Wired and Wireless Clients (AC6605 Configuration)

Created: Sep 23, 2016 09:56:53 | Latest reply: Oct 24, 2018 11:43:46
  Rewarded HiCoins: 0 (problem resolved)
Hi all!


Please see the image:


What configurations should be made in the AC so that wired and wireless clients will be assigned to different VLANs?


Thanks!

Featured Answers

Recommended answer

Sergio93
Created Oct 24, 2018 11:43:46

Hello,

I'm not sure exactly if you want to connect the wired users to the port of APs or to the AC directly, but the wired PVID should be different from the service VLAN configured in the VAP profile. In this way, the wired users will request an IP in the VLAN configured as the PVID of the port. In this example, wired users have 201 as the service VLAN while the wireless users have VLAN 101.

Figure 1 (image: fig_dc_wlan_example_basic_002701.png)


Networking Requirements

As shown in Figure 1, the AC connects to the egress gateway Router in the uplink direction. In the downlink direction, the AC connects to and manages APs through S5700-1 and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second floors, respectively. An AP2010DN is deployed in each room to provide both wired and wireless access. The AP5030DN is deployed in the corridor to provide wireless network coverage. The S5700-1 and S5700-2 are PoE switches directly providing power to connected APs.

The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.

Configuration Roadmap

  1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other network devices.
  2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and wireless users.
  3. Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.
  4. Configure basic WLAN services, including AC system parameters, AP management, and WLAN service parameters.
  5. Configure VAPs and deliver VAP parameters to APs.
  6. Verify the configuration to ensure that both wired and wireless users can access the Internet.

Configuration Notes

  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure

  1. Configure network devices to communicate with each other.

    # Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and VLAN 201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN 100 and VLAN 202 (VLAN for wireless service packets). Set PVIDs for interfaces directly connected to APs. You are advised to configure port isolation on these interfaces to reduce unnecessary broadcast traffic. The S5700-1 is used as an example here. The configuration on the S5700-2 is similar. For details, see the configuration file of the S5700-2.

    [HUAWEI] sysname S5700-1
    [S5700-1] vlan batch 100 201
    [S5700-1] interface gigabitethernet 0/0/1
    [S5700-1-GigabitEthernet0/0/1] port link-type trunk
    [S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/1] quit
    [S5700-1] interface gigabitethernet 0/0/2
    [S5700-1-GigabitEthernet0/0/2] port link-type trunk
    [S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100   //Set a PVID for the interface directly connected to the AP.
    [S5700-1-GigabitEthernet0/0/2] port-isolate enable   //Configure port isolation to reduce broadcast packets.
    [S5700-1-GigabitEthernet0/0/2] quit
    [S5700-1] interface gigabitethernet 0/0/3
    [S5700-1-GigabitEthernet0/0/3] port link-type trunk
    [S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
    [S5700-1-GigabitEthernet0/0/3] port-isolate enable
    [S5700-1-GigabitEthernet0/0/3] quit
    [S5700-1] interface gigabitethernet 0/0/4
    [S5700-1-GigabitEthernet0/0/4] port link-type trunk
    [S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
    [S5700-1-GigabitEthernet0/0/4] port-isolate enable
    [S5700-1-GigabitEthernet0/0/4] quit
    

    # On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN 201, GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the Agile Controller) to VLAN 200.

    [AC6605] sysname AC
    [AC] vlan batch 100 200 201 202 300
    [AC] interface gigabitethernet 1/0/1
    [AC-GigabitEthernet1/0/1] port link-type trunk
    [AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
    [AC-GigabitEthernet1/0/1] quit
    [AC] interface gigabitethernet 1/0/2
    [AC-GigabitEthernet1/0/2] port link-type trunk
    [AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
    [AC-GigabitEthernet1/0/2] quit
    [AC] interface gigabitethernet 1/0/3
    [AC-GigabitEthernet1/0/3] port link-type trunk
    [AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
    [AC-GigabitEthernet1/0/3] quit
    [AC] interface gigabitethernet 1/0/4
    [AC-GigabitEthernet1/0/4] port link-type trunk
    [AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
    [AC-GigabitEthernet1/0/4] quit
    

    # Configure VLANIF 200 for communication between the AC and Agile Controller.

    [AC] interface vlanif 200
    [AC-Vlanif200] ip address 10.23.200.2 24  //Configure an IP address for communication between the AC and Agile Controller.
    [AC-Vlanif200] quit
    

  2. Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.

    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.

    # Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address pool.

    [AC] dhcp enable
    [AC] vlan batch 101 102
    [AC] interface vlanif 100  //Configure an interface address pool to assign IP addresses to APs.
    [AC-Vlanif100] description manage_ap
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    [AC] interface vlanif 101  //Configure an interface address pool to assign IP addresses to STAs on the first floor.
    [AC-Vlanif101] description manage_floor1_sta
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] quit
    [AC] interface vlanif 102  //Configure an interface address pool to assign IP addresses to STAs on the second floor.
    [AC-Vlanif102] description manage_floor2_sta
    [AC-Vlanif102] ip address 10.23.102.1 24
    [AC-Vlanif102] dhcp select interface
    [AC-Vlanif102] quit
    [AC] interface vlanif 201  //Configure an interface address pool to assign IP addresses to PCs on the first floor.
    [AC-Vlanif201] description manage_floor1_pc
    [AC-Vlanif201] ip address 10.23.201.1 24
    [AC-Vlanif201] dhcp select interface
    [AC-Vlanif201] quit
    [AC] interface vlanif 202  //Configure an interface address pool to assign IP addresses to PCs on the second floor.
    [AC-Vlanif202] description manage_floor2_pc
    [AC-Vlanif202] ip address 10.23.202.1 24
    [AC-Vlanif202] dhcp select interface
    [AC-Vlanif202] quit
    

  3. Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.

    # Configure a RADIUS server template on the AC, and configure authentication, accounting, and authorization in the template.

    [AC] radius-server template radius1  //Create the RADIUS server template radius1
    [AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80   //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
    [AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80   //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server
    [AC-radius-radius1] radius-server shared-key cipher Admin@123   //Configure the shared key for the RADIUS server.
    [AC-radius-radius1] undo radius-server user-name domain-included   //The user name that the device sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS server does not accept the user name with the domain name.
    [AC-radius-radius1] quit
    [AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123   //Configure an IP address for the RADIUS authorization server, set the shared key to Admin@123, same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
    [AC] aaa
    [AC-aaa] authentication-scheme radius1  //Create the authentication scheme radius1.
    [AC-aaa-authen-radius1] authentication-mode radius  //If the Agile Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
    [AC-aaa-authen-radius1] quit
    [AC-aaa] accounting-scheme radius1  //Create the accounting scheme radius1.
    [AC-aaa-accounting-radius1] accounting-mode radius   //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login and logout information, and forced logout information, the accounting mode must be set to radius.
    [AC-aaa-accounting-radius1] quit
    [AC-aaa] domain portal1   //Create the domain portal1.
    [AC-aaa-domain-portal1] authentication-scheme radius1  //Bind the authentication scheme radius1.
    [AC-aaa-domain-portal1] accounting-scheme radius1  //Bind the accounting scheme radius1.
    [AC-aaa-domain-portal1] radius-server radius1  //Bind the RADIUS server template radius1.
    [AC-aaa-domain-portal1] quit
    [AC-aaa] quit

    # Configure the Portal server.

    [AC] web-auth-server portal1  //Create the Portal server template portal1.
    [AC-web-auth-server-portal1] server-ip 10.23.200.1  //Configure an IP address for the Portal server.
    [AC-web-auth-server-portal1] port 50100  //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
    [AC-web-auth-server-portal1] shared-key cipher Admin@123  //Configure the shared key for message exchange between the AC and Portal server.
    [AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal  //Configure the URL for a Portal server.
    [AC-web-auth-server-portal1] quit
    

    # Enable Portal authentication for wireless users, and configure non-authentication for wired users.

    [AC] portal-access-profile name portal1
    [AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
    [AC-portal-acces-profile-portal1] quit
    [AC] authentication-profile name portal1
    [AC-authen-profile-portal1] portal-access-profile portal1
    [AC-authen-profile-portal1] access-domain portal1 force  //Configure the forcible user domain portal1.
    [AC-authen-profile-portal1] quit
    

  4. Configure APs to go online.

    # Create AP groups.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] ap-group name ap-group2
    [AC-wlan-ap-group-ap-group2] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP groups.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn  //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] ap-group name ap-group2
    [AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group2] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    

    # Import the APs offline on the AC.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
    [AC-wlan-ap-101] ap-name ap-101
    [AC-wlan-ap-101] ap-group ap-group1  //Add APs on the first floor to ap-group1.
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-101] quit
    [AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
    [AC-wlan-ap-102] ap-name ap-102
    [AC-wlan-ap-102] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-102] quit
    [AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
    [AC-wlan-ap-103] ap-name ap-103
    [AC-wlan-ap-103] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-103] quit
    [AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
    [AC-wlan-ap-201] ap-name ap-201
    [AC-wlan-ap-201] ap-group ap-group2  //Add APs on the second floor to ap-group2.
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-201] quit
    [AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
    [AC-wlan-ap-202] ap-name ap-202
    [AC-wlan-ap-202] ap-group ap-group2
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-202] quit
    [AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
    [AC-wlan-ap-203] ap-name ap-203
    [AC-wlan-ap-203] ap-group ap-group2
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-203] quit
    

    # Power on the APs and run the display ap all command to check the AP state. If the State field is nor, the APs have gone online.

    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [6]
    -------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------------------
    101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP2010DN        nor   0   10S
    102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP2010DN        nor   0   15S
    103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP2010DN        nor   0   23S
    201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP2010DN        nor   0   45S
    202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP2010DN        nor   0   49S
    203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP2010DN        nor   0   55S
    -------------------------------------------------------------------------------------------------
    Total: 6

    # Configure an AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and Eth0/0/1 to allow wired service packets to pass.

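    [AC-wlan-view] wired-port-profile name wired1
    ...
    [AC-wlan-wired-port-wired1] quit
    [AC-wlan-view] wired-port-profile name wired2
    [AC-wlan-wired-port-wired2] vlan tagged 201
    [AC-wlan-wired-port-wired2] quit
    [AC-wlan-view] wired-port-profile name wired3
    [AC-wlan-wired-port-wired3] vlan pvid 202
    ...
    [AC-wlan-wired-port-wired3] vlan untagged 202
    [AC-wlan-wired-port-wired3] quit
    [AC-wlan-view] wired-port-profile name wired4
    [AC-wlan-wired-port-wired4] vlan tagged 202
    [AC-wlan-wired-port-wired4] quit
    [AC-wlan-view] ap-id 101
    [AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
    [AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
    [AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
    [AC-wlan-ap-101] quit
    [AC-wlan-view] ap-id 102
    [AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
    [AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
    [AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
    [AC-wlan-ap-102] quit
    [AC-wlan-view] ap-id 201
    [AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
    [AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
    [AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
    [AC-wlan-ap-201] quit
    [AC-wlan-view] ap-id 202
    [AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
    [AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
    [AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
    [AC-wlan-ap-202] quit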

  5. Configure WLAN service parameters.

    # Create RRM profile rrm1.

    [AC-wlan-view] rrm-profile name rrm1
    [AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable  //Set the channel selection mode of the radio to fixed.
    [AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable  //Set the transmit power mode of the radio to fixed.
    [AC-wlan-rrm-prof-rrm1] quit
    

    # Create radio profiles radio-2g and radio-5g and bind rrm1 to the radio profiles.

    [AC-wlan-view] radio-2g-profile name radio-2g
    [AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
    [AC-wlan-radio-2g-prof-radio-2g] quit
    [AC-wlan-view] radio-5g-profile name radio-5g
    [AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
    [AC-wlan-radio-5g-prof-radio-5g] quit
    

    # Create security profile wlan-security and set the security policy in the profile.

    [AC-wlan-view] security-profile name wlan-security  //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
    [AC-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan  //Set the SSID to hospital-wlan.
    [AC-wlan-ssid-prof-wlan-ssid] quit
    

    # Create traffic profile traffic1 and configure Layer 2 user isolation.

    [AC-wlan-view] traffic-profile name traffic1
    [AC-wlan-traffic-prof-traffic1] user-isolate l2
    Warning: This action may cause service interruption. Continue?[Y/N]y 

    # Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap1
    [AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel  //Set the service forwarding mode to tunnel.
    [AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101  //Set the VLAN ID to 101. The default VLAN ID is 1.
    [AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security 
    [AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
    [AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
    [AC-wlan-vap-prof-wlan-vap1] quit
    [AC-wlan-view] vap-profile name wlan-vap2
    [AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel  //Set the service forwarding mode to tunnel.
    [AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 
    [AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
    [AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
    [AC-wlan-vap-prof-wlan-vap2] quit
    

    # Bind the VAP profile and radio profile to the AP group.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g radio all
    [AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g radio all
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] ap-group name ap-group2
    [AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
    [AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
    [AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g radio all
    [AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g radio all
    [AC-wlan-ap-group-ap-group2] quit
    

Hope it helps you.
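
The VLAN rules stated in the answer above (wired PVID different from the VAP service VLAN, management and service VLAN different in tunnel mode, port isolation on AP-facing switch ports) can be checked against a saved CLI session before it is applied. The following Python is an added example, not part of the original post or of Huawei's tooling. The sample session is constructed, the wired-port-profile prompt text is an assumption, and a switch port is treated as AP-facing when its PVID equals the CAPWAP source VLAN, as in the answer.

```python
import re
from collections import defaultdict

# Constructed sample session in the style of the answer (not a device capture).
# The wired-port-profile prompt text is an assumption; no check depends on it.
GOOD = """\
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100   //AP-facing port
[S5700-1-GigabitEthernet0/0/2] port-isolate enable
[S5700-1-GigabitEthernet0/0/2] quit
[AC] capwap source interface vlanif 100
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel  //tunnel forwarding
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] quit
"""

# The same session with three constructed mistakes, one per check.
BAD = (GOOD.replace("service-vlan vlan-id 102", "service-vlan vlan-id 100")
           .replace("vlan pvid 201", "vlan pvid 101")
           .replace("[S5700-1-GigabitEthernet0/0/2] port-isolate enable\n", ""))

PROMPT = re.compile(r"^\s*\[([^\]]+)\]\s*(.*)$")


def parse_session(text):
    """Group typed commands by the CLI view (prompt) they were entered in."""
    views = defaultdict(list)
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # warnings, display output, blank lines
        # Strip trailing "//comment"; the leading whitespace keeps URLs intact.
        cmd = re.sub(r"\s+//.*$", "", m.group(2)).strip()
        if cmd and cmd != "quit":
            views[m.group(1)].append(cmd)
    return views


def first_int(cmds, pattern):
    """Return the integer captured by the first command that fully matches."""
    for cmd in cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return None


def audit(text):
    """Return a list of (check, view) findings for the rules in the answer."""
    views = parse_session(text)
    all_cmds = [c for cmds in views.values() for c in cmds]
    mgmt = first_int(all_cmds, r"capwap source interface vlanif (\d+)")
    findings = []

    # Rule: in tunnel forwarding, management VLAN and service VLAN must differ.
    service = {}
    for view, cmds in views.items():
        vlan = first_int(cmds, r"service-vlan vlan-id (\d+)")
        if vlan is None:
            continue
        service[view] = vlan
        if "forward-mode tunnel" in cmds and vlan == mgmt:
            findings.append(("mgmt-eq-service", view))

    # Rule: the wired PVID must differ from every VAP service VLAN.
    for view, cmds in views.items():
        pvid = first_int(cmds, r"vlan pvid (\d+)")
        if pvid is not None and pvid in service.values():
            findings.append(("wired-pvid-eq-service", view))

    # Rule: AP-facing switch ports (PVID == management VLAN) need isolation.
    for view, cmds in views.items():
        pvid = first_int(cmds, r"port trunk pvid vlan (\d+)")
        if pvid is not None and pvid == mgmt and "port-isolate enable" not in cmds:
            findings.append(("no-port-isolate", view))
    return findings


if __name__ == "__main__":
    for name, session in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(session))
```
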
View more
  • x
  • convention:

All Answers
  • x
  • convention:

Hello,

I'm not sure exactly if you want to connect the wired users to the port of APs or to AC directly. but the wired PVID should be different from the service VLAN configured in the VAP profile. In this way, the wired users will request IP in the VLAN configured as PVID of the port. In this example wired uses have 201 as the service VLAN while the wireless users have 101 VLAN.
fig_dc_wlan_example_basic_002701.png


Networking Requirements

As shown in Figure 1, the AC connects to the egress gateway Router in the uplink direction. In the downlink direction, the AC connects to and manages APs through S5700-1 and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second floors, respectively. An AP2010DN is deployed in each room to provide both wired and wireless access. The AP5030DN is deployed in the corridor to providwireless network coverage. The S5700-1 and S5700-2 are PoE switches directly providing power to connected APs.

The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.

Configuration Roadmap

  1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other network devices.
  2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and wireless users.
  3. Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.
  4. Configure basic WLAN services, including AC system parameters, AP management, and WLAN service parameters.
  5. Configure VAPs and deliver VAP parameters to APs.
  6. Verify the configuration to ensure that both wired and wireless users can access the Internet.

Configuration Notes

  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessa****roadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure

  1. Configure network devices to communicate with each other.

    # Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and VLAN 201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN 100 and VLAN 202 (VLAN for wireless service packets). Set PVIDs for interfaces directly connected to APs. You are advised to configure port isolation on these interfaces to reduce unnecessa****roadcast traffic. The S5700-1 is used as an example here. The configuration on the S5700-2 is similar. For details, see the configuration file of the S5700-2.

    [HUAWEI] sysname S5700-1
    [S5700-1] vlan batch 100 201
    [S5700-1] interface gigabitethernet 0/0/1
    [S5700-1-GigabitEthernet0/0/1] port link-type trunk
    [S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/1] quit
    [S5700-1] interface gigabitethernet 0/0/2
    [S5700-1-GigabitEthernet0/0/2] port link-type trunk
    [S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100   //Set a PVID for the interface directly connected to the AP.
    [S5700-1-GigabitEthernet0/0/2] port-isolate enable   //Configure port isolation to reduce broadcast packets.
    [S5700-1-GigabitEthernet0/0/2] quit
    [S5700-1] interface gigabitethernet 0/0/3
    [S5700-1-GigabitEthernet0/0/3] port link-type trunk
    [S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
    [S5700-1-GigabitEthernet0/0/3] port-isolate enable
    [S5700-1-GigabitEthernet0/0/3] quit
    [S5700-1] interface gigabitethernet 0/0/4
    [S5700-1-GigabitEthernet0/0/4] port link-type trunk
    [S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
    [S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
    [S5700-1-GigabitEthernet0/0/4] port-isolate enable
    [S5700-1-GigabitEthernet0/0/4] quit
    

    # On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN 201, GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the Agile Controller) to VLAN 200.

    [AC6605] sysname AC
    [AC] vlan batch 100 200 201 202 300
    [AC] interface gigabitethernet 1/0/1
    [AC-GigabitEthernet1/0/1] port link-type trunk
    [AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
    [AC-GigabitEthernet1/0/1] quit
    [AC] interface gigabitethernet 1/0/2
    [AC-GigabitEthernet1/0/2] port link-type trunk
    [AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
    [AC-GigabitEthernet1/0/2] quit
    [AC] interface gigabitethernet 1/0/3
    [AC-GigabitEthernet1/0/3] port link-type trunk
    [AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
    [AC-GigabitEthernet1/0/3] quit
    [AC] interface gigabitethernet 1/0/4
    [AC-GigabitEthernet1/0/4] port link-type trunk
    [AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
    [AC-GigabitEthernet1/0/4] quit
    

    # Configure VLANIF 200 for communication between the AC and Agile Controller.

    [AC] interface vlanif 200
    [AC-Vlanif200] ip address 10.23.200.2 24  //Configure an IP address for communication between the AC and Agile Controller.
    [AC-Vlanif200] quit
    

  2. Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.

    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.

    # Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address pool.

    [AC] dhcp enable
    [AC] vlan batch 101 102
    [AC] interface vlanif 100  //Configure an interface address pool to assign IP addresses to APs.
    [AC-Vlanif100] description manage_ap
    [AC-Vlanif100] ip address 10.23.100.1 24
    [AC-Vlanif100] dhcp select interface
    [AC-Vlanif100] quit
    [AC] interface vlanif 101  //Configure an interface address pool to assign IP addresses to STAs on the first floor.
    [AC-Vlanif101] description manage_floor1_sta
    [AC-Vlanif101] ip address 10.23.101.1 24
    [AC-Vlanif101] dhcp select interface
    [AC-Vlanif101] quit
    [AC] interface vlanif 102  //Configure an interface address pool to assign IP addresses to STAs on the second floor.
    [AC-Vlanif102] description manage_floor2_sta
    [AC-Vlanif102] ip address 10.23.102.1 24
    [AC-Vlanif102] dhcp select interface
    [AC-Vlanif102] quit
    [AC] interface vlanif 201  //Configure an interface address pool to assign IP addresses to PCs on the first floor.
    [AC-Vlanif201] description manage_floor1_pc
    [AC-Vlanif201] ip address 10.23.201.1 24
    [AC-Vlanif201] dhcp select interface
    [AC-Vlanif201] quit
    [AC] interface vlanif 202  //Configure an interface address pool to assign IP addresses to PCs on the second floor.
    [AC-Vlanif202] description manage_floor2_pc
    [AC-Vlanif202] ip address 10.23.202.1 24
    [AC-Vlanif202] dhcp select interface
    [AC-Vlanif202] quit
    

  3. Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.

    # Configure a RADIUS server template on the AC, and configure authentication, accounting, and authorization in the template.

    [AC] radius-server template radius1  //Create the RADIUS server template radius1
    [AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80   //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
    [AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80   //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server
    [AC-radius-radius1] radius-server shared-key cipher Admin@123   //Configure the shared key for the RADIUS server.
    [AC-radius-radius1] undo radius-server user-name domain-included   //The user name that the device sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS server does not accept the user name with the domain name.
    [AC-radius-radius1] quit
    [AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123   //Configure an IP address for the RADIUS authorization server, set the shared key to Admin@123, same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
    [AC] aaa
    [AC-aaa] authentication-scheme radius1  //Create the authentication scheme radius1.
    [AC-aaa-authen-radius1] authentication-mode radius  //If the Agile Controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
    [AC-aaa-authen-radius1] quit
    [AC-aaa] accounting-scheme radius1  //Create the accounting scheme radius1.
    [AC-aaa-accounting-radius1] accounting-mode radius   //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login and logout information, and forced logout information, the accounting mode must be set to radius.
    [AC-aaa-accounting-radius1] quit
    [AC-aaa] domain portal1   //Create the domain portal1.
    [AC-aaa-domain-portal1] authentication-scheme radius1  //Bind the authentication scheme radius1.
    [AC-aaa-domain-portal1] accounting-scheme radius1  //Bind the accounting scheme radius1.
    [AC-aaa-domain-portal1] radius-server radius1  //Bind the RADIUS server template radius1.
    [AC-aaa-domain-portal1] quit
    [AC-aaa] quit

    # Configure the Portal server.

    [AC] web-auth-server portal1  //Create the Portal server template portal1.
    [AC-web-auth-server-portal1] server-ip 10.23.200.1  //Configure an IP address for the Portal server.
    [AC-web-auth-server-portal1] port 50100  //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
    [AC-web-auth-server-portal1] shared-key cipher Admin@123  //Configure the shared key for message exchange between the AC and Portal server.
    [AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal  //Configure the URL for a Portal server.
    [AC-web-auth-server-portal1] quit
    

    # Enable Portal authentication for wireless users, and configure non-authentication for wired users.

    [AC] portal-access-profile name portal1
    [AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
    [AC-portal-acces-profile-portal1] quit
    [AC] authentication-profile name portal1
    [AC-authen-profile-portal1] portal-access-profile portal1
    [AC-authen-profile-portal1] access-domain portal1 force  //Configure the forcible user domain portal1.
    [AC-authen-profile-portal1] quit
    

  4. Configure APs to go online.

    # Create AP groups.

    [AC] wlan
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] ap-group name ap-group2
    [AC-wlan-ap-group-ap-group2] quit
    

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP groups.

    [AC-wlan-view] regulatory-domain-profile name domain1
    [AC-wlan-regulate-domain-domain1] country-code cn  //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
    [AC-wlan-regulate-domain-domain1] quit
    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] ap-group name ap-group2
    [AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [AC-wlan-ap-group-ap-group2] quit
    [AC-wlan-view] quit
    

    # Configure the AC's source interface.

    [AC] capwap source interface vlanif 100
    

    # Import the APs offline on the AC.

    [AC] wlan
    [AC-wlan-view] ap auth-mode mac-auth
    [AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
    [AC-wlan-ap-101] ap-name ap-101
    [AC-wlan-ap-101] ap-group ap-group1  //Add APs on the first floor to ap-group1.
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-101] quit
    [AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
    [AC-wlan-ap-102] ap-name ap-102
    [AC-wlan-ap-102] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-102] quit
    [AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
    [AC-wlan-ap-103] ap-name ap-103
    [AC-wlan-ap-103] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-103] quit
    [AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
    [AC-wlan-ap-201] ap-name ap-201
    [AC-wlan-ap-201] ap-group ap-group2  //Add APs on the second floor to ap-group2.
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-201] quit
    [AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
    [AC-wlan-ap-202] ap-name ap-202
    [AC-wlan-ap-202] ap-group ap-group2
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-202] quit
    [AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
    [AC-wlan-ap-203] ap-name ap-203
    [AC-wlan-ap-203] ap-group ap-group2
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [AC-wlan-ap-203] quit
    

    # Power on the APs and run the display ap all command to check the AP state. If the State field is nor, the APs have gone online.

    [AC-wlan-view] display ap all
    Total AP information:
    nor  : normal          [6]
    -------------------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP            Type            State STA Uptime
    -------------------------------------------------------------------------------------------------
    101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP2010DN        nor   0   10S
    102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP2010DN        nor   0   15S
    103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP2010DN        nor   0   23S
    201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP2010DN        nor   0   45S
    202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP2010DN        nor   0   49S
    203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP2010DN        nor   0   55S
    -------------------------------------------------------------------------------------------------
    Total: 6

    # Configure an AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and Eth0/0/1 to allow wired service packets to pass.

    wired-port-profile name wired1
    quit
    wired-port-profile name wired2
    vlan tagged 201
    quit
    wired-port-profile name wired3
    vlan pvid 202
    vlan untagged 202
    quit
    wired-port-profile name wired4
    vlan tagged 202
    quit
    ap-id 101
    wired-port-profile wired1 ethernet 0
    wired-port-profile wired1 ethernet 1
    wired-port-profile wired2 gigabitethernet 0
    quit
    ap-id 102
    wired-port-profile wired1 ethernet 0
    wired-port-profile wired1 ethernet 1
    wired-port-profile wired2 gigabitethernet 0
    quit
    ap-id 201
    wired-port-profile wired3 ethernet 0
    wired-port-profile wired3 ethernet 1
    wired-port-profile wired4 gigabitethernet 0
    quit
    ap-id 202
    wired-port-profile wired3 ethernet 0
    wired-port-profile wired3 ethernet 1
    wired-port-profile wired4 gigabitethernet 0
    quit

  5. Configure WLAN service parameters.

    # Create RRM profile rrm1.

    [AC-wlan-view] rrm-profile name rrm1
    [AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable  //Set the channel selection mode of the radio to fixed.
    [AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable  //Set the transmit power mode of the radio to fixed.
    [AC-wlan-rrm-prof-rrm1] quit
    

    # Create radio profiles radio-2g and radio-5g and bind rrm1 to the radio profiles.

    [AC-wlan-view] radio-2g-profile name radio-2g
    [AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
    [AC-wlan-radio-2g-prof-radio-2g] quit
    [AC-wlan-view] radio-5g-profile name radio-5g
    [AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
    [AC-wlan-radio-5g-prof-radio-5g] quit
    

    # Create security profile wlan-security and set the security policy in the profile.

    [AC-wlan-view] security-profile name wlan-security  //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
    [AC-wlan-sec-prof-wlan-security] quit
    

    # Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.

    [AC-wlan-view] ssid-profile name wlan-ssid
    [AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan  //Set the SSID to hospital-wlan.
    [AC-wlan-ssid-prof-wlan-ssid] quit
    

    # Create traffic profile traffic1 and configure Layer 2 user isolation.

    [AC-wlan-view] traffic-profile name traffic1
    [AC-wlan-traffic-prof-traffic1] user-isolate l2
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-traffic-prof-traffic1] quit

    # Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.

    [AC-wlan-view] vap-profile name wlan-vap1
    [AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel  //Set the service forwarding mode to tunnel.
    [AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101  //Set the VLAN ID to 101. The default VLAN ID is 1.
    [AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security 
    [AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
    [AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
    [AC-wlan-vap-prof-wlan-vap1] quit
    [AC-wlan-view] vap-profile name wlan-vap2
    [AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel  //Set the service forwarding mode to tunnel.
    [AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 
    [AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
    [AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
    [AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
    [AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
    [AC-wlan-vap-prof-wlan-vap2] quit
    

    # Bind the VAP profile and radio profile to the AP group.

    [AC-wlan-view] ap-group name ap-group1
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
    [AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
    [AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g radio all
    [AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g radio all
    [AC-wlan-ap-group-ap-group1] quit
    [AC-wlan-view] ap-group name ap-group2
    [AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
    [AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
    [AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g radio all
    [AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g radio all
    [AC-wlan-ap-group-ap-group2] quit
    

Hope it helps you.
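
A check for the answer's main point, as an added Python example (not part of the original post or of Huawei's documentation): it parses a configuration transcript in the style above and reports any VLAN used both as a wired-port PVID and as a VAP service VLAN, and also flags one shared key reused for RADIUS and Portal and a cleartext HTTP portal URL. The sample input is constructed, the `wired-bad` profile is hypothetical, and the wired-port prompt text is an assumption.

```python
import re

# Constructed sample in the transcript style above. "wired-bad" is a
# hypothetical misconfigured profile; the wired-port prompt text is assumed.
SAMPLE = """\
[AC-radius-radius1] radius-server shared-key cipher Admin@123   //RADIUS key
[AC-web-auth-server-portal1] shared-key cipher Admin@123
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired-bad
[AC-wlan-wired-port-wired-bad] vlan pvid 102
[AC-wlan-wired-port-wired-bad] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102  //Wireless VLAN
[AC-wlan-vap-prof-wlan-vap2] quit
"""

def commands(text):
    """Yield each command with its [prompt] and trailing //comment removed."""
    for line in text.splitlines():
        cmd = re.sub(r"^\s*\[[^\]]+\]\s*|\s+//.*$", "", line).strip()
        if cmd:
            yield cmd

def audit(text):
    """Return findings: wired/wireless VLAN overlap, key reuse, HTTP portal."""
    wired, wireless, keys, findings = {}, {}, {}, []
    kind = name = None  # profile view currently being configured
    for cmd in commands(text):
        if m := re.match(r"(wired-port|vap)-profile name (\S+)", cmd):
            kind, name = m[1], m[2]
        elif cmd == "quit":
            kind = name = None
        elif kind == "wired-port" and (
                m := re.match(r"vlan (?:pvid|untagged) (\d+)", cmd)):
            wired.setdefault(int(m[1]), set()).add(name)
        elif kind == "vap" and (m := re.match(r"service-vlan vlan-id (\d+)", cmd)):
            wireless.setdefault(int(m[1]), set()).add(name)
        elif m := re.search(r"shared-key cipher (\S+)", cmd):
            proto = "radius" if cmd.startswith("radius-server") else "portal"
            keys.setdefault(m[1], set()).add(proto)
        elif m := re.match(r"url (http://\S+)", cmd):
            findings.append(f"portal URL uses cleartext HTTP: {m[1]}")
    for vlan in sorted(wired.keys() & wireless.keys()):
        findings.append(f"VLAN {vlan}: wired {sorted(wired[vlan])} "
                        f"overlaps wireless {sorted(wireless[vlan])}")
    if any(len(protos) > 1 for protos in keys.values()):
        findings.append("same shared key used for RADIUS and Portal")
    return findings
```

Calling `audit(SAMPLE)` returns three findings; the key value itself is never echoed in the output.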