HUAWEI WLAN Certification Training

HCIP-WLAN Lab Guide

ISSUE: 2.0

HUAWEI TECHNOLOGIES CO., LTD

Copyright © HUAWEI Technologies Co., Ltd. 2025. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of HUAWEI Technologies Co., Ltd.

Trademarks and Permissions

and other HUAWEI trademarks are trademarks of HUAWEI Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between HUAWEI and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

HUAWEI Technologies Co., Ltd.
Address: HUAWEI Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: https://e.huawei.com

HUAWEI Proprietary and Confidential
Copyright © HUAWEI Technologies Co., Ltd

HCIP-WLAN V2.0 Lab Guide

HUAWEI Certification System

Huawei Certification is an integral part of the company's Platform + Ecosystem strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-Device synergy. Our certification is always evolving to reflect the latest trends in ICT development.
Huawei Certification consists of three categories: ICT Infrastructure Certification, Basic Software & Hardware Certification, and Cloud Platform & Services Certification, making it the most extensive technical certification program in the industry.

HUAWEI offers three levels of certification: HUAWEI Certified ICT Associate (HCIA), HUAWEI Certified ICT Professional (HCIP), and HUAWEI Certified ICT Expert (HCIE).

HUAWEI Certification covers all ICT fields and adapts to the industry trend of ICT convergence. With its leading talent development system and certification standards, it is committed to fostering new ICT talent in the digital era, and building a sound ICT talent ecosystem.

HCIP-WLAN (HUAWEI Certified ICT Professional-Wireless Local Area Network, HUAWEI Certified Senior Network Communications Engineer WLAN direction) is intended for frontline engineers of HUAWEI local offices and representative offices, and other technical personnel who want to learn about HUAWEI WLAN products. The HCIP-WLAN certification covers HUAWEI WLAN networking architecture, WLAN roaming, radio resource management, access authentication, WLAN network planning, WLAN network optimization, and troubleshooting.

HUAWEI certification helps you open the window of the industry, open the door to change, and stand on the top of the tide in the WLAN network world.

About This Document

Overview

This document is applicable to the candidates who are preparing for the HCIA-WLAN exam and the readers who want to understand the WLAN networking architecture, WLAN roaming, RRM, access authentication, WLAN planning and optimization, and WLAN fault troubleshooting.

Description

This lab guide consists of 12 labs, covering basic configurations, and the configuration and implementation of WLAN networking, reliability, cloud management, access authentication, roaming, network planning, O&M, and troubleshooting.

⚫ Lab 1: WAC + Fit AP networking. Through basic operations and configurations, this lab helps readers further understand the WAC + Fit AP networking and understand basic AP onboarding configurations.
⚫ Lab 2: Leader AP networking. Through basic networking configurations, this lab helps readers further understand the WAC + Fit AP networking and understand basic AP onboarding configurations.
⚫ Lab 3: VRRP HSB. This lab focuses on the VRRP HSB networking in the WAC reliability networking, helping you understand the WLAN reliability networking architecture and construction method.
⚫ Lab 4: Cloud management networking. This lab helps you get familiar with the architecture of the HUAWEI cloud management solution and master the methods of managing WACs and APs on the cloud management platform.
⚫ Lab 5: 802.1X authentication. This lab describes 802.1X authentication security features and instructs you to deploy 802.1X authentication.
⚫ Lab 6: Portal authentication. This lab describes Portal authentication security features and instructs you to deploy Portal authentication.
⚫ Lab 7: WLAN roaming. This lab focuses on inter-WAC Layer 3 roaming and its deployment, helping you get familiar with the WLAN roaming solutions.
⚫ Lab 8: Radio resource management. This lab focuses on WLAN radio calibration, band steering, load balancing, and user CAC, helping you get familiar with network optimization methods and implementation methods.
⚫ Lab 9: Indoor WLAN planning. This lab provides instructions on designing an indoor WLAN so that you can understand how to use the network planning tool and learn network planning details.
⚫ Lab 10: Outdoor WLAN planning. This lab provides instructions on designing an outdoor WLAN so that you can understand how to use the network planning tool and learn network planning details.
⚫ Lab 11: CampusInsight intelligent O&M. This lab uses CampusInsight to perform O&M management, helping you get familiar with CampusInsight functions.
⚫ Lab 12: Comprehensive troubleshooting. This lab focuses on troubleshooting faults in Portal authentication scenarios, helping you rectify faults on a WLAN.

Background Knowledge Required

This course is part of the HUAWEI Certification HCIP training. To fully understand this course, you need to:

⚫ Have a good grasp of advanced WLAN knowledge and basic datacom knowledge.
⚫ Be familiar with HUAWEI software and hardware configurations, including switches, WACs, APs, iMaster NCE-Campus, and iMaster NCE-CampusInsight.
⚫ Be familiar with the WLAN project planning process and understand the basic usage of the network planning tool WLAN Planner.

Common Icons

Lab Environment Description

Networking Description

This lab environment is prepared for WLAN engineers who are preparing for the HCIP-WLAN exam. Each lab environment consists of three WACs, five APs, one core switch, one access switch, one iMaster NCE-Campus server, and one iMaster NCE-CampusInsight server. Each lab environment is used by one trainee at a time.

Device Introduction

To meet the HCIP-WLAN lab requirements, it is recommended that each lab environment adopt the following configurations. The following table lists the devices, models, and versions.

Device Name      Device Model                  Software Version
Core switch      CloudEngine S5732-H24UM2CC    V200R022C00SPC500
Access switch    CloudEngine S5732-H24UM2CC    V200R022C00SPC500
WAC              AirEngine 9700-M1             V200R022C00SPC100
AP               AirEngine8760-X1-PRO          V200R022C00SPC100
Server           iMaster NCE-CampusInsight     V100R022C00SPC1b0
Server           iMaster NCE-Campus            V300R022C00SPC201

Note: To ensure that devices can be purchased properly, the AP model in the device list may be different from that provided in the lab. This does not affect the lab operation. The AP model displayed when the AP goes online is different. Trainees can perform the lab normally.
Lab Environment Preparation

Checking Devices

Before carrying out labs, make sure that all required devices are ready and allow for proper logins. The following table lists the devices.

Device Name                  Quantity                Remarks
iMaster NCE-Campus           1                       Shared by all groups
iMaster NCE-CampusInsight    1                       Shared by all groups
Core switch                  One for each group
Access switch                One for each group
AirEngine 9700-M1            Three for each group
AirEngine8760-X1-PRO         Five for each group
Laptop                       Two for each group
PoE power supply                                     Used to test the WLAN.

Lab Topology

The lab topology is described as follows:

AP1 through AP5 are connected to the access switch SW-Access. SW-Access provides PoE power for APs.
The access switch SW-Access is connected to the core switch SW-Core through the MultiGE0/0/9 interface.
WAC1 through WAC3 are connected to the core switch SW-Core in off-path mode.
The core switch SW-Core is connected to the iMaster NCE-Campus and iMaster NCE-CampusInsight servers. The interconnection network segment is 172.18.0.0/17 (which can be adjusted based on the site requirements).

Contents

About This Document
  Overview
  Description
  Background Knowledge Required
  Common Icons
  Lab Environment Description
  Lab Environment Preparation
1 WAC + Fit AP Networking Lab
  1.1 Introduction
    1.1.1 About This Lab
    1.1.2 Objectives
    1.1.3 Networking Topology
    1.1.4 Lab Planning
  1.2 Lab Configuration
    1.2.1 Configuration Roadmap
    1.2.2 Configuration Procedure
  1.3 Verification
    1.3.1 Checking the AP Onboarding Status and SSID Information
    1.3.2 Associating a STA with the WLAN and Testing Network Connectivity
  1.4 Reference Configuration
    1.4.1 WAC1 Configuration
    1.4.2 SW-Core Configuration
    1.4.3 SW-Access Configuration
  1.5 Quiz
2 Leader AP Networking Lab
  2.1 Introduction
    2.1.1 About This Lab
    2.1.2 Objectives
    2.1.3 Networking Topology
    2.1.4 Lab Planning
  2.2 Lab Configuration
    2.2.1 Configuration Roadmap
    2.2.2 Configuration Procedure
  2.3 Verification
    2.3.1 Checking the AP Onboarding Status and SSID Information
    2.3.2 Checking the Radio Status
    2.3.3 Checking VLAN Information
    2.3.4 Associating a STA with the WLAN and Testing Network Connectivity
  2.4 Reference Configuration
    2.4.1 SW-Core Configuration
    2.4.2 SW-Access Configuration
    2.4.3 Leader AP Configuration
  2.5 Quiz
3 VRRP HSB Lab
  3.1 Introduction
    3.1.1 About This Lab
    3.1.2 Objectives
    3.1.3 Networking Topology
    3.1.4 Lab Planning
  3.2 Lab Configuration
    3.2.1 Configuration Roadmap
    3.2.2 Configuration Procedure
  3.3 Verification
    3.3.1 Checking the AP Onboarding Status
    3.3.2 Checking VAP Information
    3.3.3 Checking the VRRP Status
    3.3.4 Checking the HSB Service Status
    3.3.5 Checking the HSB Group Status
    3.3.6 Checking the Wireless Configuration Synchronization Status
    3.3.7 Associating a STA with the WLAN and Testing Network Connectivity
  3.4 Reference Configuration
    3.4.1 WAC1 Configuration
    3.4.2 WAC2 Configuration
    3.4.3 SW-Core Configuration
    3.4.4 SW-Access Configuration
  3.5 Quiz
4 Cloud Management Networking Lab
  4.1 Introduction
    4.1.1 About This Lab
    4.1.2 Objectives
    4.1.3 Networking Topology
    4.1.4 Lab Planning
  4.2 Lab Configuration
    4.2.1 Configuration Roadmap
    4.2.2 Configuration Procedure
  4.3 Verification
    4.3.1 Checking Cloud Management Information on WAC3
    4.3.2 Associating a STA with the WLAN and Testing Network Connectivity
    4.3.3 Checking the Device Running Status on NCE
    4.3.4 Checking the STA Access Status on NCE
  4.4 Reference Configuration
    4.4.1 WAC3 Configuration
    4.4.2 AP5 Configuration
    4.4.3 SW-Core Configuration
    4.4.4 SW-Access Configuration
  4.5 Quiz
5 802.1X Authentication Lab
  5.1 Introduction
    5.1.1 About This Lab
    5.1.2 Objectives
    5.1.3 Networking Topology
    5.1.4 Lab Planning
  5.2 Lab Configuration
    5.2.1 Configuration Roadmap
    5.2.2 Configuration Procedure
  5.3 Verification
    5.3.1 Checking the AP Onboarding Status
    5.3.2 Checking VAP Information
    5.3.3 Associating a STA with the WLAN and Verifying Authentication
    5.3.4 Checking Terminal Authentication Logs on NCE
    5.3.5 Checking Terminal Authentication on WAC1
  5.4 Reference Configuration
    5.4.1 WAC1 Configuration
    5.4.2 SW-Core Configuration
    5.4.3 SW-Access Configuration
  5.5 Quiz
6 Portal Authentication Lab
  6.1 Introduction
    6.1.1 About This Lab
    6.1.2 Objectives
    6.1.3 Networking Topology
    6.1.4 Lab Planning
  6.2 Lab Configuration
    6.2.1 Configuration Roadmap
    6.2.2 Configuration Procedure
  6.3 Verification
    6.3.1 Checking the AP Onboarding Status
    6.3.2 Checking VAP Information
    6.3.3 Verifying STA Access to a WLAN in Portal Authentication Mode
    6.3.4 Checking Terminal Authentication Logs on NCE
    6.3.5 Checking Terminal Authentication on WAC1
  6.4 Reference Configuration
    6.4.1 WAC1 Configuration
    6.4.2 SW-Core Configuration
    6.4.3 SW-Access Configuration
  6.5 Quiz
7 WLAN Roaming Lab
  7.1 Introduction
    7.1.1 About This Lab
    7.1.2 Objectives
    7.1.3 Networking Topology
    7.1.4 Lab Planning
  7.2 Lab Configuration
    7.2.1 Configuration Roadmap
    7.2.2 Configuration Procedure
  7.3 Verification
    7.3.1 Checking the AP Onboarding Status
    7.3.2 Checking the VAP Status
    7.3.3 Checking the Mobility Group Status
    7.3.4 Observing the STA Roaming Status
  7.4 Reference Configuration
    7.4.1 WAC1 Configuration
    7.4.2 WAC2 Configuration
    7.4.3 SW-Core Configuration
    7.4.4 SW-Access Configuration
  7.5 Quiz
8 RRM Lab
  8.1 Introduction
    8.1.1 About This Lab
    8.1.2 Objectives
    8.1.3 Networking Topology
    8.1.4 Lab Planning
  8.2 Lab Configuration
    8.2.1 Configuration Roadmap
    8.2.2 Configuration Procedure
  8.3 Verification
    8.3.1 Checking RRM Profile Information
    8.3.2 Checking the 2.4 GHz Radio Profile Configuration
    8.3.3 Checking the 5 GHz Radio Profile Configuration
    8.3.4 Checking the Radio Status
  8.4 Reference Configuration
    8.4.1 WAC1 Configuration
173 8.4.2 SW-Core Configuration .................................................................................................................................................. 175 8.4.3 SW-Access Configuration .............................................................................................................................................. 175 8.5 Quiz .......................................................................................................................................................................................... 176 9 Indoor WLAN Planning Lab ....................................................................................................... 177 9.1 Introduction ........................................................................................................................................................................... 177 9.1.1 About This Lab .................................................................................................................................................................. 177 9.1.2 Objectives ........................................................................................................................................................................... 177 9.1.3 Lab Scenarios..................................................................................................................................................................... 177 9.1.4 Preparations ....................................................................................................................................................................... 178 9.2 Lab Configuration ............................................................................................................................................................... 
180 9.2.1 Configuration Roadmap ................................................................................................................................................ 180 9.2.2 Configuration Procedure ............................................................................................................................................... 181 9.3 Quiz .......................................................................................................................................................................................... 201 10 Outdoor WLAN Planning Lab ................................................................................................. 203 10.1 Introduction ........................................................................................................................................................................ 203 10.1.1 About This Lab ............................................................................................................................................................... 203 10.1.2 Objectives ......................................................................................................................................................................... 203 10.1.3 Lab Scenarios .................................................................................................................................................................. 203 10.1.4 Preparations .................................................................................................................................................................... 204 10.2 Lab Configuration ............................................................................................................................................................. 205 10.2.1 Configuration Roadmap .............................................................................................................................................. 
205 10.2.2 Configuration Procedure ............................................................................................................................................. 205 10.3 Quiz ........................................................................................................................................................................................ 219 11 CampusInsight O&M Lab ......................................................................................................... 221 11.1 Introduction ........................................................................................................................................................................ 221 11.1.1 About This Lab ............................................................................................................................................................... 221 11.1.2 Objectives ......................................................................................................................................................................... 221 HCIP-WLAN V2.0 Lab Guide Page 12 11.1.3 Networking Topology .................................................................................................................................................. 221 11.1.4 Lab Planning ................................................................................................................................................................... 222 11.2 Lab Configuration ............................................................................................................................................................. 223 11.2.1 Configuration Roadmap .............................................................................................................................................. 
223 11.2.2 Configuration Procedure ............................................................................................................................................. 223 11.3 Verification .......................................................................................................................................................................... 234 11.3.1 Checking the SNMP Configuration on WAC1 ..................................................................................................... 234 11.3.2 Checking VAP information on WAC1 ..................................................................................................................... 234 11.4 Reference Configuration................................................................................................................................................. 235 11.4.1 WAC1 Configuration .................................................................................................................................................... 235 11.4.2 SW-Core Configuration ............................................................................................................................................... 237 11.4.3 SW-Access Configuration............................................................................................................................................ 238 11.5 Quiz ........................................................................................................................................................................................ 238 12 WLAN Troubleshooting Lab .................................................................................................... 240 12.1 Introduction ........................................................................................................................................................................ 
240 12.1.1 About This Lab ............................................................................................................................................................... 240 12.1.2 Objectives ......................................................................................................................................................................... 240 12.1.3 Networking Topology .................................................................................................................................................. 240 12.1.4 Lab Planning ................................................................................................................................................................... 241 12.2 Lab Configuration ............................................................................................................................................................. 243 12.2.1 Configuration Roadmap .............................................................................................................................................. 243 12.2.2 Configuration Procedure ............................................................................................................................................. 243 12.3 Verification .......................................................................................................................................................................... 251 12.3.1 Checking VAP Information ......................................................................................................................................... 251 12.3.2 Associating a STA with the WLAN and Verifying Authentication ............................................................... 252 12.4 Reference Configuration................................................................................................................................................. 
12.4.1 WAC1 Configuration
12.4.2 SW-Core Configuration
12.4.3 SW-Access Configuration
12.5 Quiz

1 WAC + Fit AP Networking Lab

1.1 Introduction

1.1.1 About This Lab

This lab instructs you to configure WAC + Fit AP networking to enable APs and STAs to go online on the WLAN.

1.1.2 Objectives

⚫ Understand the basic configuration process of the WLAN service.
⚫ Configure APs and STAs to go online.
⚫ Describe the WAC + Fit AP networking architecture.
1.1.3 Networking Topology

Figure 1-1 WAC + Fit AP networking topology

1.1.4 Lab Planning

Table 1-1 VLAN planning

| Device    | Port         | Port Type | VLAN Settings                            |
|-----------|--------------|-----------|------------------------------------------|
| SW-Core   | MultiGE0/0/1 | Trunk     | PVID: 1; Allow-pass: VLANs 100 and 101   |
| SW-Core   | MultiGE0/0/9 | Trunk     | PVID: 1; Allow-pass: VLANs 100 and 101   |
| SW-Access | MultiGE0/0/9 | Trunk     | PVID: 1; Allow-pass: VLANs 100 and 101   |
| SW-Access | MultiGE0/0/1 | Trunk     | PVID: 100; Allow-pass: VLANs 100 and 101 |
| SW-Access | MultiGE0/0/2 | Trunk     | PVID: 100; Allow-pass: VLANs 100 and 101 |
| SW-Access | MultiGE0/0/3 | Trunk     | PVID: 100; Allow-pass: VLANs 100 and 101 |
| WAC1      | GE0/0/1      | Trunk     | PVID: 1; Allow-pass: VLANs 100 and 101   |

Table 1-2 IP address planning

| Device  | Port       | IP Address       |
|---------|------------|------------------|
| SW-Core | VLANIF 100 | 10.23.100.254/24 |
| SW-Core | VLANIF 101 | 10.23.101.254/24 |
| WAC1    | VLANIF 100 | 10.23.100.1/24   |

Table 1-3 WLAN service parameter planning

| WLAN Service     | Parameter         |
|------------------|-------------------|
| Forwarding mode  | Direct forwarding |
| Management VLAN  | 100               |
| Service VLAN     | 101               |
| AP group         | ap-group1         |
| VAP profile      | wlan-net          |
| Security profile | wlan-net          |
| Security policy  | WPA/WPA2+PSK+AES  |
| Password         | a12345678         |
| SSID profile     | wlan-net          |
| SSID             | wlan-net          |

1.2 Lab Configuration

1.2.1 Configuration Roadmap

1. Configure VLAN information for SW-Core, SW-Access, and WAC1.
2. Configure IP addresses for network devices to ensure network connectivity.
3. Configure the DHCP server on SW-Core to ensure that APs can obtain management IP addresses.
4. On WAC1, configure the CAPWAP source interface or source address and the AP authentication mode.
5. Configure WLAN service parameters to implement STA access.

1.2.2 Configuration Procedure

Step 1 Configure VLAN information.

# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the downlink interface to allow packets from VLANs 100 and 101 to pass through, and set the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101 to pass through and set the PVID to 1.

# Create VLANs 100 and 101 on SW-Access.
<HUAWEI> system-view
[HUAWEI] sysname SW-Access
[SW-Access] vlan batch 100 101

# Configure the type of the downlink interface on SW-Access and the VLAN to which the interface belongs.

[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the interface.

[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit

# Configure the core switch SW-Core. Create VLANs 100 and 101. Configure the downlink interface and MultiGE0/0/1 connected to WAC1 to allow packets from VLANs 100 and 101 to pass through.

# Create VLANs 100 and 101 on SW-Core.

<HUAWEI> system-view
[HUAWEI] sysname SW-Core
[SW-Core] vlan batch 100 101

# Configure the type of the downlink interface on SW-Core and the allowed VLANs for the interface.

[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC1 and the allowed VLANs for the interface.
[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit

# Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and configure the interface to allow packets from VLANs 100 and 101 to pass through.

# Create VLANs 100 and 101 on WAC1.

<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.

[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit

Step 2 Configure IP addresses for devices.

# Configure IP addresses for SW-Core.

[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit

# Configure an IP address for WAC1.

[WAC1] interface vlan 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit

Step 3 Configure a DHCP server.

# Enable the DHCP service and configure VLANIF 100 on SW-Core to assign IP addresses to APs.

[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.

[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 4 Configure AP onboarding.

# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode. (V200R021C00 and later versions)

[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks.
Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC1. Ensure that the following parameters have been configured in advance:

DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/HUAWEI@123
Global login password of the offline management VAP: a1234567

[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] capwap source interface vlanif 100
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters, underscores, and digits, and must start with a letter): admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): HUAWEI@123
Confirm password: HUAWEI@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): a1234567
Confirm PSK: a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.

# Create an AP group.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# On WAC1, set the AP authentication mode to MAC address authentication.

[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit

# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 6ce8-748d-7540
[WAC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-0] ap-name AP1
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 6ce8-748d-6d20
[WAC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-1] ap-name AP2
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 6ce8-748d-6f00
[WAC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-2] ap-name AP3
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit

# Run the display ap all command to verify that the three APs are online and in normal state.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------------
0   6ce8-748d-7540  AP1   ap-group1  10.23.100.134  AirEngine8760-X1-PRO  nor    0    5M:36S
1   6ce8-748d-6d20  AP2   ap-group1  10.23.100.105  AirEngine8760-X1-PRO  nor    0    17S
2   6ce8-748d-6f00  AP3   ap-group1  10.23.100.71   AirEngine8760-X1-PRO  nor    0    48S
----------------------------------------------------------------------------------------------------------
Total: 3

Step 5 Configure WLAN services.

# Configure the country code in a regulatory domain profile. The default country code is CN. (If the device is located outside China, change the country code accordingly.)

[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name domain1
[WAC1-wlan-regulate-domain-domain1] country-code CN
[WAC1-wlan-regulate-domain-domain1] quit

# Bind the regulatory domain profile to the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]: y
[WAC1-wlan-ap-group-ap-group1] quit

# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.

[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.

[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply configurations in the VAP profile wlan-net to radios 0 and 1 on APs in the AP group.

[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# Check the VAP status.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------
0      AP1      0     1    6CE8-748D-7540  ON      WPA/WPA2-PSK  0    wlan-net
0      AP1      1     1    6CE8-748D-7550  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      0     1    6CE8-748D-6D20  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      1     1    6CE8-748D-6D30  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      0     1    6CE8-748D-6F00  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      1     1    6CE8-748D-6F10  ON      WPA/WPA2-PSK  0    wlan-net
------------------------------------------------------------------------------
Total: 6

1.3 Verification

1.3.1 Checking the AP Onboarding Status and SSID Information

# Run the display ap all command on WAC1 to check the AP onboarding result.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------------
0   6ce8-748d-7540  AP1   ap-group1  10.23.100.134  AirEngine8760-X1-PRO  nor    0    9M:55S
1   6ce8-748d-6d20  AP2   ap-group1  10.23.100.105  AirEngine8760-X1-PRO  nor    0    4M:36S
2   6ce8-748d-6f00  AP3   ap-group1  10.23.100.71   AirEngine8760-X1-PRO  nor    0    5M:7S
----------------------------------------------------------------------------------------------------------
Total: 3

# The preceding command output shows AP information, including the MAC address, AP group, dynamically obtained IP address, model, and onboarding status of each AP on WAC1.

# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------
0      AP1      0     1    6CE8-748D-7540  ON      WPA/WPA2-PSK  0    wlan-net
0      AP1      1     1    6CE8-748D-7550  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      0     1    6CE8-748D-6D20  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      1     1    6CE8-748D-6D30  ON      WPA/WPA2-PSK  1    wlan-net
2      AP3      0     1    6CE8-748D-6F00  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      1     1    6CE8-748D-6F10  ON      WPA/WPA2-PSK  0    wlan-net
------------------------------------------------------------------------------
Total: 6

# The preceding command output shows VAP information, including the AP name, BSSID name, SSID name, and authentication mode of a VAP.

1.3.2 Associating a STA with the WLAN and Testing Network Connectivity

# Enable a STA to scan and connect to the WLAN wlan-net.

# Test the network connectivity between the STA and the service gateway.

1.4 Reference Configuration

1.4.1 WAC1 Configuration

Software Version V200R022C00SPC100
#
sysname WAC1
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
capwap dtls psk %^%#j';2Q@^/vCxm!*M2itl4_TPX-r{LkKUwRi~>}Bv/%^%#
capwap dtls inter-controller psk %^%#=%m!*#C-:C)PpbFNaztMD%Bk,.<E.!-BW4LuK0<A%^%#
capwap dtls no-auth enable
#
wlan
 temporary-management psk %^%#z(~nG]v0DEvE%7$[n=~(S-keCUJ5oU{Nt'GRR*\=%^%#
 ap username admin password cipher %^%#JD{AQA6LMS`>8S4vv,T3YTjC$_|8^-(cYC!5.ta&%^%#
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#+"mT(X&\y(bS|$R-<L5A}y*8Xh^m"=Gm)P3jx|qH%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
#
return

1.4.2 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 18 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MEth0/0/1
 ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

1.4.3 SW-Access Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

1.5 Quiz

During the WLAN service configuration on a WAC, engineers usually group APs and configure services based on AP groups. Why is it not recommended that WLAN services be configured based on a single AP?

Answer: To configure WLAN services on a single AP, the administrator needs to configure WLAN service parameters on each AP. When there are a large number of APs, the configuration workload increases.
Additionally, when the configuration changes, the administrator needs to modify the configuration of each AP one by one, which is inconvenient for O&M and management. This problem can be easily resolved by performing configurations based on AP groups.

2 Leader AP Networking Lab
2.1 Introduction
2.1.1 About This Lab
This lab instructs you to configure and verify the leader AP networking to enable APs and STAs to go online.
2.1.2 Objectives
⚫ Describe the leader AP networking architecture.
⚫ Understand the WLAN service configuration method in the leader AP networking.
⚫ Understand the service check method of the leader AP.
2.1.3 Networking Topology
Figure 2-1 Leader AP networking topology
In the leader AP networking topology, AP1, AP2, and AP3 are Fit APs, and AP4 is the leader AP. The leader AP manages the WLAN in a unified manner. SW-Core is a core switch and also functions as a DHCP server to assign IP addresses to APs and STAs. SW-Access is an access switch that provides PoE power supply for APs.
2.1.4 Lab Planning
Table 2-1 VLAN planning
Device     Port          Port Type  VLAN Settings
SW-Core    MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/4  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101

Table 2-2 IP address planning
Device     Port        IP Address
SW-Core    VLANIF 100  10.23.100.254/24
SW-Core    VLANIF 101  10.23.101.254/24
Leader AP  VLANIF 100  Dynamically obtained through DHCP

Table 2-3 WLAN service parameter planning
WLAN Service      Parameter
Forwarding mode   Direct forwarding
Management VLAN   100
Service VLAN      101
AP group          default
VAP profile       Automatically generated
Security profile  Automatically generated
Security policy   WPA/WPA2+PSK+AES
Password          HUAWEI@123
SSID profile      Automatically generated
SSID              HCIP-WLAN
AP Zone           default

2.2 Lab Configuration
2.2.1 Configuration Roadmap
1. Configure VLAN information and interface modes for SW-Core and SW-Access.
2. Configure SW-Core as a DHCP server to ensure that APs can obtain IP addresses.
3. Set the working mode of AP4 to Fat.
4. Configure the name and system time of AP4 and check the AP onboarding status.
5. Configure WLAN service parameters to implement STA access.
2.2.2 Configuration Procedure
Step 1 Configure VLAN information.
# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the downlink interface to allow packets from VLANs 100 and 101 to pass through, and set the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101 to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.
<HUAWEI> system-view
[HUAWEI] sysname SW-Access
[SW-Access] vlan batch 100 101
# Configure the type of the downlink interface on SW-Access and the VLAN to which the interface belongs.
[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit
[SW-Access] interface MultiGE 0/0/4
[SW-Access-MultiGE0/0/4] port link-type trunk
[SW-Access-MultiGE0/0/4] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/4] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/4] quit
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the interface.
[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit
# Configure the core switch SW-Core. Create VLANs 100 and 101, and configure the downlink interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on SW-Core.
<HUAWEI> system-view
[HUAWEI] sysname SW-Core
[SW-Core] vlan batch 100 101
# Configure the type of the downlink interface on SW-Core and the VLAN to which the interface belongs.
[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit
Step 2 Configure a DHCP server.
# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.
# Enable the DHCP service and configure VLANIF 100 on SW-Core to assign IP addresses to APs.
[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit
# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.
[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit
# On SW-Core, check the IP addresses obtained by AP1, AP2, AP3, and AP4.
[SW-Core] display ip pool interface Vlanif100 used
Pool-name      : Vlanif100
Pool-No        : 0
Lease          : 1 Days 0 Hours 0 Minutes
Domain-name    :
DNS-server0    :
NBNS-server0   :
Netbios-type   :
Position       : Interface
Status         : Unlocked
Gateway-0      :
Network        : 10.23.100.0
Mask           : 255.255.255.0
VPN instance   : -
Logging        : Disable
Conflicted address recycle interval:
Address Statistic: Total    :254   Used     :4
                   Idle     :250   Expired  :0
                   Conflict :0     Disabled :0
-------------------------------------------------------------------------------------
Network section
Start        End            Total  Used  Idle(Expired)  Conflict  Disabled
-------------------------------------------------------------------------------------
10.23.100.1  10.23.100.254  254    4     250(0)         0         0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP    : mac-address
PPPoE   : mac-address
IPSec   : user-id/portnumber/vrf
PPP     : interface index
L2TP    : cpu-slot/session-id
SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index  IP             Client-ID       Type  Left   Status
-------------------------------------------------------------------------------------
12     10.23.100.13   6ce8-748d-7540  DHCP  86363  Used
131    10.23.100.132  6ce8-748d-6f00  DHCP  86333  Used
147    10.23.100.148  6ce8-748d-6690  DHCP  86375  Used
200    10.23.100.201  6ce8-748d-6d20  DHCP  86381  Used
-------------------------------------------------------------------------------------
# The command output shows that AP1 through AP4 have obtained IP addresses.
Step 3 Switch the working mode of AP4.
# By default, an AP works in Fit AP mode. You need to switch AP4 to the Fat AP mode first.
# This lab assumes that the MAC address of AP4 is 6ce8-748d-6690 and that the default IP address of the leader AP is 169.254.2.1/24.
# Enable the management PC to search for the WLAN with the SSID hw_manage_6690 and connect the PC to the WLAN. The wireless network adapter of the management PC automatically obtains an IP address on the 169.254.2.0/24 network segment. If the IP address cannot be automatically obtained, manually set the IP address of the management PC, for example, to 169.254.2.100/24.
# Visit https://169.254.2.1 on a browser to manage AP4. Upon your first login to AP4, you need to configure the user name and password. In this lab, the user name is admin and the password is HUAWEI@123.
# Change the working mode of AP4 to Fat, set the service Wireless network name and Key to HCIP-WLAN and HUAWEI@123, and click Apply. Then AP4 automatically restarts.
# After AP4 restarts, enable the PC to search for the SSID HCIP-WLAN and the login page is automatically displayed. If the login page is not automatically displayed, visit https://192.168.254.254.
# Log in to the leader AP, and enter the user name and password. In this lab, set the user name and password to admin/HUAWEI@123.
# On the home page of the leader AP, click the IP address of the AP to access the management plane. In this lab, the leader AP address is 10.23.100.148.
# After the management page is displayed, enter the user name and password again. In this lab, the user name and password are admin/HUAWEI@123.
Step 4 Check the AP onboarding status.
# The default AP authentication mode of the leader AP is non-authentication. Therefore, AP1, AP2, and AP3 automatically go online on the leader AP after obtaining IP addresses.
# Choose Configuration > AP Configuration. On the AP Configuration tab page, you can find that all APs are online. The AP with the ID of 0 is the leader AP itself. By default, all APs are in the default AP zone.
# On the AP Configuration page, click the modify icon in the Operation column to change the AP name. The following figure shows AP names after the modification.
Step 5 Configure WLAN service parameters.
# Set Internet access mode to Bridging. In this lab, SW-Core serves as both the AP gateway and service gateway, the management VLAN of the AP is VLAN 100, and the service VLAN is VLAN 101.
# Configure WLAN service parameters. Choose Configuration > WLAN Configuration, and click the SSID HCIP-WLAN. Then configure Wi-Fi signals. Set Wireless network name to HCIP-WLAN, Service VLAN ID to 101, Encryption mode to Password authentication, and Key to HUAWEI@123. Then click Finish.

2.3 Verification
2.3.1 Checking the AP Onboarding Status and SSID Information
# On the web page, choose Monitoring > Summary. The onboarding status, SSID, and device status of each AP on the leader AP are displayed.
2.3.2 Checking the Radio Status
# Choose Advanced > Radio Config > Radio Planning to check the radio status.
2.3.3 Checking VLAN Information
# During the leader AP configuration, the management VLAN and service VLAN are automatically created and do not need to be configured separately.
# Choose Advanced > Interface > VLAN to view VLAN information.
2.3.4 Associating a STA with the WLAN and Testing Network Connectivity
# Enable a STA to scan and connect to the WLAN HCIP-WLAN, with Key set to HUAWEI@123.
# Test the network connectivity between the STA and the service gateway.

2.4 Reference Configuration
2.4.1 SW-Core Configuration
!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

2.4.2 SW-Access Configuration
!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

2.4.3 Leader AP Configuration
Software Version V200R022C00SPC100
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 169.254.2.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 169.254.2.1
#
interface Vlanif101
#
interface Ethernet0/0/47
 ip address 169.254.3.1 255.255.255.0
#
interface LoopBack1023
 ip address 192.168.254.254 255.255.255.255
#
capwap dtls control-link encrypt off
#
wlan
 temporary-management psk %^%#UOXe!_-TT"rNC0+NkX@F';'_S-7hp0u*]7SEVR"R%^%#
 ap username admin password cipher %^%#9^\&Hw:@-Xv%kT4<]uKTCesB@Z^cL44&5OUIm"95%^%#
 traffic-profile name default
 traffic-profile name huawei-leaderap
 traffic-profile name huawei-leaderap-business
 security-profile name default
 security-profile name huawei-leaderap
  security open
 security-profile name huawei-leaderap-business
  security wpa-wpa2 psk pass-phrase %^%#s07uS\P_u.e)e+KG^#1T^XLTXI87I0okp>U~LKN)%^%# aes
 ssid-profile name default
 ssid-profile name huawei-leaderap
  ssid HUAWEI-LeaderAP-6690
  ssid-hide enable
 ssid-profile name huawei-leaderap-business
  ssid HCIP-WLAN
 vap-profile name huawei-leaderap
  service-vlan vlan-id 100
  ssid-profile huawei-leaderap
  security-profile huawei-leaderap
  traffic-profile huawei-leaderap
  type leaderap-management
  radio 0 1 2
 vap-profile name huawei-leaderap-business
  service-vlan vlan-id 101
  ssid-profile huawei-leaderap-business
  security-profile huawei-leaderap-business
  traffic-profile huawei-leaderap-business
  ap-zone default radio 0 1 2
 regulatory-domain-profile name default
  dca-channel 5g bandwidth 80mhz
  dca-channel 6g bandwidth 80mhz
 air-scan-profile name default
 rrm-profile name default
  smart-roam roam-threshold snr 30
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
  radio 0
   calibrate auto-txpower-select disable
  radio 1
   channel 160mhz 36
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 2
   calibrate auto-txpower-select disable
 ap-id 0 type-id 125 ap-mac 6ce8-748d-6690 ap-sn 2102353GSG10N7100198
  ap-name AP4
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
 ap-id 3 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
 provision-ap
  uplink multige 1
#
return

2.5 Quiz
What are the differences between the bridge mode and gateway mode in the leader AP networking?
Answer: A leader AP in bridge mode functions as a network bridge and works with an independent gateway in the uplink direction. The leader AP and Fit APs communicate with each other on a Layer 2 network.
The independent gateway has the DHCP service enabled to assign IP addresses to STAs and APs. The direct forwarding mode is used, which reduces the load on the leader AP.
A leader AP in gateway mode functions as a gateway, and no independent gateway is required. The leader AP and Fit APs communicate with each other on a Layer 2 network. In the uplink direction, the leader AP has NAT enabled and connects to the Internet. In the downlink direction, the leader AP connects to a switch and communicates with Fit APs. The leader AP has the DHCP service enabled and allocates IP addresses to Fit APs and STAs. The networking is simpler than that in bridge mode. Tunnel forwarding is used, and all service traffic is forwarded to the leader AP through a tunnel for processing.

3 VRRP HSB Lab
3.1 Introduction
3.1.1 About This Lab
This lab provides instructions on configuring and commissioning WLAN reliability networking so that you can understand how to deploy HUAWEI WLAN reliability networking solutions.
3.1.2 Objectives
⚫ Describe WLAN reliability networking modes.
⚫ Understand how to configure VRRP HSB networking.
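The reference configurations in 1.4.1 and 2.4.3 keep three settings that weaken the management plane: capwap dtls no-auth enable, capwap dtls control-link encrypt off, and a VAP bound to a security open profile. The following Python check is an added example, not part of the lab guide; the sample configuration is constructed from those two listings with cipher strings replaced by a placeholder, and the rule names and the one-space-per-level indentation of a saved configuration are assumptions.

```python
import re

# Constructed sample: lines taken from the reference configurations in 1.4.1
# and 2.4.3, with the device's cipher strings replaced by a placeholder.
SAMPLE_CONFIG = """\
#
capwap source interface vlanif100
capwap dtls no-auth enable
capwap dtls control-link encrypt off
#
wlan
 security-profile name huawei-leaderap
  security open
 security-profile name huawei-leaderap-business
  security wpa-wpa2 psk pass-phrase <cipher-placeholder> aes
 ssid-profile name huawei-leaderap
  ssid HUAWEI-LeaderAP-6690
  ssid-hide enable
 ssid-profile name huawei-leaderap-business
  ssid HCIP-WLAN
 vap-profile name huawei-leaderap
  service-vlan vlan-id 100
  ssid-profile huawei-leaderap
  security-profile huawei-leaderap
 vap-profile name huawei-leaderap-business
  service-vlan vlan-id 101
  ssid-profile huawei-leaderap-business
  security-profile huawei-leaderap-business
#
return
"""

# System-view commands to flag: command -> (rule name, reason). Rule names are
# made up for this example.
GLOBAL_CHECKS = {
    "capwap dtls no-auth enable": (
        "dtls-no-auth",
        "CAPWAP DTLS sessions are accepted without authentication; "
        "disable once the APs have come online for the first time"),
    "capwap dtls control-link encrypt off": (
        "control-link-plain",
        "the CAPWAP control link is not DTLS-encrypted"),
}


def parse_profiles(text):
    """Return {kind: {name: [sub-commands]}} for profiles in the wlan view."""
    profiles, current, in_wlan = {}, None, False
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                       # a new top-level section starts
            in_wlan, current = (cmd == "wlan"), None
        elif in_wlan and indent == 1:         # profile header inside wlan view
            m = re.fullmatch(r"(security|ssid|vap)-profile name (\S+)", cmd)
            current = (profiles.setdefault(m.group(1), {})
                       .setdefault(m.group(2), [])) if m else None
        elif in_wlan and current is not None:  # sub-command of that profile
            current.append(cmd)
    return profiles


def bound(subcmds, kind):
    """Name of the <kind>-profile bound inside a vap-profile, or None."""
    for cmd in subcmds:
        m = re.fullmatch(rf"{kind}-profile (\S+)", cmd)
        if m:
            return m.group(1)
    return None


def audit(text):
    """Return a list of (rule, detail) findings for one saved configuration."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.startswith(" ") and raw.strip() in GLOBAL_CHECKS:
            rule, why = GLOBAL_CHECKS[raw.strip()]
            findings.append((rule, f"line {lineno}: {why}"))
    prof = parse_profiles(text)
    for vap, subcmds in prof.get("vap", {}).items():
        sec = bound(subcmds, "security")      # VAPs with no binding are skipped
        if sec is None or "security open" not in prof.get("security", {}).get(sec, []):
            continue
        ssid_prof = prof.get("ssid", {}).get(bound(subcmds, "ssid"), [])
        ssid = next((c.split(" ", 1)[1] for c in ssid_prof
                     if c.startswith("ssid ")), "?")
        vlan = next((c.rsplit(" ", 1)[1] for c in subcmds
                     if c.startswith("service-vlan vlan-id ")), "?")
        # A hidden SSID is still open: hiding it does not authenticate clients.
        hidden = "ssid-hide enable" in ssid_prof
        findings.append(("open-vap",
                         f"vap-profile {vap}: SSID {ssid} (hidden={hidden}) "
                         f"on VLAN {vlan} uses security open"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

Run it against the output of display current-configuration saved to a file; in the sample, the open VAP it reports sits on VLAN 100, which is the management VLAN in this lab.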
3.1.3 Networking Topology
Figure 3-1 VRRP HSB networking topology
3.1.4 Lab Planning
Table 3-1 VLAN planning
Device     Port          Port Type  VLAN Settings
SW-Core    MultiGE0/0/1  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/2  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk      PVID: 1; Allow-pass: VLANs 100 and 101
WAC2       GE0/0/1       Trunk      PVID: 1; Allow-pass: VLANs 100 and 101

Table 3-2 IP address planning
Device                Port        IP Address        Remarks
WAC1                  VLANIF 100  10.23.100.1/24    Used for wireless configuration synchronization
WAC2                  VLANIF 100  10.23.100.2/24    Used for wireless configuration synchronization
SW-Core               VLANIF 100  10.23.100.254/24  Management VLAN, with DHCP enabled
SW-Core               VLANIF 101  10.23.101.254/24  Service VLAN, with DHCP enabled
VRRP virtual address  /           10.23.100.33      Used for establishing CAPWAP tunnels with APs

Table 3-3 WLAN service parameter planning
WLAN Service                                    Parameter
Forwarding mode                                 Direct forwarding
Management VLAN                                 100
Service VLAN                                    101
HSB channel VLAN                                100
AP group                                        ap-group1
VAP profile                                     wlan-net
Security profile                                wlan-net
Security policy                                 WPA/WPA2+PSK+AES
Password                                        a12345678
SSID profile                                    wlan-net
SSID                                            wlan-net
PSK for wireless configuration synchronization  HUAWEI@123

3.2 Lab Configuration
3.2.1 Configuration Roadmap
1. Configure network connectivity among WAC1, WAC2, APs, SW-Core, and SW-Access.
2. Configure a DHCP server.
3. Configure VRRP HSB.
4. Configure the wireless configuration synchronization function.
5. Configure WLAN services.
3.2.2 Configuration Procedure
Step 1 Configure network connectivity.
# Configure the core switch SW-Core.
Create VLANs 100 and 101, configure the modes of interfaces, and configure the interfaces to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on SW-Core.
<HUAWEI> system-view
[HUAWEI] sysname SW-Core
[SW-Core] vlan batch 100 101
# Configure the type of the downlink interface on SW-Core and the allowed VLANs for the interface.
[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit
# Configure the types of the interfaces connecting SW-Core to WAC1 and WAC2, and the allowed VLANs for the interfaces.
[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit
[SW-Core] interface MultiGE 0/0/2
[SW-Core-MultiGE0/0/2] port link-type trunk
[SW-Core-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/2] quit
# Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the downlink interface to allow packets from VLANs 100 and 101 to pass through, and set the PVID to 100. Configure the uplink interface to allow packets from VLANs 100 and 101 to pass through and set the PVID to 1.
# Create VLANs 100 and 101 on SW-Access.
<HUAWEI> system-view
[HUAWEI] sysname SW-Access
[SW-Access] vlan batch 100 101
# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-Access.
[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the interface.
[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit
# Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit
# Configure WAC2. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC2.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC2
[WAC2] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC2 and the allowed VLANs for the interface.
[WAC2] interface GigabitEthernet 0/0/1
[WAC2-GigabitEthernet0/0/1] port link-type trunk
[WAC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC2-GigabitEthernet0/0/1] quit
# Configure IP addresses for SW-Core, WAC1, and WAC2.
# Configure IP addresses for SW-Core.
[SW-Core] interface vlan 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlan 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit
# Configure an IP address for WAC1.
[WAC1] interface vlan 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit
# Configure an IP address for WAC2.
[WAC2] interface vlan 100
[WAC2-Vlanif100] ip address 10.23.100.2 24
[WAC2-Vlanif100] quit
Step 2 Configure a DHCP server.
# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs. Enable the DHCP service on SW-Core, and configure VLANIF 100 to assign IP addresses (excluding some IP addresses reserved for VRRP) to APs.
[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.9
[SW-Core-Vlanif100] quit
# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.
[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit
Step 3 Configure VRRP HSB on WAC1.
# Set the recovery delay of the VRRP group to 60 seconds.
[WAC1] vrrp recover-delay 60
# Create a management VRRP group on WAC1. Set the priority of WAC1 in the management VRRP group to 120 and the preemption delay to 1800 seconds.
[WAC1] interface vlanif 100
[WAC1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[WAC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.33
[WAC1-Vlanif100] vrrp vrid 1 priority 120
[WAC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[WAC1-Vlanif100] admin-vrrp vrid 1
[WAC1-Vlanif100] quit
# Create an HSB service on WAC1 and configure the IP addresses and port numbers for the active and standby channels. Set the retransmission time and interval of the HSB service.
[WAC1] hsb-service 0
[WAC1-hsb-service-0] service-ip-port local-ip 10.23.100.1 peer-ip 10.23.100.2 local-data-port 10241 peer-data-port 10241
[WAC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC1-hsb-service-0] quit
# Create an HSB group on WAC1, and bind the HSB service and the management VRRP group to the HSB group.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] bind-service 0
[WAC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC1-hsb-group-0] quit
# Bind the NAC service to the HSB group.
[WAC1] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[WAC1] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.
[WAC1] hsb-service-type dhcp hsb-group 0
# Enable the HSB function.
[WAC1] hsb-group 0
[WAC1-hsb-group-0] hsb enable
[WAC1-hsb-group-0] quit
Step 4 Configure VRRP HSB on WAC2.
# Set the recovery delay of the VRRP group to 60 seconds.
[WAC2] vrrp recover-delay 60
# Create a management VRRP group on WAC2.
[WAC2] interface vlanif 100
[WAC2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[WAC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.33
[WAC2-Vlanif100] admin-vrrp vrid 1
[WAC2-Vlanif100] quit
# Create an HSB service on WAC2 and configure the IP addresses and port numbers for the active and standby channels. Set the retransmission time and interval of the HSB service.
[WAC2] hsb-service 0
[WAC2-hsb-service-0] service-ip-port local-ip 10.23.100.2 peer-ip 10.23.100.1 local-data-port 10241 peer-data-port 10241
[WAC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[WAC2-hsb-service-0] quit
# Create an HSB group on WAC2, and bind the HSB service and the management VRRP group to the HSB group.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] bind-service 0
[WAC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[WAC2-hsb-group-0] quit
# Bind the NAC service to the HSB group.
[WAC2] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[WAC2] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.
[WAC2] hsb-service-type dhcp hsb-group 0
# Enable the HSB function.
[WAC2] hsb-group 0
[WAC2-hsb-group-0] hsb enable
[WAC2-hsb-group-0] quit
Step 5 Configure the wireless configuration synchronization function.
# Configure wireless configuration synchronization on WAC1.
[WAC1] wlan
[WAC1-wlan-view] master controller
[WAC1-master-controller] master-redundancy peer-ip ip-address 10.23.100.2 local-ip ip-address 10.23.100.1 psk HUAWEI@123
[WAC1-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
[WAC1-master-controller] quit
# Configure wireless configuration synchronization on WAC2.
[WAC2] wlan
[WAC2-wlan-view] master controller
[WAC2-master-controller] master-redundancy peer-ip ip-address 10.23.100.1 local-ip ip-address 10.23.100.2 psk HUAWEI@123
[WAC2-master-controller] master-redundancy track-vrrp vrid 1 interface Vlanif 100
[WAC2-master-controller] quit
Step 6 Configure the CAPWAP source address.
# Configure parameters on WAC1.
# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode on WAC1.
(V200R021C00 and later versions)
[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks. Continue? [Y/N]: y
# Configure the CAPWAP source address on WAC1. Ensure that the following parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/HUAWEI@123
Global login password of the offline management VAP: a1234567
[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] capwap source ip-address 10.23.100.33
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters, underscores, and digits, and must start with a letter):admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):HUAWEI@123
Confirm password:HUAWEI@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):a1234567
Confirm PSK:a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.
# Configure parameters on WAC2.
# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode on WAC2.
(V200R021C00 and later versions)
[WAC2] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks. Continue? [Y/N]: y
# Configure the CAPWAP source address on WAC2. Ensure that the following parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/HUAWEI@123
Global login password of the offline management VAP: a1234567
[WAC2] capwap dtls psk a1234567
[WAC2] capwap dtls inter-controller psk a1234567
[WAC2] capwap source ip-address 10.23.100.33
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters, underscores, and digits, and must start with a letter): admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): HUAWEI@123
Confirm password: HUAWEI@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): a1234567
Confirm PSK: a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.
Step 7 Configure AP onboarding on WAC1.
# Create an AP group.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
# On WAC1, set the AP authentication mode to MAC address authentication.
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit
# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 6ce8-748d-7540
[WAC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-0] ap-name AP1
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 6ce8-748d-6d20
[WAC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-1] ap-name AP2
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 6ce8-748d-6f00
[WAC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset.
If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y Info: This operation may take a few seconds. Please wait for a moment.. done. [WAC1-wlan-ap-2] ap-name AP3 Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts. Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00. Warning: This operation may cause AP reset. Continue? [Y/N]: y [WAC1-wlan-ap-2] quit [WAC1-wlan-view] quit Step 8 Configure WLAN services on WAC1. # Create the security profile wlan-net and configure a security policy in the profile. [WAC1] wlan [WAC1-wlan-view] security-profile name wlan-net [WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes [WAC1-wlan-sec-prof-wlan-net] quit # Create the SSID profile wlan-net and set the SSID name to wlan-net. [WAC1-wlan-view] ssid-profile name wlan-net [WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net [WAC1-wlan-ssid-prof-wlan-net] quit # Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile. [WAC1-wlan-view] vap-profile name wlan-net [WAC1-wlan-vap-prof-wlan-net] forward-mode direct-forward [WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101 [WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net [WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net [WAC1-wlan-vap-prof-wlan-net] quit # Bind the VAP profile to the AP group and apply configurations in the VAP profile wlannet to radios 0 and 1 on APs in the AP group. [WAC1-wlan-view] ap-group name ap-group1 [WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0 [WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1 [WAC1-wlan-ap-group-ap-group1] quit [WAC1-wlan-view] quit HCIP-WLAN V2.0 Lab Guide Step 9 Page 53 Trigger configuration synchronization. 
[WAC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]: y

3.3 Verification

3.3.1 Checking the AP Onboarding Status

# Run the display ap all command on WAC1 to verify that the three APs are online and in normal state.
[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------
0   6ce8-748d-7540  AP1   ap-group1  10.23.100.100  AirEngine8760-X1-PRO  nor    0    2M:31S
1   6ce8-748d-6d20  AP2   ap-group1  10.23.100.186  AirEngine8760-X1-PRO  nor    0    1M:57S
2   6ce8-748d-6f00  AP3   ap-group1  10.23.100.110  AirEngine8760-X1-PRO  nor    0    2M:7S
----------------------------------------------------------------------------------------------------
Total: 3

# Run the display ap all command on WAC2. The three APs are in standby state.
[WAC2] display ap all
Total AP information:
stdby : standby [3]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------
0   6ce8-748d-7540  AP1   ap-group1  10.23.100.100  AirEngine8760-X1-PRO  stdby  0
1   6ce8-748d-6d20  AP2   ap-group1  10.23.100.186  AirEngine8760-X1-PRO  stdby  0
2   6ce8-748d-6f00  AP3   ap-group1  10.23.100.110  AirEngine8760-X1-PRO  stdby  1
----------------------------------------------------------------------------------------------------
Total: 3

3.3.2 Checking VAP Information

# Check the VAP status on WAC1.
[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------
0      AP1      0     1    6CE8-748D-7540  ON      WPA/WPA2-PSK  0    wlan-net
0      AP1      1     1    6CE8-748D-7550  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      0     1    6CE8-748D-6D20  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      1     1    6CE8-748D-6D30  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      0     1    6CE8-748D-6F00  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      1     1    6CE8-748D-6F10  ON      WPA/WPA2-PSK  1    wlan-net
------------------------------------------------------------------------------
Total: 6

# Check the VAP status on WAC2.
[WAC2] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------
0      AP1      0     1    6CE8-748D-7540  ON      WPA/WPA2-PSK  0    wlan-net
0      AP1      1     1    6CE8-748D-7550  ON      WPA/WPA2-PSK  1    wlan-net
1      AP2      0     1    6CE8-748D-6D20  ON      WPA/WPA2-PSK  0    wlan-net
1      AP2      1     1    6CE8-748D-6D30  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      0     1    6CE8-748D-6F00  ON      WPA/WPA2-PSK  0    wlan-net
2      AP3      1     1    6CE8-748D-6F10  ON      WPA/WPA2-PSK  1    wlan-net
------------------------------------------------------------------------------
Total: 6

3.3.3 Checking the VRRP Status

# Run the display vrrp command on WAC1 and WAC2. The State field displayed on WAC1 is Master and that on WAC2 is Backup.
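The Master/Backup comparison in this step can be scripted when the pair is checked repeatedly. The following Python is an added example, not part of the lab guide: it reads `display vrrp` text captured from each WAC, reports a dual-Master or leaderless pair and peers that disagree about the master, and lists the `Auth type` each device reports. The function names are hypothetical, and the two captures are constructed from the values this lab shows.

```python
import re

# Constructed captures: only the fields this check reads, with the lab's values.
WAC1_CAPTURE = """\
Vlanif100 | Virtual Router 1
  State : Master
  Virtual IP : 10.23.100.33
  Master IP : 10.23.100.1
  PriorityRun : 120
  MasterPriority : 120
  Auth type : NONE
"""
WAC2_CAPTURE = """\
Vlanif100 | Virtual Router 1
  State : Backup
  Virtual IP : 10.23.100.33
  Master IP : 10.23.100.1
  PriorityRun : 100
  MasterPriority : 120
  Auth type : NONE
"""

FIELDS = ("State", "Virtual IP", "Master IP", "PriorityRun",
          "MasterPriority", "Auth type")


def parse_display_vrrp(text):
    """Return the fields of the first virtual router in `display vrrp` output.

    Fields are located by name, so the parser works whether the capture keeps
    one field per line or has been flattened onto a single line.
    """
    header = re.search(r"(\S+)\s*\|\s*Virtual Router\s+(\d+)", text)
    if header is None:
        raise ValueError("no 'Virtual Router' header found")
    router = {"Interface": header.group(1), "VRID": int(header.group(2))}
    for name in FIELDS:
        match = re.search(rf"\b{re.escape(name)}\s*:\s*(\S+)", text)
        if match is None:
            raise ValueError(f"field {name!r} missing")
        router[name] = match.group(1)
    return router


def check_pair(captures):
    """captures maps device name -> `display vrrp` text; returns findings."""
    routers = {name: parse_display_vrrp(text) for name, text in captures.items()}
    findings = []

    # Both devices must describe the same virtual router.
    for key in ("Interface", "VRID", "Virtual IP"):
        if len({r[key] for r in routers.values()}) != 1:
            findings.append(f"{key} differs between devices")

    masters = sorted(n for n, r in routers.items() if r["State"] == "Master")
    if not masters:
        findings.append("no device is Master")
    elif len(masters) > 1:
        # Each device believes it owns the virtual IP (HA split).
        findings.append("dual Master: " + ", ".join(masters))
    else:
        master = routers[masters[0]]
        for name, r in sorted(routers.items()):
            if name == masters[0]:
                continue
            if r["State"] != "Backup":
                findings.append(f"{name}: state {r['State']}, expected Backup")
            if r["Master IP"] != master["Master IP"]:
                findings.append(f"{name}: follows Master IP {r['Master IP']}")
            if r["MasterPriority"] != master["PriorityRun"]:
                findings.append(f"{name}: master priority mismatch")

    # Report unauthenticated VRRP so the reviewer can decide whether it is acceptable.
    for name, r in sorted(routers.items()):
        if r["Auth type"].upper() == "NONE":
            findings.append(f"{name}: VRRP authentication is NONE")
    return findings


if __name__ == "__main__":
    for finding in check_pair({"WAC1": WAC1_CAPTURE, "WAC2": WAC2_CAPTURE}):
        print(finding)
```

With the lab's values the only findings are the two `Auth type` notes; a capture in which both devices report Master is reported first.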
# The command output on WAC1 is as follows:
[WAC1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.23.100.33
    Master IP : 10.23.100.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1800 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Track SysHealth  Priority reduced : 254
    SysHealth state : UP

# The command output on WAC2 is as follows:
[WAC2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.23.100.33
    Master IP : 10.23.100.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Track SysHealth  Priority reduced : 254
    SysHealth state : UP

3.3.4 Checking the HSB Service Status

# Run the display hsb-service 0 command on WAC1 and WAC2 to check the HSB service status. The following command output shows that the Service State field displays Connected, indicating that the HSB channel has been established.
# The command output on WAC1 is as follows:
[WAC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.100.1
  Peer IP Address        : 10.23.100.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------

# The command output on WAC2 is as follows:
[WAC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.100.2
  Peer IP Address        : 10.23.100.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------

3.3.5 Checking the HSB Group Status

# Run the display hsb-group 0 command on WAC1 and WAC2 to check the running status of the HSB group. The following command output shows that the Group Vrrp Status field displays Master and the Group Status field displays Active on WAC1, and these fields display Backup and Inactive, respectively, on WAC2.
# The command output on WAC1 is as follows:
[WAC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                 : 0
  Vrrp Group ID                : 1
  Vrrp Interface               : Vlanif100
  Service Index                : 0
  Group Vrrp Status            : Master
  Group Status                 : Active
  Group Backup Process         : Batch-Started
  Backup Start Time            :
  Peer Group Device Name       : AirEngine9700-M1
  Peer Group Software Version  : V200R022C00SPC100B215
  Group Backup Modules         : Access-user AP DHCP
----------------------------------------------------------

# The command output on WAC2 is as follows:
[WAC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                 : 0
  Vrrp Group ID                : 1
  Vrrp Interface               : Vlanif100
  Service Index                : 0
  Group Vrrp Status            : Backup
  Group Status                 : Inactive
  Group Backup Process         : Realtime
  Backup Start Time            : XX, XX XX XX 12:08:02
  Peer Group Device Name       : AirEngine9700-M1
  Peer Group Software Version  : V200R022C00SPC100B215
  Group Backup Modules         : Access-user DHCP AP
----------------------------------------------------------

3.3.6 Checking the Wireless Configuration Synchronization Status

# Check the wireless configuration synchronization status on WAC1. The Status field displays up, indicating that the configurations have been synchronized.
[WAC1] display sync-configuration status
Info: This operation may take a few seconds. Please wait for a moment.done.
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP  Role    Device Type       Version                Status  Last synced
----------------------------------------------------------------------------------------------------
10.23.100.2    Backup  AirEngine9700-M1  V200R022C00SPC100B215  up      XXXX-XX-XX/11:57:11
----------------------------------------------------------------------------------------------------
Total: 1

# Check the wireless configuration synchronization configuration on WAC1.
[WAC1] display sync-configuration master-redundancy
Master redundancy configuration:
---------------------------------------------------------------------------------------
  Peer IP Version  : IPV4
  Peer IP          : 10.23.100.2
  VRRP Interface   : Vlanif100
  VRRP Vrid        : 1
  VRRP Status      : Master
  VRRP Type        : VRRPv4
---------------------------------------------------------------------------------------

# Check the wireless configuration synchronization status on WAC2. The Status field displays up, indicating that the configurations have been synchronized.
[WAC2] display sync-configuration status
Info: This operation may take a few seconds. Please wait for a moment.done.
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP  Role    Device Type       Version                Status  Last synced
----------------------------------------------------------------------------------------------------
10.23.100.1    Master  AirEngine9700-M1  V200R022C00SPC100B215  up      XXXX-XX-XX/12:08:25
----------------------------------------------------------------------------------------------------
Total: 1

# Check the wireless configuration synchronization configuration on WAC2.
[WAC2] display sync-configuration master-redundancy
Master redundancy configuration:
---------------------------------------------------------------------------------------
  Peer IP Version  : IPV4
  Peer IP          : 10.23.100.1
  VRRP Interface   : Vlanif100
  VRRP Vrid        : 1
  VRRP Status      : Backup
  VRRP Type        : VRRPv4
---------------------------------------------------------------------------------------

3.3.7 Associating a STA with the WLAN and Testing Network Connectivity

# Enable a STA to scan and connect to the WLAN wlan-net.
# Test the network connectivity between the STA and the service gateway.

3.4 Reference Configuration

3.4.1 WAC1 Configuration

 Software Version V200R022C00SPC100
#
 sysname WAC1
#
 vrrp recover-delay 60
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.33
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1800
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source ip-address 10.23.100.33
capwap dtls psk %^%#^zZq<D7&>Mc-euO[wdR)zrjY4I`*oJ%UcK6sn%t5%^%#
capwap dtls inter-controller psk %^%#dKz03q"#ARJH__Pm`Yc(6QMF>dsn6M:M247\g!I&%^%#
capwap dtls no-auth enable
#
hsb-service 0
 service-ip-port local-ip 10.23.100.1 peer-ip 10.23.100.2 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 temporary-management psk %^%#]=IoJfY9,RSF6n=j_GR*f{ezH4ZW@Yt,e9@B2(lQ%^%#
 ap username admin password cipher %^%#.@f7"VLLMM(GI+Hg1Y[EXSVn9Fb4ULu2c7Ik,~*T%^%#
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#o!yBW6ad6&3vHgWC"5`MN2q//vkIP#k6B'"}A$|4%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 10.23.100.2 local-ip ip-address 10.23.100.1 psk %^%#|~)q#J~^+$6.,2T)LEW#',X`=@}o,2NuzAQ<JW:M%^%#
#
return

3.4.2 WAC2 Configuration

 Software Version V200R022C00SPC100
#
 sysname WAC2
#
 vrrp recover-delay 60
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.33
 admin-vrrp vrid 1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source ip-address 10.23.100.33
capwap dtls psk %^%#^zZq<D7&>Mc-euO[wdR)zrjY4I`*oJ%UcK6sn%t5%^%#
capwap dtls inter-controller psk %^%#vxg,A#,.H:Fy16L/[z1O-]Ey).1AJJUQ_e5Xv\UX%^%#
capwap dtls no-auth enable
#
hsb-service 0
 service-ip-port local-ip 10.23.100.2 peer-ip 10.23.100.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 temporary-management psk %^%#]=IoJfY9,RSF6n=j_GR*f{ezH4ZW@Yt,e9@B2(lQ%^%#
 ap username admin password cipher %^%#.@f7"VLLMM(GI+Hg1Y[EXSVn9Fb4ULu2c7Ik,~*T%^%#
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#o!yBW6ad6&3vHgWC"5`MN2q//vkIP#k6B'"}A$|4%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 10.23.100.1 local-ip ip-address 10.23.100.2 psk %^%#4Ss!;Fhj"RtZDU8QSRD4i.c3$S!<1Y[iQ);)(n@R%^%#
#
return

3.4.3 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.9
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

3.4.4 SW-Access Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

3.5 Quiz

In this lab, the hsb-service-type dhcp hsb-group 0 command is used to bind the DHCP service to an HSB group, and wireless configuration synchronization is configured. What information is synchronized in the preceding configuration?

Answer: Two WACs function as DHCP servers in active/standby mode. If the active DHCP server fails, information about user address assignment will be synchronized to the standby DHCP server before traffic is switched to the standby DHCP server. This mechanism ensures that the standby DHCP server can assign IP addresses to users without IP address conflicts.

4 Cloud Management Networking Lab

4.1 Introduction

4.1.1 About This Lab

This lab instructs you to configure the cloud WAC + Fit AP and the cloud AP networking modes.

4.1.2 Objectives

⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the cloud WAC + Fit AP networking architecture and cloud-based WAC configuration.
⚫ Understand the cloud AP networking architecture and cloud-based AP configuration.

4.1.3 Networking Topology

Figure 4-1 Cloud management networking topology

4.1.4 Lab Planning

Table 4-1 VLAN planning

Device     Port          Port Type  VLAN Settings
SW-Core    MultiGE0/0/3  Trunk      PVID: 1; Allow-pass: VLANs 18 100 and 101
SW-Core    MultiGE0/0/4  Trunk      PVID: 1; Allow-pass: VLAN 18
SW-Core    MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access  MultiGE0/0/1  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/5  Trunk      PVID: 1; Allow-pass: VLAN 200 201
SW-Access  MultiGE0/0/9  Trunk      PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
WAC3       GE 0/0/1      Trunk      PVID: 1; Allow-pass: VLANs 18 100 and 101

Table 4-2 IP address planning

Device                                 Port        IP Address
SW-Core                                VLANIF 18   172.18.134.246/17
SW-Core                                VLANIF 100  10.23.100.254/24
SW-Core                                VLANIF 101  10.23.101.254/24
SW-Core                                VLANIF 200  10.23.200.254/24
SW-Core                                VLANIF 201  10.23.201.254/24
WAC3                                   VLANIF 18   172.18.134.236/17
WAC3                                   VLANIF 100  10.23.100.3/24
AP5                                    /           Automatically obtained through DHCP
iMaster NCE-Campus (NCE for short)     /           172.18.134.230/17

Table 4-3 WAC3 service parameter planning

WLAN Service      Parameter
Forwarding mode   Direct forwarding
Management VLAN   100
Service VLAN      101
AP group          ap-group1
VAP profile       wlan-net
Security profile  wlan-net
Security policy   WPA/WPA2+PSK+AES
Password          a12345678
SSID profile      wlan-net
SSID              wlan-net

Table 4-4 AP5 service parameter planning

WLAN Service      Parameter
Forwarding mode   Direct forwarding
Management VLAN   200
Service VLAN      201
AP group          default
VAP profile       ap5
Security profile  ap5
Security policy   WPA/WPA2+PSK+AES
Password          a12345678
SSID profile      ap5
SSID              ap5

4.2 Lab Configuration

4.2.1 Configuration Roadmap

1. Configure network connectivity of SW-Core, SW-Access, and WAC3.
2. Configure network connectivity between WAC3 and NCE.
3. Configure WAC3 to be managed by NCE. Enable AP1, AP2, and AP3 to go online on WAC3.
4. Configure WLAN services on WAC3.
5. Configure AP5 to go online on NCE.
6. Configure WLAN services on AP5.
7. Check WLAN service availability.

4.2.2 Configuration Procedure

Step 1 Configure network connectivity.

# Configure the access switch SW-Access.
# Create VLANs 100, 101, 200, and 201 on SW-Access.
<HUAWEI> system-view
[HUAWEI] sysname SW-Access
[SW-Access] vlan batch 100 101 200 201

# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-Access.
[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit
[SW-Access] interface MultiGE 0/0/5
[SW-Access-MultiGE0/0/5] port link-type trunk
[SW-Access-MultiGE0/0/5] port trunk allow-pass vlan 200 201
[SW-Access-MultiGE0/0/5] port trunk pvid vlan 200
[SW-Access-MultiGE0/0/5] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the interface.
[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Access-MultiGE0/0/9] quit

# Configure the core switch SW-Core.
# Create VLANs 100, 101, 200, and 201 on SW-Core.
<HUAWEI> system-view
[HUAWEI] sysname SW-Core
[SW-Core] vlan batch 100 101 200 201

# Configure the type of the downlink interface on SW-Core and the VLAN to which the interface belongs.
[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC3 and the allowed VLANs for the interface.
[SW-Core] interface MultiGE 0/0/3
[SW-Core-MultiGE0/0/3] port link-type trunk
[SW-Core-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/3] quit

# Configure WAC3. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and configure the interface to allow packets from VLANs 100 and 101 to pass through.
# Create VLANs 100 and 101 on WAC3.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC3
[WAC3] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC3 and the allowed VLANs for the interface.
[WAC3] interface GigabitEthernet 0/0/1
[WAC3-GigabitEthernet0/0/1] port link-type trunk
[WAC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC3-GigabitEthernet0/0/1] quit

# Configure IP addresses for SW-Core and WAC3.
# Configure IP addresses for SW-Core. VLAN 100 is the management VLAN of WAC3, VLAN 101 is the service VLAN of WAC3, VLAN 200 is the management VLAN of AP5, and VLAN 201 is the service VLAN of AP5.
[SW-Core] interface vlan 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlan 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit
[SW-Core] interface vlan 200
[SW-Core-Vlanif200] ip address 10.23.200.254 24
[SW-Core-Vlanif200] quit
[SW-Core] interface vlan 201
[SW-Core-Vlanif201] ip address 10.23.201.254 24
[SW-Core-Vlanif201] quit

# Configure an IP address for WAC3.
[WAC3] interface Vlanif 100
[WAC3-Vlanif100] ip address 10.23.100.3 24
[WAC3-Vlanif100] quit

Step 2 Configure network connectivity between NCE and WAC3.

# The IP address and gateway of NCE have been configured during software installation and are not described in this lab.
# The IP address of NCE is 172.18.134.230/17, and the gateway address is 172.18.128.1.
# Configure VLAN and IP address information for SW-Core.
[SW-Core] vlan 18
[SW-Core-vlan18] quit
[SW-Core] interface MultiGE 0/0/3
[SW-Core-MultiGE0/0/3] port trunk allow-pass vlan 18
[SW-Core-MultiGE0/0/3] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type trunk
[SW-Core-MultiGE0/0/4] port trunk allow-pass vlan 18
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 18
[SW-Core-Vlanif18] ip address 172.18.134.246 17
[SW-Core-Vlanif18] quit

# Configure VLAN and IP address information for WAC3, and configure a default route with the next hop pointing to SW-Core.
[WAC3] vlan 18
[WAC3-vlan18] quit
[WAC3] interface GigabitEthernet 0/0/1
[WAC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 18
[WAC3-GigabitEthernet0/0/1] quit
[WAC3] interface Vlanif 18
[WAC3-Vlanif18] ip address 172.18.134.236 17
[WAC3-Vlanif18] quit
[WAC3] ip route-static 172.19.0.0 16 172.18.128.1
[WAC3] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

Step 3 Configure WAC3 to work in cloud mode.

# Configure WAC3 to work in cloud mode and specify the IP address and port number of NCE.
[WAC3] ac-mode cloud
Warning: This operation will switch the AC mode to cloud, Continue? [Y/N] y
This operation will take several minutes, please wait...
Warning: The authentication mode is switched to SN authentication. Ensure that the APs added offline have SN information. Otherwise, configurations of these APs may be lost..
[WAC3] cloud-mng controller ip-address 172.18.134.230 port 10020 source-interface Vlanif 100
[WAC3] pnp startup-vlan receive enable

# Test network connectivity between WAC3 and NCE.
[WAC3] ping -a 10.23.100.3 172.18.134.230
  PING 172.18.134.230: 56 data bytes, press CTRL_C to break
    Reply from 172.18.134.230: bytes=56 Sequence=1 ttl=62 time=1 ms
    Reply from 172.18.134.230: bytes=56 Sequence=2 ttl=62 time=1 ms
    Reply from 172.18.134.230: bytes=56 Sequence=3 ttl=62 time=1 ms
    Reply from 172.18.134.230: bytes=56 Sequence=4 ttl=62 time=1 ms
    Reply from 172.18.134.230: bytes=56 Sequence=5 ttl=62 time=1 ms
  --- 172.18.134.230 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Step 4 Configure NCE to manage WAC3.

# Log in to NCE and choose Plan > Design > Site Design > Site Management from the main menu. Create a site named HCIP-WAC, select LSW and WAC in Device type, and click OK in the lower right corner.

# Query the device ESN on WAC3.
[WAC3] display esn
ESN of device: 102276079302

# Choose Design > Device Management from the main menu. Select the site HCIP-WAC and choose Add Device > Add.
# On the Manually Add page that is displayed, set Protocol type to NETCONF, Site to HCIP-WAC, and Mode to Device Model, and click Add.
# On the page that is displayed, set the following parameters and click OK.
# Change the device name to WAC3, enter the ESN, set the description to HCIP, and click OK.
# On the Device Management page, the status of WAC3 is Alarm, indicating that it has been managed by NCE.

Step 5 Configure a DHCP server.

# SW-Core functions as a DHCP server to assign IP addresses to AP1, AP2, AP3, and STAs.
# On SW-Core, enable the DHCP service and configure VLANIF 100 on SW-Core to assign IP addresses to APs.
[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.
[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 6 Configure WLAN services on WAC3.

# After NCE manages WAC3, APs go online and WLAN services are still configured on WAC3. The following uses CLI commands as an example.
# Configure AP1, AP2, and AP3 to go online on WAC3. Enable the function of establishing CAPWAP DTLS sessions in none authentication mode. (V200R021C00 and later versions)
[WAC3] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC3. Ensure that the following parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/HUAWEI@123
Global login password of the offline management VAP: a1234567

[WAC3] capwap dtls psk a1234567
[WAC3] capwap dtls inter-controller psk a1234567
[WAC3] capwap source interface vlanif 100
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters, underscores, and digits, and must start with a letter): admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): HUAWEI@123
Confirm password: HUAWEI@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): a1234567
Confirm PSK: a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.

# Set the AP authentication mode to SN authentication on WAC3. (The WAC in cloud mode supports only SN authentication.)
[WAC3] wlan
[WAC3-wlan-view] ap auth-mode sn-auth
[WAC3-wlan-view] quit

# Choose Design > Device Management from the main menu. Select the site HCIP-WAC and click WAC3. The WAC3 management page is displayed.
# Three devices are not managed. Select them and then click Repair.
# In the dialog box that is displayed, select HCIP-WAC and click OK.
# In the Result dialog box that is displayed, the three devices have been repaired successfully and are managed by NCE.
# On the WAC3 management page, the status of the three APs is Normal and the running status is normal.
# Identify and change the AP name based on the AP SN. For example, to change the name of AP1, click the modify icon in the Operation column corresponding to SN 2102353VUR10N5119370 on the device management page.
# After the names of AP1, AP2, and AP3 are changed, the following information is displayed.

# Create the AP group ap-group1 on WAC3 and add AP1, AP2, and AP3 to the AP group.
[WAC3] wlan
[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] quit
[WAC3-wlan-view] ap-id 0
[WAC3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC3-wlan-ap-0] quit
[WAC3-wlan-view] ap-id 1
[WAC3-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC3-wlan-ap-1] quit
[WAC3-wlan-view] ap-id 2
[WAC3-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC3-wlan-ap-2] quit
[WAC3-wlan-view] quit

# Run the display ap all command to verify that the three APs are online and in normal state.
[WAC3] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------
0   6ce8-748d-6d20  AP1   ap-group1  10.23.100.201  AirEngine8760-X1-PRO  nor    0    52S
1   6ce8-748d-6f00  AP2   ap-group1  10.23.100.132  AirEngine8760-X1-PRO  nor    0
2   6ce8-748d-7540  AP3   ap-group1  10.23.100.13   AirEngine8760-X1-PRO  nor    0    3S
----------------------------------------------------------------------------------------------------
Total: 3

# Configure WLAN services.
# Configure the country code in a regulatory domain profile. The default country code is CN. (If the device is located outside China, change the country code accordingly.)
[WAC3] wlan
[WAC3-wlan-view] regulatory-domain-profile name domain1
[WAC3-wlan-regulate-domain-domain1] country-code CN
[WAC3-wlan-regulate-domain-domain1] quit

# Bind the regulatory domain profile to the AP group.
[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]: y
[WAC3-wlan-ap-group-ap-group1] quit

# Create the security profile wlan-net and configure a security policy in the profile.
[WAC3-wlan-view] security-profile name wlan-net
[WAC3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC3-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[WAC3-wlan-view] ssid-profile name wlan-net
[WAC3-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC3-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.
[WAC3-wlan-view] vap-profile name wlan-net
[WAC3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[WAC3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC3-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC3-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply configurations in the VAP profile wlan-net to radios 0 and 1 on APs in the AP group.
[WAC3-wlan-view] ap-group name ap-group1
[WAC3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC3-wlan-ap-group-ap-group1] quit
[WAC3-wlan-view] quit

# Check the VAP status.
[WAC3] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
------------------------------------------------------------------------------
0     AP1     0    1   6CE8-748D-6D20 ON     WPA/WPA2-PSK 0   wlan-net
0     AP1     1    1   6CE8-748D-6D30 ON     WPA/WPA2-PSK 0   wlan-net
1     AP2     0    1   6CE8-748D-6F00 ON     WPA/WPA2-PSK 0   wlan-net
1     AP2     1    1   6CE8-748D-6F10 ON     WPA/WPA2-PSK 0   wlan-net
2     AP3     0    1   6CE8-748D-7540 ON     WPA/WPA2-PSK 0   wlan-net
2     AP3     1    1   6CE8-748D-7550 ON     WPA/WPA2-PSK 0   wlan-net
------------------------------------------------------------------------------
Total: 6

Step 7 Configure a DHCP server.

# Configure SW-Core as a DHCP server to assign IP addresses to AP5 and STAs. Configure VLANIF 200 on SW-Core to assign an IP address to AP5, switch AP5 to cloud mode through the DHCP Option 148 field, and carry the NCE's IP address and port number in DHCP messages. (AP5 has only its factory-default configuration and has not been configured.)
[SW-Core] interface Vlanif 200
[SW-Core-Vlanif200] dhcp select interface
[SW-Core-Vlanif200] dhcp server option 148 ascii "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=172.18.134.230;agilemanage-port=10020;ap-agilemode=agile-cloud;"
[SW-Core-Vlanif200] quit

# Configure VLANIF 201 on SW-Core to assign IP addresses to STAs associated with AP5.
[SW-Core] interface Vlanif 201
[SW-Core-Vlanif201] dhcp select interface
[SW-Core-Vlanif201] quit

# Check the IP address obtained by AP5 on SW-Core.
[SW-Core] display ip pool interface Vlanif200 used
  Pool-name        : Vlanif200
  Pool-No          : 2
  Lease            : 1 Days 0 Hours 0 Minutes
  Domain-name      : -
  Option-code      : 148
    Option-subcode : -
    Option-type    : ascii
    Option-value   : "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=172.18.134.230;agilemanage-port=10020;ap-agilemode=agile-cloud;"
  DNS-server0      : -
  NBNS-server0     : -
  Netbios-type     : -
  Position         : Interface
  Status           : Unlocked
  Gateway-0        : -
  Network          : 10.23.200.0
  Mask             : 255.255.255.0
  VPN instance     : -
  Logging          : Disable
  Conflicted address recycle interval:
  Address Statistic: Total       :254       Used        :1
                     Idle        :253       Expired     :0
                     Conflict    :0         Disabled    :0
 -------------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------------
     10.23.200.1   10.23.200.254     254       1     253(0)        0        0
 -------------------------------------------------------------------------------------
  Client-ID format as follows:
    DHCP    : mac-address            PPPoE   : mac-address
    IPSec   : user-id/portnumber/vrf PPP     : interface index
    L2TP    : cpu-slot/session-id    SSL-VPN : user-id/session-id
 -------------------------------------------------------------------------------------
  Index              IP            Client-ID    Type      Left   Status
 -------------------------------------------------------------------------------------
    164   10.23.200.165       6ce8-748d-5dd0    DHCP     86273   Used
 -------------------------------------------------------------------------------------

Step 8 Configure NCE to manage AP5.

# Obtain the device ESN of AP5. You can view the label on the rear of AP5 or run a command to obtain the ESN.
<6ce8-748d-5dd0> display esn
ESN of device: 2102353GSG10N7100170

# Choose Design > Site Management from the main menu of NCE. Create a site named HCIP-AP and select AP in Device type. In the Add Device area, click By Model, set Device Type to AP, Device Model to AirEngine8760-X1-PRO, Quantity to 1, and Role to AP, and click OK.

# Change the device name to AP5, enter the ESN, set the description to HCIP-AP5, and click OK.

# Choose Design > Device Management. AP5 is now managed by NCE.

Step 9 Configure WLAN services for AP5.

# Choose Design > Device Management and click AP5. The AP5 management page is displayed. Click Command Line in the upper right corner to perform the CLI-based configuration for AP5.

# Create VLAN information.
<AP5> system-view
[AP5] vlan batch 200 201

# Create the security profile ap5 and configure a security policy in the profile.
[AP5] wlan
[AP5-wlan-view] security-profile name ap5
[AP5-wlan-sec-prof-ap5] security wpa-wpa2 psk pass-phrase a12345678 aes
[AP5-wlan-sec-prof-ap5] quit

# Create the SSID profile ap5 and set the SSID name to ap5.
[AP5-wlan-view] ssid-profile name ap5
[AP5-wlan-ssid-prof-ap5] ssid ap5
[AP5-wlan-ssid-prof-ap5] quit

# Create the VAP profile ap5, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.
[AP5-wlan-view] vap-profile name ap5
[AP5-wlan-vap-prof-ap5] forward-mode direct-forward
[AP5-wlan-vap-prof-ap5] service-vlan vlan-id 201
[AP5-wlan-vap-prof-ap5] security-profile ap5
[AP5-wlan-vap-prof-ap5] ssid-profile ap5
[AP5-wlan-vap-prof-ap5] quit

# Bind the VAP profile to AP5 (ap-id of AP5 is 0).
[AP5-wlan-view] ap-id 0
[AP5-wlan-ap-0] vap-profile ap5 wlan 1 radio 0
[AP5-wlan-ap-0] vap-profile ap5 wlan 1 radio 1
[AP5-wlan-ap-0] quit
[AP5-wlan-view] quit

# Check AP5 onboarding information.
[AP5] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
----------------------------------------------------------------------------------------------------------
ID   MAC            Name Group   IP            Type                 State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------------
0*   6ce8-748d-5dd0 AP5  default 10.23.200.165 AirEngine8760-X1-PRO nor   1   19M:34S
----------------------------------------------------------------------------------------------------------
Total: 1

# Check the VAP status of AP5.
[AP5] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
------------------------------------------------------------------------------
0     AP5     0    1   6CE8-748D-5DD0 ON     WPA/WPA2-PSK 1   ap5
0     AP5     1    1   6CE8-748D-5DE0 ON     WPA/WPA2-PSK 0   ap5
------------------------------------------------------------------------------
Total: 2

4.3 Verification

4.3.1 Checking Cloud Management Information on WAC3

# Run the display cloud-mng info command on WAC3 to check the cloud management configuration and status.
[WAC3] display cloud-mng info
------------------------------------------------------------
AC status                       : Online
Current used address            : 172.18.134.230
Current used port               : 10020
Controller URL                  :
Controller IP address           : 172.18.134.230
Controller port                 : 10020
Controller backup URL           :
Controller backup IP address    :
Controller backup port          :
Source interface                : Vlanif100
BootStrap server address        :
BootStrap server port           :
BootStrap backup server address :
BootStrap backup server port    :
Controller address source       : configuration
------------------------------------------------------------

4.3.2 Associating a STA with the WLAN and Testing Network Connectivity

# Connect a STA to the SSID wlan-net and test the connectivity.
C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
   Connection-specific DNS Suffix . . . . . . :
   Link-local IPv6 Address . . . . . . . : fe80::3ce1:b4f7:546e:45a1%14
   IPv4 Address . . . . . . . . . . . : 10.23.101.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . . . . : 10.23.101.254

C:\Users\admin>ping 10.23.101.254
Pinging 10.23.101.254 with 32 bytes of data:
Reply from 10.23.101.254: bytes=32 time=9ms TTL=254
Reply from 10.23.101.254: bytes=32 time=7ms TTL=254
Reply from 10.23.101.254: bytes=32 time=5ms TTL=254
Reply from 10.23.101.254: bytes=32 time=8ms TTL=254
Ping statistics for 10.23.101.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 9ms, Average = 7ms

# Connect the STA to the SSID ap5 and test the connectivity.
C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
   Connection-specific DNS Suffix . . . . . . :
   Link-local IPv6 Address . . . . . . . : fe80::3ce1:b4f7:546e:45a1%14
   IPv4 Address . . . . . . . . . . . : 10.23.201.133
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . . . . : 10.23.201.254

C:\Users\admin>ping 10.23.201.254
Pinging 10.23.201.254 with 32 bytes of data:
Reply from 10.23.201.254: bytes=32 time=5ms TTL=254
Reply from 10.23.201.254: bytes=32 time=8ms TTL=254
Reply from 10.23.201.254: bytes=32 time=6ms TTL=254
Reply from 10.23.201.254: bytes=32 time=4ms TTL=254
Ping statistics for 10.23.201.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 8ms, Average = 5ms

4.3.3 Checking the Device Running Status on NCE

# Choose Design > Device Management to check the device running status.

4.3.4 Checking the STA Access Status on NCE

# Choose O&M > Terminal to check STA information such as the user online duration and user list.
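As an added example (not part of the lab guide and not Huawei tooling), the Python check below parses the Option 148 string from Step 7, compares the controller address and port it carries with an allowlist, and flags a WAC configuration that still contains capwap dtls no-auth enable, which the device's own warning for that command says to disable once the device has come online for the first time. The function names, the allowlist, the sample strings and the choice to treat the lab's five keys as the complete expected set are assumptions of this example.

```python
import ipaddress
import re

# The five keys carried by the lab's Option 148 string in Step 7. Treating them
# as the complete expected set is an assumption of this example.
OPTION148_KEYS = ("agilemode", "agilemanage-mode", "agilemanage-domain",
                  "agilemanage-port", "ap-agilemode")


def parse_option148(value):
    """Split 'key=value;key=value;' into (fields, syntax_problems)."""
    fields, problems = {}, []
    for item in value.strip().strip('"').split(";"):
        item = item.strip()
        if not item:
            continue  # the trailing ';' leaves one empty item
        key, sep, val = item.partition("=")
        if not (sep and key and val):
            problems.append(f"malformed field {item!r}")
        elif key in fields:
            problems.append(f"duplicate key {key!r}")
        else:
            fields[key] = val
    return fields, problems


def check_option148(value, allowed_controllers):
    """Return findings for one Option 148 string; an empty list means it passed."""
    fields, findings = parse_option148(value)
    findings += [f"unknown key {k!r}" for k in fields if k not in OPTION148_KEYS]
    findings += [f"missing key {k!r}" for k in OPTION148_KEYS if k not in fields]
    host = fields.get("agilemanage-domain")
    port = fields.get("agilemanage-port")
    if host and fields.get("agilemanage-mode") == "ip":
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"mode is ip but {host!r} is not an IP address")
    if port is not None:
        if not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
            findings.append(f"invalid port {port!r}")
        elif host and (host, int(port)) not in allowed_controllers:
            findings.append(f"controller {host}:{port} is not on the allowlist")
    return findings


def audit(wac_config, dhcp_config, allowed_controllers):
    """Audit a WAC configuration and a DHCP server configuration together."""
    findings = []
    if any(line.strip() == "capwap dtls no-auth enable"
           for line in wac_config.splitlines()):
        findings.append("WAC: 'capwap dtls no-auth enable' is still configured")
    for match in re.finditer(r'dhcp server option 148 ascii ("[^"]*")', dhcp_config):
        findings += [f"DHCP: {f}" for f in
                     check_option148(match.group(1), allowed_controllers)]
    return findings


# Constructed sample input, modelled on the lab's WAC3 and SW-Core configuration.
ALLOWED = {("172.18.134.230", 10020)}
WAC_SAMPLE = """\
capwap source interface vlanif100
capwap dtls no-auth enable
"""
DHCP_GOOD = ('dhcp server option 148 ascii "agilemode=agile-cloud;'
             'agilemanage-mode=ip;agilemanage-domain=172.18.134.230;'
             'agilemanage-port=10020;ap-agilemode=agile-cloud;"')
# Constructed faulty variant: one misspelled key and an unexpected controller
# address (192.0.2.10 is a documentation address).
DHCP_BAD = ('dhcp server option 148 ascii "agilemode=agile-cloud;'
            'agilemanagemode=ip;agilemanage-domain=192.0.2.10;'
            'agilemanage-port=10020;ap-agilemode=agile-cloud;"')

if __name__ == "__main__":
    for finding in audit(WAC_SAMPLE, DHCP_GOOD + "\n" + DHCP_BAD, ALLOWED):
        print(finding)
```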
4.4 Reference Configuration

4.4.1 WAC3 Configuration

Software Version V200R022C00SPC100
#
sysname WAC3
#
vlan batch 100 to 101
#
interface Vlanif18
 ip address 172.18.134.236 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
cloud-mng controller ip-address 172.18.134.230 port 10020 source-interface Vlanif100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
ip route-static 172.19.0.0 255.255.0.0 172.18.128.1
#
capwap source interface vlanif100
capwap dtls psk %^%#9,[q*R|]cHd+=v%C`T>Q7Y*P#&|_XD<[KRT5xZ$.%^%#
capwap dtls inter-controller psk %^%#NL#JGz-s)N|_U$@PUtF#=]3!MeT*>1#$7RL=N^q@%^%#
capwap dtls no-auth enable
capwap dtls version1.0 enable
capwap dtls cbc enable
#
wlan
 temporary-management psk %^%#mbP_-D^M[>COD"M[k=n@\6g_J=Bg~9dEnQNEv0uS%^%#
 ap username admin password cipher %^%#Kz#e6xN}34GN6G,CF@l0$J(T/51<ET49~i6m!*aY%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#^]&K99J\6WCt{(GG`^8+Q\GQNEEvfQ;ieT4Wfh;Y%^%# aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
  dca-channel 5g bandwidth 20mhz
  dca-channel 6g bandwidth 20mhz
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
  smart-roam snr-margin high-level-margin 15 low-level-margin 6
  smart-roam unable-roam-client expire-time 120
  antenna-mode omnidirection
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 tunnel-ap-group name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap auth-mode sn-auth
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP3
  ap-group ap-group1
 provision-ap
#
return

4.4.2 AP5 Configuration

Software Version V200R022C00SPC100
#
vlan batch 200 to 201 3911
#
dhcp enable
#
acl name nat 2000
 rule 5 deny source 169.254.2.0 0.0.0.255
 rule 10 permit
#
ip pool mangpool
 network 169.254.2.0 mask 255.255.255.0
#
ip pool globaldhcp
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
 dns-list 10.1.1.1
#
interface Dialer1
 ip address ppp-negotiate
 nat outbound 2000
#
interface Vlanif1
 nat outbound 2000
 dhcp client default-route preference 1
 ip address dhcp-alloc unicast
#
interface Vlanif3911
 ip address 10.1.1.1 255.255.255.0
 arp-proxy enable
 dhcp select global
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/46
 ip address 169.254.4.1 255.255.255.0
#
interface Ethernet0/0/47
 ip address 169.254.3.1 255.255.255.0
#
interface XGigabitEthernet0/0/0
 port hybrid tagged vlan 2 to 3910 3912 to 4094
 dhcp snooping trusted
#
interface MultiGE0/0/0
 port hybrid tagged vlan 2 to 3910 3912 to 4094
 dhcp snooping trusted
#
interface MultiGE0/0/1
 port hybrid tagged vlan 2 to 3910 3912 to 4094
 dhcp snooping trusted
#
interface NULL0
#
wmi-server
 server ip-address 172.18.134.230 port 10032
 collect-item device-data interval 300
 collect-item radio-data interval 300
 collect-item ssid-data interval 300
 collect-item interface-data interval 300
 collect-item terminal-data interval 300
 collect-item log-data disable
 collect-item location-data disable
 collect-item security-data disable
 collect-item application-statistics-data disable
 collect-item neighbor-device-data interval 300
 collect-item emdi-data disable
 collect-item cpcar-data disable
 collect-item dns-data enable
 collect-item dns-data interval 300
 collect-item non-wifi-data enable
 collect-item non-wifi-data interval 300
#
wmi-server2
 collect-item log-data disable
#
wlan
 temporary-management psk %^%#jc,#B<}8$Ab5L=5%I%++,ngV1M';Z.Y&Z!8qK!uA%^%#
 traffic-profile name default
 security-profile name ap5
  security wpa-wpa2 psk pass-phrase %^%#!M:"&@Xp!C3U~($"IrK3'z*5.uZ>#Q!~6'3K@LE-%^%# aes
 security-profile name default
 security-profile name default-mesh
 ssid-profile name ap5
  ssid ap5
 ssid-profile name default
 vap-profile name ap5
  service-vlan vlan-id 201
  ssid-profile ap5
  security-profile ap5
 vap-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
  dca-channel 5g bandwidth 20mhz
 air-scan-profile name 5G
 air-scan-profile name 2.4G
 air-scan-profile name default
 rrm-profile name 5G
  calibrate min-tx-power 12
  airtime-fair-schedule enable
  smart-roam quick-kickoff-threshold disable
  smart-roam unable-roam-client expire-time 120
  sta-load-balance dynamic disable
  antenna-mode omnidirection
 rrm-profile name 2.4G
  calibrate min-tx-power radio-5g 9
  airtime-fair-schedule enable
  smart-roam quick-kickoff-threshold disable
  smart-roam unable-roam-client expire-time 120
  sta-load-balance dynamic disable
 rrm-profile name default
 radio-2g-profile name 2.4G
  power auto-adjust enable
  rrm-profile 2.4G
  air-scan-profile 2.4G
 radio-2g-profile name default
 radio-5g-profile name 5G
  power auto-adjust enable
  rrm-profile 5G
  a-msdu disable
  air-scan-profile 5G
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
  mesh-route aging-time 15
  user-interface vty 0 idle-timeout 10 0
  user-interface vty 1 idle-timeout 10 0
  user-interface vty 2 idle-timeout 10 0
  user-interface vty 3 idle-timeout 10 0
  user-interface vty 4 idle-timeout 10 0
  traffic-optimize broadcast-suppression other-broadcast rate-threshold 64
  traffic-optimize broadcast-suppression other-multicast rate-threshold 64
 ble-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
  ble-profile default
  radio 0
   radio-2g-profile 2.4G
   antenna-gain 3
  radio 1
   radio-5g-profile 5G
   antenna-gain 3
  radio 2
   radio-5g-profile 5G
   antenna-gain 3
 ap-id 0 type-id 125 ap-mac 6ce8-748d-5dd0 ap-sn 2102353GSG10N7100170
  ap-name AP5
  radio 0
   vap-profile ap5 wlan 1
  radio 1
   vap-profile ap5 wlan 1
 provision-ap
#
return

4.4.3 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 18 100 to 101 200 to 201
#
dhcp enable
#
interface Vlanif18
 ip address 172.18.134.246 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 10.23.200.254 255.255.255.0
 dhcp select interface
 dhcp server option 148 ascii "agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=172.18.134.230;agilemanage-port=10020;ap-agilemode=agile-cloud;"
#
interface Vlanif201
 ip address 10.23.201.254 255.255.255.0
 dhcp select interface
#
interface MEth0/0/1
 ip address 192.168.1.253 255.255.255.0
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
interface MultiGE0/0/4
 port link-type trunk
 port trunk allow-pass vlan 18
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101 200 to 201
#
return

4.4.4 SW-Access Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101 200 to 201
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/5
 port link-type trunk
 port trunk pvid vlan 200
 port trunk allow-pass vlan 200 to 201
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101 200 to 201
#
return

4.5 Quiz

In the preceding lab, AP5 is switched to the cloud mode through DHCP. In addition to the DHCP mode, what methods can be used to switch a Fit AP to the cloud mode?

Answer: A cloud AP can switch the working mode and obtain the iMaster NCE-Campus address in the following ways:
⚫ Using a DHCP server: This method has the highest priority and is preferred if the AP can use multiple methods to obtain the IP address of the iMaster NCE-Campus.
⚫ Obtaining through the registration query center: Low priority.
⚫ Through manual configuration on the CLI or web platform: The priority of this method is lower than that using a DHCP server but higher than that using the registration query center.

5 802.1X Authentication Lab

5.1 Introduction

5.1.1 About This Lab

This lab instructs you to master the basic implementation and configuration methods of 802.1X access authentication.

5.1.2 Objectives

⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the basic implementation and configuration methods of 802.1X access authentication.
5.1.3 Networking Topology

Figure 5-1 802.1X authentication lab topology

5.1.4 Lab Planning

Table 5-1 VLAN planning

Device     Port          Port Type  VLAN Settings
SW-Core    MultiGE0/0/1  Trunk      PVID: 1    Allow-pass: VLANs 18 100 and 101
SW-Core    MultiGE0/0/9  Trunk      PVID: 1    Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/4  Trunk      PVID: 1    Allow-pass: VLAN 18
SW-Access  MultiGE0/0/9  Trunk      PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk      PVID: 1    Allow-pass: VLANs 18 100 and 101

Table 5-2 IP address planning

Device              Port        IP Address
SW-Core             VLANIF 100  10.23.100.254/24
SW-Core             VLANIF 101  10.23.101.254/24
SW-Core             VLANIF 18   172.18.134.246/17
WAC1                VLANIF 18   172.18.134.236/17
WAC1                VLANIF 100  10.23.100.1/24
iMaster NCE-Campus  /           172.18.134.230/17

Table 5-3 WLAN service parameter planning

WLAN Service                      Parameter
Forwarding mode                   Tunnel forwarding
Management VLAN                   100
Service VLAN                      101
AP group                          ap-group1
VAP profile                       wlan-net
Security profile                  wlan-net
Security policy                   WPA2+802.1X+AES
SSID profile                      wlan-net
SSID                              wlan-net
RADIUS authentication parameters  Name of the RADIUS authentication scheme: radius_huawei
                                  Name of the RADIUS accounting scheme: scheme1
                                  Name of a RADIUS server template: radius_huawei
                                  The RADIUS server information is as follows:
                                    IP address: 172.18.134.230
                                    Authentication port number: 1812
                                    Accounting port number: 1813
                                    Shared key: HUAWEI@123
802.1X access profile             Name: d1
                                  Authentication mode: EAP
Authentication profile            Name: p1
                                  Bound profiles and schemes:
                                    802.1X access profile: d1
                                    RADIUS server template: radius_huawei
                                    RADIUS authentication scheme: radius_huawei
                                    RADIUS accounting scheme: scheme1

5.2 Lab Configuration

5.2.1 Configuration Roadmap

1. Configure the basic network to ensure network connectivity.
2. Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.
3. Configure network connectivity between NCE and WAC1.
4. Configure AP onboarding.
5. Configure 802.1X authentication on WAC1.
6. Configure basic WLAN services.
7. Configure 802.1X authentication on NCE.
8. Verify 802.1X access authentication.

5.2.2 Configuration Procedure

Step 1 Configure network connectivity.

Configure the access switch SW-Access. Create VLANs 100 and 101. Configure the downlink port to allow packets from VLANs 100 and 101 to pass through, and set the PVID to 100. Configure the uplink port to allow packets from VLANs 100 and 101 to pass through and set the PVID to 1.

# Create VLANs 100 and 101 on SW-Access.
<HUAWEI> system-view
[HUAWEI] sysname SW-Access
[SW-Access] vlan batch 100 101

# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-Access.
[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/3] quit

# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the interface.
[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/9] quit

Configure the core switch SW-Core. Create VLANs 100 and 101.
Configure the downlink interface and MultiGE0/0/1 connected to WAC1 to allow packets from VLANs 100 and 101 to pass through.

# Create VLANs 100 and 101 on SW-Core.
<HUAWEI> system-view
[HUAWEI] sysname SW-Core
[SW-Core] vlan batch 100 101

# Configure the type of the downlink interface on SW-Core and configure the interface to allow packets from VLANs 100 and 101 to pass through.
[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/9] quit

# Configure the type of the interface connecting SW-Core to WAC1 and the allowed VLANs for the interface.
[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit

Configure WAC1. Create VLANs 100 and 101. Change the type of GE0/0/1 to trunk and configure the interface to allow packets from VLANs 100 and 101 to pass through.

# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101

# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit

Configure IP addresses for SW-Core and WAC1.

# Configure IP addresses for SW-Core.
[SW-Core] interface vlan 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlan 101
[SW-Core-Vlanif101] ip address 10.23.101.254 24
[SW-Core-Vlanif101] quit

# Configure an IP address for WAC1.
[WAC1] interface vlan 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit

Step 2 Configure a DHCP server.

# Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.
Enable the DHCP service on SW-Core and configure VLANIF 100 on SW-Core to assign IP addresses to APs.
[SW-Core] dhcp enable
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] dhcp select interface
[SW-Core-Vlanif100] quit

# Configure VLANIF 101 on SW-Core to assign IP addresses to STAs.
[SW-Core] interface vlanif 101
[SW-Core-Vlanif101] dhcp select interface
[SW-Core-Vlanif101] quit

Step 3 Configure network connectivity between NCE and WAC1.

The IP address and gateway of NCE have been configured during software installation and are not described in this lab. The IP address of NCE is 172.18.134.230/17, and the gateway address is 172.18.128.1.

# Configure VLAN and IP address information for SW-Core.
[SW-Core] vlan 18
[SW-Core-vlan18] quit
[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 18
[SW-Core-MultiGE0/0/1] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type trunk
[SW-Core-MultiGE0/0/4] port trunk allow-pass vlan 18
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 18
[SW-Core-Vlanif18] ip address 172.18.134.246 17
[SW-Core-Vlanif18] quit

# Configure VLAN and IP address information for WAC1, and configure the default route with the next hop address pointing to the SW-Core.
[WAC1] vlan 18
[WAC1-vlan18] quit
[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 18
[WAC1-GigabitEthernet0/0/1] quit
[WAC1] interface Vlanif 18
[WAC1-Vlanif18] ip address 172.18.134.236 17
[WAC1-Vlanif18] quit
[WAC1] ip route-static 172.19.0.0 16 172.18.128.1
[WAC1] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

Step 4 Configure AP onboarding.

# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode. (V200R021C00 and later versions)
[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks. Continue? [Y/N]: y

# Configure the CAPWAP source interface on WAC1. Ensure that the following parameters have been configured in advance:
⚫ DTLS PSK: a1234567
⚫ Inter-WAC DTLS PSK: a1234567
⚫ Fit AP management parameters (user name/password): admin/HUAWEI@123
⚫ Global login password of the offline management VAP: a1234567
[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] capwap source interface vlanif 100
Set the user name for FIT APs(The value is a string of 4 to 31 characters, which can contain letters, underscores, and digits, and must start with a letter): admin
Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): HUAWEI@123
Confirm password: HUAWEI@123
Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): a1234567
Confirm PSK: a1234567
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.

# Create an AP group.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

# On WAC1, set the AP authentication mode to MAC address authentication.
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit

# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 6ce8-748d-7540
[WAC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-0] ap-name AP1
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 6ce8-748d-6d20
[WAC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-1] ap-name AP2
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] ap-id 2 ap-mac 6ce8-748d-6f00
[WAC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-2] ap-name AP3
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-2] quit
[WAC1-wlan-view] quit

# Run the display ap all command to verify that the three APs are online and in normal state.
[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
-----------------------------------------------------------------------------------------------------------
ID   MAC             Name  Group      IP             Type                  State  STA  Uptime     ExtraInfo
-----------------------------------------------------------------------------------------------------------
0    6ce8-748d-7540  AP1   ap-group1  10.23.100.13   AirEngine8760-X1-PRO  nor    0
1    6ce8-748d-6d20  AP2   ap-group1  10.23.100.201  AirEngine8760-X1-PRO  nor    0
2    6ce8-748d-6f00  AP3   ap-group1  10.23.100.132  AirEngine8760-X1-PRO  nor    1    29S
-----------------------------------------------------------------------------------------------------------
Total: 3

Step 5 Configure 802.1X authentication on WAC1.

# Configure a RADIUS server template.
[WAC1] radius-server template radius_huawei
[WAC1-radius-radius_huawei] radius-server authentication 172.18.134.230 1812 source vlanif 100
[WAC1-radius-radius_huawei] radius-server accounting 172.18.134.230 1813 source vlanif 100
[WAC1-radius-radius_huawei] radius-server shared-key cipher HUAWEI@123
[WAC1-radius-radius_huawei] quit
[WAC1] radius-server authorization 172.18.134.230 shared-key cipher HUAWEI@123 server-group radius_huawei
[WAC1] radius-server authorization server-source all-interface
Warning: All interface listening has security risks. If configured, the configuration of the specified listening IP address will be removed. Continue?[Y/N] y
Info: This operation may take some time, please wait for a moment .....

# Configure a RADIUS authentication scheme.
[WAC1] aaa
[WAC1-aaa] authentication-scheme radius_huawei
[WAC1-aaa-authen-radius_huawei] authentication-mode radius
[WAC1-aaa-authen-radius_huawei] quit

# Configure a RADIUS accounting scheme.
[WAC1-aaa] accounting-scheme scheme1
[WAC1-aaa-accounting-scheme1] accounting-mode radius
[WAC1-aaa-accounting-scheme1] accounting realtime 3
[WAC1-aaa-accounting-scheme1] quit
[WAC1-aaa] quit

# The accounting realtime command sets the real-time accounting interval, in minutes.

# Configure the 802.1X access profile d1.
[WAC1] dot1x-access-profile name d1
[WAC1-dot1x-access-profile-d1] dot1x authentication-method eap
[WAC1-dot1x-access-profile-d1] quit

# Configure the authentication profile p1. Create the authentication profile p1, and bind the 802.1X access profile d1, RADIUS server template radius_huawei, authentication scheme radius_huawei, and accounting scheme scheme1 to the authentication profile.
[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] dot1x-access-profile d1
[WAC1-authentication-profile-p1] radius-server radius_huawei
[WAC1-authentication-profile-p1] authentication-scheme radius_huawei
[WAC1-authentication-profile-p1] accounting-scheme scheme1
[WAC1-authentication-profile-p1] quit

Step 6 Configuring WLAN Services

# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.
[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 7 Configure 802.1X authentication on NCE.

Before configuring access authentication on NCE, you need to create a tenant account and password, which is not described here.

Create the user name and password for 802.1X authentication on NCE.
# Choose Policy > NAC > Admission Resources > Admission User Management from the main menu.
# Choose User Management > User, click +, and create a user group named HCIP-WLAN.
# Select the HCIP-WLAN user group and click Create. On the page that is displayed, set User name to dot1x-user, Password to Huawei@123, and Available login mode to 802.1X & Portal 2.0 for 802.1X authentication, and click OK.

Add an admission device (WAC1) to NCE.
# Choose NAC > Admission Resources > Admission Device and configure an admission device.
# Click Third-party Admission Device and click Create to create a third-party admission device.
# Set parameters according to the following figure. Set Accounting key and Authorization key both to HUAWEI@123, and Accounting interval (min) to 3, which are the same as those configured on WAC1.
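Steps 4 and 5 accept two CLI warnings on WAC1: DTLS no-auth should be disabled after the APs first come online, and all-interface listening has security risks. The script below is an added example, not part of the Huawei lab guide, that checks a saved WAC configuration for those lines and, going beyond the prompts, for local users allowed to log in over Telnet and for SSIDs whose security profile is "security open" (the policy used by the Portal lab in section 6). It assumes the configuration is saved as text with one space of indentation per view level; the sample configuration, rule names and function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed excerpt shaped like a saved WAC configuration (one space of indentation
# per view level). PLACEHOLDER stands in for the encrypted shared key.
SAMPLE_CONFIG = """\
#
radius-server template radius_huawei
 radius-server shared-key cipher PLACEHOLDER
 radius-server authentication 172.18.134.230 1812 source Vlanif 100 weight 80
radius-server authorization server-source all-interface
#
web-auth-server server-source all-interface
#
aaa
 local-user admin privilege level 15
 local-user admin service-type telnet ssh http
#
capwap source interface vlanif100
capwap dtls no-auth enable
#
wlan
 security-profile name default
 security-profile name wlan-net
  security open
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  security-profile wlan-net
  ssid-profile wlan-net
  authentication-profile p1
#
return
"""

class Finding(NamedTuple):
    rule: str
    lineno: int
    view: str    # enclosing configuration views, outermost first
    detail: str

# Single-line settings. The first three are the ones this lab's CLI warnings call out.
FLAT_RULES = [
    ("DTLS-NO-AUTH", r"capwap dtls no-auth enable$",
     "DTLS no-auth still enabled; the CLI prompt says to disable it after first onboarding"),
    ("RADIUS-AUTHZ-ALL-IF", r"radius-server authorization server-source all-interface$",
     "RADIUS authorization listener bound to all interfaces"),
    ("PORTAL-ALL-IF", r"web-auth-server server-source all-interface$",
     "Portal listener bound to all interfaces"),
    ("TELNET-MGMT", r"local-user \S+ service-type\b.*\btelnet\b",
     "local account can log in over Telnet, which is cleartext"),
]

def parse(config):
    """Yield (lineno, parent_views, command); leading-space depth gives the view nesting."""
    stack = []  # (depth, command) for each enclosing view
    for lineno, raw in enumerate(config.splitlines(), 1):
        cmd = raw.strip()
        if cmd == "#":  # a '#' line closes every open view
            stack.clear()
        if not cmd or cmd in ("#", "return") or cmd.startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        yield lineno, tuple(c for _, c in stack), cmd
        stack.append((depth, cmd))

def audit(config):
    """Return a list of Finding for the risky settings present in a configuration text."""
    findings, open_profiles, ssids, vaps = [], {}, {}, {}
    for lineno, parents, cmd in parse(config):
        for rule, pattern, detail in FLAT_RULES:
            if re.match(pattern, cmd):
                findings.append(Finding(rule, lineno, " > ".join(parents), detail))
        kind, _, name = (parents[-1] if parents else "").partition(" name ")
        if kind == "security-profile" and cmd == "security open":
            open_profiles[name] = lineno
        elif kind == "ssid-profile" and cmd.startswith("ssid "):
            ssids[name] = cmd[5:]
        elif kind == "vap-profile" and cmd.startswith(("security-profile ", "ssid-profile ")):
            key, value = cmd.split(None, 1)
            vaps.setdefault(name, {})[key] = value
    # An open security profile only matters if a VAP profile actually references it.
    for vap, refs in vaps.items():
        sec = refs.get("security-profile")
        if sec in open_profiles:
            ssid = ssids.get(refs.get("ssid-profile"), "?")
            findings.append(Finding(
                "OPEN-SSID", open_profiles[sec], f"wlan > vap-profile name {vap}",
                f"SSID '{ssid}' uses 'security open': no over-the-air encryption"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:20} line {f.lineno:<3} [{f.view or 'system'}] {f.detail}")
```

Run it against the text of a saved configuration; an empty result means none of the five settings is present.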
Create authentication and authorization, authorization rules, and authorization results on NCE.
# Choose NAC > Admission Policy > Authentication and Authorization from the main menu.
# Click Authentication Rules, click Create, and configure an authentication rule according to the following figure.
# Click Authorization Rules, click Create, and configure an authorization rule according to the following figure.

5.3 Verification

5.3.1 Checking the AP Onboarding Status

# Run the display ap all command on WAC1 to check AP information.
[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
-----------------------------------------------------------------------------------------------------------
ID   MAC             Name  Group      IP             Type                  State  STA  Uptime     ExtraInfo
-----------------------------------------------------------------------------------------------------------
0    6ce8-748d-7540  AP1   ap-group1  10.23.100.13   AirEngine8760-X1-PRO  nor    1    1H:2M:31S
1    6ce8-748d-6d20  AP2   ap-group1  10.23.100.201  AirEngine8760-X1-PRO  nor    0    1H:2M:31S
2    6ce8-748d-6f00  AP3   ap-group1  10.23.100.132  AirEngine8760-X1-PRO  nor    0    1H:3M:0S
-----------------------------------------------------------------------------------------------------------
Total: 3

5.3.2 Checking VAP Information

# Run the display vap all command on WAC1 to check VAP information.
[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type    STA  SSID
-----------------------------------------------------------------------------
0      AP1      0     1    6CE8-748D-7540  ON      WPA2+802.1X  0    wlan-net
0      AP1      1     1    6CE8-748D-7550  ON      WPA2+802.1X  0    wlan-net
1      AP2      0     1    6CE8-748D-6D20  ON      WPA2+802.1X  0    wlan-net
1      AP2      1     1    6CE8-748D-6D30  ON      WPA2+802.1X  0    wlan-net
2      AP3      0     1    6CE8-748D-6F00  ON      WPA2+802.1X  0    wlan-net
2      AP3      1     1    6CE8-748D-6F10  ON      WPA2+802.1X  0    wlan-net
-----------------------------------------------------------------------------
Total: 6

5.3.3 Associating a STA with the WLAN and Verifying Authentication

# Before associating a STA with the WLAN, you need to set 802.1X parameters. This lab describes how to set 802.1X parameters on Windows 10.
# Choose Control Panel > Network and Internet > Network and Sharing Center. (Network and Internet is displayed when the view mode of Control Panel is set to Category.) Click Set up a new connection or network.
# In the dialog box that is displayed, select Manually connect to a wireless network and click Next.
# Enter a network name, set Security type and Encryption type, select Start this connection automatically, and click Next.
# Successfully added wlan-net is displayed. Click Change connection settings.
# Click the Security tab. Select Microsoft: Protected EAP (PEAP) from the drop-down list below Choose a network authentication method, and click Settings.
# Deselect Verify the server's identity by validating the certificate, select Secure password (EAP-MSCHAP v2) from the drop-down list box below Select Authentication Method, and click Configure. In the dialog box that is displayed, deselect Automatically use my Windows logon name and password and click OK. (With server certificate validation deselected, the STA does not verify the identity of the RADIUS server it authenticates to.)
# On the Security tab page, click Advanced settings.
# On the 802.1X settings tab page, select User authentication from the drop-down list below Specify authentication mode, and click OK.
# Click OK. The 802.1X parameters in the Windows 10 operating system are set.
# After all settings are complete, select the SSID wlan-net and click Connect.
# Enter the correct user name and password (dot1x-user and Huawei@123, respectively, in this example).
# After the connection is set up, run the ipconfig command to verify that the IP address obtained by the wireless network adapter is on the network segment 10.23.101.0/24. Run the ping command to test the network connectivity.

5.3.4 Checking Terminal Authentication Logs on NCE

# On NCE, choose Policy > NAC > Diagnosis and Logs > Terminal Authentication Logs to check terminal authentication logs.
# Choose RADIUS Login and Logout logs > RADIUS Authentication Logs to check terminal authentication records. The authentication rule is 802.1X, the authorization rule is 802.1X, and the authentication result is Success.

5.3.5 Checking Terminal Authentication on WAC1

# Check detailed information about NAC access users on WAC1. Success indicates successful access of a user.
[WAC1] display access-user detail
Basic:
  User ID                         : 65613
  User name                       : dot1x-user
  User MAC                        : 081f-7153-90b4
  User IP address                 : 10.23.101.196
  User vpn-instance               :
  User IPv6 address               :
  User access Interface           : Wlan-Dbss17498
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/101
  User vlan source                : user request
  User access time                : XXXX
  User accounting session ID      : WAC1000000000001016a****0600012
  User accounting mult session ID : 6CE8748D6D20E0E1A954AE6F676CB****A8249BD
  User access type                : 802.1x
  AP name                         : AP1
  Radio ID                        : 1
  AP MAC                          : 6ce8-748d-7540
  SSID                            : wlan-net
  Online time                     : 788(s)
  User Group Priority             : 0
AAA:
  User authentication type        : 802.1x authentication
  Current authentication method   : RADIUS
  Current authorization method    :
  Current accounting method       : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1

5.4 Reference Configuration

5.4.1 WAC1 Configuration

Software Version V200R021C00SPC100
#
sysname WAC1
#
vlan batch 18 100 to 101
#
authentication-profile name p1
 dot1x-access-profile d1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
management-port isolate enable
management-plane isolate enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#I/N%8moVPUUFK%!cJb;M;|PZ~N],pQVb*u(KD:;+%^%#
 radius-server authentication 172.18.134.230 1812 source Vlanif 100 weight 80
 radius-server accounting 172.18.134.230 1813 source Vlanif 100 weight 80
radius-server authorization 172.18.134.230 shared-key cipher %^%#FjuvX'1T<!rA8(3[m'-!d*Xt+vtm/K&8&DUTTuU.%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 authorization-scheme default
  authorization-mode local
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 3
 local-user admin password irreversible-cipher $1a$Z#*{";)Ik6$LUMXJS;VWR$p7mWZtx|EN3q#M`}27Bg+[8<)ELp.$
 local-user admin privilege level 15
 local-user admin service-type telnet ssh http
#
interface Vlanif18
 ip address 172.18.134.236 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
ip route-static 172.19.0.0 255.255.0.0 172.18.128.1
#
capwap source interface vlanif100
capwap dtls psk %^%#EJVsX!hYu4YZ2_G4#DzXA@:RKv34&REZ}|-y_]mY%^%#
capwap dtls inter-controller psk %^%#{9Wo7!%#BFZ<@EQ|:JG>Rp<|47s,v>YPa.#^!]A9%^%#
capwap dtls no-auth enable
#
wlan
 calibrate enable manual
 temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
 ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa2 dot1x aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile p1
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
ap-name AP2 ap-group ap-group1 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225 ap-name AP3 ap-group ap-group1 # dot1x-access-profile name d1 dot1x-access-profile name dot1x_access_profile # mac-access-profile name mac_access_profile # return 5.4.2 SW-Core Configuration !Software Version V200R022C00SPC500 # sysname SW-Core # vlan batch 18 100 to 101 # Page 117 HCIP-WLAN V2.0 Lab Guide dhcp enable # interface Vlanif18 ip address 172.18.134.246 255.255.128.0 # interface Vlanif100 ip address 10.23.100.254 255.255.255.0 dhcp select interface # interface Vlanif101 ip address 10.23.101.254 255.255.255.0 dhcp select interface # interface MultiGE0/0/1 port link-type trunk port trunk allow-pass vlan 18 100 to 101 # interface MultiGE0/0/4 port link-type trunk port trunk allow-pass vlan 18 # interface MultiGE0/0/9 port link-type trunk port trunk allow-pass vlan 100 to 101 # return 5.4.3 SW-Access Configuration !Software Version V200R022C00SPC500 # sysname SW-Access # vlan batch 100 to 101 # interface MultiGE0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 # interface MultiGE0/0/2 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 # interface MultiGE0/0/3 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 # interface MultiGE0/0/9 port link-type trunk port trunk allow-pass vlan 100 to 101 # Page 118 HCIP-WLAN V2.0 Lab Guide Page 119 return 5.5 Quiz In this lab, the authentication mode for 802.1X users is set to EAP. What other authentication modes can be configured for 802.1X users? Answer: Run the dot1x authentication-method command to configure the authentication mode for 802.1X users. The authentication mode for 802.1X users can be set to EAP, CHAP, or PAP. EAP: indicates relay authentication using the Extensible Authentication Protocol (EAP). CHAP: indicates EAP termination authentication using the Challenge Handshake Authentication Protocol (CHAP). 
PAP: indicates EAP termination authentication using the Password Authentication Protocol (PAP).

6 Portal Authentication Lab

6.1 Introduction

6.1.1 About This Lab

This lab instructs you to master the basic implementation and configuration methods of Portal access authentication.

6.1.2 Objectives

⚫ Understand the basic configuration process of the WLAN service.
⚫ Understand the basic implementation and configuration methods of Portal access authentication.

6.1.3 Networking Topology

Figure 6-1 Portal authentication lab topology

6.1.4 Lab Planning

Table 6-1 VLAN planning
Device     Port          Port Type  VLAN Settings
SW-Core    MultiGE0/0/1  Trunk      PVID: 1    Allow-pass: VLANs 18 100 and 101
SW-Core    MultiGE0/0/9  Trunk      PVID: 1    Allow-pass: VLANs 100 and 101
SW-Core    MultiGE0/0/4  Trunk      PVID: 1    Allow-pass: VLAN 18
SW-Access  MultiGE0/0/9  Trunk      PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk      PVID: 1    Allow-pass: VLANs 18 100 and 101

Table 6-2 IP address planning
Device              Port        IP Address
SW-Core             VLANIF 100  10.23.100.254/24
SW-Core             VLANIF 101  10.23.101.254/24
SW-Core             VLANIF 18   172.18.134.246/17
WAC1                VLANIF 18   172.18.134.236/17
WAC1                VLANIF 100  10.23.100.1/24
iMaster NCE-Campus  /           172.18.134.230/17

Table 6-3 WLAN service parameter planning
WLAN Service                      Parameter
Forwarding mode                   Tunnel forwarding
Management VLAN                   100
Service VLAN                      101
AP group                          ap-group1
VAP profile                       wlan-net
Security profile                  wlan-net
Security policy                   OPEN
SSID profile                      wlan-net
SSID                              wlan-net
RADIUS authentication parameters  Name of the RADIUS authentication scheme: radius_huawei
                                  Name of the RADIUS accounting scheme: scheme1
                                  Name of the RADIUS server template: radius_huawei
                                  IP address: 172.18.134.230
                                  Authentication port number: 1812
                                  Accounting port number: 1813
                                  Shared key: HUAWEI@123
Portal server template            Name: abc
                                  IP address: 172.18.134.230
                                  URL: https://172.18.134.230:19008/portal
                                  Destination port number in the packets sent by WAC1 to the Portal server: 50200
                                  Portal shared key: HUAWEI@123
Portal access profile             Name: portal1
                                  Bound profile: Portal server template abc
Authentication-free rule profile  Name: free1
Authentication profile            Name: p1
                                  Bound profiles and schemes:
                                  Portal access profile portal1
                                  RADIUS server template radius_huawei
                                  RADIUS authentication scheme radius_huawei
                                  RADIUS accounting scheme scheme1
                                  Authentication-free rule profile free1

6.2 Lab Configuration

6.2.1 Configuration Roadmap

1. Configure the basic network to ensure network connectivity.
2. Configure SW-Core as a DHCP server to assign IP addresses to STAs and APs.
3. Configure network connectivity between NCE and WAC1.
4. Configure AP onboarding.
5. Configure Portal authentication on WAC1.
6. Configure basic WLAN services.
7. Configure Portal authentication on NCE.
8. Verify Portal authentication.

6.2.2 Configuration Procedure

Step 1 Configure network connectivity.
# For details, see Step 1 in section 5.2.2 "Configuration Procedure."

Step 2 Configure a DHCP server.
# For details, see Step 2 in section 5.2.2 "Configuration Procedure."

Step 3 Configure network connectivity between NCE and WAC1.
# For details, see Step 3 in section 5.2.2 "Configuration Procedure."

Step 4 Configure AP onboarding.
# For details, see Step 4 in section 5.2.2 "Configuration Procedure."

Step 5 Configure Portal authentication on WAC1.

# Configure a RADIUS server template.
[WAC1] radius-server template radius_huawei
[WAC1-radius-radius_huawei] radius-server authentication 172.18.134.230 1812 source vlanif 100
[WAC1-radius-radius_huawei] radius-server accounting 172.18.134.230 1813 source vlanif 100
[WAC1-radius-radius_huawei] radius-server shared-key cipher HUAWEI@123
[WAC1-radius-radius_huawei] quit
[WAC1] radius-server authorization 172.18.134.230 shared-key cipher HUAWEI@123 server-group radius_huawei
[WAC1] radius-server authorization server-source all-interface
Warning: All interface listening has security risks. If configured, the configuration of the specified listening IP address will be removed. Continue?[Y/N] y
Info: This operation may take some time, please wait for a moment .....

# Configure an authentication scheme that uses RADIUS authentication.
[WAC1] aaa
[WAC1-aaa] authentication-scheme radius_huawei
[WAC1-aaa-authen-radius_huawei] authentication-mode radius
[WAC1-aaa-authen-radius_huawei] quit

# Configure a RADIUS accounting scheme.
[WAC1-aaa] accounting-scheme scheme1
[WAC1-aaa-accounting-scheme1] accounting-mode radius
[WAC1-aaa-accounting-scheme1] accounting realtime 3
[WAC1-aaa-accounting-scheme1] quit
[WAC1-aaa] quit

# Configure a URL template. When NCE functions as a Portal server, the default port number of the Portal page is 19008.
[WAC1] url-template name url1
[WAC1-url-template-url1] url https://172.18.134.230:19008/portal
[WAC1-url-template-url1] url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip ac-ip
[WAC1-url-template-url1] quit

# Configure a Portal server template. When NCE functions as a Portal server, the default listening port is 50200.
[WAC1] web-auth-server server-source all-interface
Warning: All interface listening has security risks. If configured, the configuration of the specified listening IP address will be removed. Continue?[Y/N] y
[WAC1] web-auth-server abc
[WAC1-web-auth-server-abc] server-ip 172.18.134.230
[WAC1-web-auth-server-abc] source-ip 10.23.100.1
[WAC1-web-auth-server-abc] shared-key cipher HUAWEI@123
[WAC1-web-auth-server-abc] port 50200
[WAC1-web-auth-server-abc] url-template url1
[WAC1-web-auth-server-abc] quit

# Create the Portal access profile portal1 and configure Layer 2 Portal authentication.
[WAC1] portal-access-profile name portal1
[WAC1-portal-access-profile-portal1] web-auth-server abc direct
[WAC1-portal-access-profile-portal1] quit

# An authentication-free rule profile is used to permit basic network access rights, such as accessing the DNS server, downloading patches, and updating the antivirus signature database. Only the IP address of the NCE server is permitted in this lab.
[WAC1] free-rule-template name free1
[WAC1-free-rule-free1] free-rule 1 destination ip 172.18.134.230 mask 32
[WAC1-free-rule-free1] quit

# Create the authentication profile p1, and bind the Portal access profile portal1, authentication-free rule profile free1, RADIUS server template radius_huawei, authentication scheme radius_huawei, and accounting scheme scheme1 to the authentication profile.
[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] portal-access-profile portal1
[WAC1-authentication-profile-p1] free-rule-template free1
[WAC1-authentication-profile-p1] radius-server radius_huawei
[WAC1-authentication-profile-p1] authentication-scheme radius_huawei
[WAC1-authentication-profile-p1] accounting-scheme scheme1
[WAC1-authentication-profile-p1] quit

Step 6 Configuring WLAN Services

# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1] wlan
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security open
[WAC1-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.
[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 7 Configure Portal authentication on NCE.

Create the user name and password for Portal authentication on NCE.
# Choose Policy > NAC > Admission Resources > Admission User Management from the main menu.
# Choose User Management > User, click +, and create a user group named HCIP-WLAN.
# Select the HCIP-WLAN user group and click Create. On the page that is displayed, set User name to portal-user, Password to Huawei@123, and Available login mode to Portal and 802.1X & Portal 2.0 for Portal authentication, and click OK.

Add an admission device (WAC1) to NCE.
# Choose NAC > Admission Resources > Admission Device and configure an admission device.
# Click Third-party Admission Device and click Create to create a third-party admission device.
# Set parameters according to the following figure.
Set Accounting key and Authorization key both to HUAWEI@123, and Accounting interval (min) to 3, which are the same as those configured on WAC1.
# Configure Portal authentication parameters. Set Portal protocol to HUAWEI Portal(Portal2.0), Portal key to HUAWEI@123 (same as the shared-key configured on WAC1), and Portal Authentication port to 2000 (default), and click OK. The Portal authentication port is the default listening port of WAC1 and is used to listen to Portal packets.

Create authentication and authorization, authorization rules, and authorization results on NCE.
# Choose NAC > Admission Policy > Authentication and Authorization from the main menu.
# Click Authentication Rules, click Create, and configure an authentication rule as follows:
# Click Authorization Rules, click Create, and configure an authorization rule according to the following figure.

Configure the Portal page push policy on NCE. (If there is no special requirement, use the default page.)
# Choose Policy > NAC > Admission Resources > Page Management to manage Portal pages.
# Click the Portal Page Push Policy tab, click Create, set the parameters according to the following figures, and click OK.
# Check the Portal page push policy.

6.3 Verification

6.3.1 Checking the AP Onboarding Status

# Run the display ap all command on WAC1 to check the AP onboarding status. If the State field of an AP is displayed as nor, the AP has gone online successfully. The IP address of the AP is dynamically obtained through DHCP. The actual IP address is subject to the lab result.
[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
-----------------------------------------------------------------------------------------------------------
ID   MAC             Name  Group      IP             Type                  State  STA  Uptime     ExtraInfo
-----------------------------------------------------------------------------------------------------------
0    6ce8-748d-7540  AP1   ap-group1  10.23.100.13   AirEngine8760-X1-PRO  nor    0    16S
1    6ce8-748d-6d20  AP2   ap-group1  10.23.100.201  AirEngine8760-X1-PRO  nor    0
2    6ce8-748d-6f00  AP3   ap-group1  10.23.100.132  AirEngine8760-X1-PRO  nor    1    21S        -
-----------------------------------------------------------------------------------------------------------
Total: 3

6.3.2 Checking VAP Information

# Run the display vap all command on WAC1 to check VAP information.
[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type    STA  SSID
-----------------------------------------------------------------------------
0      AP1      0     1    6CE8-748D-7540  ON      Open+Portal  0    wlan-net
0      AP1      1     1    6CE8-748D-7550  ON      Open+Portal  0    wlan-net
1      AP2      0     1    6CE8-748D-6D20  ON      Open+Portal  0    wlan-net
1      AP2      1     1    6CE8-748D-6D30  ON      Open+Portal  0    wlan-net
2      AP3      0     1    6CE8-748D-6F00  ON      Open+Portal  0    wlan-net
2      AP3      1     1    6CE8-748D-6F10  ON      Open+Portal  1    wlan-net
-----------------------------------------------------------------------------
Total: 6

6.3.3 Verifying STA Access to a WLAN in Portal Authentication Mode

# After connecting to the SSID wlan-net, open a browser on a STA and enter any IP address. The Portal authentication page is displayed.
# You are redirected to the Portal authentication page, where you can enter the user name portal-user and password Huawei@123, and select User notice to log in.
# Verification succeeded is displayed, indicating that you can access network resources.

6.3.4 Checking Terminal Authentication Logs on NCE

# On NCE, choose Policy > NAC > Diagnosis and Logs > Terminal Authentication Logs to check terminal authentication logs.
# Click the Portal Login and Logout Logs tab to check Portal terminal authentication records.

6.3.5 Checking Terminal Authentication on WAC1

# Check detailed information about NAC access users on WAC1. Success indicates successful access of a user.
[WAC1] display access-user detail
Basic:
  User ID                         : 393235
  User name                       : portal-user
  User MAC                        : e0e1-a954-ae6f
  User IP address                 : 10.23.101.93
  User vpn-instance               :
  User IPv6 address               :
  User access Interface           : Wlan-Dbss17500
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/101
  User vlan source                : user request
  User access time                : XXXX/XX/XX 03:18:38
  User accounting session ID      : WAC100000000000101a8****0600013
  User accounting mult session ID : 6CE8748D6D20E0E1A954AE6F676CC****DE696C6
  User access type                : WEB
  AP name                         : AP2
  Radio ID                        : 0
  AP MAC                          : 6ce8-748d-6d20
  SSID                            : wlan-net
  Online time                     : 300(s)
  Web-server IP address           : 172.18.134.230
  User Group Priority             : 0
AAA:
  User authentication type        : WEB authentication
  Current authentication method   : RADIUS
  Current authorization method    :
  Current accounting method       : RADIUS
------------------------------------------------------------------------------
Total: 1, printed: 1

6.4 Reference Configuration

6.4.1 WAC1 Configuration

Software Version V200R022C00SPC100
#
sysname WAC1
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template free1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
web-auth-server server-source all-interface
#
management-port isolate enable
management-plane isolate enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#I/N%8moVPUUFK%!cJb;M;|PZ~N],pQVb*u(KD:;+%^%#
 radius-server authentication 172.18.134.230 1812 source Vlanif 100 weight 80
 radius-server accounting 172.18.134.230 1813 source Vlanif 100 weight 80
radius-server authorization 172.18.134.230 shared-key cipher %^%#FjuvX'1T<!rA8(3[m'-!d*Xt+vtm/K&8&DUTTuU.%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
free-rule-template name default_free_rule
#
free-rule-template name free1
 free-rule 1 destination ip 172.18.134.230 mask 255.255.255.255
#
url-template name url1
 url https://172.18.134.230:19008/portal
 url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip acip
#
web-auth-server abc
 server-ip 172.18.134.230
 port 50200
 shared-key cipher %^%#/H+oJc*rtC_]{(WRUDt4un;&<1:g~NP{q(SD$ux#%^%#
 url-template url1
 source-ip 10.23.100.1
#
portal-access-profile name portal1
 web-auth-server abc direct
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 3
 local-aaa-user password policy administrator
 domain default
  authentication-scheme default
  accounting-scheme default
  radius-server default
 domain default_admin
  authentication-scheme default
  accounting-scheme default
#
interface Vlanif18
 ip address 172.18.134.236 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
ip route-static 172.19.0.0 255.255.0.0 172.18.128.1
#
capwap source interface vlanif100
capwap dtls psk %^%#^zZq<D7&>Mc-euO[wdR)zrjY4I`*oJ%UcK6sn%t5%^%#
capwap dtls inter-controller psk %^%#dKz03q"#ARJH__Pm`Yc(6QMF>dsn6M:M247\g!I&%^%#
capwap dtls no-auth enable
#
wlan
 calibrate flexible-radio auto-switch
 temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
 ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security open
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile p1
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
#
return

6.4.2 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 18 100 to 101
#
dhcp enable
#
interface Vlanif18
 ip address 172.18.134.246 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/1
 port link-type trunk
 port
trunk allow-pass vlan 18 100 to 101 # interface MultiGE0/0/4 port link-type trunk port trunk allow-pass vlan 18 # interface MultiGE0/0/9 port link-type trunk port trunk allow-pass vlan 100 to 101 # return 6.4.3 SW-Access Configuration !Software Version V200R022C00SPC500 # sysname SW-Access # vlan batch 100 to 101 # interface MultiGE0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 # interface MultiGE0/0/2 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 # interface MultiGE0/0/3 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 # interface MultiGE0/0/9 port link-type trunk port trunk allow-pass vlan 100 to 101 # return 6.5 Quiz The DNS server is not configured in the preceding lab. What is the function of a DNS server in Portal authentication? Answer: HCIP-WLAN V2.0 Lab Guide Page 143 The DNS server parses the domain name sent by a terminal so that the AP can redirect the terminal to the Portal authentication page. That is, the terminal can be redirected to the Portal authentication page when accessing any domain name. HCIP-WLAN V2.0 Lab Guide 7 Page 144 WLAN Roaming Lab 7.1 Introduction 7.1.1 About This Lab This lab activity provides instructions on configuring and commissioning intra-WAC Layer 2 and inter-WAC Layer 3 roaming so that you can understand how to deploy HUAWEI WLAN roaming. 7.1.2 Objectives ⚫ Understand the intra-WAC Layer 2 roaming network configuration. ⚫ Understand the inter-WAC Layer 3 roaming network configuration. 

7.1.3 Networking Topology
Figure 7-1 WLAN roaming networking topology

7.1.4 Lab Planning
Table 7-1 VLAN planning
Device      Port           Port Type   VLAN Settings
SW-Core     MultiGE0/0/1   Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
SW-Core     MultiGE0/0/2   Trunk       PVID: 1; Allow-pass: VLANs 200 and 201
SW-Core     MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access   MultiGE0/0/9   Trunk       PVID: 1; Allow-pass: VLANs 100, 101, 200, and 201
SW-Access   MultiGE0/0/1   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/2   Trunk       PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access   MultiGE0/0/3   Trunk       PVID: 200; Allow-pass: VLANs 200 and 201
WAC1        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 100 and 101
WAC2        GE0/0/1        Trunk       PVID: 1; Allow-pass: VLANs 200 and 201

Table 7-2 IP address planning
Device    Port         IP Address
WAC1      VLANIF 100   10.23.100.1/24
WAC1      VLANIF 101   10.23.101.254/24
WAC2      VLANIF 200   10.23.200.1/24
WAC2      VLANIF 201   10.23.201.254/24
SW-Core   VLANIF 100   10.23.100.254/24
SW-Core   VLANIF 200   10.23.200.254/24

Table 7-3 WAC1 service parameter planning
WLAN Service       Parameter
Forwarding mode    Direct forwarding
Management VLAN    100
Service VLAN       101
AP group           ap-group1
VAP profile        wlan-net1
Security profile   wlan-net
Security policy    WPA/WPA2+PSK+AES
Password           a12345678
SSID profile       wlan-net
SSID               wlan-net

Table 7-4 WAC2 service parameter planning
WLAN Service       Parameter
Forwarding mode    Direct forwarding
Management VLAN    200
Service VLAN       201
AP group           ap-group2
VAP profile        wlan-net2
Security profile   wlan-net
Security policy    WPA/WPA2+PSK+AES
Password           a12345678
SSID profile       wlan-net
SSID               wlan-net

7.2 Lab Configuration
7.2.1 Configuration Roadmap
1. Configure network connectivity among WAC1, WAC2, SW-Access, and SW-Core.
2. Configure WAC1 and WAC2 as DHCP servers to assign IP addresses to APs and STAs.
3. Configure AP1 and AP2 to go online on WAC1.
4. Configure AP3 to go online on WAC2.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure inter-WAC roaming.
7. Verify the roaming result.

7.2.2 Configuration Procedure
Step 1 Configure network connectivity.
Configure the access switch SW-Access.
# Create VLANs 100, 101, 200, and 201 on SW-Access.
<HUAWEI> system-view
[HUAWEI] sysname SW-Access
[SW-Access] vlan batch 100 101 200 201
# Configure the types, PVIDs, and allowed VLANs for the downlink interfaces on SW-Access.
[SW-Access] interface MultiGE 0/0/1
[SW-Access-MultiGE0/0/1] port link-type trunk
[SW-Access-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/1] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/1] quit
[SW-Access] interface MultiGE 0/0/2
[SW-Access-MultiGE0/0/2] port link-type trunk
[SW-Access-MultiGE0/0/2] port trunk allow-pass vlan 100 101
[SW-Access-MultiGE0/0/2] port trunk pvid vlan 100
[SW-Access-MultiGE0/0/2] quit
[SW-Access] interface MultiGE 0/0/3
[SW-Access-MultiGE0/0/3] port link-type trunk
[SW-Access-MultiGE0/0/3] port trunk allow-pass vlan 200 201
[SW-Access-MultiGE0/0/3] port trunk pvid vlan 200
[SW-Access-MultiGE0/0/3] quit
# Configure the type of the uplink interface on SW-Access and the allowed VLANs for the interface.
[SW-Access] interface MultiGE 0/0/9
[SW-Access-MultiGE0/0/9] port link-type trunk
[SW-Access-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Access-MultiGE0/0/9] quit
Configure the core switch SW-Core.
# Create VLANs 100, 101, 200, and 201 on SW-Core.
<HUAWEI> system-view
[HUAWEI] sysname SW-Core
[SW-Core] vlan batch 100 101 200 201
# Configure the type of the downlink interface on SW-Core and configure the interface to allow packets from VLANs 100, 101, 200, and 201 to pass through.
[SW-Core] interface MultiGE 0/0/9
[SW-Core-MultiGE0/0/9] port link-type trunk
[SW-Core-MultiGE0/0/9] port trunk allow-pass vlan 100 101 200 201
[SW-Core-MultiGE0/0/9] quit
# Configure the type of the interface connecting SW-Core to WAC1 and the allowed VLANs for the interface.
[SW-Core] interface MultiGE 0/0/1
[SW-Core-MultiGE0/0/1] port link-type trunk
[SW-Core-MultiGE0/0/1] port trunk allow-pass vlan 100 101
[SW-Core-MultiGE0/0/1] quit
# Configure the type of the interface connecting SW-Core to WAC2 and the allowed VLANs for the interface.
[SW-Core] interface MultiGE 0/0/2
[SW-Core-MultiGE0/0/2] port link-type trunk
[SW-Core-MultiGE0/0/2] port trunk allow-pass vlan 200 201
[SW-Core-MultiGE0/0/2] quit
Configure WAC1.
# Create VLANs 100 and 101 on WAC1.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC1
[WAC1] vlan batch 100 101
# Configure the type of GE0/0/1 on WAC1 and the allowed VLANs for the interface.
[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port link-type trunk
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[WAC1-GigabitEthernet0/0/1] quit
Configure WAC2.
# Create VLANs 200 and 201 on WAC2.
<AirEngine9700-M1> system-view
[AirEngine9700-M1] sysname WAC2
[WAC2] vlan batch 200 201
# Configure the type of GE0/0/1 on WAC2 and the allowed VLANs for the interface.
[WAC2] interface GigabitEthernet 0/0/1
[WAC2-GigabitEthernet0/0/1] port link-type trunk
[WAC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 201
[WAC2-GigabitEthernet0/0/1] quit
# Configure IP addresses for SW-Core.
[SW-Core] interface vlanif 100
[SW-Core-Vlanif100] ip address 10.23.100.254 24
[SW-Core-Vlanif100] quit
[SW-Core] interface vlanif 200
[SW-Core-Vlanif200] ip address 10.23.200.254 24
[SW-Core-Vlanif200] quit
# Configure IP addresses for WAC1.
[WAC1] interface vlanif 100
[WAC1-Vlanif100] ip address 10.23.100.1 24
[WAC1-Vlanif100] quit
[WAC1] interface Vlanif 101
[WAC1-Vlanif101] ip address 10.23.101.254 24
[WAC1-Vlanif101] quit
# Configure IP addresses for WAC2.
[WAC2] interface vlan 200
[WAC2-Vlanif200] ip address 10.23.200.1 24
[WAC2-Vlanif200] quit
[WAC2] interface vlan 201
[WAC2-Vlanif201] ip address 10.23.201.254 24
[WAC2-Vlanif201] quit
# Configure WLAN service routes on SW-Core.
[SW-Core] ip route-static 10.23.101.0 255.255.255.0 10.23.100.1
[SW-Core] ip route-static 10.23.201.0 255.255.255.0 10.23.200.1
# Configure a default route on WAC1.
[WAC1] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
# Configure a default route on WAC2.
[WAC2] ip route-static 0.0.0.0 0.0.0.0 10.23.200.254

Step 2 Configure DHCP servers.
# Configure WAC1 as a DHCP server to assign IP addresses to AP1, AP2, and STAs.
[WAC1] dhcp enable
[WAC1] interface Vlanif 100
[WAC1-Vlanif100] dhcp select interface
[WAC1-Vlanif100] quit
[WAC1] interface Vlanif 101
[WAC1-Vlanif101] dhcp select interface
[WAC1-Vlanif101] quit
# Configure WAC2 as a DHCP server to assign IP addresses to AP3 and STAs.
[WAC2] dhcp enable
[WAC2] interface Vlanif 200
[WAC2-Vlanif200] dhcp select interface
[WAC2-Vlanif200] quit
[WAC2] interface Vlanif 201
[WAC2-Vlanif201] dhcp select interface
[WAC2-Vlanif201] quit

Step 3 Configure AP1 and AP2 to go online.
# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode on WAC1. (V200R021C00 and later versions)
[WAC1] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks. Continue? [Y/N]: y
# Configure the CAPWAP source interface on WAC1.
Ensure that the following parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/HUAWEI@123
Global login password of the offline management VAP: a1234567
[WAC1] capwap dtls psk a1234567
[WAC1] capwap dtls inter-controller psk a1234567
[WAC1] wlan
[WAC1-wlan-view] temporary-management psk a1234567
[WAC1-wlan-view] ap username admin password cipher
Warning: This operation will disconnect administrator users logging in to the AP, Continue? [Y/N]: y
Enter the password (plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): HUAWEI@123
Confirm password: HUAWEI@123
[WAC1-wlan-view] quit
[WAC1] capwap source interface vlanif 100
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.
# Create the AP group ap-group1 to which AP1 and AP2 will be added.
[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit
# On WAC1, set the AP authentication mode to MAC address authentication.
[WAC1] wlan
[WAC1-wlan-view] ap auth-mode mac-auth
[WAC1-wlan-view] quit
# Add APs on WAC1. (The APs' MAC addresses here are for reference only. Replace them as required.)
[WAC1] wlan
[WAC1-wlan-view] ap-id 0 ap-mac 6ce8-748d-7540
[WAC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-0] ap-name AP1
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-0] quit
[WAC1-wlan-view] ap-id 1 ap-mac 6ce8-748d-6d20
[WAC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-1] ap-name AP2
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC1-wlan-ap-1] quit
[WAC1-wlan-view] quit

Step 4 Configure AP3 to go online.
# Enable the function of establishing CAPWAP DTLS sessions in none authentication mode on WAC2. (V200R021C00 and later versions)
[WAC2] capwap dtls no-auth enable
Warning: This operation allows for device access in non-DTLS encryption mode even when DTLS is enabled and brings security risks. After the device goes online for the first time, disable this function to prevent security risks. Continue?[Y/N]: y
# Configure the CAPWAP source interface on WAC2.
Ensure that the following parameters have been configured in advance:
DTLS PSK: a1234567
Inter-WAC DTLS PSK: a1234567
Fit AP management parameters (user name/password): admin/HUAWEI@123
Global login password of the offline management VAP: a1234567
[WAC2] capwap dtls psk a1234567
[WAC2] capwap dtls inter-controller psk a1234567
[WAC2] wlan
[WAC2-wlan-view] temporary-management psk a1234567
[WAC2-wlan-view] ap username admin password cipher
Warning: This operation will disconnect administrator users logging in to the AP, Continue? [Y/N]: y
Enter the password (plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters): HUAWEI@123
Confirm password: HUAWEI@123
[WAC2-wlan-view] quit
[WAC2] capwap source interface vlanif 200
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Warning: Before an added device goes online for the first time, enable DTLS no-auth if it runs a version earlier than V200R021C00 or enable DTLS certificate-mandatory-match if it runs V200R021C00 or later.
# Create the AP group ap-group2.
[WAC2] wlan
[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] quit
[WAC2-wlan-view] quit
# On WAC2, set the AP authentication mode to MAC address authentication.
[WAC2] wlan
[WAC2-wlan-view] ap auth-mode mac-auth
[WAC2-wlan-view] quit
# Add APs on WAC2. (The APs' MAC addresses here are for reference only. Replace them as required.)
[WAC2] wlan
[WAC2-wlan-view] ap-id 0 ap-mac 6ce8-748d-6f00
[WAC2-wlan-ap-0] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC2-wlan-ap-0] ap-name AP3
Warning: The AP name cannot be the MAC address of another AP. Otherwise, the AP name may be lost after the device restarts.
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]: y
[WAC2-wlan-ap-0] quit
[WAC2-wlan-view] quit

Step 5 Configure WLAN services on WAC1.
# Configure the country code in a regulatory domain profile. The default country code is CN. (If the device is located outside China, change the country code accordingly.)
[WAC1] wlan
[WAC1-wlan-view] regulatory-domain-profile name domain1
[WAC1-wlan-regulate-domain-domain1] country-code CN
[WAC1-wlan-regulate-domain-domain1] quit
# Bind the regulatory domain profile to the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]: y
[WAC1-wlan-ap-group-ap-group1] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC1-wlan-view] security-profile name wlan-net
[WAC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[WAC1-wlan-view] ssid-profile name wlan-net
[WAC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC1-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net1, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.
[WAC1-wlan-view] vap-profile name wlan-net1
[WAC1-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[WAC1-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[WAC1-wlan-vap-prof-wlan-net1] security-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[WAC1-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile to the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 6 Configure WLAN services on WAC2.
# Configure the country code in a regulatory domain profile. The default country code is CN. (If the device is located outside China, change the country code accordingly.)
[WAC2] wlan
[WAC2-wlan-view] regulatory-domain-profile name domain1
[WAC2-wlan-regulate-domain-domain1] country-code CN
[WAC2-wlan-regulate-domain-domain1] quit
# Bind the regulatory domain profile to the AP group.
[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]: y
[WAC2-wlan-ap-group-ap-group2] quit
# Create the security profile wlan-net and configure a security policy in the profile.
[WAC2-wlan-view] security-profile name wlan-net
[WAC2-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a12345678 aes
[WAC2-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[WAC2-wlan-view] ssid-profile name wlan-net
[WAC2-wlan-ssid-prof-wlan-net] ssid wlan-net
[WAC2-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net2, set the data forwarding mode and service VLAN, and bind the security profile and SSID profile to the VAP profile.
[WAC2-wlan-view] vap-profile name wlan-net2
[WAC2-wlan-vap-prof-wlan-net2] forward-mode direct-forward
[WAC2-wlan-vap-prof-wlan-net2] service-vlan vlan-id 201
[WAC2-wlan-vap-prof-wlan-net2] security-profile wlan-net
[WAC2-wlan-vap-prof-wlan-net2] ssid-profile wlan-net
[WAC2-wlan-vap-prof-wlan-net2] quit
# Bind the VAP profile to the AP group.
[WAC2-wlan-view] ap-group name ap-group2
[WAC2-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[WAC2-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[WAC2-wlan-ap-group-ap-group2] quit
[WAC2-wlan-view] quit

Step 7 Configure inter-WAC roaming.
# Create a mobility group on WAC1, and add WAC1 and WAC2 to the mobility group.
[WAC1] wlan
[WAC1-wlan-view] mobility-group name mob1
[WAC1-mc-mg-mob1] member ip-address 10.23.100.1
[WAC1-mc-mg-mob1] member ip-address 10.23.200.1
[WAC1-mc-mg-mob1] quit
# Create a mobility group on WAC2, and add WAC1 and WAC2 to the mobility group.
[WAC2] wlan
[WAC2-wlan-view] mobility-group name mob1
[WAC2-mc-mg-mob1] member ip-address 10.23.100.1
[WAC2-mc-mg-mob1] member ip-address 10.23.200.1
[WAC2-mc-mg-mob1] quit

Step 8 Configure DTLS encryption for an inter-WAC tunnel.
The pre-shared key for DTLS encryption between WACs has been configured in the previous steps. Therefore, you do not need to configure it again.
# Enable DTLS encryption for inter-WAC tunnels on WAC1.
[WAC1] capwap dtls inter-controller control-link encrypt on
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]: y
# Enable DTLS encryption for inter-WAC tunnels on WAC2.
[WAC2] capwap dtls inter-controller control-link encrypt on
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]: y

7.3 Verification
7.3.1 Checking the AP Onboarding Status
# Run the display ap all command on WAC1 to check the onboarding status of AP1 and AP2.
[WAC1] display ap all
Total AP information:
nor  : normal          [2]
ExtraInfo : Extra information
-----------------------------------------------------------------------------------------------------------
ID   MAC            Name Group     IP            Type                 State STA Uptime  ExtraInfo
-----------------------------------------------------------------------------------------------------------
0    6ce8-748d-7540 AP1  ap-group1 10.23.100.137 AirEngine8760-X1-PRO nor   0   24M:55S
1    6ce8-748d-6d20 AP2  ap-group1 10.23.100.180 AirEngine8760-X1-PRO nor   1   25M:6S
-----------------------------------------------------------------------------------------------------------
Total: 2
# Run the display ap all command on WAC2 to check the onboarding status of AP3.
[WAC2] display ap all
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
-----------------------------------------------------------------------------------------------------------
ID   MAC            Name Group     IP            Type                 State STA Uptime  ExtraInfo
-----------------------------------------------------------------------------------------------------------
0    6ce8-748d-6f00 AP3  ap-group2 10.23.200.78  AirEngine8760-X1-PRO nor   0   16M:43S
-----------------------------------------------------------------------------------------------------------
Total: 1

7.3.2 Checking the VAP Status
# Run the display vap all command on WAC1 to check VAP information.
[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
------------------------------------------------------------------------------
0     AP1     0    1   6CE8-748D-7540 ON     WPA/WPA2-PSK 0   wlan-net
0     AP1     1    1   6CE8-748D-7550 ON     WPA/WPA2-PSK 0   wlan-net
1     AP2     0    1   6CE8-748D-6D20 ON     WPA/WPA2-PSK 1   wlan-net
1     AP2     1    1   6CE8-748D-6D30 ON     WPA/WPA2-PSK 0   wlan-net
------------------------------------------------------------------------------
Total: 4
# Run the display vap all command on WAC2 to check VAP information.
[WAC2] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
------------------------------------------------------------------------------
0     AP3     0    1   6CE8-748D-6F00 ON     WPA/WPA2-PSK 0   wlan-net
0     AP3     1    1   6CE8-748D-6F10 ON     WPA/WPA2-PSK 0   wlan-net
------------------------------------------------------------------------------
Total: 2

7.3.3 Checking the Mobility Group Status
# Run the display mobility-group name mob1 command on WAC1 and WAC2 to check the mobility group status. If the State field displays as normal, the mobility group status is normal. The following uses WAC1 as an example.
[WAC1] display mobility-group name mob1
--------------------------------------------------------------------------------
State       IP address       Description
--------------------------------------------------------------------------------
normal      10.23.100.1      -
normal      10.23.200.1      -
--------------------------------------------------------------------------------
Total: 2

7.3.4 Observing the STA Roaming Status
# In the coverage area of AP1, enable a STA to search for the WLAN wlan-net, and enter the shared key a12345678 to connect to the WLAN.
# Check STA access on WAC1. The command output shows that the STA is connected to AP1.
[WAC1] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
----------------------------------------------------------------------------------------------------------
e0e1-a954-ae6f 0     AP1     0/1     2.4G 11n  1/52  -53  101  10.23.101.249 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# As the STA gradually moves to the coverage area of AP2, it is found that the STA roams to AP2.
[WAC1] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
----------------------------------------------------------------------------------------------------------
e0e1-a954-ae6f 1     AP2     0/1     2.4G 11n  1/58  -55  101  10.23.101.249 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# Check the roaming track on WAC1 (intra-WAC Layer 2 roaming).
[WAC1] display station roam-track sta-mac e0e1-a954-ae6f
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
s:Same Frequency Network c:PMK Cache Roam r:802.11r Roam d:802.11r over ds Roam
p:proprietary 802.11r Roam
--------------------------------------------------------------------------------------------------------
L2/L3 AP-AC IP    AC-AC IP    Ap name Radio ID BSSID          TIME                In/Out RSSI Out Rx/Tx
--------------------------------------------------------------------------------------------------------
-     10.23.100.1             AP1     0        6ce8-748d-7540 XXXX-XX-XX/12:29:54 -52/-53     1/28
L2    10.23.100.1             AP2     0        6ce8-748d-6d20 XXXX-XX-XX/12:37:44 -57/-       -/-
--------------------------------------------------------------------------------------------------------
Number: 1
# As the STA moves to the coverage area of AP3, it is found that the STA roams to AP3.
[WAC2] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
----------------------------------------------------------------------------------------------------------
e0e1-a954-ae6f 0     AP3     0/1     2.4G -/101 10.23.101.249 wlan-net
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# Check the roaming track on WAC2 (inter-WAC Layer 3 roaming).
[WAC2] display station roam-track sta-mac e0e1-a954-ae6f
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
s:Same Frequency Network c:PMK Cache Roam r:802.11r Roam d:802.11r over ds Roam
p:proprietary 802.11r Roam
--------------------------------------------------------------------------------------------------------
L2/L3 AP-AC IP    AC-AC IP    Ap name Radio ID BSSID          TIME                In/Out RSSI Out Rx/Tx
--------------------------------------------------------------------------------------------------------
-     10.23.100.1             AP1     0        6ce8-748d-7540 XXXX-XX-XX/12:29:54 -52/-53     1/28
L2    10.23.100.1             AP2     0        6ce8-748d-6d20 XXXX-XX-XX/12:37:44 -57/28/30
L3    10.23.200.1 10.23.200.1 AP3     0        9cb2-e82d-5120 XXXX-XX-XX/20:01:58 -53/-       -/-
--------------------------------------------------------------------------------------------------------
Number: 2

7.4 Reference Configuration
7.4.1 WAC1 Configuration
Software Version V200R022C00SPC100
#
sysname WAC1
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
 management-interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#R=+I57EMP>bFKr35X0^<,+3nJW$Op9vERA&pLnIQ%^%#
capwap dtls inter-controller psk %^%#AgB^DVxu6@WhSA>j\UA=vTE0H&`GaOmns<<Y~Y-"%^%#
capwap dtls no-auth enable
#
wlan
 temporary-management psk %^%#A0jK$oAoNG5=j>6-NcL56%e2U4\G29J@z'/-:)]Q%^%#
 ap username admin password cipher %^%#U-k!~ucm:N'r~*SdQMQ3_EKpH7(s_D$O6g,NxwL$%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#H95ZT,~zPB3w;;VuULcRf#$]+cnEVPT02SMi_qo=%^%# aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 tunnel-ap-group name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 mobility-group name mob1
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 provision-ap
#
return

7.4.2 WAC2 Configuration
Software Version V200R022C00SPC100
#
sysname WAC2
#
vlan batch 200 to 201
#
dhcp enable
#
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
 dhcp select interface
 management-interface
#
interface Vlanif201
 ip address 10.23.201.254 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200 to 201
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.254
#
capwap source interface vlanif200
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#dgC,160`5;XLVhDL4+u@6c4NO.@cbDA='{CF\RxT%^%#
capwap dtls inter-controller psk %^%#B^maC5I1.2sxISA++m$0OtU46|kX!&*,:FD|2_#7%^%#
capwap dtls no-auth enable
#
wlan
 temporary-management psk %^%#_}=*4p!(<;Pb]EVN&)vWF4S^"5LnG)-#!!9`exFJ%^%#
 ap username admin password cipher %^%#6#pl>Kz)r.r@r&Q/_fHW|us3LjRaK)hM-#Z@q4e(%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#\Mp-:nhlrX^YpV~[GI/VPz[P7!<`Q=UFu;RsrF=Y%^%# aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net2
  service-vlan vlan-id 201
  ssid-profile wlan-net
  security-profile wlan-net
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 tunnel-ap-group name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 mobility-group name mob1
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
 ap-group name default
 ap-group name ap-group2
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net2 wlan 1
  radio 1
   vap-profile wlan-net2 wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group2
 provision-ap
#
return

7.4.3 SW-Core Configuration
!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 100 to 101 200 to 201
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
#
interface Vlanif200
 ip address 10.23.200.254 255.255.255.0
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200 to 201
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.100.1
ip route-static 10.23.201.0 255.255.255.0 10.23.200.1
#
return

7.4.4 SW-Access Configuration
!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101 200 to 201
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 200
 port trunk allow-pass vlan 200 to 201
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101 200 to 201
#
interface NULL0
#
return

7.5 Quiz
The same security policy is configured during roaming verification. If different security policies are configured before and after roaming, can STAs roam successfully?
Answer:
If two roaming APs are configured with different security policies, STAs do not trigger roaming.

8 RRM Lab
8.1 Introduction
8.1.1 About This Lab
This lab provides instructions on the radio resource management (RRM) configuration, helping you master the deployment and configuration of RRM technologies.

8.1.2 Objectives
⚫ Understand how to configure WLAN radio calibration.
⚫ Understand how to configure WLAN band steering.
⚫ Understand how to configure WLAN load balancing.
⚫ Understand how to configure CAC for WLAN users.

8.1.3 Networking Topology

Figure 8-1 RRM networking topology

8.1.4 Lab Planning

Table 8-1 VLAN planning

| Device | Port | Port Type | VLAN Settings |
|---|---|---|---|
| SW-Core | MultiGE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101 |
| SW-Core | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101 |
| SW-Access | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101 |
| SW-Access | MultiGE0/0/1 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101 |
| SW-Access | MultiGE0/0/2 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101 |
| SW-Access | MultiGE0/0/3 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101 |
| WAC1 | GE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101 |

Table 8-2 IP address planning

| Device | Port | IP Address |
|---|---|---|
| SW-Core | VLANIF100 | 10.23.100.254/24 |
| SW-Core | VLANIF101 | 10.23.101.254/24 |
| WAC1 | VLANIF100 | 10.23.100.1/24 |

Table 8-3 WLAN service parameter planning

| WLAN Service | Parameter |
|---|---|
| Forwarding mode | Direct forwarding |
| Management VLAN | 100 |
| Service VLAN | 101 |
| AP group | ap-group1 |
| VAP profile | wlan-net |
| Security profile | wlan-net |
| Security policy | WPA/WPA2+PSK+AES |
| Password | a12345678 |
| SSID profile | wlan-net |
| SSID | wlan-net |

8.2 Lab Configuration

8.2.1 Configuration Roadmap

1. Configure basic network connectivity to ensure Layer 2 and Layer 3 communication between devices.
2. Configure AP onboarding.
3. Configure WLAN services.
4. Configure the automatic calibration range for channels and frequencies.
5. Configure the band steering function.
6. Configure the load balancing function.
7. Configure the user CAC function.

8.2.2 Configuration Procedure

Step 1 Configure the basic network, AP onboarding, and WLAN services.

# For details, see Step 1 to Step 5 in section 1.2.2 "Configuration Procedure."

Step 2 Configure radio calibration.

# Set the radio calibration mode to auto and the default calibration interval to 1440 minutes.
[WAC1-wlan-view] calibrate enable auto

# Enable the global Dynamic Frequency Assignment (DFA) function and set the redundant radio processing mode to auto-switch.
[WAC1-wlan-view] calibrate flexible-radio auto-switch

# Enable the Dynamic Channel Assignment (DCA) and Transmit Power Control (TPC) functions on the 2.4 GHz frequency band.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 0
[WAC1-wlan-group-radio-ap-group1/0] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select enable
[WAC1-wlan-group-radio-ap-group1/0] quit

# Enable the DCA, TPC, and Dynamic Bandwidth Selection (DBS) functions on the 5 GHz frequency band. (The DBS function takes effect only on 5 GHz radios.)
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] calibrate auto-channel-select enable
[WAC1-wlan-group-radio-ap-group1/1] calibrate auto-txpower-select enable
[WAC1-wlan-group-radio-ap-group1/1] calibrate auto-bandwidth-select enable
[WAC1-wlan-group-radio-ap-group1/1] quit

# Manually trigger radio calibration.
[WAC1-wlan-view] calibrate manual startup
Warning: The operation may cause business interruption, continue? [y/n]: y

Step 3 Configure band steering.

# Enable band steering for a VAP. (By default, this function is enabled.)
[WAC1-wlan-view] vap-profile name wlan-net
[WAC1-wlan-vap-prof-wlan-net] undo band-steer disable
[WAC1-wlan-vap-prof-wlan-net] quit

# Create an RRM profile and configure band steering parameters. Set the start threshold for the number of access STAs to 90, the percentage threshold for access STAs on 5 GHz radios to 80%, and the start SNR threshold for 5G-prior access to 18 dB.
[WAC1-wlan-view] rrm-profile name wlan-rrm
[WAC1-wlan-rrm-prof-wlan-rrm] band-steer balance start-threshold 90
[WAC1-wlan-rrm-prof-wlan-rrm] band-steer balance gap-threshold 80
[WAC1-wlan-rrm-prof-wlan-rrm] band-steer snr-threshold 18
[WAC1-wlan-rrm-prof-wlan-rrm] quit

# Create radio profiles and bind the RRM profile to the radio profiles, and enable interference detection.
[WAC1-wlan-view] radio-2g-profile name wlan-2g
[WAC1-wlan-radio-2g-prof-wlan-2g] rrm-profile wlan-rrm
[WAC1-wlan-radio-2g-prof-wlan-2g] interference detect-enable
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-radio-2g-prof-wlan-2g] quit
[WAC1-wlan-view] radio-5g-profile name wlan-5g
[WAC1-wlan-radio-5g-prof-wlan-5g] rrm-profile wlan-rrm
[WAC1-wlan-radio-5g-prof-wlan-5g] interference detect-enable
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-radio-5g-prof-wlan-5g] quit

# Bind the 2.4 GHz radio profile wlan-2g to radio 0 in the AP group and bind the 5 GHz radio profile wlan-5g to radio 1 in the AP group.
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio-2g-profile wlan-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-ap-group-ap-group1] radio-5g-profile wlan-5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-ap-group-ap-group1] quit

Step 4 Configure load balancing.

# Configure dynamic load balancing based on the number of STAs. Set the start threshold for the number of access STAs to 12, the RSSI difference threshold to 5, and the RSSI threshold of members in a dynamic load balancing group to –63 dBm.
[WAC1-wlan-view] rrm-profile name wlan-rrm
[WAC1-wlan-rrm-prof-wlan-rrm] undo sta-load-balance dynamic disable
[WAC1-wlan-rrm-prof-wlan-rrm] sta-load-balance dynamic sta-number start-threshold 12
[WAC1-wlan-rrm-prof-wlan-rrm] sta-load-balance dynamic sta-number gap-threshold number 5
[WAC1-wlan-rrm-prof-wlan-rrm] sta-load-balance dynamic rssi-threshold -63
[WAC1-wlan-rrm-prof-wlan-rrm] quit

Step 5 Configure the user CAC function.

# Configure the user CAC function. Enable CAC based on the number of users and set the access and roaming thresholds to 40. Enable the function of forbidding access from weak-signal STAs and set the SNR threshold to 13 dB.
# Enable automatic SSID hiding when the number of access STAs reaches the threshold.
[WAC1-wlan-view] rrm-profile name wlan-rrm
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-number enable
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-number threshold access 40 roam 40
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-snr enable
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-rrm-prof-wlan-rrm] uac client-snr threshold 13
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-rrm-prof-wlan-rrm] uac reach-access-threshold hide-ssid
[WAC1-wlan-rrm-prof-wlan-rrm] quit
[WAC1-wlan-view] quit

8.3 Verification

8.3.1 Checking RRM Profile Information

# Check the RRM profile configuration on WAC1.
[WAC1] display rrm-profile name wlan-rrm
--------------------------------------------------------------------
Retransmission rate threshold for trigger channel/power select(%) : 60
Noise-floor threshold for trigger channel/power select(dBm) : -75
Calibrate tpc threshold(dBm): : -60
Maximum 2.4G calibration TX power(dBm) : 127
Maximum 5G calibration TX power(dBm) : 127
Maximum 6G calibration TX power(dBm) : 127
Minimum 2.4G calibration TX power(dBm) : 9
Minimum 5G calibration TX power(dBm) : 12
Minimum 6G calibration TX power(dBm) : 12
Calibrate retransmission rate check interval(min) : 1
Calibrate retransmission rate check traffic threshold(kbps) : 1250
Calibrate grouping interference threshold(dBm) : -127
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : disable
Dynamic EDCA be-service threshold : 6
UAC check client's SNR : enable
UAC client's SNR threshold(dB) : 13
UAC check client number : enable
UAC client number access threshold : 40
UAC client number roam threshold : 40
Action upon reaching the UAC threshold : SSID hide
Band steer deny threshold : 0
Band steer SNR threshold(dB) : 18
Band balance start threshold : 90
Band balance gap threshold(%) : 80
Client's band expire based on continuous probe counts : 35
Station load balance : enable
Station load balance mode : sta-number
Station load balance RSSI threshold(dBm) : -63
Station load balance RSSI-diff-gap threshold(dBm) : 5
Station load balance sta-number start threshold : 12
Station load balance sta-number gap threshold(percentage) :
Station load balance sta-number gap threshold(number) : 5
Station load balance deauth fail times : 0
Station load balance BTM fail times : 5
Station load balance steer-restrict restrict time(s) : 5
Station load balance steer-restrict probe threshold : 5
Station load balance steer-restrict auth threshold : 0
Station load balance probe-report interval(s) : 120
BSS color switch : enable
Spatial reuse switch : enable
Smart-roam : enable
Smart-roam AI mode : enable
Smart-roam quick kickoff : enable
Smart-roam check SNR : enable
Smart-roam quick kickoff check SNR : enable
Smart-roam check rate : disable
Smart-roam quick kickoff check rate : disable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 10
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(min) : 30
Smart-roam quick-kickoff SNR check interval(ms) : 500
Smart-roam quick-kickoff SNR P-N observe time : 6
Smart-roam quick-kickoff SNR P-N qualify time : 4
Smart-roam advanced scan : enable
Smart-roam quick-kickoff back off time : 60
AMC policy : auto-balance
High density AMC optimize : disable
Antenna-mode : auto
SFN roam check high threshold(dBm) : -55
SFN roam check low threshold(dBm) : -60
SFN roam check interval(ms) : 700
SFN roam report interval(ms) : 400
SFN roam check rssi-accumulate threshold(dB) : 8
SFN roam check sta-holding times : 3
SFN roam check gap-rssi(dB) : 6
SFN roam check better-times : 2
DFS smart select : enable
DFS recover delay time(min) : 0
Multimedia air optimize
  Switch : enable
  Voice threshold : 30
  Video threshold : 100
  Voice downlink-slice-ratio : medium
  Video downlink-slice-ratio : medium
  Voice downlink-delay-guarantee : medium
  Video downlink-delay-guarantee : medium
Congestion-control tcp-window-tuning switch : enable
Rate limit dynamic interval : 5
Rate limit dynamic threshold : 80
CO-SR : enable
Wlan-slice high-reliability
  Switch : disable
  rtt : 20
  time-ratio : 80
  FRER-enhance : disable
--------------------------------------------------------------------

8.3.2 Checking the 2.4 GHz Radio Profile Configuration

# Check the 2.4 GHz radio profile configuration on WAC1.
[WAC1] display radio-2g-profile name wlan-2g
--------------------------------------------------------------------
Radio type : 802.11ax
Power auto adjust : disable
Beacon interval(TUs) : 100
Beamforming switch : disable
Support short preamble : support
Fragmentation threshold(Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : short
802.11ax Guard interval mode : dot8
A-MPDU switch : enable
HT A-MPDU length limit : 3
A-MSDU switch : auto
RTS-CTS-mode : rts-cts
RTS-CTS-threshold : 1400
802.11bg basic rate : 12
802.11bg support rate : 1 2 5 6 9 11 12 18 24 36 48 54
Multicast rate 2.4G : auto adapt
Interference detect switch : enable
Co-channel frequency interference threshold(%) : 50
Adjacent-channel frequency interference threshold(%) : 50
Station interference threshold : 32
WMM switch : enable
Mandatory switch : disable
Auto-off start time :
Auto-off end time :
Auto-off time-range :
Wifi-light mode : signal-strength
Utmost power switch : auto
Rrm-profile : wlan-rrm
Air-scan-profile : default
Smart-antenna : default
Agile-antenna-polarization : disable
CCA threshold(dBm) :
RX sensitivity(dBm) : -128
AGC high threshold(dBm) :
High PER threshold(%) : 80
Low PER threshold(%) : 20
Training interval(s) : auto
Training mpdu num : 640
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval(TUs): 60
VIP user bandwidth reservation ratio (%) : 20
--------------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
       ECWmax  ECWmin  AIFSN  TXOPLimit(32us)  Ack-Policy
AC_VO  3       2       1      47               normal
AC_VI  4       3       1      94               normal
AC_BE  6       4       3      0                normal
AC_BK  10      4       7      0                normal
------------------------------------------------------------

8.3.3 Checking the 5 GHz Radio Profile Configuration

# Check the 5 GHz radio profile configuration on WAC1.
[WAC1] display radio-5g-profile name wlan-5g
--------------------------------------------------------------------
Radio type : 802.11ax
Power auto adjust : disable
Beacon interval(TUs) : 100
Beamforming switch : disable
Fragmentation threshold(Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : short
802.11ax guard interval mode : dot8
A-MPDU switch : enable
HT A-MPDU length limit : 3
VHT A-MPDU length limit : 7
A-MSDU switch : auto
VHT A-MSDU Max frame number : 2
RTS-CTS-mode : RTS-CTS
RTS-CTS-threshold : 1400
802.11a basic rate : 6 12 24
802.11a support rate : 6 9 12 18 24 36 48 54
Multicast rate 5G : auto adapt
VHT mcs : 99999999
Interference detect switch : enable
Co-channel frequency interference threshold(%) : 50
Adjacent-channel frequency interference threshold(%) : 50
Station interference threshold : 32
WMM switch : enable
Mandatory switch : disable
Auto-off start time :
Auto-off end time :
Auto-off time-range :
WiFi-light mode : signal-strength
Utmost power switch : auto
Rrm-profile : wlan-rrm
Air-scan-profile : default
Smart-antenna : default
Agile-antenna-polarization : disable
CCA threshold(dBm) :
RX sensitivity(dBm) : -128
AGC high threshold(dBm) :
High PER threshold(%) : 80
Low PER threshold(%) : 20
Training interval(s) : auto
Training mpdu num : 640
Throughput trigger training threshold (%) : 10
Autonavigation roam optimize beacon interval(TUs): 60
VIP user bandwidth reservation ratio (%) : 20
--------------------------------------------------------------------
AP EDCA parameters:
------------------------------------------------------------
       ECWmax  ECWmin  AIFSN  TXOPLimit(32us)  Ack-Policy
AC_VO  3       2       1      47               normal
AC_VI  4       3       1      94               normal
AC_BE  6       4       3      0                normal
AC_BK  10      4       7      0                normal
------------------------------------------------------------

8.3.4 Checking the Radio Status

# Check the current radio status on WAC1, especially the channel utilization.
[WAC1] display radio all
Info: This operation may take a few seconds. Please wait for a moment.done.
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
WM:Working mode (normal/monitor/monitor dual-band-scan/monitor proxy dual-band-scan)
----------------------------------------------------------------------------------------------
AP ID  Name  RfID  Band  Type  ST  CH/BW    CE/ME  STA  CU   WM
----------------------------------------------------------------------------------------------
0      AP1   0     2.4G  11ax  on  6/20M    9/29   2    57%  normal
0      AP1   1     5G    11ax  on  56/20M   12/34  0    0%   normal
1      AP2   0     2.4G  11ax  on  11/20M   9/29   0    69%  normal
1      AP2   1     5G    11ax  on  60/40M+  12/34  0    0%   normal
2      AP3   0     2.4G  11ax  on  1/20M    9/29   0    97%  normal
2      AP3   1     5G    11ax  on  153/20M  12/34  0    1%   normal
----------------------------------------------------------------------------------------------
Total:6

8.4 Reference Configuration

8.4.1 WAC1 Configuration

Software Version V200R021C00SPC100
#
sysname WAC1
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
#
capwap source interface vlanif100
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#R=+I57EMP>bFKr35X0^<,+3nJW$Op9vERA&pLnIQ%^%#
capwap dtls inter-controller psk %^%#AgB^DVxu6@WhSA>j\UA=vTE0H&`GaOmns<<Y~Y-"%^%#
capwap dtls no-auth enable
#
wlan
 calibrate flexible-radio auto-switch
 temporary-management psk %^%#A0jK$oAoNG5=j>6-NcL56%e2U4\G29J@z'/-:)]Q%^%#
 ap username admin password cipher %^%#U-k!~ucm:N'r~*SdQMQ3_EKpH7(s_D$O6g,NxwL$%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#H95ZT,~zPB3w;;VuULcRf#$]+cnEVPT02SMi_qo=%^%# aes
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 rrm-profile name wlan-rrm
  uac reach-access-threshold hide-ssid
  band-steer balance gap-threshold 80
  uac client-snr enable
  uac client-snr threshold 13
  uac client-number enable
  uac client-number threshold access 40 roam 40
  band-steer balance start-threshold 90
  sta-load-balance dynamic rssi-threshold -63
  sta-load-balance dynamic sta-number start-threshold 12
  sta-load-balance dynamic sta-number gap-threshold number 5
  band-steer snr-threshold 18
 radio-2g-profile name default
 radio-2g-profile name wlan-2g
  interference detect-enable
  rrm-profile wlan-rrm
 radio-5g-profile name default
 radio-5g-profile name wlan-5g
  interference detect-enable
  rrm-profile wlan-rrm
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 tunnel-ap-group name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 mobility-group name mob1
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
 ap-group name default
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile wlan-2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-5g
   vap-profile wlan-net wlan 1
   calibrate auto-bandwidth-select enable
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
#
return

8.4.2 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

8.4.3 SW-Access Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

8.5 Quiz

In a radio calibration solution, the 2.4 GHz calibration channel set contains channels 1, 6, and 11 by default. Why are these channels selected in the 2.4 GHz calibration channel set?

Answer: Channels 1, 6, and 11 are non-overlapping channels on the 2.4 GHz frequency band, which can avoid signal interference.
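
The check in section 8.3.1 (read the display output and confirm that the thresholds from Steps 3 to 5 took effect) can be scripted so that later drift in the RRM profile is caught. The Python below is an added example, not part of the lab guide or of any Huawei tool; the function names and the EXPECTED table are assumptions made for the example, SAMPLE_OK is an excerpt of the 8.3.1 listing with line breaks restored, and SAMPLE_DRIFT is constructed.

```python
"""Compare 'display rrm-profile' output with the values the lab intends."""

# Intended settings from Steps 3-5 of section 8.2.2, keyed by the labels that
# the display command prints in section 8.3.1.
EXPECTED = {
    "UAC check client's SNR": "enable",
    "UAC client's SNR threshold(dB)": "13",
    "UAC check client number": "enable",
    "UAC client number access threshold": "40",
    "UAC client number roam threshold": "40",
    "Action upon reaching the UAC threshold": "SSID hide",
    "Band steer SNR threshold(dB)": "18",
    "Band balance start threshold": "90",
    "Band balance gap threshold(%)": "80",
    "Station load balance": "enable",
    "Station load balance mode": "sta-number",
    "Station load balance RSSI threshold(dBm)": "-63",
    "Station load balance sta-number start threshold": "12",
    "Station load balance sta-number gap threshold(number)": "5",
}

# Excerpt of the 8.3.1 listing. Spacing around the colon varies (" : 13",
# " :5", "(dBm): : -60"), as it can in captured CLI output.
SAMPLE_OK = """\
[WAC1] display rrm-profile name wlan-rrm
--------------------------------------------------------------------
Calibrate tpc threshold(dBm):                          : -60
UAC check client's SNR                                 : enable
UAC client's SNR threshold(dB)                         : 13
UAC check client number                                : enable
UAC client number access threshold                     : 40
UAC client number roam threshold                       : 40
Action upon reaching the UAC threshold                 : SSID hide
Band steer deny threshold                              :0
Band steer SNR threshold(dB)                           : 18
Band balance start threshold                           : 90
Band balance gap threshold(%)                          : 80
Station load balance                                   : enable
Station load balance mode                              : sta-number
Station load balance RSSI threshold(dBm)               : -63
Station load balance RSSI-diff-gap threshold(dBm)      :5
Station load balance sta-number start threshold        : 12
Station load balance sta-number gap threshold(number)  :5
--------------------------------------------------------------------
"""


def _norm(label):
    """Collapse whitespace, drop a stray trailing colon, and case-fold."""
    return " ".join(label.split()).rstrip(": ").casefold()


def parse_display(text):
    """Turn 'Label : value' lines into a dict; skip prompts and rulers."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith(("[", "<")):
            continue
        # The value follows the LAST colon: some labels end in one themselves.
        label, sep, value = line.rpartition(":")
        if sep and label.strip():
            fields[_norm(label)] = value.strip()
    return fields


def audit(text, expected=EXPECTED):
    """Return (label, expected, actual) per mismatch; actual is None if absent."""
    seen = parse_display(text)
    findings = []
    for label, want in expected.items():
        got = seen.get(_norm(label))
        if got is None or got.casefold() != want.casefold():
            findings.append((label, want, got))
    return findings


def _drift(sample):
    """Build a constructed 'drifted' capture: one field flipped, one missing."""
    out = []
    for line in sample.splitlines():
        if line.startswith("Band steer SNR threshold"):
            continue
        if line.startswith("UAC check client number"):
            line = line.replace("enable", "disable")
        out.append(line)
    return "\n".join(out)


SAMPLE_DRIFT = _drift(SAMPLE_OK)

if __name__ == "__main__":
    for name, capture in (("as configured", SAMPLE_OK), ("drifted", SAMPLE_DRIFT)):
        problems = audit(capture)
        print(name, "->", "OK" if not problems else problems)
```

A field that is absent from the capture is reported with an actual value of None, which separates a truncated capture from a changed setting.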

9 Indoor WLAN Planning Lab

9.1 Introduction

9.1.1 About This Lab

This lab uses the WLAN Planner to plan and design WLANs for indoor scenarios to meet customers' wireless requirements.

9.1.2 Objectives

⚫ Understand the indoor WLAN planning process.
⚫ Master the basic operations of the WLAN Planner.

9.1.3 Lab Scenarios

A company plans to build a WLAN in the indoor office area. Figure 9-1 shows the floor plan of the area in this project. You need to design and plan an indoor WLAN for the company to ensure that the WLAN covers all areas required by the customer and meets the mobile office requirements of employees and Internet access requirements of guests.

Figure 9-1 Building floor plan for indoor WLAN planning

9.1.4 Preparations

Preparation for WLAN planning consists of requirements collection and site survey.

9.1.4.1 Requirement Collection

Requirements collection is the first step for WLAN planning. Communicate with the customer to collect complete and comprehensive project and requirement information to prevent redesign work due to insufficient information collected. The information to be obtained during this phase includes basic requirements, service requirements, and installation requirements. The information collection result is listed in the following table.

Table 9-1 Basic requirements collection checklist

| Requirement Type | Collection Result |
|---|---|
| Laws and regulations | Country code: CN |
| Floor plan | JPG drawing with scale information (building length: 45 m) |
| Coverage mode | Indoor settled |

Table 9-2 Service requirements collection checklist

| Requirement Type | Collection Result |
|---|---|
| Coverage area | Key coverage areas: Open office areas, offices, meeting rooms, and manager's office. Common coverage area: Corridor. Areas that do not need to be covered: staircases, restrooms, ELV room, and storage room |
| Field strength | Key coverage areas: ≥ –65 dBm. Common coverage areas: ≥ –70 dBm |
| Number of access STAs | Open office area: 40 cubicles in each open office area, with two STAs per cubicle. Conference room: 30 persons at most, each with 1 STA. Meeting room: 8 persons at most, each with 1 STA. Reception room: 12 persons at most, each with 2 STAs. Office and manager's office: 1 person, with no more than 5 STAs |
| Terminal type | Laptop, mobile phone, and tablet |
| Bandwidth | Open office area: 4 Mbps, with a concurrency rate of 100%. Meeting room: 8 Mbps, with a concurrency rate of 100%. Reception room: 16 Mbps, with a concurrency rate of 80%. Office and manager's office: 16 Mbps, with a concurrency rate of 100% |

Table 9-3 Installation requirements collection checklist

| Requirement Type | Collection Result |
|---|---|
| Power supply mode | Power supply by a PoE switch |
| Switch location | ELV room in the lower left corner of the floor plan |
| Special requirements | No special requirements |

9.1.4.2 Site Survey

A site survey is conducted to obtain site environment information, such as interference sources, signal attenuation caused by obstacles, floor height, new obstacles, and ELV room locations. Determine AP models, installation positions and modes, and power supply and cabling design based on the construction drawings.

Table 9-4 Survey result

| Site Survey Item | Survey Result |
|---|---|
| Determining drawing information | The onsite building information is consistent with that on the floor plan provided by the customer. The floor height is 2.6 m. |
| Building materials and signal attenuation | Internal buildings: Tables and chairs are at normal heights and have little interference to signals, which can be ignored. Outer wall: 240 mm concrete. Interior walls of conference rooms, offices, and reception room: 240 mm thickened brick walls. Walls of the break room, printing room, and reception desk: 12 mm thickened glass |
| Determining interference sources | There is no interference source in the WLAN coverage area. |
| Cabling rules | Network cables between switches and APs are routed above the ceiling. Hidden cabling is required, and hole drilling is allowed. |
| Switch location | ELV room or storage room |
| Installation admission | Approved |

9.2 Lab Configuration

9.2.1 Configuration Roadmap

1. Analyze requirements based on the existing information.
2. Select devices based on requirements and calculate the number of APs.
3. Log in to the WLAN Planner and import the building floor plan.
4. Set the environment and draw obstacles.
5. Deploy APs.
6. Adjust AP parameters and antenna angles.
7. Lay out switches and cables.
8. Perform signal simulation.
9. Adjust the AP positions and repeatedly perform signal simulation until the signal coverage is complete.
10. Export the WLAN planning report.

9.2.2 Configuration Procedure

Step 1 Analyze requirements.

Based on the requirements collection and site survey, the following parameters are obtained.

Table 9-5 WLAN planning requirements analysis

| Requirement Type | Analysis Result |
|---|---|
| Country Code | CN |
| Floor plan | JPG drawing with scale information (building length: 45 m) |
| Coverage mode | Indoor settled |
| Bandwidth | Open office area: 160 STAs, 4 Mbps per-STA bandwidth requirement, and concurrency rate of 100%. Conference room: 30 STAs, 8 Mbps per-STA bandwidth, concurrency rate of 100%. Meeting room: 8 STAs, 8 Mbps per-STA bandwidth, concurrency rate of 100%. Meeting room: 24 STAs, 16 Mbps per-STA bandwidth, concurrency rate of 80%. Office and manager's office: 5 STAs; 16 Mbps per-STA bandwidth, concurrency rate of 100% |
| Coverage area | Only one floor needs to be covered by the WLAN. Key coverage areas: One reception room, two open office areas, three meeting rooms, and three offices. Common coverage area: Corridor |
| Field strength | Key coverage areas: ≥ –65 dBm. Common coverage areas: ≥ –70 dBm. Leakage field strength: no requirement |
| Terminal type | Laptop, mobile phone, and tablet that support 2x2 MIMO and 40 MHz frequency bandwidth @ 5 GHz |
| Power supply mode | Power supply by a PoE switch |
| Installation mode | Ceiling mounting |
| Switch location | ELV room, meeting the PoE power supply distance requirement |
| Acceptance items and criteria | No special requirements |

Step 2 Select devices and calculate the number of APs.

Calculate the number of APs required in each area based on the proportions of services in indoor scenarios and single-AP concurrency specifications.

Table 9-6 Proportions of services in indoor scenarios

The Excellent and Good columns give the single-service baseline rate (Mbps); the four area columns give the proportion of services in indoor scenarios.

| Service Type | Excellent | Good | Open Office Area | Meeting Room | Single-Person Office | Reception Room |
|---|---|---|---|---|---|---|
| 4K video | 50 | 30 | 0% | 2% | 15% | 10% |
| 1080p video | 16 | 12 | 0% | 8% | 15% | 10% |
| 720p video | 8 | 4 | 0% | 7% | 15% | 10% |
| E-whiteboard (wireless projection) | 32 | 16 | 0% | 0% | 0% | 10% |
| Email | 32 | 16 | 6% | 8% | 10% | 10% |
| Web browsing | 8 | 4 | 21% | 30% | 20% | 30% |
| Gaming | 2 | 1 | 8% | 5% | 10% | 0% |
| Instant messaging | 0.512 | 0.256 | 35% | 20% | 10% | 10% |
| VoIP (voice) | 0.256 | 0.128 | 30% | 30% | 5% | 10% |
| Average Single-User Bandwidth (Mbps) | Excellent | — | 4 | 8 | 16 | 16 |

Table 9-7 Single-AP concurrency specifications

Maximum Number of Concurrent STAs Supported by a Wi-Fi 6 AP at Different Bandwidths (20 MHz @ 2.4 GHz, 40 MHz @ 5 GHz, Wi-Fi 6 and Dual Spatial Streams Supported by All STAs)

| No. | Access Bandwidth | Single Radio (5 GHz): Maximum Number of Concurrent STAs | Dual Radios (5 GHz): Maximum Number of Concurrent STAs | Three Radios (2.4 GHz + 5 GHz-1 + 5 GHz-2): Maximum Number of Concurrent STAs |
|---|---|---|---|---|
| 1 | 2 Mbps | 56 | 85 | 141 |
| 2 | 4 Mbps | 39 | 56 | 95 |
| 3 | 6 Mbps | 27 | 38 | 65 |
| 4 | 8 Mbps | 21 | 30 | 51 |
| 5 | 16 Mbps | 12 | 18 | 30 |

Calculate the maximum number of concurrent STAs in each coverage area based on the collected information. The calculation process is as follows:

There are 40 cubicles in each open office area, with two STAs at each cubicle and a concurrency rate of 100%. Therefore, the total number of STAs in the open office area is: 160 = 40 x 2 x 2 x 100%.

There are a total of 30 seats in a conference room, with one STA at each seat and a concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the conference room is: 30 = 30 x 1 x 100%.

There are a total of 8 seats in each meeting room, with one STA at each seat and a concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the meeting room is: 8 = 8 x 1 x 100%.

There are a total of 12 seats in the reception room, with two STAs at each seat and a concurrency rate of 80%. Therefore, the maximum number of concurrent STAs in the reception room is around: 19 = 12 x 2 x 80%.

Each user in an office has five STAs, with a concurrency rate of 100%. Therefore, the maximum number of concurrent STAs in the office is: 5 = 1 x 5 x 100%.

Calculate the number of APs required in each coverage area based on the single-AP concurrency specifications. The calculation formula is as follows:

Number of APs = Maximum number of concurrent STAs / Maximum number of concurrent STAs on a single AP radio to meet the user access bandwidth

The calculation process is as follows:

In the open office area, the bandwidth requirement is 4 Mbps, and a dual-radio AP supports a maximum of 56 concurrent STAs. In this case, the number of required APs is 2 (160/56 ≈ 2).

In a conference room, the bandwidth requirement is 8 Mbps, and a dual-radio AP supports a maximum of 30 concurrent STAs. In this case, the number of required APs is 1 (30/30 = 1).

In a meeting room, the bandwidth requirement is 8 Mbps, and a dual-radio AP supports a maximum of 30 concurrent STAs. In this case, the number of required APs is 1 (8/30 ≈ 1).

In the reception room, the bandwidth requirement is 16 Mbps, and a dual-radio AP supports a maximum of 18 concurrent STAs. In this case, the number of required APs is 1 (19/18 ≈ 1).

In the single-person office room, the bandwidth requirement is 16 Mbps, and a dual-radio AP supports a maximum of 18 concurrent STAs. In this case, the number of required APs is 1 (5/18 ≈ 1).

Step 3 Log in to the WLAN Planner platform and create a project.

The WLAN Planner is available on the ServiceTurbo Cloud platform, and all users can apply for the tool. The link is as follows:
https://sg.serviceturbo-cloud.huawei.com/serviceturbocloud/en/tool/tool-details-extraneto3?id=GT2021113005&lang=en_US

# Click Running.
# Read the security management regulations on customer network data and click Confirm.

# Enter project information based on the site requirements, select I have read and agree to the Terms of Use, and click OK.

Step 4 Create a floor and import a floor plan.

# Create a floor and import the floor plan. In the Create dialog box that is displayed, set Type to Indoor, enter the name, and click Select File to import the corresponding floor plan.

# Select a WLAN scenario. For this project, select Office and click OK.

# Select the floor plan file and click OK.

Step 5 Set the environment parameters.

Set the environment and regions based on the customer requirements collection checklists and site survey information.

# Set the scale.

# The floor plan width is 45 m. Select any position on the floor plan and set the scale length to 45 m from left to right.

# Draw obstacles. Draw frames using insulation boundaries, indoor walls using 240 mm thickened brick walls, and the break room, reception desk, and print room using 12 mm thickened glass. The following figure shows the final effect.

Step 6 Set regions.

Select key coverage areas and common coverage areas based on customer requirements, as shown in the following figure.

Set key coverage areas.

# Set the same parameters for the two open office areas.

# Set region parameters for the conference room (assuming 30 STAs) and meeting rooms (each assuming 8 STAs). The platform does not have 8 Mbit/s terminal bandwidth requirements. To meet user requirements, select 10 Mbit/s terminal bandwidth requirements.

# Set region parameters for the reception room.

# Set region parameters for the single-person office.

Set common coverage areas.

# Set region parameters for the corridor.
Check the regions after the basic properties are set.

Step 7 Deploy APs and adjust AP parameters.

# You can manually deploy APs one by one or configure automatic deployment and then manually adjust the number and positions of APs.

# Select the required AP model. This project uses the AirEngine 5760-51. (If there is no AP model required by the project, click Choose Other AP Model to search for it.)

# Set channel parameters.

# The following figure shows the automatic deployment effect.

# After the number and positions of APs are manually adjusted, the final effect is as shown.

Adjust AP parameters.

# Right-click an AP in the activity area and choose Property from the shortcut menu. (You can drag-select all APs and right-click them for the setting.) The AP Attributes page is displayed.

# Because the customer requires APs to be mounted on the ceiling, retain the default installation mode of T-rail, height of 2.6 m, working mode of dual-radio mode, and other parameters. Set the attributes of APs in other areas in the same way.

Step 8 Deploy switches.

# Select a switch model. This project uses the S5731-S24P4X switch.

# Deploy a switch in the ELV room in the lower left corner on the floor plan.

Step 9 Route cables.

Cables can be routed above the ceilings to directly connect APs and switches.

Step 10 Simulate signals.

Check the signal RSSI in key coverage areas (≥ –65 dBm). If an area has no color covered, the RSSI is lower than –65 dBm.

# Set the signal strength in the simulation diagram to –65 dBm and click Open simulation.

# In this project, you only need to pay attention to the signal coverage in open office areas, offices, meeting rooms, and reception room.

Check the signal RSSI in common coverage areas (≥ –70 dBm).
If an area has no color covered, the RSSI is lower than –70 dBm.

# Adjust the signal strength in the simulation diagram to –70 dBm.

# In this project, you only need to pay attention to the signal coverage in the corridor.

If the signal coverage is poor, adjust the number and positions of APs repeatedly to ensure normal signal simulation.

Check the coverage satisfaction degree to determine whether there are areas with poor signal coverage. The signal coverage in most areas is good.

Step 11 Export the WLAN planning report.

Before exporting the report, you can check the WLAN planning.

# Check whether there is any problem. If there is any warning item, confirm it. If there is no problem, export the WLAN planning report.

# Export the report and save it to the local PC.

# Display the saved WLAN planning report.

9.3 Quiz

1. What information needs to be confirmed during requirements collection in the early phase of WLAN planning and design?

Answer:
1. Laws and regulations: EIRP restrictions and available channels
2. Drawing information: drawing completeness
3. Coverage areas: key coverage areas, common coverage areas, and areas that do not need to be covered
4. Field strength: signal strength requirements
5. Number of access STAs: total number of access STAs in a coverage area
6. Terminal types
7. Bandwidth requirements
8. Wall types: Estimate the signal attenuation values of walls and determine whether signals can penetrate the walls.
9. Power supply mode
10. Switch location
11. Special requirements such as positioning and IoT

2. An open office area has 120 cubicles, each of which involves two STAs with a concurrency rate of 70%. In this case, how many APs need to be deployed to meet the 4 Mbps bandwidth requirement for each STA?
Answer:
Number of access STAs: 120 x 2 = 240
Number of concurrent STAs: 240 x 70% = 168
Based on the single-AP concurrency specifications in this lab, the number of required APs is calculated as follows: 168/56 = 3.

10 Outdoor WLAN Planning Lab

10.1 Introduction

10.1.1 About This Lab

This lab uses the WLAN Planner to plan and design WLANs for outdoor scenarios to meet customers' wireless requirements.

10.1.2 Objectives

⚫ Understand the outdoor WLAN planning process.
⚫ Master the basic operations of the WLAN Planner.

10.1.3 Lab Scenarios

A pedestrian street has an open square and plans to increase customer flows by deploying a free outdoor WLAN.

Figure 10-1 Plan of the pedestrian square

10.1.4 Preparations

Preparation for WLAN planning consists of requirements collection and site survey.

10.1.4.1 Requirements Collection

Requirements collection is the first step for WLAN planning. Communicate with the customer to collect complete and comprehensive project and requirement information to prevent redesign work due to insufficient information collected.

The information to be obtained during this phase includes basic requirements, service requirements, and installation requirements. The information collection result is listed in the following table.
Table 10-1 Basic requirements collection checklist

Requirement Type | Collection Result
Laws and regulations | Country code: CN
Floor plan | JPG drawing with scale information (building length: 95 m)
Coverage mode | Outdoor installation

Table 10-2 Service requirements collection checklist

Requirement Type | Collection Result
Coverage area | Key coverage areas: pedestrian street and rest areas; Common coverage area: parking lot; Areas that do not need to be covered: store areas
Field strength | Key coverage areas: ≥ –65 dBm; Common coverage areas: ≥ –70 dBm
Number of access STAs | 300 persons during peak hours, one STA for each person
Terminal type | Mobile phone and tablet
Bandwidth | Bandwidth required by each user: 4 Mbps, with a concurrency rate of 60%

Table 10-3 Installation requirements collection checklist

Requirement Type | Collection Result
Power supply mode | Power supply by a PoE switch
Switch location | ELV room in the store area on the left
Special requirements | No special requirement

10.1.4.2 Site Survey

A site survey is conducted to obtain site environment information, such as interference sources, signal attenuation caused by obstacles, floor height, new obstacles, and ELV room locations. Determine AP models, installation positions and modes, and power supply and cabling design based on the construction drawings.

Table 10-4 Survey result

Site Survey Item | Survey result
Determining drawing information | The onsite building information is consistent with that on the floor plan provided by the customer. The store height is 5 m.
Building materials and signal attenuation | Outer walls of stores: 240 mm thickened brick walls; Partition walls of dining areas: 8 mm gypsum boards; The onsite green belts have a height of half a person, which have little interference to signals and can be ignored.
Determining interference sources | There is no interference source in the WLAN coverage area.
AP installation mode | Wall mounting for APs near stores; pole mounting for APs in the parking lots
Installation admission | Approved

10.2 Lab Configuration

10.2.1 Configuration Roadmap

1. Analyze requirements based on the existing information.
2. Select devices based on requirements and calculate the number of APs.
3. Log in to WLAN Planner and import the building floor plan.
4. Set the environment and draw obstacles.
5. Deploy APs.
6. Adjust AP parameters and antenna angles.
7. Simulate signals.
8. Adjust the AP positions and repeatedly perform signal simulation until the signal coverage is complete.
9. Export the WLAN planning report.

10.2.2 Configuration Procedure

Step 1 Requirements analysis

Based on the requirements collection and site survey, the following parameters are obtained.

Table 10-5 WLAN planning requirements analysis

Requirement Type | Analysis Result
Country Code | CN
Floor plan | JPG drawing with scale information (building length: 95 m)
Coverage mode | Outdoor installation
Bandwidth | Pedestrian street and rest areas (in peak hours): 300 STAs, 4 Mbps, 60% concurrency rate
Coverage area | Key coverage areas: pedestrian street and rest areas; Common coverage area: parking lot; Areas that do not need to be covered: store areas
Field strength | Key coverage areas: ≥ –65 dBm; Common coverage areas: ≥ –70 dBm; Leakage field strength: no requirement
Terminal type | Mobile phone and tablet that support 2x2 MIMO and 40 MHz frequency bandwidth @ 5 GHz
Power supply mode | Wall-mounted APs can be powered by PoE switches, and pole-mounted APs can be powered by PoE adapters.
Installation mode | Wall mounting or pole mounting
Switch location | Determine the installation position with the property management company based on the actual situation.
Acceptance items and criteria | No special requirements

Step 2 Select device models and calculate the number of APs.
Calculate the number of APs required in each area based on the proportions of services in outdoor scenarios and single-AP concurrency specifications.

Table 10-6 Proportions of services in outdoor scenarios

Service Type | Single-Service Baseline Rate, Excellent (Mbps) | Single-Service Baseline Rate, Good (Mbps) | Square | Street | Outdoor Parking Lot
Web browsing | 8 | 4 | 50% | 60% | 35%
Streaming media (1080p) | 16 | 12 | 10% | 10% | 20%
VoIP | 0.25 | 0.125 | 10% | 10% | 0%
Gaming | 2 | 1 | 10% | 0% | 30%
Instant messaging | 0.5 | 0.25 | 20% | 20% | 15%
Average Single-User Bandwidth (Mbps) — Excellent | | | 6 | 8 | 8

Table 10-7 Single-AP concurrency specifications

Maximum Number of Concurrent STAs Supported by a Wi-Fi 6 AP at Different Bandwidths (20 MHz @ 2.4 GHz, 40 MHz @ 5 GHz, Wi-Fi 6 and Dual Spatial Streams Supported by All STAs)

No. | Access Bandwidth | Single Radio (5 GHz) | Dual Radios (5 GHz) | Three Radios (2.4 GHz + 5 GHz-1 + 5 GHz-2)
1 | 2 Mbps | 56 | 85 | 141
2 | 4 Mbps | 39 | 56 | 95
3 | 6 Mbps | 27 | 38 | 65
4 | 8 Mbps | 21 | 30 | 51
5 | 16 Mbps | 12 | 18 | 30

Calculate the maximum number of concurrent STAs in each coverage area based on the collected information. The calculation process is as follows:

During peak hours in the pedestrian street, there are 300 people, with one STA per user and a concurrency rate of 60%. Therefore, the total number of terminals in the pedestrian street scenario is 180 (300 x 1 x 60%).

Calculate the number of APs required in each coverage area based on the single-AP concurrency specifications. The calculation formula is as follows: Maximum number of concurrent STAs/Maximum number of concurrent STAs on a single AP radio to meet the user access bandwidth. The calculation process is as follows:

In the pedestrian street, the bandwidth requirement is 4 Mbps, and the maximum number of concurrent STAs on a dual-radio AP is 56.
In this case, the number of required APs is 4 (180/56 ≈ 4).

Step 3 Log in to the WLAN Planner platform and create a project.

The WLAN Planner is available on the ServiceTurbo Cloud platform, and all users can apply for the tool. The link is as follows: https://serviceturbo-cloudcn.huawei.com/serviceturbocloud/#/toolsummary?entityId=d59de9ac-e4ef-409e-bbdceff3d0346b42

# Click Running.

# Read the security management regulations on customer network data and click Confirm.

# Enter project information based on the site requirements, select I have read and agree to the Terms of Use, and click OK.

Step 4 Add a region and import a floor plan.

# Add a region and import a floor plan. In the Create dialog box that is displayed, set Type to Outdoor, enter the area name, and click Select to select a scenario.

# Select a WLAN scenario. For this project, select Road/Walking Street and click Next.

# Select the floor plan file and click OK.

Step 5 Set up the environment.

Set the environment and regions based on the customer requirements collection checklists and site survey information.

# Set the scale.

# The floor plan width is 95 m. Select any position on the floor plan and set the scale length to 95 m from left to right.

# Drag-select a building area and set the obstacle height.

# After the environment is set, the effect is as follows.

Step 6 Deploy APs and adjust AP parameters.

In outdoor scenarios, skip the region setting step and directly go to the device deployment step. In outdoor scenarios, only manual AP deployment is supported.

# Select a proper AP model on the toolbar and manually deploy APs.

# In this project, the AirEngine 5761R-11 is used as the wall-mounted AP, and the AirEngine 5761R-11E is used as the pole-mounted AP. The following figure shows the manual deployment effect.

Adjust AP parameters.
# Right-click an AP in a store area and choose Property from the shortcut menu. (You can drag-select all APs and right-click them for the setting.) The AP Attributes page is displayed.

# Because the customer requires APs in these areas to be mounted on the walls, set the installation mode to Hanging and the height to 3 m, and retain default settings of other parameters. Set the downtilt of both 2.4 GHz and 5 GHz radios to 15 degrees. Set the attributes of APs in other areas in the same way.

# The APs in the parking lots are installed on poles. The AirEngine 5761R-11E model is used. Set the parameters as follows.

Step 7 Simulate signals.

Check the signal RSSI in key coverage areas (≥ –65 dBm). If an area has no color covered, the RSSI is lower than –65 dBm.

# Set the signal strength in the simulation diagram to –65 dBm and click Open simulation.

# In this project, you only need to pay attention to the signal coverage of the pedestrian street and rest areas.

Check the signal RSSI in common coverage areas (≥ –70 dBm). If an area has no color covered, the RSSI is lower than –70 dBm.

# Adjust the signal strength in the simulation diagram to –70 dBm.

# In this project, you only need to pay attention to the signal coverage in the parking lots.

If the signal coverage is poor, adjust the number and positions of APs repeatedly to ensure normal signal simulation.

Check the coverage satisfaction degree to determine whether there are areas with poor signal coverage. The signal coverage in most areas is good.

Step 8 Export the WLAN planning report.

Before exporting the report, you can check the network planning.

# Check whether there is any problem. If there is any warning item, confirm it. If there is no problem, export the network planning report.
# Export the report and save it to the local PC.

# Display the saved WLAN planning report.

10.3 Quiz

1. Which of the following information needs to be determined during requirements collection in outdoor WLAN planning and design?

Answer:
1. Laws and regulations: EIRP restrictions and available channels
2. Drawing information: floor plan or map
3. Coverage areas: key coverage areas, common coverage areas, and areas that do not need to be covered
4. Field strength: signal strength requirements
5. Number of access STAs: total number of access STAs in a coverage area
6. Terminal types
7. Bandwidth requirements
8. Surrounding environment: Check whether there are buildings and trees around the site.
9. AP installation position and power supply mode: APs are typically mounted on lamp poles or external walls of buildings. If necessary, new poles are built for installing APs.
10. Switch location
11. Interference source: Check whether interference sources such as city surveillance based on wireless backhaul and microwave stations exist.

2. What are the differences between the application scenarios of outdoor APs with omnidirectional and directional antennas? What are their coverage ranges in a scenario in China?

Answer: It is recommended that omnidirectional antennas be used in open outdoor areas with a coverage radius of 60 m to 80 m. It is recommended that directional antennas be used in outdoor street scenarios with a coverage length of 120 m to 150 m and a coverage width of 20 m to 35 m.

11 CampusInsight O&M Lab

11.1 Introduction

11.1.1 About This Lab

This lab instructs you to deploy the CampusInsight intelligent O&M platform, helping you understand how to perform WLAN inspection using the intelligent O&M platform.

11.1.2 Objectives

⚫ Understand how to configure the interconnection between the WAC and CampusInsight.
⚫ Understand basic O&M functions of CampusInsight.
11.1.3 Networking Topology

Figure 11-1 CampusInsight O&M networking topology

In this lab, AP1, AP2, and AP3 are managed and configured by WAC1. The CampusInsight server is connected to the core switch SW-Core, and the network segment is 172.18.0.0/17. WAC1 interworks with the CampusInsight server to report service run logs and data to the CampusInsight server. The administrator can perform unified and intelligent O&M on the WLAN through CampusInsight.

11.1.4 Lab Planning

Table 11-1 VLAN planning

Device | Port | Port Type | VLAN Settings
SW-Core | MultiGE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 18 100 and 101
SW-Core | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLAN 100 101
SW-Core | MultiGE0/0/4 | Trunk | PVID: 1; Allow-pass: VLAN 18
SW-Access | MultiGE0/0/9 | Trunk | PVID: 1; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/1 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/2 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
SW-Access | MultiGE0/0/3 | Trunk | PVID: 100; Allow-pass: VLANs 100 and 101
WAC1 | GE0/0/1 | Trunk | PVID: 1; Allow-pass: VLANs 18 100 and 101

Table 11-2 IP address planning

Device | Port | IP Address
SW-Core | VLANIF 100 | 10.23.100.254/24
SW-Core | VLANIF 101 | 10.23.101.254/24
SW-Core | VLANIF 18 | 172.18.134.246/17
WAC1 | VLANIF 18 | 172.18.134.236/17
WAC1 | VLANIF 100 | 10.23.100.1/24
CampusInsight server | / | 172.18.134.232/17

Table 11-3 WLAN service parameter planning

WLAN Service | Parameter
Forwarding mode | Direct forwarding
Management VLAN | 100
Service VLAN | 101
AP group | ap-group1
VAP profile | wlan-net
Security profile | wlan-net
Security policy | WPA/WPA2+PSK+AES
Password | a12345678
SSID profile | wlan-net
SSID | wlan-net

11.2 Lab Configuration

11.2.1 Configuration Roadmap

1. Configure VLAN information for SW-Core, SW-Access, and WAC1.
2. Configure IP addresses for network devices to ensure network connectivity.
3. Configure the DHCP server on SW-Core to ensure that APs can obtain IP addresses.
4. Configure the basic network of CampusInsight to ensure network connectivity.
5. Configure WLAN service parameters to implement STA access.
6. Configure the interworking between WAC1 and the CampusInsight server.
7. Log in to the CampusInsight server through the web to implement intelligent O&M.

11.2.2 Configuration Procedure

Step 1 Configure the basic network connectivity, AP onboarding, and WLAN services.

# For details, see Step 1 to Step 5 in section 1.2.2 "Configuration Procedure."

Step 2 Configure network connectivity between CampusInsight and WAC1.

The IP address and gateway of CampusInsight have been configured during software installation and are not described in this lab. The IP address of CampusInsight is 172.18.134.232/17, and the gateway address is 172.18.128.1.

# Configure VLAN and IP address information for SW-Core.

[SW-Core] vlan 18
[SW-Core-vlan18] quit
[SW-Core] interface MultiGE 0/0/4
[SW-Core-MultiGE0/0/4] port link-type trunk
[SW-Core-MultiGE0/0/4] port trunk allow-pass vlan 18
[SW-Core-MultiGE0/0/4] quit
[SW-Core] interface Vlanif 18
[SW-Core-Vlanif18] ip address 172.18.134.246 17
[SW-Core-Vlanif18] quit

# Configure VLAN and IP address information for WAC1, and configure a default route for WAC1 with the next hop address set to SW-Core.

[WAC1] vlan 18
[WAC1-vlan18] quit
[WAC1] interface GigabitEthernet 0/0/1
[WAC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 18
[WAC1-GigabitEthernet0/0/1] quit
[WAC1] interface Vlanif 18
[WAC1-Vlanif18] ip address 172.18.134.236 17
[WAC1-Vlanif18] quit
[WAC1] ip route-static 172.19.0.0 16 172.18.128.1
[WAC1] ip route-static 0.0.0.0 0.0.0.0 10.23.100.254

Step 3 Configure SNMP.

WAC1 can be added to CampusInsight for management only after the SNMP protocol is configured on the device.

# SNMPv2c is an insecure protocol. You are advised to configure SNMPv3, which is more secure.

[WAC1] mgmt isolate disable
Warnning: Disabling management plane isolation may bring security risks. Are you sure you want to continue ? [y/n]: y
[WAC1] snmp-agent sys-info version v3
[WAC1] snmp-agent mib-view HCIP-test include iso
[WAC1] snmp-agent group v3 test-group privacy write-view HCIP-test notify-view HCIP-test
[WAC1] snmp-agent usm-user version v3 test-user group test-group
[WAC1] snmp-agent usm-user version v3 test-user authentication-mode sha2-256
Please configure the authentication password (<8-64>)
Enter Password: HUAWEI@123
Confirm password: HUAWEI@123
[WAC1] snmp-agent usm-user version v3 test-user privacy-mode aes256
Please configure the privacy password (<8-64>)
Enter Password: HUAWEI@456
Confirm password: HUAWEI@456

# This lab assumes that the SNMP user name is test-user, the authentication password is HUAWEI@123, and the encryption password is HUAWEI@456. These parameters must be the same as those configured on CampusInsight.

Step 4 Configure SFTP.

# SFTP is configured so that CampusInsight can synchronize basic information, interface and link information, and other information about APs from devices through SFTP.

[WAC1] ssh client first-time enable

Step 5 Configure LLDP.

# LLDP enables CampusInsight to discover LLDP links of the device.

[WAC1] lldp enable
[WAC1] wlan
[WAC1-wlan-view] ap-system-profile name default
[WAC1-wlan-ap-system-prof-default] lldp report enable
[WAC1-wlan-ap-system-prof-default] quit
[WAC1-wlan-view] quit

Step 6 Configure log data reporting.

By default, the device log reporting function supports HTTP/2 and UDP channels. HTTP/2 is recommended.

# Configure the HTTP/2 channel for WAC1.
[WAC1] undo access-user syslog-restrain enable
[WAC1] wmi-server
[WAC1-wmi-server] server ip-address 172.18.134.232 port 27371
[WAC1-wmi-server] collect-item log-data interval 60
[WAC1-wmi-server] log module mid ff760000
[WAC1-wmi-server] log module mid ff5f0000
[WAC1-wmi-server] log module mid ff630000
[WAC1-wmi-server] log module mid fff30000
[WAC1-wmi-server] log module mid ff620000
[WAC1-wmi-server] log module mid ff050000
[WAC1-wmi-server] log module mid d0410000
[WAC1-wmi-server] log module mid ff5a0000
[WAC1-wmi-server] log module mid ff8c0000
[WAC1-wmi-server] log module mid ff5d0000
[WAC1-wmi-server] quit

# Configure the HTTP/2 channel for APs.

[WAC1] wlan
[WAC1-wlan-view] wmi-server name test
[WAC1-wlan-wmi-server-prof-test] server ip-address 172.18.134.232 port 27371
[WAC1-wlan-wmi-server-prof-test] collect-item log-data interval 60
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF600000
[WAC1-wlan-wmi-server-prof-test] ap log module mid D0410000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF620000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFED0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFEF0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FFF30000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FF2B0000
[WAC1-wlan-wmi-server-prof-test] ap log module mid FE011004
[WAC1-wlan-wmi-server-prof-test] quit
[WAC1-wlan-view] ap-system-profile name default
[WAC1-wlan-ap-system-prof-default] wmi-server test index 2
[WAC1-wlan-ap-system-prof-default] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] ap-system-profile default
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] quit

Step 7 Configure the function of reporting WLAN service performance metric data.

# This configuration enables the device to proactively report WLAN service performance metric data to CampusInsight for analysis.
[WAC1] pki realm default
[WAC1-pki-realm-default] certificate-check none
[WAC1-pki-realm-default] quit
[WAC1] wmi-server
[WAC1-wmi-server] collect-item device-data interval 60
[WAC1-wmi-server] collect-item interface-data interval 60
[WAC1-wmi-server] collect-item cpcar-data interval 60
[WAC1-wmi-server] collect-item security-data interval 60
[WAC1-wmi-server] quit
[WAC1] wlan
[WAC1-wlan-view] wmi-server name test
[WAC1-wlan-wmi-server-prof-test] report-interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item device-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item radio-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item ssid-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item terminal-data interval 60
[WAC1-wlan-wmi-server-prof-test] collect-item non-wifi-data interval 60
[WAC1-wlan-wmi-server-prof-test] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 0
[WAC1-wlan-group-radio-ap-group1/0] wids device detect enable
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-group-radio-ap-group1/0] spectrum-analysis enable
[WAC1-wlan-group-radio-ap-group1/0] channel-monitor enable
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] wids device detect enable
Warning: This action may cause service interruption. Continue?[Y/N] y
[WAC1-wlan-group-radio-ap-group1/1] spectrum-analysis enable
[WAC1-wlan-group-radio-ap-group1/1] channel-monitor enable
[WAC1-wlan-group-radio-ap-group1/1] quit
[WAC1-wlan-ap-group-ap-group1] quit
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] ap-system-profile default
[WAC1-wlan-ap-group-ap-group1] quit

Step 8 Configure the CampusInsight server.

# Log in to CampusInsight, choose Inventory > Site-Region, and click Add.

# Add a site. Set the site name to HCIP-test and Parent node to Global, and click Confirm.
# Choose Inventory > Wired Device, click Add Device, and click Add single device.

# Set IP address to 10.23.100.1 (IP address of WAC1), Site-Region to HCIP-test, and Device role to WAC.

# In the SNMP area, select Edit SNMP parameters, set Version to v3, Security name to test-user, Authentication protocol to HMAC_SHA2_256, Privacy protocol to AES_256, Port to 161, Authentication password to HUAWEI@123, and Encryption password to HUAWEI@456. Then click Confirm.

# The security name must be the same as the SNMP user name configured on WAC1. Other parameters must also be the same.

# Check the onboarding status of wired devices. WAC1 is online.

# After WAC1 is added to CampusInsight, the APs managed by WAC1 are automatically added to the AP list of CampusInsight. Click Wireless Device. The three APs are online.

# Add a building to the HCIP-test site. Choose Inventory > Site-Region, select HCIP-test, and click Add.

# Set Type to Building and Name to Building_01, and click Confirm.

# Add a floor to Building_01. Choose Inventory > Site-Region, select Building_01, and click Add.

# Set Type to Floor and Name to First floor, and click Confirm.

# Choose Inventory > Wireless Device, select three APs, and click Move to move the three APs to First floor.

# The Site-Region values of the three APs are changed to /HCIP-test/Building_01/First floor.

Step 9 Configure CampusInsight O&M functions.

Check the status of the entire network.

# Choose Dashboard > General to view key information about the HCIP-test site, such as the resource status, health status, number of clients, traffic, and AP rate/traffic, so that the administrator can learn about the overall running status of the network.

Check the wireless network health.

# Choose Network > Health to view the running status of the wireless network.
# Detailed metrics include the access success rate, access time consumption, roaming fulfillment rate, signal and interference, capacity, and throughput.

Check the client journey.

# Choose Clients > Client Journey. On the Normal view tab page, you can view basic information about access clients.

# Click a client MAC address (for example, 08-1f-71-53-90-b4) to view detailed indicators.

11.3 Verification

11.3.1 Checking the SNMP Configuration on WAC1

# Run the display snmp-agent mib-view command on WAC1 to view SNMP MIB information.

[WAC1] display snmp-agent mib-view HCIP-test
View name: HCIP-test
MIB subtree: iso
Subtree mask:
Storage type: nonVolatile
View type: included
View status: active

# Run the display snmp-agent group command on WAC1 to view SNMP group information.

[WAC1] display snmp-agent group
Group name: test-group
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: HCIP-test
Notifyview: HCIP-test
Storage type: nonVolatile
Total number is 1

# Run the display snmp-agent usm-user command on WAC1 to view SNMP user information.

[WAC1] display snmp-agent usm-user
User name: test-user
Engine ID: 800007DB033CA37E857647
Group name: test-group
Authentication mode: sha2-256, Privacy mode: aes256
Storage type: nonVolatile
User status: active
Total number is 1

11.3.2 Checking VAP information on WAC1

# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
-----------------------------------------------------------------------------
0     AP1     0    1   6CE8-748D-7540 ON     WPA/WPA2-PSK 0   wlan-net
0     AP1     1    1   6CE8-748D-7550 ON     WPA/WPA2-PSK 0   wlan-net
1     AP2     0    1   6CE8-748D-6D20 ON     WPA/WPA2-PSK 0   wlan-net
1     AP2     1    1   6CE8-748D-6D30 ON     WPA/WPA2-PSK 0   wlan-net
2     AP3     0    1   6CE8-748D-6F00 ON     WPA/WPA2-PSK 1   wlan-net
2     AP3     1    1   6CE8-748D-6F10 ON     WPA/WPA2-PSK 1   wlan-net
-----------------------------------------------------------------------------
Total: 6

11.4 Reference Configuration

11.4.1 WAC1 Configuration

Software Version V200R022C00SPC100
#
sysname WAC1
#
vlan batch 18 100 to 101
#
interface Vlanif18
 ip address 172.18.134.236 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
interface NULL0
#
snmp-agent local-engineid 800007DB033CA37E857647
snmp-agent group v3 test-group privacy write-view HCIP-test notify-view HCIP-test
snmp-agent mib-view HCIP-test include iso
snmp-agent usm-user version v3 test-user
snmp-agent usm-user version v3 test-user group test-group
snmp-agent usm-user version v3 test-user authentication-mode sha2-256 %^%#o{tU-CUJ2I~#IK]4u7JzyqS6df_o%SZbsWov~t;%^%#
snmp-agent usm-user version v3 test-user privacy-mode aes256 %^%#K<*vH_`J]W33uM9IZz~XWD5DK50`NApy4Dvn\J@%^%#
snmp-agent protocol source-interface MEth0/0/1
snmp-agent
#
ssh server-source -i Vlanif100
ssh client first-time enable
sftp server enable
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
ip route-static 172.19.0.0 255.255.0.0 172.18.128.1
#
capwap source interface vlanif100
capwap dtls inter-controller control-link encrypt on
capwap dtls psk %^%#R=+I57EMP>bFKr35X0^<,+3nJW$Op9vERA&pLnIQ%^%#
capwap dtls inter-controller psk %^%#AgB^DVxu6@WhSA>j\UA=vTE0H&`GaOmns<<Y~Y-"%^%#
capwap dtls no-auth enable
#
wmi-server
 server ip-address 172.18.134.232 port 27371
 collect-item device-data interval 60
 collect-item log-data interval 60
 collect-item cpcar-data interval 60
 log module mid fe090000 name SIPFPM
 log module mid ff2f0000 name SACADP
 log module mid ff5d0000 name AM
 log module mid ff8c0000 name ENTITYTRAP
 log module mid ff5a0000 name AAA
 log module mid d0410000 name SHELL
 log module mid ff050000 name IFPDT
 log module mid ff620000 name DHCP
 log module mid fff30000 name WLAN
 log module mid ff630000 name CM
 log module mid ff5f0000 name DOT1X
 log module mid ff760000 name WEB
#
wmi-server2
#
wlan
 calibrate flexible-radio auto-switch
 temporary-management psk %^%#A0jK$oAoNG5=j>6-NcL56%e2U4\G29J@z'/-:)]Q%^%#
 ap username admin password cipher %^%#U-k!~ucm:N'r~*SdQMQ3_EKpH7(s_D$O6g,NxwL$%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#H95ZT,~zPB3w;;VuULcRf#$]+cnEVPT02SMi_qo=%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name domain1
 wmi-server name test
  server ip-address 172.18.134.232 port 27371
  collect-item device-data interval 60
  collect-item radio-data interval 60
  collect-item terminal-data interval 60
  collect-item log-data interval 60
  collect-item non-wifi-data enable
  ap log module mid FF2B0000
  ap log module mid FE011004
  ap log module mid FFDC0000
  ap log module mid FF2F0000
  ap log module mid FE090000
  ap log module mid FF600000 name PORTAL
  ap log module mid D0410000 name SHELL
  ap log module mid FF620000 name DHCP
  ap log module mid FFED0000 name SEA
  ap log module mid FFEF0000 name WSRV
  ap log module mid FFF30000 name WLAN
 ap-system-profile name default
  lldp report enable
  wmi-server test index 2
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net wlan 1
   wids device detect enable
   spectrum-analysis enable
   channel-monitor enable
  radio 1
   vap-profile wlan-net wlan 1
   wids device detect enable
   spectrum-analysis enable
   channel-monitor enable
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
#
return

11.4.2 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 18 100 to 101
#
dhcp enable
#
interface Vlanif18
 ip address 172.18.134.246 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/4
 port link-type trunk
 port trunk allow-pass vlan 18
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
return

11.4.3 SW-Access Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

11.5 Quiz

In this lab, CampusInsight is used to perform intelligent O&M on a WLAN. What are the advantages of intelligent O&M compared with traditional O&M on the WAC's web page?
Answer:

Visualized experience: Telemetry-based second-level data collection is supported, visualizing experience of any user in any application at any moment.

Minute-level proactive identification and root cause locating for potential faults: Identify potential faults based on dynamic baselines and big data association. Accurately locate root causes based on KPI association analysis and protocol playback.

Predictive network optimization: AI technologies are used to intelligently analyze the load trend of APs to complete predictive optimization of wireless networks.

12 WLAN Troubleshooting Lab

12.1 Introduction

12.1.1 About This Lab

This lab instructs you to troubleshoot common faults.

12.1.2 Objectives

⚫ Describe the fault symptoms and related configurations.
⚫ Understand troubleshooting methods.

12.1.3 Networking Topology

Figure 12-1 WLAN troubleshooting networking topology

12.1.4 Lab Planning

Table 12-1 VLAN planning

Device     Port          Port Type  VLAN Settings
SW-Core    MultiGE0/0/1  Trunk      PVID: 1    Allow-pass: VLANs 18 100 and 101
SW-Core    MultiGE0/0/9  Trunk      PVID: 1    Allow-pass: VLAN 100 101
SW-Core    MultiGE0/0/4  Trunk      PVID: 1    Allow-pass: VLAN 18
SW-Access  MultiGE0/0/9  Trunk      PVID: 1    Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/1  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/2  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
SW-Access  MultiGE0/0/3  Trunk      PVID: 100  Allow-pass: VLANs 100 and 101
WAC1       GE0/0/1       Trunk      PVID: 1    Allow-pass: VLANs 18 100 and 101

Table 12-2 IP address planning

Device              Port        IP Address
SW-Core             VLANIF 100  10.23.100.254/24
SW-Core             VLANIF 101  10.23.101.254/24
SW-Core             VLANIF 18   172.18.134.246/17
WAC1                VLANIF 18   172.18.134.236/17
WAC1                VLANIF 100  10.23.100.1/24
iMaster NCE-Campus  /           172.18.134.230/17

Table 12-3 WLAN service parameter planning

WLAN Service: Parameter
Forwarding mode: Tunnel forwarding
Management VLAN: 100
Service VLAN: 101
AP group: ap-group1
VAP profile: wlan-net
Security profile: wlan-net
Security policy: OPEN
SSID profile: wlan-net
SSID: wlan-net
RADIUS authentication parameters:
  Name of the RADIUS authentication scheme: radius_huawei
  Name of the RADIUS accounting scheme: scheme1
  Name of the RADIUS server template: radius_huawei
  IP address: 172.18.134.230
  Authentication port number: 1812
  Accounting port number: 1813
  Shared key: HUAWEI@123
Portal server template:
  Name: abc
  IP address: 172.18.134.230
  Portal shared key: HUAWEI@123
Portal access profile:
  Name: portal1
  Bound profile: Portal server template abc
Authentication-free rule profile:
  Name: default_free_rule
Authentication profile:
  Name: p1
  Bound profiles and schemes:
    Portal access profile portal1
    RADIUS server template radius_huawei
    RADIUS authentication scheme radius_huawei
    RADIUS accounting scheme scheme1
    Authentication-free rule profile default_free_rule

12.2 Lab Configuration

12.2.1 Configuration Roadmap

1. Import the pre-configuration.
2. Rectify the fault based on the fault symptom.

12.2.2 Configuration Procedure

Step 1 Import the pre-configuration.

# Import the pre-configuration of WAC1.
Software Version V200R022C00SPC100
#
sysname WAC1
#
vlan batch 18 100
#
authentication-profile name p1
 free-rule-template free1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
web-auth-server server-source all-interface
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#:0-xH8,(|&.L-5UCL0p7VjX]LyPSDU,9NX;sV`sV%^%#
 radius-server authentication 172.18.134.230 1812 source Vlanif 100 weight 80
 radius-server accounting 172.18.134.230 1813 source Vlanif 100 weight 80
radius-server authorization 172.18.134.230 shared-key cipher %^%#MeTn6Ud7d,LYC8=omJ2>,*:V-@zY=G$Q9IgU1+&%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
#
free-rule-template name free1
 free-rule 1 destination ip 172.18.134.230 mask 255.255.255.255
#
url-template name url1
 url https://172.18.134.230:8445/portal
 url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip acip
#
web-auth-server abc
 server-ip 172.18.134.229
 port 50100
 shared-key cipher %^%#3KxF"4M3}TH5|8P_$GE>K>j$/oQiM,GyQw3qsXH>%^%#
 url-template url1
 source-ip 10.23.100.1
 server-detect
#
portal-access-profile name portal1
 web-auth-server abc direct
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 3
#
interface Vlanif18
 ip address 172.18.134.236 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
ip route-static 172.19.0.0 255.255.0.0 172.18.128.1
#
capwap source interface vlanif100
capwap dtls psk %^%#eA~Y!E}kkQ%J_gCXL-(Z\eel8@*iU#Kdf<~OtF!T%^%#
capwap dtls inter-controller psk %^%#-E4LO_;{`JNgV$#W;k&Oa<O&DL_c.C=<e6#f>om1%^%#
capwap dtls no-auth enable
#
wlan
 temporary-management psk %^%#g*hpDBM3I-3eL3-CJ~1$Xq'"~_/NZ7_~+y~wC||Q%^%#
 ap username admin password cipher %^%#jj`AXVN<fYtQZf=f5`uLcLUN6+fG7I.#vvJ!)&LD%^%#
 security-profile name wlan-net
  security open
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 1
   radio disable
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
 provision-ap
#
return

# Import the pre-configuration of SW-Core.

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 18 100 to 101
#
dhcp enable
#
interface Vlanif18
 ip address 172.18.134.246 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
interface MultiGE0/0/4
 port link-type trunk
 port trunk allow-pass vlan 18
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
return

# Import the pre-configuration of SW-Access.
!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

# Pre-configure the authentication server. For details, see Step 7 in section 6.2.2 "Configuration Procedure."

Step 2 Troubleshoot STAs' failures to detect radio signals.

# Search for SSIDs on a STA. The STA fails to detect the radio signal wlan-net. In this case, check whether the AP is online on WAC1.

[WAC1] display ap all
Total AP information:
fault : fault [1]
nor : normal [2]
ExtraInfo : Extra information
------------------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime   ExtraInfo
------------------------------------------------------------------------------------------------------------
0   6ce8-748d-7540  AP1   ap-group1  10.23.100.61   AirEngine8760-X1-PRO  nor    0    36M:20S
1   6ce8-748d-6d20  AP2   ap-group1  10.23.100.112  AirEngine8760-X1-PRO  nor    0    35M:27S
2   6ce8-748d-6f00  AP3   default                   AirEngine8760-X1-PRO  fault  0
------------------------------------------------------------------------------------------------------------
Total: 3

# The three APs are online, but AP3 is not in the AP group ap-group1. To ensure that WAC1 delivers unified policies to APs, add AP3 to the correct AP group.

[WAC1] wlan
[WAC1-wlan-view] ap-id 2
[WAC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]: y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[WAC1-wlan-ap-2] quit

# Check AP information on WAC1 again. The command output shows that the three APs are all online and belong to ap-group1.

[WAC1] display ap all
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
------------------------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type                  State  STA  Uptime   ExtraInfo
------------------------------------------------------------------------------------------------------------
0   6ce8-748d-7540  AP1   ap-group1  10.23.100.61   AirEngine8760-X1-PRO  nor    0    34M:25S
1   6ce8-748d-6d20  AP2   ap-group1  10.23.100.112  AirEngine8760-X1-PRO  nor    0    33M:32S
2   6ce8-748d-6f00  AP3   ap-group1  10.23.100.213  AirEngine8760-X1-PRO  nor    0    34M:28S
------------------------------------------------------------------------------------------------------------
Total: 3

# Check the VAP status.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
---------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status Auth type STA SSID
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total: 0

# The command output shows that no AP is associated with any VAP. Check the configuration of WAC1. The command output shows that the VAP profile is not bound to any AP group. In this case, modify the configuration as follows.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[WAC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[WAC1-wlan-ap-group-ap-group1] quit

# Check VAP information again.
The three APs are now broadcasting the SSID wlan-net, but the status of radio 1 on the APs is OFF, indicating that the 5 GHz radios are disabled and need to be manually enabled.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
---------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status Auth type STA SSID
---------------------------------------------------------------------------
0     AP1     0    1    6CE8-748D-7540 ON     Open      0   wlan-net
0     AP1     1    1    6CE8-748D-7550 OFF    Open      0   wlan-net
1     AP2     0    1    6CE8-748D-6D20 ON     Open      0   wlan-net
1     AP2     1    1    6CE8-748D-6D30 OFF    Open      0   wlan-net
2     AP3     0    1    6CE8-748D-6F00 ON     Open      1   wlan-net
2     AP3     1    1    6CE8-748D-6F10 OFF    Open      0   wlan-net
---------------------------------------------------------------------------
Total: 6

# Manually enable the 5 GHz radio.

[WAC1] wlan
[WAC1-wlan-view] ap-group name ap-group1
[WAC1-wlan-ap-group-ap-group1] radio 1
[WAC1-wlan-group-radio-ap-group1/1] undo radio disable
[WAC1-wlan-group-radio-ap-group1/1] quit

# Check the VAP status. The VAP status is normal.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status Auth type   STA SSID
-----------------------------------------------------------------------------
0     AP1     0    1    6CE8-748D-7540 ON     Open+Portal 0   wlan-net
0     AP1     1    1    6CE8-748D-7550 ON     Open+Portal 0   wlan-net
1     AP2     0    1    6CE8-748D-6D20 ON     Open+Portal 0   wlan-net
1     AP2     1    1    6CE8-748D-6D30 ON     Open+Portal 0   wlan-net
2     AP3     0    1    6CE8-748D-6F00 ON     Open+Portal 0   wlan-net
2     AP3     1    1    6CE8-748D-6F10 ON     Open+Portal 0   wlan-net
-----------------------------------------------------------------------------
Total: 6

Step 3 Troubleshoot STAs' failures to obtain IP addresses after associating with radio signals.

# After a STA connects to wlan-net, it cannot obtain an IP address.
The check result shows that the data forwarding mode of the VAP is tunnel forwarding, but WAC1 does not have service VLAN information. In this case, manually create VLAN 101 on WAC1.

[WAC1] vlan 101
[WAC1-vlan101] quit

# Disconnect the STA from wlan-net and then reconnect the STA to wlan-net. The STA can obtain an IP address. Run the ipconfig command to verify this.

C:\Users\admin>ipconfig
Wireless LAN adapter WLAN:
   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::2d38:d0da:819f:238e%4
   IPv4 Address. . . . . . . . . . . : 10.23.101.194
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.23.101.254

Step 4 Troubleshoot failures to automatically display Portal authentication pages in Portal authentication mode.

# After a STA connects to the SSID wlan-net, open the browser and enter any IP address in the address box. The Portal authentication page is not displayed.

# There are many reasons for a failure to display the Portal authentication page. Check whether the authentication profile is correctly bound to the VAP profile. The VAP configuration is correct.

vap-profile name wlan-net
 forward-mode tunnel
 service-vlan vlan-id 101
 ssid-profile wlan-net
 security-profile wlan-net
 authentication-profile p1

# Check whether the authentication profile is correctly configured. It is found that no Portal access profile is configured in the authentication profile.

authentication-profile name p1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei

# Check the configuration. The Portal access profile portal1 has already been configured on WAC1, so bind it to the authentication profile.

[WAC1] authentication-profile name p1
[WAC1-authentication-profile-p1] portal-access-profile portal1
Info: This operation may take a few minutes, please wait....
Warning: Changing the authentication profile will cause online users to go offline. Continue? [Y/N] y
Authentication profile p1 : done.
[WAC1-authentication-profile-p1] quit

# The Portal authentication page still cannot be displayed on the STA. Check the configuration of the Portal server template. The IP address and port number of the Portal server are incorrect. The correct IP address is 172.18.134.230, and the correct port number is 50200.

#
web-auth-server abc
 server-ip 172.18.134.229
 port 50100
 shared-key cipher %^%#N[ePT/1o_2@zKz/>v:dTE_H%#s@Cy<{-|g:s'&\8%^%#
 url-template url1
 source-ip 10.23.100.1
 server-detect
#

# Configure a correct server address and set the shared key to HUAWEI@123 to ensure that the shared key is the same as that on NCE.

[WAC1] web-auth-server abc
[WAC1-web-auth-server-abc] undo server-ip 172.18.134.229
Warning: Server-ip access-users will be offline, sure to continue?[Y/N] y
[WAC1-web-auth-server-abc] server-ip 172.18.134.230
[WAC1-web-auth-server-abc] port 50200
[WAC1-web-auth-server-abc] shared-key cipher HUAWEI@123

# Check the Portal service status. The Portal server is in DOWN state.

[WAC1] display portal-server state
Web-auth-server : abc
Total-servers : 1
Live-servers : 0
Critical-num : 0
Status : Abnormal
Ip-address      Status
172.18.134.230  DOWN

# Check the configuration. It is found that the Portal server detection function is enabled on the device, but the authentication server is not configured. Therefore, you need to manually disable the Portal server detection function.

[WAC1] web-auth-server abc
[WAC1-web-auth-server-abc] undo server-detect
[WAC1-web-auth-server-abc] quit

# Check the status of the Portal server again. The status is UP, as shown in the following output.
[WAC1] display portal-server state
Web-auth-server : abc
Total-servers : 1
Live-servers : 1
Critical-num : 0
Status : Normal
Ip-address      Status
172.18.134.230  UP

# Use the STA to perform the test again. It is found that the Portal authentication page still cannot be displayed. The port number of the redirected page is 8445, but the default port number of NCE that functions as the Portal server is 19008. Check the URL template on WAC1. It is found that the port number in the URL is incorrect, as shown below.

#
url-template name url1
 url https://172.18.134.230:8445/portal
 url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip acip
#

# Change the URL port number to 19008.

[WAC1] url-template name url1
[WAC1-url-template-url1] url https://172.18.134.230:19008/portal
[WAC1-url-template-url1] quit

# Disconnect the STA from wlan-net and reconnect the STA to wlan-net. The Portal authentication page is displayed. After the user name and password are entered, Portal authentication succeeds.

12.3 Verification

12.3.1 Checking VAP Information

# Run the display vap all command on WAC1 to check VAP information.

[WAC1] display vap all
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
-----------------------------------------------------------------------------
AP ID AP name RfID WID  BSSID          Status Auth type   STA SSID
-----------------------------------------------------------------------------
0     AP1     0    1    6CE8-748D-7540 ON     Open+Portal 0   wlan-net
0     AP1     1    1    6CE8-748D-7550 ON     Open+Portal 0   wlan-net
1     AP2     0    1    6CE8-748D-6D20 ON     Open+Portal 0   wlan-net
1     AP2     1    1    6CE8-748D-6D30 ON     Open+Portal 0   wlan-net
2     AP3     0    1    6CE8-748D-6F00 ON     Open+Portal 0   wlan-net
2     AP3     1    1    6CE8-748D-6F10 ON     Open+Portal 1   wlan-net
-----------------------------------------------------------------------------
Total: 6

12.3.2 Associating a STA with the WLAN and Verifying Authentication

12.4 Reference Configuration

12.4.1 WAC1 Configuration

Software Version V200R022C00SPC100
#
sysname WAC1
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template free1
 authentication-scheme radius_huawei
 accounting-scheme scheme1
 radius-server radius_huawei
#
web-auth-server server-source all-interface
#
management-port isolate enable
management-plane isolate enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#I/N%8moVPUUFK%!cJb;M;|PZ~N],pQVb*u(KD:;+%^%#
 radius-server authentication 172.18.134.230 1812 source Vlanif 100 weight 80
 radius-server accounting 172.18.134.230 1813 source Vlanif 100 weight 80
radius-server authorization 172.18.134.230 shared-key cipher %^%#FjuvX'1T<!rA8(3[m'-!d*Xt+vtm/K&8&DUTTuU.%^%# server-group radius_huawei
radius-server authorization server-source all-interface
#
free-rule-template name default_free_rule
#
free-rule-template name free1
 free-rule 1 destination ip 172.18.134.230 mask 255.255.255.255
#
url-template name url1
 url https://172.18.134.230:19008/portal
 url-parameter redirect-url redirect-url ssid ssid user-ipaddress userip user-mac usermac device-ip acip
#
web-auth-server abc
 server-ip 172.18.134.230
 port 50200
 shared-key cipher %^%#/H+oJc*rtC_]{(WRUDt4un;&<1:g~NP{q(SD$ux#%^%#
 url-template url1
 source-ip 10.23.100.1
#
portal-access-profile name portal1
 web-auth-server abc direct
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 accounting-scheme scheme1
  accounting-mode radius
  accounting realtime 3
 local-aaa-user password policy administrator
 domain default
  authentication-scheme default
  accounting-scheme default
  radius-server default
 domain default_admin
  authentication-scheme default
  accounting-scheme default
#
interface Vlanif18
 ip address 172.18.134.236 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 management-interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.254
ip route-static 172.19.0.0 255.255.0.0 172.18.128.1
#
capwap source interface vlanif100
capwap dtls psk %^%#^zZq<D7&>Mc-euO[wdR)zrjY4I`*oJ%UcK6sn%t5%^%#
capwap dtls inter-controller psk %^%#dKz03q"#ARJH__Pm`Yc(6QMF>dsn6M:M247\g!I&%^%#
capwap dtls no-auth enable
#
wlan
 calibrate flexible-radio auto-switch
 temporary-management psk %^%#PwFE@vw_"@\n9{>}k<,-;9CD7K;0/%e,LB)9,^FX%^%#
 ap username admin password cipher %^%#PBMhAQ{@}1q,vb:X0*)B\.KXW7QH=Ogpvg'K*Y)I%^%#
 traffic-profile name default
 security-profile name default
 security-profile name wlan-net
  security open
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name default
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name default
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile p1
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name default
 regulatory-domain-profile name domain1
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-whitelist-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 125 ap-mac 6ce8-748d-7540 ap-sn 2102353GSG10N7100245
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 125 ap-mac 6ce8-748d-6d20 ap-sn 2102353GSG10N7100219
  ap-name AP2
  ap-group ap-group1
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00 ap-sn 2102353GSG10N7100225
  ap-name AP3
  ap-group ap-group1
 provision-ap
#
return

12.4.2 SW-Core Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Core
#
vlan batch 18 100 to 101
#
dhcp enable
#
interface Vlanif18
 ip address 172.18.134.246 255.255.128.0
#
interface Vlanif100
 ip address 10.23.100.254 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.254 255.255.255.0
 dhcp select interface
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk allow-pass vlan 18 100 to 101
#
interface MultiGE0/0/4
 port link-type trunk
 port trunk allow-pass vlan 18
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

12.4.3 SW-Access Configuration

!Software Version V200R022C00SPC500
#
sysname SW-Access
#
vlan batch 100 to 101
#
interface MultiGE0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface MultiGE0/0/9
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

12.5 Quiz

In this lab, the URL configured on WAC1 is represented by the IP address of the Portal server. In an actual environment, the URL is represented by a domain name. In this case, what are the precautions for deploying Portal authentication?

Answer: When a STA accesses the Portal server, the domain name needs to be resolved into an IP address through the DNS server. Therefore, before Portal authentication deployment, you need to configure an authentication-free rule profile to allow the DNS server address to pass through to ensure correct DNS resolution.
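
The faults worked through in Steps 2 to 4 of section 12.2.2 are all visible in the saved WAC1 configuration, so a static check can flag them before any STA connects. The Python script below is an added example, not part of the Huawei lab guide: PRECONFIG is a constructed, trimmed copy of the faulty pre-configuration, the function names parse, value and lint are hypothetical, and the expected ports 50200 and 19008 are the values the lab states.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the faulty WAC1 pre-configuration from
# Step 1 (cipher strings dropped), one leading space per nesting level.
PRECONFIG = """\
vlan batch 18 100
authentication-profile name p1
 radius-server radius_huawei
url-template name url1
 url https://172.18.134.230:8445/portal
web-auth-server abc
 server-ip 172.18.134.229
 port 50100
 url-template url1
portal-access-profile name portal1
 web-auth-server abc direct
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  authentication-profile p1
 ap-group name ap-group1
  radio 1
   radio disable
 ap-id 2 type-id 125 ap-mac 6ce8-748d-6f00
  ap-name AP3
"""


def parse(text):
    """Build a nested dict {config line: {child line: ...}} from indentation."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, stack[-1][1].setdefault(line, {})))
    return root


def value(node, prefix):
    """Text after `prefix` on the first child line that starts with it."""
    return next((l[len(prefix):] for l in node if l.startswith(prefix)), None)


def lint(text, portal_port="50200", url_port=19008):
    """Return the faults found; the default ports are the ones the lab states."""
    cfg = parse(text)
    issues, vlans = [], set()
    for line in cfg:  # VLANs that exist on the WAC
        m = re.fullmatch(r"vlan (?:batch )?([\d to]+)", line)
        for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m.group(1) if m else ""):
            vlans.update(range(int(lo), int(hi or lo) + 1))
    for line, body in cfg.get("wlan", {}).items():
        kind, _, name = line.partition(" name ")
        if kind == "ap-group":  # Step 2: VAP binding and radio state
            radios = [r for l, r in body.items() if l.startswith("radio ")]
            if not any(value(r, "vap-profile ") for r in radios):
                issues.append(f"{name}: no vap-profile bound")
            if any("radio disable" in r for r in radios):
                issues.append(f"{name}: radio disabled")
        elif line.startswith("ap-id ") and not value(body, "ap-group "):
            issues.append(f"ap-id {line.split()[1]}: left in default ap-group")
        elif kind == "vap-profile":
            vid = value(body, "service-vlan vlan-id ")
            tunnel = value(body, "forward-mode ") == "tunnel"
            if tunnel and vid and int(vid) not in vlans:  # Step 3
                issues.append(f"{name}: service VLAN {vid} missing on WAC")
            prof = value(body, "authentication-profile ")
            auth = cfg.get(f"authentication-profile name {prof}")
            if auth is not None and not any(  # Step 4: open SSID, no Portal
                    re.match(r"(portal|dot1x|mac)-access-profile ", l) for l in auth):
                issues.append(f"{prof}: no access profile bound")
    for line, body in cfg.items():  # Step 4: Portal server and redirect URL
        ip = value(body, "server-ip ")
        if line.startswith("web-auth-server ") and ip:
            tmpl = value(body, "url-template ")
            url = urlsplit(value(cfg.get(f"url-template name {tmpl}", {}), "url ") or "")
            if value(body, "port ") != portal_port:
                issues.append(f"{line}: port is not {portal_port}")
            if url.hostname != ip:  # assumes one host serves both, as in this lab
                issues.append(f"{line}: server-ip {ip} != URL host {url.hostname}")
            if url.port != url_port:
                issues.append(f"url-template {tmpl}: port is not {url_port}")
    return issues


if __name__ == "__main__":
    print("\n".join(lint(PRECONFIG)))
```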