAN.
4. Run the quit command to exit from the VLAN view.
5. Run the interface vlanif xx command to enter the VLANIF interface view.
6. Run the ip address ip-address { mask | mask-length } [ sub ] command to configure an IP address for the VLANIF interface. After the configuration is complete, you can run the stelnet command to log in to the AC to manage APs.
7. Check the configuration. Run the display vlan command to view information about the management VLAN in the line starting with an asterisk sign (*).
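
The following Python audit is an added example, not part of the original page or Huawei's tooling. It checks a saved configuration for the exposure described above: a VLANIF with an IP address whose VLAN is not marked management-vlan, or which has access or dot1q-tunnel interfaces in it. It assumes the saved-configuration layout shown in the constructed sample (stanza headers in column 0, settings indented by one space) and treats every addressed VLANIF as a management address.

```python
# Constructed sample in the assumed layout of a saved configuration.
SAMPLE_CONFIG = """\
vlan 100
 management-vlan
#
interface Vlanif100
 ip address 192.0.2.10 255.255.255.0
#
interface Vlanif2
 ip address 198.51.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
"""

# Link types the page describes as connected to users.
USER_SIDE = {"port link-type access", "port link-type dot1q-tunnel"}

def parse_stanzas(text):
    """Map each top-level line (e.g. 'vlan 100') to its indented settings."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None                      # separator ends the stanza
        elif line[0] != " ":
            current = stanzas.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return stanzas

def audit(text):
    """Return findings for VLANIF addresses reachable from user-side ports."""
    stanzas = parse_stanzas(text)
    findings = []
    for head, body in stanzas.items():
        vid = head.removeprefix("interface Vlanif")
        if not vid.isdigit() or not any(s.startswith("ip address ") for s in body):
            continue                            # not an addressed VLANIF
        if vid == "1":
            findings.append("Vlanif1: VLAN 1 cannot be a management VLAN")
        elif "management-vlan" not in stanzas.get(f"vlan {vid}", []):
            findings.append(f"Vlanif{vid}: VLAN {vid} lacks management-vlan")
        for port, cfg in stanzas.items():
            if USER_SIDE & set(cfg) and f"port default vlan {vid}" in cfg:
                findings.append(f"{port}: user-side port in VLAN {vid}")
    return findings
```

On the sample, Vlanif100 passes, while Vlanif2 is reported twice: its VLAN is not a management VLAN, and an access interface is a member of it.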

Other related questions:

Creating a VLAN on a WLAN device
The following example describes how to configure a VLAN on a WLAN device:
[HUAWEI] vlan batch 2 4 to 10 15 //Create VLANs 2, 4-10, and 15.
[HUAWEI] interface vlanif 10 //Enter the view of VLANIF 10.
[HUAWEI-Vlanif10]

Configure the service VLAN and management VLAN
1. Service VLAN
- Command output on the AC:
[HUAWEI]wlan
[HUAWEI-wlan-view]service-set name test
[HUAWEI-wlan-service-set-test]service-vlan 100
Multiple service sets have access to different service VLANs.
2. Management VLAN
- Configure PVID and untag for the management VLAN on the switch connected to the AP. Allow packets from the management VLAN to pass through.
- On Fit APs, no configuration is required for the interfaces connected to the switch.
- On Fat APs, the configurations for wired-side interfaces are the same as the configurations for the interfaces on the switch.
Note:
1. It is recommended that you configure the service VLAN and management VLAN differently, and do not use VLAN 1 for both VLANs.
2. In normal cases, there is only one management VLAN, but multiple service VLANs can be configured as required.
3. A service set can contain only one service VLAN.
4. In tunnel forwarding, the switch between the AP and AC does not allow packets from service VLANs to pass through, but in direct forwarding, the switch must allow packets to pass through.
5. If the service VLAN or management VLAN is changed, VLAN configurations on the devices along the path must be modified.
If the network is newly deployed, you are advised to dial 400-822-9999 to seek assistance from Huawei's presale team to perform the network planning first.

Configuring access interfaces on WLAN devices
The following example describes how to configure an access interface on a WLAN device. An access interface can connect to a user host.
[HUAWEI]vlan batch 2 //Create a VLAN.
[HUAWEI]interface gigabitethernet0/0/1
[HUAWEI-GigabitEthernet0/0/1]port link-type access //Set the interface type to access.
[HUAWEI-GigabitEthernet0/0/1]port default vlan 2 //Add the interface to VLAN 2.
[HUAWEI-GigabitEthernet0/0/1]quit

Configuring a trunk interface on a WLAN device
The following example describes how to configure a trunk interface on an AC. A trunk interface connects an AC to a switch.
[HUAWEI]vlan batch 2 3 //Create VLANs.
[HUAWEI]interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1]port link-type trunk //Set the link type of the interface to trunk. The link type of the interface is hybrid by default.
[HUAWEI-GigabitEthernet0/0/1]port trunk allow-pass vlan all //Allow packets from all VLANs to pass through. By default, the interface allows only packets from VLAN 1 to pass through.
[HUAWEI-GigabitEthernet0/0/1]port trunk pvid vlan 2 //(Optional) Specify VLAN 2 as the default VLAN of the interface (default: VLAN 1).
