Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users
Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data.
Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth. A standalone AC is deployed in off-path mode. It centrally manages APs on the entire network.
In this example, aggregation switches set up stacks that function as gateways for wired and wireless users on the entire network and are responsible for routing and forwarding of user services.
Device Requirements and Versions
Location | Device Requirement | Device Used in This Example | Version Used in This Example |
---|---|---|---|
Core layer | - | S12700E | V200R019C10 |
Aggregation layer | - | S5731-H | |
Access layer | - | S5735-L | |
AC | - | AC6605 | |
AP | - | AP6050DN | V200R019C00 |
Deployment Roadmap
Step | Deployment Roadmap | Devices Involved |
---|---|---|
1 | Configure CSS, stacking, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches |
2 | Configure interfaces and VLANs on the switches and ACs and configure IP addresses and routes for Layer 3 interfaces to ensure network connectivity. | Core, aggregation, and access switches |
3 | Configure DHCP on the aggregation switches and ACs so that the switches and ACs function as DHCP servers to assign IP addresses to wired and wireless users and APs. | Aggregation switches and ACs |
4 | Configure VRRP and HSB on ACs. | ACs |
5 | Configure wireless services on ACs so that APs and STAs can go online. | ACs |
6 | Configure wireless configuration synchronization in the scenario where VRRP and HSB are configured. | ACs |
Data Plan
Item | VLAN ID | Network Segment |
---|---|---|
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24 |
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24 |
Network segment for communication with servers | VLAN 1000 | 192.168.11.254/24 |

Device | Item | VLAN ID | Network Segment |
---|---|---|---|
AGG1 | Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24 |
AGG1 | Service VLANs for wireless users | VLAN 31 | 172.16.31.0/24 |
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24 |
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24 |
AGG1 | Network segment for communication with AGG-ACs | VLAN 20 | 172.16.20.0/24 |
AGG2 | Service VLANs for wireless users | VLAN 40 | 172.16.40.0/24 |
AGG2 | Service VLANs for wireless users | VLAN 41 | 172.16.41.0/24 |
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24 |
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24 |
AGG2 | Network segment for communication with AGG-ACs | VLAN 20 | 172.16.20.0/24 |

Device | Item | VLAN ID | Network Segment |
---|---|---|---|
AGG-AC1 and AGG-AC2 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24 |
AGG-AC1 and AGG-AC2 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24 |
AGG-AC1 and AGG-AC2 | VLAN for wireless configuration synchronization between AGG-AC1 and AGG-AC2 in an HSB group | VLAN 200 | 172.16.200.0/24 |
AGG-AC3 and AGG-AC4 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24 |
AGG-AC3 and AGG-AC4 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24 |
AGG-AC3 and AGG-AC4 | VLAN for wireless configuration synchronization between AGG-AC3 and AGG-AC4 in an HSB group | VLAN 200 | 172.16.200.0/24 |

Item | Data |
---|---|
AP groups | ap-group1, ap-group2 |
Regulatory domain profile | domain1 |
SSID profiles | ssid1, ssid2 |
VAP profiles | vap1, vap2 (The data forwarding mode in the VAP profiles is direct forwarding.) |
Configuration Precautions
- It is not recommended that VLAN 1 be used as the management VLAN or a service VLAN. Remove all interfaces from VLAN 1. Allow an interface to transparently transmit packets from a VLAN based on actual service requirements. Do not allow an interface to transparently transmit packets from all VLANs.
- In direct forwarding mode, it is recommended that different VLANs be used as the management VLAN and service VLAN. Otherwise, service interruptions may occur. If a VLAN is configured as both the management VLAN and service VLAN, and the interface connecting a switch to an AP has the management VLAN ID as the PVID, downstream packets in the service VLAN are terminated when going out from the switch. In this case, services are interrupted.
- In direct forwarding mode, service packets from APs are not encapsulated in CAPWAP tunnels, but are directly forwarded to the upper-layer network. Service packets and management packets can be transmitted properly only if the network between APs and the upper-layer network is added to the service VLAN and the network between ACs and APs is added to the management VLAN.
- WLAN service configurations (for example, WMM profile, radio profile, radio, traffic profile, security profile, security policy, and WLAN ID) of the AP associated with the master and backup ACs must be consistent on the two ACs; otherwise, user services may be affected after a master/backup switchover between the ACs.
The models and software versions of the master and backup ACs must be the same.
- When deploying the DHCP server in the scenario where VRRP and HSB are configured, note the following:
  - In versions earlier than V200R019C00, the DHCP server-enabled interface must be the interface on which a VRRP group is created. Otherwise, the master and backup ACs will allocate IP addresses at the same time. In V200R019C00 and later versions, there is no restriction on the DHCP server-enabled interface. Only the master AC allocates IP addresses. IP address allocation information on the master AC will be synchronized to the backup AC.
  - The IP address pools configured on the master and backup ACs must be the same. If they are different, data backup between the master and backup ACs will fail.
  - You need to run the hsb-service-type dhcp hsb-group group-index command to bind the DHCP service to the HSB group. Otherwise, IP address allocation information on the master and backup ACs cannot be backed up.
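The precautions above can be checked mechanically against a saved configuration. The following Python audit is an added example, not Huawei tooling or code from the original page; the sample configuration is constructed in the layout of the configuration files at the end of this page, and the finding names are hypothetical labels.

```python
import re

# Constructed sample in the layout of the page's configuration files; not a device dump.
SAMPLE_CONFIG = """\
interface Vlanif20
 vrrp vrid 1 virtual-ip 192.168.20.3
 dhcp select interface
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan all
#
capwap source interface vlanif20
#
hsb-group 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 vap-profile name vap1
  forward-mode direct-forward
  service-vlan vlan-id 20
 vap-profile name vap2
  forward-mode direct-forward
  service-vlan vlan-id 31
"""


def parse_sections(text):
    """Split a VRP-style config into (header, [lower-cased sub-lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        if not raw[0].isspace():          # an unindented line opens a new view
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line.lower())
    return sections


def audit(text):
    """Return a set of (object, finding) tuples for the precautions listed above."""
    findings, sections = set(), parse_sections(text)
    headers = [h.lower() for h, _ in sections]
    # The CAPWAP source interface identifies the AP management VLAN.
    mgmt = next((int(m.group(1)) for h in headers
                 if (m := re.match(r"capwap source interface vlanif\s*(\d+)", h))), None)
    dhcp_server = hsb_on = False
    for header, body in sections:
        low = header.lower()
        if low.startswith("interface "):
            name = header.split(None, 1)[1]
            dhcp_server |= "dhcp select interface" in body
            if "port link-type trunk" in body:
                # A trunk carries VLAN 1 until it is explicitly removed.
                if "undo port trunk allow-pass vlan 1" not in body:
                    findings.add((name, "vlan1-on-trunk"))
                if any(re.fullmatch(r"port trunk allow-pass vlan (all|[12] to 4094)", b)
                       for b in body):
                    findings.add((name, "all-vlans-on-trunk"))
        elif low.startswith("hsb-group ") and "hsb enable" in body:
            hsb_on = True
        elif low == "wlan":
            profiles, current = {}, None
            for line in body:
                if line.startswith("vap-profile name "):
                    current = profiles.setdefault(line.split()[-1], {})
                elif re.match(r"[\w-]+ name ", line):
                    current = None            # some other profile or group starts
                elif current is not None and line == "forward-mode direct-forward":
                    current["direct"] = True
                elif current is not None and (m := re.match(r"service-vlan vlan-id (\d+)", line)):
                    current["vlan"] = int(m.group(1))
            for name, p in profiles.items():
                if p.get("direct") and mgmt is not None and p.get("vlan") == mgmt:
                    findings.add((name, "mgmt-vlan-is-service-vlan"))
    if dhcp_server and hsb_on and not any(
            re.match(r"hsb-service-type dhcp hsb-group \d+", h) for h in headers):
        findings.add(("hsb-group", "dhcp-not-bound-to-hsb"))
    return findings
```

Run `audit()` on the text of each device's saved configuration; an empty set means none of the four checked precautions is violated.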
Procedure
- Configure CSS on core switches and stacking on aggregation switches, and configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see Typical CSS and Stack Deployment.
- Configure interfaces and VLANs on CORE, which is a CSS of core switches.
# Create VLANs.
[CORE] vlan batch 70 80 1000
# Configure an Eth-Trunk interface for connecting to AGG1, which is a stack of aggregation switches. The configuration of an Eth-Trunk interface for connecting to AGG2 (also a stack of aggregation switches) is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit
# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit
# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit
# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit
# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit
- Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70
# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit
# Create Eth-Trunk 1 for connecting to AGG-AC1 and add member interfaces to the Eth-Trunk.
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] description con to AC
[AGG1-Eth-Trunk1] mode lacp
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk1] quit
[AGG1] interface gigabitethernet 0/0/4
[AGG1-GigabitEthernet0/0/4] eth-trunk 1
[AGG1-GigabitEthernet0/0/4] quit
[AGG1] interface gigabitethernet 0/0/5
[AGG1-GigabitEthernet0/0/5] eth-trunk 1
[AGG1-GigabitEthernet0/0/5] quit
# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface Vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit
# Create Layer 3 interface VLANIF 20 for connecting to the ACs.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.20 255.255.255.0
[AGG1-Vlanif20] quit
# Configure a downlink interface for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 30 31 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] quit
- Configure interfaces and VLANs on AGG-AC1. The configurations on AGG-AC2, AGG-AC3, and AGG-AC4 are similar.
# Create VLANs.
<AC6605> system-view
[AC6605] sysname AGG-AC1
[AGG-AC1] vlan batch 20 200
# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add member interfaces to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface gigabitethernet 0/0/21
[AGG-AC1-GigabitEthernet0/0/21] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/21] quit
[AGG-AC1] interface gigabitethernet 0/0/22
[AGG-AC1-GigabitEthernet0/0/22] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/22] quit
# On AGG-AC1, configure the interface connected to AGG-AC2.
[AGG-AC1] interface gigabitethernet 0/0/2
[AGG-AC1-GigabitEthernet0/0/2] port link-type trunk
[AGG-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AGG-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AGG-AC1-GigabitEthernet0/0/2] quit
[AGG-AC1] interface vlanif 200
[AGG-AC1-Vlanif200] ip address 172.16.200.1 255.255.255.0
[AGG-AC1-Vlanif200] quit
- Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 20 30 31 50
# Configure an uplink interface for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 30 31 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit
# Configure downlink interfaces connected to PC1 and AP1, and configure the interfaces as edge ports.
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 50
[ACC1-GigabitEthernet0/0/2] port-isolate enable
[ACC1-GigabitEthernet0/0/2] stp edged-port enable
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type trunk
[ACC1-GigabitEthernet0/0/3] port trunk pvid vlan 20
[ACC1-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 30 31
[ACC1-GigabitEthernet0/0/3] port-isolate enable
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
- Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit
# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG1 to assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.1   //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable   //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif30] quit
# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG1 to assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.1   //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable   //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif31] quit
# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.1   //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp-proxy inner-sub-vlan-proxy enable   //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit
- Configure routing on core and aggregation switches to implement Layer 3 communication.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit
# Configure OSPF on AGG-AC1.
[AGG-AC1] ospf 1 router-id 3.3.3.3
[AGG-AC1-ospf-1] area 1
[AGG-AC1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] quit
[AGG-AC1-ospf-1] quit
- Configure DHCP on AGG-AC1 so that AGG-AC1 can function as a DHCP server to assign IP addresses to APs. The configuration on AGG-AC3 is similar.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[AGG-AC1-Vlanif20] quit
- Configure VRRP and HSB on AGG-AC1. The configuration on AGG-AC2 is similar.
# Set the recovery delay of the VRRP group to 60 seconds.
[AGG-AC1] vrrp recover-delay 60
# Create a management VRRP group on AGG-AC1. Set the priority of AGG-AC1 in the VRRP group to 120 and set the preemption time to 1200 seconds.
[AGG-AC1] interface vlanif 20
[AGG-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[AGG-AC1-Vlanif20] vrrp vrid 1 priority 120
[AGG-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[AGG-AC1-Vlanif20] quit
# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers for the HSB channel.
[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit
# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit
# Bind the AGG-AC1 service to HSB group 0.
[AGG-AC1] hsb-service-type access-user hsb-group 0
[AGG-AC1] hsb-service-type ap hsb-group 0
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] hsb enable
[AGG-AC1-hsb-group-0] quit
# After the configuration is complete, run the display vrrp command on AGG-AC1 and AGG-AC2. The command output shows that the State field of AGG-AC1 displays Master and that of AGG-AC2 displays Backup.
[AGG-AC1] display vrrp
  Vlanif20 | Virtual Router 1
    State : Master
    Virtual IP : 192.168.20.3
    Master IP : 192.168.20.3
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1200 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Track SysHealth Priority reduced : 254
    SysHealth state : UP
    Create time : 2019-11-30 14:23:11
    Last change time : 2019-11-30 14:23:17
[AGG-AC2] display vrrp
  Vlanif20 | Virtual Router 1
    State : Backup
    Virtual IP : 192.168.20.3
    Master IP : 192.168.20.2
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 0
    Preempt : YES   Delay Time : 1200 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Track SysHealth Priority reduced : 254
    SysHealth state : UP
    Create time : 2019-11-30 07:15:11
    Last change time : 2019-11-30 14:23:17
# Check the HSB service status on AGG-AC1 and AGG-AC2. The following command output shows that the Service State field displays Connected, indicating that the HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address      : 172.16.200.1
  Peer IP Address       : 172.16.200.2
  Source Port           : 10241
  Destination Port      : 10241
  Keep Alive Times      : 5
  Keep Alive Interval   : 3
  Service State         : Connected
  Service Batch Modules :
  Shared-key            : -
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address      : 172.16.200.2
  Peer IP Address       : 172.16.200.1
  Source Port           : 10241
  Destination Port      : 10241
  Keep Alive Times      : 5
  Keep Alive Interval   : 3
  Service State         : Connected
  Service Batch Modules :
  Shared-key            : -
----------------------------------------------------------
# Run the display hsb-group 0 command on AGG-AC1 and AGG-AC2 to check the service status of HSB group 0.
[AGG-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif20
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6605
  Peer Group Software Version : V200R007C10
  Group Backup Modules        : Access-user
                                AP
----------------------------------------------------------
[AGG-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif20
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6605
  Peer Group Software Version : V200R007C10
  Group Backup Modules        : Access-user
                                AP
----------------------------------------------------------
- Configure wireless services on AGG-AC1 so that AP1 can go online. The configuration on AGG-AC2 is similar.
# Configure the AC's source interface.
[AGG-AC1] capwap source interface vlanif 20
# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure a country code in the profile, and apply the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code cn
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit
# Add AP1 to the AP group ap-group1 and configure a name for the AP based on its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac 00e0-fc12-3300
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit
# After powering on AP1, run the display ap all command on AGG-AC1 to check the AP running status. The command output shows that the State field displays nor, indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [1]
-----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP             Type         State STA Uptime
-----------------------------------------------------------------------------------------------
1    00e0-fc12-3300 area_1 ap-group1 192.168.20.254 AP6010DN-AGN nor   0   2M:44S
-----------------------------------------------------------------------------------------------
Total AP information:
nor  : normal          [1]
ExtraInfo : Extra information
P  : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP             Type         State STA Uptime     ExtraInfo
----------------------------------------------------------------------------------------------------------
1    00e0-fc12-4400 area_1 ap-group1 192.168.20.148 AP5010DN-AGN nor   0   1H:19M:18S -
----------------------------------------------------------------------------------------------------------
- Configure STAs to go online on AGG-AC1.
# Configure WLAN service parameters, and create security profiles, SSID profiles, and traffic profiles.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] security open
[AGG-AC1-wlan-sec-prof-sec1] quit
[AGG-AC1-wlan-view] ssid-profile name ssid1
[AGG-AC1-wlan-ssid-prof-ssid1] ssid test01
[AGG-AC1-wlan-ssid-prof-ssid1] quit
[AGG-AC1-wlan-view] traffic-profile name traff1
[AGG-AC1-wlan-traffic-prof-traff1] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] security open
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-ssid2] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit
# Create WLAN VAP profiles, configure the service data forwarding mode and service VLANs, apply the security, SSID, and traffic profiles, and enable IPSG, dynamic ARP inspection, and strict STA IP address learning through DHCP.
[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-vap1] security-profile sec1
[AGG-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG-AC1-wlan-vap-prof-vap2] security-profile sec2
[AGG-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG-AC1-wlan-vap-prof-vap2] traffic-profile traff2
[AGG-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-vap2] quit
IP packet check enabled using the ip source check user-bind enable command is based on binding entries. Therefore:
- For DHCP users, enable DHCP snooping on the device to automatically generate dynamic binding entries.
- For users using static IP addresses, manually configure static binding entries.
The prerequisites for running the learn-client-address dhcp-strict command are as follows:
- The DHCP trusted interface configured on an AP has been disabled using the undo dhcp trust port command in the VAP profile view.
- STA IP address learning has been enabled using the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile view.
# Bind VAP profiles to the AP group.
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] quit
[AGG-AC1-wlan-view] quit
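The notes in this step say that ip source check user-bind enable and the ARP check depend on binding entries: dynamic ones from DHCP snooping and static ones configured by hand. The following Python model is an added example, a simplification that is not Huawei's implementation; the STA address 172.16.30.180 and MAC 00e0-fc12-5555 are taken from the verification output on this page, while the other MAC addresses, the static address 172.16.30.50 and the trace are constructed.

```python
from dataclasses import dataclass

INF = float("inf")


@dataclass
class Entry:
    mac: str
    expires: float   # absolute time in seconds; INF for static entries
    kind: str        # "dynamic" (from DHCP snooping) or "static"


class UserBindTable:
    """Simplified model of the binding table that IPSG and ARP checks consult."""

    def __init__(self):
        self.entries = {}                      # (vlan, ip) -> Entry

    def add_static(self, ip, mac, vlan):
        self.entries[(vlan, ip)] = Entry(mac, INF, "static")

    def snoop_dhcp(self, now, msg):
        """Handle one snooped DHCP message; return 'drop', 'bind', 'unbind' or 'pass'."""
        if msg["type"] in ("OFFER", "ACK", "NAK") and not msg["trusted"]:
            return "drop"                      # server reply arriving on an untrusted port
        key = (msg["vlan"], msg["ip"])
        if msg["type"] == "ACK":
            self.entries[key] = Entry(msg["mac"], now + msg["lease"], "dynamic")
            return "bind"
        if msg["type"] == "RELEASE":
            e = self.entries.get(key)
            if e and e.kind == "dynamic" and e.mac == msg["mac"]:
                del self.entries[key]
                return "unbind"
        return "pass"

    def permits(self, now, ip, mac, vlan):
        """IP source check and ARP check: (IP, MAC, VLAN) must match a live entry."""
        e = self.entries.get((vlan, ip))
        return e is not None and e.mac == mac and now < e.expires


def replay(trace):
    """Replay (kind, time, data) events and return one verdict per event."""
    table, verdicts = UserBindTable(), []
    for kind, now, data in trace:
        if kind == "dhcp":
            verdicts.append(table.snoop_dhcp(now, data))
        elif kind == "static":
            table.add_static(*data)
            verdicts.append("bind")
        else:                                  # "ip" or "arp": data = (ip, mac, vlan)
            verdicts.append("permit" if table.permits(now, *data) else "drop")
    return verdicts


STA, STATIC_PC, OTHER = "00e0-fc12-5555", "00e0-fc12-7777", "00e0-fc12-9999"
ACK = {"type": "ACK", "trusted": True, "vlan": 30, "ip": "172.16.30.180",
       "mac": STA, "lease": 86400}             # 1-day lease, as in the pool output
TRACE = [                                      # constructed event trace
    ("dhcp", 0, ACK),                                    # entry learned by snooping
    ("ip", 1, ("172.16.30.180", STA, 30)),               # DHCP user: permitted
    ("ip", 2, ("172.16.30.50", STATIC_PC, 30)),          # static-IP user, no entry yet
    ("static", 3, ("172.16.30.50", STATIC_PC, 30)),      # administrator adds static entry
    ("ip", 4, ("172.16.30.50", STATIC_PC, 30)),          # now permitted
    ("arp", 5, ("172.16.30.180", OTHER, 30)),            # sender MAC does not match entry
    ("dhcp", 6, dict(ACK, trusted=False, ip="172.16.30.181", mac=OTHER)),
    ("ip", 7, ("172.16.30.181", OTHER, 30)),             # no entry was created
    ("ip", 86401, ("172.16.30.180", STA, 30)),           # lease expired
]
```

Calling `replay(TRACE)` shows why a static-IP user is dropped until a static binding entry exists, and why a reply from an untrusted port never produces an entry.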
Verifying the Deployment
Expected Result
Wired and wireless users can access the campus network.
Verification Method
The following uses AGG1 and AGG-AC1 as an example. The verification methods on AGG2 and AGG-AC3 are similar.
- Run the following command on AGG-AC1. The command output shows that an AP has obtained an IP address successfully.
[AGG-AC1] display ip pool interface vlanif20 used
  Pool-name      : Vlanif20
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface       Status : Unlocked
  Gateway-0      : -
  Network        : 192.168.20.0
  Mask           : 255.255.255.0
  Logging        : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total :254   Used :1
                     Idle :251    Expired :0
                     Conflict :0  Disabled :2
 -------------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------------
  192.168.20.1    192.168.20.254     254       1       251(0)        0        2
 -------------------------------------------------------------------------------------
  Client-ID format as follows:
    DHCP  : mac-address                 PPPoE   : mac-address
    IPSec : user-id/portnumber/vrf      PPP     : interface index
    L2TP  : cpu-slot/session-id         SSL-VPN : user-id/session-id
 -------------------------------------------------------------------------------------
  Index  IP              Client-ID       Type  Left   Status
 -------------------------------------------------------------------------------------
  147    192.168.20.148  00e0-fc12-4400  DHCP  80426  Used
 -------------------------------------------------------------------------------------
- Run the following command on AGG1. The command output shows that a wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
  Pool-name      : Vlanif50
  Pool-No        : 2
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 192.168.11.1
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Interface       Status : Unlocked
  Gateway-0      : -
  Network        : 172.16.50.0
  Mask           : 255.255.255.0
  VPN instance   : --
  Logging        : Disable
  Conflicted address recycle interval: -
  Address Statistic: Total :254   Used :1
                     Idle :254    Expired :0
                     Conflict :0  Disabled :0
 -------------------------------------------------------------------------------------
  Network section
         Start           End       Total    Used Idle(Expired) Conflict Disabled
 -------------------------------------------------------------------------------------
  172.16.50.1     172.16.50.254      254       0       254(0)        0        0
 -------------------------------------------------------------------------------------
- Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
  PING 192.168.11.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
    Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms
  --- 192.168.11.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
# After a wireless user connects to AP1, you can view information about the wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-5555 1     area_1  0/1     2.4G 11n  24/1  -38  30   172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180
Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration Files
# CORE configuration file
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
 ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
 ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
 description connect to AGG1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk20
 description connect to AGG2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80
 mode lacp
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 172.16.70.0 0.0.0.255
  network 172.16.80.0 0.0.0.255
  network 192.168.11.0 0.0.0.255
#
return
# AGG-AC1 configuration file
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 200
#
dhcp enable
#
dhcp snooping enable
#
interface vlanif 20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 192.168.20.2
 dhcp server excluded-ip-address 192.168.20.20
#
interface vlanif 200
 ip address 172.16.200.1 255.255.255.0
#
interface eth-trunk 1
 description connect to AGG1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
 mode lacp
#
interface gigabitethernet 0/0/1
 eth-trunk 1
#
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
 undo port trunk allow-pass vlan 1
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.1
  network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
 service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif20
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name traff2
  user-isolate l2
 security-profile name sec1
  security open
 security-profile name sec2
  security open
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 vap-profile name vap1
  forward-mode direct-forward
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode direct-forward
  service-vlan vlan-id 31
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group1
#
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 200
#
interface vlanif 20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif 200
 ip address 172.16.200.2 255.255.255.0
#
interface eth-trunk 1
 description connect to AGG1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
 mode lacp
#
interface gigabitethernet 0/0/1
 eth-trunk 1
#
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
 undo port trunk allow-pass vlan 1
#
hsb-service 0
 service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif20
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 201
#
dhcp enable
#
dhcp snooping enable
#
interface vlanif 21
 ip address 192.168.21.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.21.3
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 192.168.21.2
 dhcp server excluded-ip-address 192.168.21.20
#
interface vlanif 201
 ip address 172.16.201.1 255.255.255.0
#
interface eth-trunk 1
 description connect to AGG2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21
 mode lacp
#
interface gigabitethernet 0/0/1
 eth-trunk 1
#
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 201
 undo port trunk allow-pass vlan 1
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.2
  network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
 service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif21
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name traff2
  user-isolate l2
 security-profile name sec1
  security open
 security-profile name sec2
  security open
 ssid-profile name ssid3
  ssid test03
 ssid-profile name ssid4
  ssid test04
 vap-profile name vap1
  forward-mode direct-forward
  service-vlan vlan-id 40
  ssid-profile ssid3
  security-profile sec1
  traffic-profile traff1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode direct-forward
  service-vlan vlan-id 41
  ssid-profile ssid4
  security-profile sec2
  traffic-profile traff2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
  radio 1
   vap-profile vap1 wlan 1
   vap-profile vap2 wlan 2
 ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group1
 ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
  ap-name area_2
  ap-group ap-group1
#
#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 201
#
interface vlanif 21
 ip address 192.168.21.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.21.3
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif 201
 ip address 172.16.201.2 255.255.255.0
#
interface eth-trunk 1
 description connect to AGG2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21
 mode lacp
#
interface gigabitethernet 0/0/1
 eth-trunk 1
#
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 201
 undo port trunk allow-pass vlan 1
#
hsb-service 0
 service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif21
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
# AGG1 configuration file
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
vlan 31
 dhcp snooping enable
vlan 50
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface Vlanif31
 ip address 172.16.31.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface Vlanif70
 ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
 description con to AC
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
 mode lacp
#
interface Eth-Trunk10
 description con to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 70
 mode lacp
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 to 31 50
 mode lacp
 port-isolate enable
#
interface GigabitEthernet0/0/3
 eth-trunk 30
#
interface GigabitEthernet0/0/4
 eth-trunk 1
#
interface GigabitEthernet0/0/5
 eth-trunk 1
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 30
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
return
# AGG2 configuration file
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
 dhcp snooping enable
vlan 41
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif21
 ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface Vlanif41
 ip address 172.16.41.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
 dhcp server dns-list 192.168.11.1
#
interface Vlanif80
 ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
 description con to AC
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21
 mode lacp
#
interface Eth-Trunk20
 description con to CORE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 80
 mode lacp
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 40 to 41 60
 mode lacp
 port-isolate enable
#
interface GigabitEthernet0/0/3
 eth-trunk 40
#
interface GigabitEthernet0/0/4
 eth-trunk 2
#
interface GigabitEthernet0/0/5
 eth-trunk 2
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface GigabitEthernet1/0/3
 eth-trunk 40
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
return
# ACC1 configuration file
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 50
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 30
#
interface GigabitEthernet0/0/2
 eth-trunk 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 50
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
 port-isolate enable group 1
#
return
# ACC2 configuration file
#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 21 60
 mode lacp
#
interface GigabitEthernet0/0/1
 eth-trunk 40
#
interface GigabitEthernet0/0/2
 eth-trunk 40
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 60
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 21
 stp edged-port enable
 port-isolate enable group 1
#
return
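A consistency check for configuration files of this kind, added here as an example and not part of the vendor documentation: it flags member ports that join an Eth-Trunk with no interface definition, trunk VLANs missing from vlan batch, and an HSB local-ip that no local interface carries. The function names and the SAMPLE fragment are constructed for illustration.

```python
import re

def vlans(text):  # expand a VRP VLAN list such as '20 30 to 31 50' into a set of ints
    return {v for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", text)
            for v in range(int(lo), int(hi or lo) + 1)}

def parse(cfg):  # map each unindented header line to its indented body lines, lowercased
    sections = {}
    for line in cfg.lower().splitlines():
        if line.startswith(" ") and sections:
            sections[head].append(line.strip())
        elif line.strip() not in ("", "#", "return"):
            head = line.strip()
            sections.setdefault(head, [])
    return sections

def audit(cfg):
    """Flag dangling Eth-Trunk members, uncreated trunk VLANs and stray HSB IPs."""
    sec, out = parse(cfg), []
    created = vlans(" ".join(h for h in sec if h.startswith("vlan batch")))
    ifs = {h[10:].replace(" ", ""): b for h, b in sec.items() if h.startswith("interface ")}
    ips = {l.split()[2] for b in ifs.values() for l in b if l.startswith("ip address ")}
    for name, body in ifs.items():
        for l in body:
            if l.startswith("eth-trunk ") and "eth-trunk" + l.split()[1] not in ifs:
                out.append(f"{name}: member of undefined eth-trunk {l.split()[1]}")
            if l.startswith("port trunk allow-pass vlan "):
                out += [f"{name}: VLAN {v} not in vlan batch" for v in sorted(vlans(l) - created)]
    hsb = " ".join(l for h, b in sec.items() if h.startswith("hsb-service ") for l in b)
    out += [f"hsb-service: local-ip {ip} is not on any interface"
            for ip in re.findall(r"local-ip (\S+)", hsb) if ip not in ips]
    return out

# Constructed fragment (not from the page) with three deliberate mismatches.
SAMPLE = """\
vlan batch 21 200
#
interface vlanif 201
 ip address 172.16.201.1 255.255.255.0
#
interface eth-trunk 1
 port trunk allow-pass vlan 21 201
#
interface gigabitethernet 0/0/1
 eth-trunk 2
#
hsb-service 0
 service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
"""
```

Calling audit(SAMPLE) returns one finding per mismatch; an empty list means the three checks passed, not that the configuration is otherwise correct.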