Network Deployment in Small- and Medium-Sized Stores (AR Router Functioning as an Egress Gateway)
Application Scenario and Service Requirements
Application Scenario
This case is applicable to a small- or medium-sized store with multiple APs deployed to provide wireless access. In the store, a small number of wired terminals are allowed to access the network and about 200 guests access the network concurrently in peak hours.
Service Requirements
A small- or medium-sized store intends to build a network and has the following requirements:
- Guests access the Internet using wireless terminals. There are approximate 200 guests in peak hours.
- The store provides Internet access and mobile office services for employees who use wireless and wired terminals. There are around 20 employees in the store.
- Wireless terminals can access the Internet only after successful authentication.
Solution Design
Figure 2-81 shows a recommended networking based on service requirements.
- Wired access
Employees can work and access the Internet using wired terminals in the management area.
In the networking, the S5731-S functions as both a DHCP server to assign IP addresses to wired terminals and a wired access gateway.
- Wi-Fi coverage
A WLAN covers the guest area and management area. Using wireless terminals, guests in the guest area can access the Internet and employees in the management area can work and access the Internet as well.
In the networking, the AC6605 manages wireless services, and APs register with the AC across a Layer 3 network and forward service data packets in direct forwarding mode.
The S5731-S functions as a DHCP server to assign IP addresses to all APs and wireless terminals.
- Network egress
Network address translation (NAT) is configured on the AR6300 to translate public and private IP addresses.
The AR6300 connects to the Internet through PPPoE dial-up.
- Security
An ACL is configured on the S5731-S to control guest access so that wireless users in the guest area can access only the Internet but not terminals in the management area.
The AC6605 manages wireless services. Wireless terminals in the guest area and management area use Portal authentication and WPA-WPA2 authentication, respectively.
In this case, eight APs are deployed in the guest area, and one AP and one wired terminal (PC) are deployed in the management area. Determine the number of APs and wired terminals in each area as needed.
To prevent interference between APs and ensure optimal WLAN coverage, determine the positions where APs are to be installed, channel, bandwidth, and cabling solution according to WLAN Network Planning Guide before deploying APs.
Deployment Roadmap and Data Plan
Deployment Roadmap
- Configure the egress router AR6300.
- Configure PPPoE dialup for Internet access.
- Configure the LAN.
- Configure routes.
- Configure the S5731-S switch.
- Create VLANs, create VLANIF interfaces, and configure IP addresses for the VLANIF interfaces.
- Add VLANs to interfaces on the switch.
- Enable the DHCP server function. The switch then can assign IP addresses to APs, and wired and wireless terminals.
- Configure an ACL to control user access. Guests in the guest area can access only the Internet. This ensures data security in the management area.
- Configure a default static route with the next hop being the IP address of a downlink interface on the egress router.
- Configure the AC6605.
- Configure network interconnection.
- Configure APs to go online.
- Configure WLAN services.
Data Plan
Item |
Description |
|---|---|
VLAN 100 |
Wireless access management VLAN of the AC, also used for communication between the switch and AC |
VLAN 102 |
VLAN to which APs belong |
VLAN 103 |
VLAN to which uplink interfaces of the switch belong, used for communication between the switch and AR router |
VLAN 2000 |
Wireless access VLAN in the guest area |
VLAN 2100 |
Wireless access VLAN in the management area |
VLAN 2200 |
Wired access VLAN in the management area |
Device |
Interface Number |
VLAN to Which the Interface Belongs |
IP Address |
Description |
|---|---|---|---|---|
AR6300 |
GE0/0/2 |
- |
10.103.1.2/24 |
Downlink interface for communicating with the S5731-S |
GE0/0/0 |
- |
Negotiated IP address |
Uplink egress connected to an external network |
|
S5731-S |
GE0/0/1 to GE0/0/8 |
VLAN 102 and VLAN 2000 |
VLANIF 102: 10.102.1.1/24 VLANIF 2000: 192.168.200.1/24 |
Interfaces connected to the AP6050DNs in the guest area |
GE0/0/9 |
VLAN 102 and VLAN 2100 |
VLANIF 102: 10.102.1.1/24 VLANIF 2100: 192.168.210.1/24 |
Interface connected to the AP6050DN in the management area |
|
GE0/0/10 |
VLAN 2200 |
VLANIF 2200: 192.168.220.1/24 |
Interface providing access for a wired terminal in the management area |
|
GE0/0/11 |
VLAN 100 |
VLANIF 100: 10.100.1.1/24 |
Interface connected to the AC6605 |
|
GE0/0/12 |
VLAN 103 |
VLANIF 103: 10.103.1.1/24 |
Interface connected to the AR6300 |
|
AC6605 |
GE0/0/1 |
VLAN 100 |
10.100.1.2/24 |
Interface connected to the S5731-S |
Device |
Destination IP Address/Mask |
Next Hop/Outbound Interface |
Description |
|---|---|---|---|
AR6300 |
10.102.1.0/24 |
10.103.1.1 |
Route destined for APs |
192.168.200.0/24 |
10.103.1.1 |
Route destined for wireless terminals in the guest area |
|
192.168.210.0/24 |
10.103.1.1 |
Route destined for wireless terminals in the management area |
|
192.168.220.0/24 |
10.103.1.1 |
Route destined for wired terminals in the management area |
|
S5731-S |
0.0.0.0/0.0.0.0 |
10.103.1.2 |
Default route |
AC6605 |
0.0.0.0/0.0.0.0 |
10.100.1.1 |
Default route with the next hop being VLANIF 100 of the switch |
Item |
Data |
|---|---|
Source NAT policy |
Enabled |
Internet access mode |
PPPoE dial-up |
LAN gateway address/mask |
10.103.1.2/255.255.255.0 |
Item |
Data |
|---|---|
VLAN |
VLAN 100 VLAN 102 VLAN 103 VLAN 2000 VLAN 2100 VLAN 2200 |
IP address |
VLANIF 100: 10.100.1.1/24 VLANIF 102: 10.102.1.1/24 VLANIF 103: 10.103.1.1/24 VLANIF 2000: 192.168.200.1/24 VLANIF 2100: 192.168.210.1/24 VLANIF 2200: 192.168.220.1/24 |
DHCP |
Interface address pools: VLANIF 102: 10.102.1.1/24 (for APs); DHCP server option: 43; sub-option: 3; ascii: 10.100.1.2 VLANIF 2000: 192.168.200.1/24 (for wireless terminals in the guest area) VLANIF 2100: 192.168.210.1/24 (for wireless terminals in the management area) VLANIF 2200: 192.168.220.1/24 (for wired terminals in the management area) |
DNS server |
IP address: 114.114.114.114 |
ACL |
|
Item |
Data |
|---|---|
Management VLAN for APs |
VLAN 100 |
WLAN AC source interface |
VLANIF 100: 10.100.1.2/24 |
Guest Wi-Fi (covering the guest area) |
|
Employee Wi-Fi (covering the guest and management areas) |
|
Authentication-free rule |
DNS server address: 114.114.114.114 |
Device Requirements and Versions
Deployment Procedure
Configuring the AR6300
Preparations
Before the configuration, log in to the web system of the AR router using a PC and perform the following operations:
- Change the IP address of the PC to 192.168.1.x, for example, 192.168.1.100. The IP address cannot be set to 192.168.1.1.
- Connect the PC to the management interface (marked with the Management silkscreen) of the AR router using Ethernet cables.
- Visit https://192.168.1.1 using a browser on the PC and log in using the default username and password. The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
Change the password as prompted upon the first login.
Procedure
- Configure PPPoE dialup for Internet access.
- In the Ethernet Interface Settings area, select the interface for Internet access, select Broadband dialup (PPPoE) from the Connection mode drop-down list box, set other parameters, and click OK, as shown in Figure 2-82.
- Configure the LAN.
- Click the Interface Attribute tab. In the Ethernet Interface List area, click Convert in the operation column of GigabitEthernet0/0/2, and click OK to configure the interface as a Layer 2 interface.Figure 2-83 Changing a Layer 3 Interface to a Layer 2 Interface
- Click LAN (Local Area Network). On the Default Gateway tab page, set the IP address and subnet mask of the default gateway for user hosts, as shown in Figure 2-84.
- Choose Advanced > IP > DHCP. On the DHCP Address Pool tab page, set DHCP status of OFF, as shown in Figure 2-85.
- Click the Interface Attribute tab. In the Ethernet Interface List area, click Convert in the operation column of GigabitEthernet0/0/2, and click OK to configure the interface as a Layer 2 interface.
- Configure routes.
- Expand Static Route, configure route information according to Table 2-125, and click Add.Figure 2-86 Configuring a static routeRepeat the preceding steps to configure all required static routes according to Table 2-125.
- Expand Static Route, configure route information according to Table 2-125, and click Add.
Configuring the S5731-S
Preparations
Before the configuration, you need to log in to the web system of the switch using a PC and perform the following operations.
In this example, all configurations of the S5731-S are performed in traditional management mode. If the switch is in NETCONF mode, log in to the switch through the web system and switch to the traditional management mode.
- Connect the PC to the first Ethernet interface on the switch using network cables.
- Press and hold down the MODE button for at least 6 seconds. When all indicators on the switch are steady green, the switch enters the initial configuration mode. After the switch enters the initial configuration mode, the default IP address 192.168.1.253/24 is configured for VLANIF 1 by default.
- Configure the PC with an IP address that is on the same subnet as the default IP address of the switch so that the PC and switch can communicate with each other at Layer 3.
- Visit https://192.168.1.253 using a browser on the PC and log in using the default username and password. Change the password as prompted upon the first login. The default username and password are available in S Series Switches Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
- By default, the switch works in traditional management mode. If the switch works in NETCONF mode, log in to the switch's web system, choose , set Device Working Mode to Traditional management mode, and click Apply.
Procedure
- Create VLANs, create VLANIF interfaces, and configure IP addresses for the VLANIF interfaces.
- Create VLAN 102 to which APs belong and configure an IP address for VLANIF 102.
- Choose Configuration > Basic Services > VLAN from the main menu. The VLAN configuration page is displayed.
- Click Create. The Create VLAN page is displayed.
- Set VLAN ID to 102.
- Select Create VLANIF, set IPv4 address to 10.102.1.1, and set Mask to 24.
Click OK. VLAN 102 is configured, as shown in Figure 2-87.
- Create VLAN 102 to which APs belong and configure an IP address for VLANIF 102.
- Add interfaces on the switch to VLANs.
- Configure interfaces connected to the APs in the guest area.
- Choose Configuration > Basic Services > Interface Settings from the main menu. The Interface Settings page is displayed.
- Click Customized Under Select Task.Figure 2-88 Customizing interface configurations
- Select interfaces 1 to 8.
- Set Link Type to Trunk, Default VLAN to 102, and Pass VLAN(Tagged) to 102,2000.Figure 2-89 Configuring interfaces connected to the APs in the guest area
- Click Apply. The interfaces are configured.
- Configure interfaces connected to the APs in the guest area.
- Enable the DHCP server function.
- Configure an IP address pool from which the DHCP server assigns IP addresses to APs.
- Choose Configuration > Basic Services > DHCP from the main menu. The DHCP Address Pool page is displayed.
- Set DHCP status to ON. The DHCP function is enabled globally.
- In the Address Pool List area, click Create. The Create DHCP Address Pool page is displayed.Figure 2-90 Address pool list
- Set Address pool type to Interface address pool, and select Vlanif102.Figure 2-91 Interface address pool
- Set Vendor-defined to sub-option, and set 3, ascii, and 10.100.1.2 in the three text boxes below.Figure 2-92 Vendor-defined parameter
- Click Advanced, and set the IP address of the primary DNS server to 114.114.114.114.Figure 2-93 DNS server
- Click OK. The DHCP server function is configured.
- Configure an IP address pool from which the DHCP server assigns IP addresses to APs.
- Configure an ACL to limit access of wireless end users in the guest area.
- Choose Configuration > Security Services > ACL from the main menu. The ACL configuration page is displayed.
- Click the VLAN ACL tab, set VLAN ID to 2000, and click Add to add an ACL rule.Figure 2-94 Configuring an ACL rule
Table 2-129 describes the involved configuration items.
- Click Apply. ACL rules are configured.
- Configure a default route.Click
, as shown in Figure 2-95. The default route is configured.
, as shown in 
Configuring the AC6605
Preparations
- Activate the license on the Huawei ESDP website by binding the activation password to the ESN of the WLAN AC, that is, the SN on the label. Then download the generated license file.
Before the configuration, you need to log in to the web system of the WLAN AC using a PC and perform the following operations:
- Change the IP address of the wired network port on the PC to 169.254.1.x, such as 169.254.1.100. The IP address cannot be set to 169.254.1.1.
- Connect the PC to any idle network port on the AC using a network cable.
- Visit https://169.254.1.1 using a browser on the PC and log in using the default username and password. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
Change the password as prompted upon the first login.
Procedure
- Configure system parameters of the AC.
- Configure basic AC parameters.
- Choose from the main menu. The Basic AC Configuration page is displayed.
- Set Country/Region. The following uses China as an example. Set System time to Manual and Date and time to PC Time.
- Expand License Loading, import the license file, and activate it.
- Click Next. The Port Configuration page is displayed.
- Configure ports on the AC.
- Select GigabitEthernet0/0/1, expand Batch Modify, and set Interface type to Trunk and VLAN (Tagged) to 100.
- Click Apply. In the dialog box that is displayed, click OK.
- Click Next. The Network Interconnection Configuration page is displayed.
- Select GigabitEthernet0/0/1, expand Batch Modify, and set Interface type to Trunk and VLAN (Tagged) to 100.
- Configure network interconnection.
- Click Create under Interface Configuration. The Create Interface Configuration window is displayed.
- Set the IP address of VLANIF 100 to 10.100.1.2/24.
- Click OK.
- Expand Static Route Table, and then click Create. The Create Static Route Table dialog box is displayed.
- Configure a default route with the next hop being GE0/0/11 (using IP address 10.100.1.1) on the switch.
- Click OK.
- Click Next.
- Skip the AC backup configuration and click Next. The AC Source Address page is displayed.
- Configure the AC source address.
- Set AC source address to Vlanif100.
- Click Next. The Confirm Settings page is displayed.
- Set AC source address to Vlanif100.
- Configure basic AC parameters.
- Configure APs to go online.
- Configure APs to go online.
- Click Batch Import. The Batch Import dialog box is displayed.
- Click
to download the AP template.
- Enter the information about each AP in the AP template. The items in the following table are involved.
Item
Description
MAC address of an AP
The parameter must be set according to the actual value.
SN of an AP
The parameter must be set according to the actual value.
AP name
Set this parameter to AP1 to AP9 for each AP in sequence.
AP group
- Add AP1 to AP8 deployed in the guest area to ap-group1.
- Add AP9 deployed in the management area to ap-group2.
- You can check the MAC address and SN on the label attached on each AP.
- If AP authentication mode is set to MAC address authentication, AP MAC must be specified and AP SN is optional. If AP authentication mode is set to SN authentication, AP SN must be specified and AP MAC is optional.
- You are advised to use the WLAN Planner to export the planned settings to a .csv file, such as the radio ID, AP channel, frequency bandwidth, and power, and then fill the information into the AP template. Set the longitude and latitude in the template based on your site requirements.
- Click
next to Import AP file, select the AP template filled with planned settings, and click Import.
- After the template is imported, the import result is displayed. Click OK.
- Click Next. The Confirm Configurations page is displayed.
- Configure APs to go online.
- Configure WLAN services.
- Configure a Wi-Fi network for employees.
- Click Create. The Basic Information page is displayed.
- Set SSID Name to employee and Service VLAN ID to 2100.
- Click Next. The Security Authentication page is displayed.
- Select Key (applicable to personal networks), select AES-TKIP (AES and TKIP), and configure a key.
- Click Next. The Access Control page is displayed.
- Bind the SSID to the AP group ap-group2.
- Click Finish.
- Configure a Wi-Fi network for guests.
- Click Create. The Basic Information page is displayed.
- Set SSID Name to guest and Service VLAN ID to 2000.
- Click Next. The Security Authentication page is displayed.
- Set Security settings to Portal (applicable to enterprise networks) and set Portal server to Built-in Portal server. In the Built-in Portal Server Configuration area, set the server IP address and port number and set SSL policy to default_policy. You need to set the IP address of a Layer 3 interface that has a reachable route to users. In this example, the server IP address is set to 10.100.1.3.
- Click Manage next to Local user. The Local User page is displayed.
- Click Create. The Create Local User page is displayed.
- Set Creation mode to Manually add, and set a user name and password for the local user.
- Click OK.
- On the Local User page, select the created local user and click OK.
- Click Next. The Access Control page is displayed.
- Bind the SSID to the AP group ap-group1.
- Click Finish.
- Configure network resources that unauthenticated guests can access when connecting to the guest SSID.
- Choose from the main menu. The Profile Management page is displayed.
- Choose . The Authentication-free Rule Profile page is displayed.
- Select the authentication-free rule profile default_free_rule.
- Set Control mode to Authentication-free rule.
- Click Create, set Rule ID to 1, and set Destination IP address to the IP address of the DNS server.
- Click OK.
- Select the created authentication-free rule and click Apply. In the dialog box that is displayed, click OK.
- Configure a Wi-Fi network for employees.
to download the AP template.
next to 
Verifying the Configuration
- Verify whether guests in the guest area can access the WLAN and ensure that the following requirements can be met:
- The WLAN with the SSID guest is available to wireless end users in the guest area. After connecting to WLAN and performing operations as promoted, guests can be authenticated successfully and access the Internet.
- Wireless terminals in the guest area can obtain IP addresses on the subnet 192.168.200.0/24 after associating with the SSID guest.
- Wireless end users in the guest area, such as guests using laptops, cannot ping the wireless access gateway (192.168.210.1) in the management area.
- Verify whether employees in the management area can access the Internet and ensure that the following requirements are met:
- The WLAN with the SSID employee is available to wireless end users in the management area. End users have access to the Internet after entering the password YsHsjx_202206.
- Wireless terminals in the management area can obtain IP addresses on the subnet 192.168.210.0/24 after associating with the SSID employee.
- Wired end users in the management area can access the Internet and obtain IP addresses on the subnet 192.168.220.0/24.
- Wired end users in the management area can ping the wireless access gateway (192.168.210.1) in the management area.
Configuration Files
#
dns resolve
dns proxy enable
#
acl name GigabitEthernet0/0/0 2999
rule 5 permit
#
interface Dialer1
link-protocol ppp
ppp chap user admin
ppp chap password cipher %^%#Tj#S%h%p:+J`b#~!2&lFqh79>gVT0<Br@=(H43UN%^%#
ppp pap local-user admin password cipher %^%#qLq_5;^}n*B#['~ii{+.]U)0U\ra`PB\7:ZXL=\I%^%#
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
dialer user arweb
dialer bundle 1
dialer number 1 autodial
dialer-group 1
nat outbound 2999
#
interface Vlanif1
ip address 10.103.1.2 255.255.255.0
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/2
portswitch
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 10.102.1.0 255.255.255.0 10.103.1.1
ip route-static 192.168.200.0 255.255.255.0 10.103.1.1
ip route-static 192.168.210.0 255.255.255.0 10.103.1.1
ip route-static 192.168.220.0 255.255.255.0 10.103.1.1
#
return
# vlan batch 100 102 to 103 2000 2100 2200 # dhcp enable # acl name vlan2000 3999 rule 5 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.220.0 0.0.0.255 rule 10 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.210.0 0.0.0.255 # interface Vlanif100 ip address 10.100.1.1 255.255.255.0 # interface Vlanif102 ip address 10.102.1.1 255.255.255.0 dhcp select interface dhcp server dns-list 114.114.114.114 dhcp server option 43 sub-option 3 ascii 10.100.1.2 # interface Vlanif103 ip address 10.103.1.1 255.255.255.0 # interface Vlanif2000 ip address 192.168.200.1 255.255.255.0 dhcp select interface dhcp server dns-list 114.114.114.114 # interface Vlanif2100 ip address 192.168.210.1 255.255.255.0 dhcp select interface dhcp server dns-list 114.114.114.114 # interface Vlanif2200 ip address 192.168.220.1 255.255.255.0 dhcp select interface dhcp server dns-list 114.114.114.114 # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/2 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/3 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/4 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/5 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/6 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/7 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/8 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2000 # interface GigabitEthernet0/0/9 port link-type trunk port trunk pvid vlan 102 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 2100 # interface GigabitEthernet0/0/10 port link-type access port default vlan 2200 loopback-detect enable port description desktop undo trust 8021p # interface GigabitEthernet0/0/11 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/12 port link-type access port default vlan 103 # ip route-static 0.0.0.0 0.0.0.0 10.103.1.2 # traffic-filter vlan 2000 inbound acl name vlan2000 # return
# portal local-server ip 10.100.1.3 portal local-server url 10.100.1.3 portal local-server https ssl-policy default_policy port 20000 # vlan batch 100 2000 2100 2200 # authentication-profile name guest portal-access-profile guest web-description inner+local authentication-scheme guest # free-rule-template name default_free_rule free-rule 1 destination ip 114.114.114.114 mask 255.255.255.255 # portal-access-profile name guest portal local-server enable # aaa authentication-scheme guest authentication-mode none local-user admin password irreversible-cipher $1a$D[%AQ7aQQ0$z%oZMBn:`%##J2VG6;R&~1n!JTfvI0t`+uH`<K+)$ # interface Vlanif100 ip address 10.100.1.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # ip route-static 0.0.0.0 0.0.0.0 10.100.1.1 # capwap source interface vlanif100 # wlan traffic-profile name guest rate-limit client up 1000 rate-limit client down 2000 security-profile name guest security open security-profile name employee security wpa-wpa2 psk pass-phrase %^%#F)&d'L_r}$$%`O9)#'>O%I*KC<O^!X%kI+6V'HhK%^%# aes-tkip ssid-profile name guest ssid guest ssid-profile name employee ssid employee vap-profile name guest service-vlan vlan-id 2000 ssid-profile guest security-profile guest traffic-profile guest authentication-profile guest vap-profile name employee service-vlan vlan-id 2100 ssid-profile employee security-profile employee ap-group name ap-group1 radio 0 vap-profile guest wlan 1 vap-profile employee wlan 2 radio 1 vap-profile guest wlan 1 vap-profile employee wlan 2 radio 2 vap-profile guest wlan 1 vap-profile employee wlan 2 ap-group name ap-group2 radio 0 vap-profile employee wlan 1 radio 1 vap-profile employee wlan 1 radio 2 vap-profile employee wlan 1 ap-id 0 type-id 30 ap-mac 00e0-fc76-e360 ap-sn 210235449210CB000010 ap-group ap-group1 ap-id 1 type-id 30 ap-mac 00e0-fc76-e361 ap-sn 210235449210CB000011 ap-group ap-group1 ap-id 2 type-id 30 ap-mac 00e0-fc76-e362 ap-sn 210235449210CB000012 ap-group ap-group1 ap-id 3 type-id 30 ap-mac 00e0-fc76-e363 ap-sn 210235449210CB000013 ap-group ap-group1 ap-id 4 type-id 30 ap-mac 00e0-fc76-e364 ap-sn 210235449210CB000014 ap-group ap-group1 ap-id 5 type-id 30 ap-mac 00e0-fc76-e365 ap-sn 210235449210CB000015 ap-group ap-group1 ap-id 6 type-id 30 ap-mac 00e0-fc76-e366 ap-sn 210235449210CB000016 ap-group ap-group1 ap-id 7 type-id 30 ap-mac 00e0-fc76-e367 ap-sn 210235449210CB000017 ap-group ap-group1 ap-id 8 type-id 30 ap-mac 00e0-fc76-e368 ap-sn 210235449210CB000018 ap-group ap-group1 ap-id 9 type-id 56 ap-mac 00e0-fc76-e369 ap-sn 210235449210CB000019 ap-group ap-group2 # return