No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
S300, S500, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides campus networks typical configuration examples and feature typical configuration examples. "Campus Networks Typical Configuration Examples" provides typical campus network networking modes and a variety of deployment examples."Feature Typical Configuration Examples" provides typical configuration examples of a single feature on a switch. You can configure required features after deploying a campus network.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point

Native AC + NAC Solution: Parent (Core Switches) in an SVF System Functions as the Authentication Point

Networking Requirements

Core switches set up a CSS that functions as the core of the entire campus network to implement high network reliability and forwarding of a large amount of data. In addition, core switches are configured with the native AC function to manage APs and transmit wireless service traffic on the entire network, implementing wired and wireless convergence.

Aggregation switches set up stacks to implement device-level backup and increase the interface density and forwarding bandwidth.

There are a large number of wired and wireless access devices that are widely distributed. To implement unified management and configuration and reduce management costs, SVF is deployed on the network. Core, aggregation, and access switches set up an SVF system. In the SVF system, the CSS of core switches functions as the parent, and aggregation and access switches function as ASs. The parent manages and configures ASs in a unified manner.

In this example, core switches set up an SVF system, which functions as the gateway and authentication point for wired and wireless users on the entire network. These users can access the network only after being authenticated. The specific requirements are as follows:

  • Agile Controller-Campus functions as both the access authentication server and user data source server.
  • Users include employees and guests. Wired users use combined 802.1X + Portal authentication, and wireless users use 802.1X authentication and MAC address-prioritized Portal authentication.
  • The authentication server delivers authorization ACLs to control network access rights of different users.
Figure 2-68 Parent (core switches) in an SVF system functioning as the authentication point

Device Requirements and Versions

Location

Device Requirement

Device Used in This Example

Version Used in This Example

Core layer
  • Modular switches configured with X series cards
  • Layer 3 fixed switches that support the native AC function, such as S5731-H switches

S12700E

V200R019C10

Aggregation layer

-

S5731-H

Access layer

-

S5735-L

AP

-

AP6050DN

V200R019C00

Deployment Roadmap

Step

Deployment Roadmap

Devices Involved

1

Configure AAA, including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server.

Core switches (CORE)

2

Configure a pre-authentication domain and a post-authentication domain.

Core switches (CORE)

3

Configure combined 802.1X + Portal authentication for wired users. In an SVF system, the authentication mode of wired users needs to be defined in a user access profile.

Core switches (CORE)

4

Configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.

Core switches (CORE)

6

Log in to Agile Controller-Campus, add users, and configure parameters for interconnection with CORE, RADIUS and Portal parameters, as well as the authentication and authorization functions.

Agile Controller-Campus

Data Plan

Table 2-88 Service data plan for core switches

Item

VLAN ID

Network Segment

Management VLAN

VLAN 20

192.168.20.0/24

Service VLANs for wireless users (AP1)

VLAN 30

172.16.30.0/24

VLAN 40

172.16.40.0/24

Service VLAN for a wired user (PC1)

VLAN 50

172.16.50.0/24

Service VLAN for a wired user (PC2)

VLAN 60

172.16.60.0/24

Network segment for communication with servers

VLAN 1000

192.168.11.0/24
Table 2-89 Wireless service data plan for core switches

Item

Data

AP group

ap-group

Regulatory domain profile

domain

SSID profiles

ssid1, ssid2

VAP profiles

vap1, vap2 (The data forwarding mode in the VAP profiles is tunnel forwarding.)
Table 2-90 Data plan for the SVF system

Item

Data

Parent

CSS of two S12700E switches

Parent's cards connected to ASs

X1E cards of the same type in slot 1 of the two CSS member switches

MAC addresses of ASs and APs

as-layer1-1: 00e0-fc01-0011

as-layer1-2: 00e0-fc01-0022

as-layer2-1: 00e0-fc01-0033

as-layer2-2: 00e0-fc01-0044

Management VLAN of the SVF system

VLAN 20

IP address of the management VLANIF interface

192.168.20.1/24

Parent's interfaces connected to as-layer1-1

GE1/1/0/1 and GE2/1/0/2

Add the interfaces to Eth-Trunk 10 and bind them to fabric port 1.

Parent's interfaces connected to as-layer1-2

GE1/1/0/2 and GE2/1/0/1

Add the interfaces to Eth-Trunk 20 and bind them to fabric port 2.

as-layer1-1's interfaces connected to as-layer2-1

GE0/0/3 and GE1/0/3

Add the interfaces to Eth-Trunk 30 and bind them to fabric port 3.

as-layer1-2's interfaces connected to as-layer2-2

GE0/0/3 and GE1/0/3

Add the interfaces to Eth-Trunk 40 and bind them to fabric port 4.

as-layer2-1's interface connected to AP1

GE0/0/4

Add the interface to an AP port group.

as-layer2-2's interface connected to AP2

GE0/0/4

Add the interface to an AP port group.

AS authentication mode

Whitelist authentication

Service configuration of an AS administrator profile

Administrator profile admin_profile, in which the administrator user name and password are configured

AS group admin_group, which includes all ASs

Bind the administrator profile admin_profile to the AS group admin_group.

Service configuration of AS network basic profiles

Network basic profile basic_profile_1, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through

Network basic profile basic_profile_2, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through

Network basic profile basic_profile_3, in which VLAN 50 is configured as the VLAN from which packets are allowed to pass through

Network basic profile basic_profile_4, in which VLAN 60 is configured as the VLAN from which packets are allowed to pass through

Port group port_group_1, which includes all downlink interfaces of as-layer1-1

Port group port_group_2, which includes all downlink interfaces of as-layer1-2

Port group port_group_3, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-1

Port group port_group_4, which includes all downlink interfaces (except GigabitEthernet 0/0/4 connected to an AP) of as-layer2-2

Bind network basic profile basic_profile_1 to port group port_group_1.

Bind network basic profile basic_profile_2 to port group port_group_2.

Bind network basic profile basic_profile_3 to port group port_group_3.

Bind network basic profile basic_profile_4 to port group port_group_4.
Table 2-91 Authentication service data plan for core switches

Item

Data

AAA schemes
Authentication scheme:
  • Name: auth
  • Authentication mode: RADIUS

Accounting scheme:

  • Name: acco
  • Accounting mode: RADIUS

RADIUS server
  • RADIUS server template name: tem_rad
  • IP address of the authentication server: 192.168.11.1
  • Port number of the authentication server: 1812
  • IP address of the accounting server: 192.168.11.1
  • Port number of the accounting server: 1813
  • Accounting interval: 15 minutes
  • Authentication and accounting keys: Admin@123
  • Authorization key: Admin@123

Portal server
  • Portal server template name: tem_portal
  • IP address: 192.168.11.1
  • Port number: 50200
  • Shared key: Admin@123

802.1X access profile
  • Name: d1
  • Authentication mode: EAP

Portal access profile

Name: web1

MAC access profile

Name: mac1

Pre-authentication domain

IP address of the DNS server: 192.168.11.2

Post-authentication domains
  • Employees: service server and Internet
  • Guests: Internet

The IP addresses of the service server and campus egress device are 192.168.11.3 and 172.16.3.1, respectively.
Table 2-92 Service data plan for Agile Controller-Campus

Item

Data

IP address of CORE

192.168.11.254

RADIUS parameters

  • Device series: Huawei S series switches

  • Authentication and accounting keys: Admin@123

  • Authorization key: Admin@123

  • Real-time accounting interval: 15 minutes

Portal parameters

  • Port number: 2000

  • Portal key: Admin@123

  • IP addresses of access terminals:

    Wireless: 192.168.13.0/24

    Wired: 192.168.14.0/24

Accounts
Employee:

  • User name: user1

  • Password: Example@123

Guest:

  • User name: user2

  • Password: Guest@123

Procedure

  1. Enable campus network connectivity. For details, see Native AC + SVF Solution: the Parent Containing Core Switches Functions as the Gateway for Wired and Wireless Users.

    For wireless users, the security policies in security profiles vary according to access authentication modes.

    User Access Authentication Mode

    Security Policy

    MAC address authentication or Portal authentication

    Open system authentication

    802.1X authentication

    WPA/WPA2-802.1X authentication. WPA2 authentication is used in this example.

    For users who use 802.1X authentication, configure a security policy in security profile sec1 as follows:

    [CORE-wlan-sec-prof-sec1] security wpa2 dot1x aes

    For users who use MAC address-prioritized Portal authentication, configure a security policy in security profile sec2 as follows:

    [CORE-wlan-sec-prof-sec2] security open

  2. Configure AAA on CORE.

    # Configure the RADIUS server template tem_rad and configure parameters for interconnection between CORE and the RADIUS server. The parameters include the IP addresses, port numbers, and shared keys of the RADIUS authentication and accounting servers.
    <CORE> system-view
[CORE] radius-server template tem_rad 
[CORE-radius-tem_rad] radius-server authentication 192.168.11.1 1812 
[CORE-radius-tem_rad] radius-server accounting 192.168.11.1 1813 
[CORE-radius-tem_rad] radius-server shared-key cipher Admin@123 
[CORE-radius-tem_rad] quit

    # Configure a RADIUS authorization server.

    [CORE] radius-server authorization 192.168.11.1 shared-key cipher Example@123
    # Configure AAA schemes, set the authentication, authorization, and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
    [CORE] aaa 
[CORE-aaa] authentication-scheme auth     
[CORE-aaa-authen-auth] authentication-mode radius   
[CORE-aaa-authen-auth] quit 
[CORE-aaa] accounting-scheme acco 
[CORE-aaa-accounting-acco] accounting-mode radius 
[CORE-aaa-accounting-acco] accounting realtime 15 
[CORE-aaa-accounting-acco] quit
    # Configure the domain huawei.com and bind AAA schemes and RADIUS server template to this domain.
    [CORE-aaa] domain huawei.com 
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad 
[CORE-aaa-domain-huawei.com] quit 
[CORE-aaa] quit

  3. Configure a pre-authentication domain and a post-authentication domain on CORE.

    # Configure a pre-authentication domain to allow packets destined for the DNS server to pass through before users are authenticated.
    [CORE] free-rule-template name default_free_rule 
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.2 mask 32 
[CORE-free-rule-default_free_rule] quit
    # Configure post-authentication domains. Configure ACL 3001 and ACL 3002 to control the network access rights of employees and guests, respectively.
    [CORE] acl 3001   //Configure an ACL for authorization of employees, so that they can access the Internet and service server after being authenticated.
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.11.3 0.0.0.0
[CORE-acl-adv-3001] rule 3 deny ip destination any
[CORE-acl-adv-3001] quit
[CORE] acl 3002   //Configure an ACL for authorization of guests, so that they can access the Internet after being authenticated.
[CORE-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 
[CORE-acl-adv-3002] rule 2 deny ip destination any
[CORE-acl-adv-3002] quit

  4. Configure combined 802.1X + Portal authentication for wired users on CORE.

    # Change the NAC mode to unified.

    By default, the unified mode is used. The switch will restart automatically after the NAC mode is changed between common and unified modes.

    [CORE] authentication unified-mode
    # Configure an 802.1X access profile.

    By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.

    [CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] dot1x authentication-method eap
[CORE-dot1x-access-profile-d1] quit
    # Configure a MAC access profile.
    [CORE] mac-access-profile name mac1 
[CORE-mac-access-profile-mac1] quit
    # Configure Portal server template tem_portal, and set parameters for interconnection between CORE and the Portal server. The parameters include the IP address, port number, and shared key of the Portal server.
    [CORE] web-auth-server tem_portal 
[CORE-web-auth-server-tem_portal] server-ip 192.168.11.1   
[CORE-web-auth-server-tem_portal] port 50200   //The Portal server port number is fixed at 50200 when Agile Controller-Campus functions as the Portal server.
[CORE-web-auth-server-tem_portal] shared-key cipher Admin@123
[CORE-web-auth-server-tem_portal] url http://192.168.11.1:8080/portal
[CORE-web-auth-server-tem_portal] quit

    # Configure a Portal access profile.

    [CORE] portal-access-profile name web1 
[CORE-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-portal-acces-profile-web1] quit

    # Configure an authentication profile for wired users, and bind the 802.1X access profile and Portal access profile to the authentication profile.

    [CORE] authentication-profile name p1 
[CORE-authen-profile-p1] dot1x-access-profile d1 
[CORE-authen-profile-p1] portal-access-profile web1 
[CORE-authen-profile-p1] free-rule-template default_free_rule 
[CORE-authen-profile-p1] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit

    # Configure combined 802.1X + Portal authentication for wired users.

    [CORE] uni-mng 
[CORE-um] user-access-profile name test01       //Configure a user access profile, which needs to be bound to authentication profile p1.
[CORE-um-user-access-test01] authentication-profile p1  
[CORE-um-user-access-test01] quit 
[CORE-um] port-group name port_group_3           //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_1] user-access-profile test01 
[CORE-um-portgroup-port_group_1] as name as-layer2-1 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24 
[CORE-um-portgroup-port_group_1] quit 
[CORE-um] port-group name port_group_4           //Configure a port group, which needs to be bound to the user access profile and interfaces of the AS.
[CORE-um-portgroup-port_group_2] user-access-profile test01 
[CORE-um-portgroup-port_group_2] as name as-layer2-2 interface gigabitEthernet 0/0/2 gigabitEthernet 0/0/4 to 0/0/24 
[CORE-um-portgroup-port_group_2] quit 
[CORE-um] commit as all                           //Commit the configuration. Configurations in service profiles then are delivered to ASs.
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[CORE-um] quit

  5. On CORE, configure 802.1X authentication and MAC address-prioritized Portal authentication for wireless users.

    # Configure an authentication profile for wireless users, and set the authentication mode to MAC address-prioritized Portal authentication.

    [CORE] authentication-profile name p2
[CORE-authen-profile-p2] portal-access-profile web1
[CORE-authen-profile-p2] mac-access-profile mac1
[CORE-authen-profile-p2] free-rule-template default_free_rule 
[CORE-authen-profile-p2] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p2] quit

    # Configure an authentication profile for wireless users, and set the authentication mode to 802.1X authentication.

    [CORE] authentication-profile name p3 
[CORE-authen-profile-p3] dot1x-access-profile d1
[CORE-authen-profile-p3] free-rule-template default_free_rule 
[CORE-authen-profile-p3] access-domain huawei.com force  //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p3] quit

    # Configure 802.1X authentication for wireless users in VAP profile vap1.

    [CORE] wlan
[CORE-wlan-view] vap-profile name vap1
[CORE-wlan-vap-prof-vap1] authentication-profile p3 
[CORE-wlan-vap-prof-vap1] quit
[CORE-wlan-view] quit

    # Configure MAC address-prioritized Portal authentication for wireless users in the VAP profile vap2.

    [CORE] wlan
[CORE-wlan-view] vap-profile name vap2
[CORE-wlan-vap-prof-vap2] authentication-profile p2 
[CORE-wlan-vap-prof-vap2] quit
[CORE-wlan-view] quit

  6. Configure Agile Controller-Campus.

    1. Add switches so that they can communicate with Agile Controller-Campus.
      Choose Resource > Device > Device Management, click Add, and configure device information and authentication parameters.
      Table 2-93 Parameter settings on Agile Controller-Campus and CORE

      Parameter on Agile Controller-Campus

      Configuration on Agile Controller-Campus

      Configuration on CORE

      Name

      CORE

      -

      IP address

      192.168.11.254

      IP address of VLANIF 1000, which is used by CORE to communicate with Agile Controller-Campus

      Device series

      Huawei S Series

      -

      Authentication/Accounting key

      Admin@123

      radius-server shared-key cipher Admin@123

      Authorization key

      Admin@123

      radius-server authorization 192.168.11.1 shared-key cipher Admin@123

      Real-time accounting interval (minute)

      15

      accounting realtime 15

      Port

      2000

      Port 2000 is used by default. You can run the web-auth-server listening-port port-number command in the system view to change the port number.

      Portal key

      Admin@123

      shared-key cipher Admin@123

      Access terminal IPv4 list

      172.16.30.0/24;172.16.40.0/24

      IP addresses of guests, corresponding to IP address pools on VLANIF 30 and VLANIF 40

      Enable heartbeat between access device and Portal server

      Selected

      Only when Enable heartbeat between access device and Portal server is selected and the Portal server IP address is added to the Portal server IP address list, the Portal server can periodically send heartbeat packets to CORE, based on which CORE determines the Portal server status. This configuration corresponds to the server-detect command configured in the Portal server template view on CORE.

      Portal server IP address list

      192.168.11.1
      Figure 2-69 Adding a device

    2. Create user groups and accounts. The following describes how to configure the user group Employee. The configuration of the user group Guest is similar.

      1. Choose Resource > User > User Management.

      2. Click in the operation area on the left, and create the user group Employee.
        Figure 2-70 Adding a user group
      3. Click Add in the operation area on the right, and add an account.
        Figure 2-71 Adding an account
      4. Click Transfer in the operation area on the right, and add the account to the user group Employee.
        Figure 2-72 Adding an account to a user group

    3. Enable MAC address-prioritized Portal authentication.

      1. Choose System > Terminal Configuration > Global Parameters > Access Management.

      2. On the Configure MAC Address-Prioritized Portal Authentication tab page, enable MAC address-prioritized Portal authentication, and set Validity period of MAC address (min) to 60.

      Figure 2-73 Configuring MAC address-prioritized Portal authentication
    4. Configure authorization. End users will match authorization rules based on specified conditions. The following describes how to configure authorization for employees. The configuration for guests is similar.

      1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and configure a post-authentication domain for employees.

        Figure 2-74 Adding an authorization result

      2. Configure authorization rules for employees and guests according to Table 2-94. The following describes how to configure authorization rules for wired access of employees. The configuration for guests is similar.

        Table 2-94 Authorization rules for employees and guests

        Name

        User Group

        Terminal IP Address Range

        SSID

        Authorization Result

        Wired employees authorization rule

        Employee

        wire

        -

        Employees_post-authentication_domain

        Wireless employees authorization rule

        Employee

        -

        test01

        Employees_post-authentication_domain

        Guests authorization rule

        Guest

        -

        test02

        Guests_post-authentication_domain
        • Choose Resource > User > IP Address Range, set the name of an IP address range to wire, and add IP address segments 172.16.50.0/24 and 172.16.60.0/24.
          Figure 2-75 Adding an IP address range
        • Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule.
          Figure 2-76 Adding an authorization rule

Verifying the Deployment

Check Item

Expected Result

Employee authentication

  • The employee can complete 802.1X authentication using the 802.1X client on a wired terminal. The employee can also complete Portal authentication after entering http://192.168.11.1:8080/portal in the address box of a browser and entering the user name and password on the redirection page.

  • The employee can use a mobile terminal to associate with the SSID test01 and complete 802.1X authentication to access the Wi-Fi network.

  • After the employee is authenticated, you can run the display access-user username user1 detail command on CORE to check the online, authentication, and authorization information of the employee account.

  • On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the employee account.

Guest authentication

  • A guest can use a mobile terminal to associate with the SSID test02, enter http://192.168.11.1:8080/portal in the address box of a browser, and enter the user name and password on the redirection page to complete Portal authentication and access the Wi-Fi network.

    After disconnecting from the Wi-Fi network, the guest can access the Internet again by associating with the SSID test02, without the need to enter the user name and password.

  • After the guest is authenticated, you can run the display access-user username user2 detail command on CORE to check the online, authentication, and authorization information of the guest account.

  • On Agile Controller-Campus, you can choose Resource > User > RADIUS Log to check RADIUS authentication logs of the guest account.
The following uses the employee account user1 as an example. Run the display access-user username user1 detail command on CORE to check the online, authentication, and authorization information of the employee account.
[CORE] display access-user username user1 detail
Basic:
  User ID                         : 81564
  User name                       : user1  //User name
  Domain-name                     : huawei.com  //Authentication domain
  User MAC                        : 00e0-fc12-3344
  User IP address                 : 192.168.50.111
  User vpn-instance               : -
  User IPv6 address               : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address    : FE80::E9AA:9FE9:95F9:C499
  User access Interface           : Eth-Trunk10
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/50
  User vlan source                : user request
  User access time                : 2019/10/22 02:00:03
  User accounting session ID      : LSW900210000000050ad****0203e9c
  User access type                : 802.1x  //User access type
  AS ID                           : 1
  AS name                         : as-layer2-1 //AS on which the user goes online
  AS IP                           : 192.168.20.212
  AS MAC                          : 00e0-fc12-4455
  AS Interface                    : GigabitEthernet0/0/10  //AS interface on which the user goes online
  Terminal Device Type            : Data Terminal
  Dynamic ACL ID(Effective)       : 3001         //Authorization information

AAA:
  User authentication type        : 802.1x authentication  //Authentication mode
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS

 ------------------------------------------------------------------------------
 Total: 1, printed: 1

Choose Resource > User > RADIUS Log on Agile Controller-Campus to check RADIUS authentication logs of the employee account.

Configuration Files

  • CORE configuration file
    #
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
stp mode rstp
#
authentication-profile name p1
 dot1x-access-profile d1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p2
 mac-access-profile mac1
 portal-access-profile web1
 free-rule-template default_free_rule
 access-domain huawei.com force
authentication-profile name p3
 dot1x-access-profile d1
 free-rule-template default_free_rule
 access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
 radius-server shared-key cipher %^%#qQ|nH:|:'FgpyL5UC4Z2)/xvM$9LeJLmE~Z{k]g4%^%#
 radius-server authentication 192.168.11.1 1812 weight 80
 radius-server accounting 192.168.11.1 1813 weight 80
radius-server authorization 192.168.11.1 shared-key cipher %^%#="WcD4CxUB5)$q=hN3C=}Oq:"|2Zw-z\z_1{_|r~%^%#
#
acl number 3001
 rule 1 permit ip destination 172.16.3.0 0.0.0.255  
 rule 2 permit ip destination 192.168.11.3 0 
 rule 3 deny ip 
acl number 3002
 rule 1 permit ip destination 172.16.3.0 0.0.0.255 
 rule 2 deny ip 
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 192.168.11.2 mask 255.255.255.255
#
web-auth-server tem_portal
 server-ip 192.168.11.1
 port 50200
 shared-key cipher %^%#_M::Zym'FA[(u+HjUyPHzPbG$T;hE%Bx"n$(w@S'%^%#
 url http://192.168.11.1:8080/portal
#
portal-access-profile name web1
 web-auth-server tem_portal direct
#
drop-profile default
#
vlan 30
 dhcp snooping enable
vlan 40
 dhcp snooping enable
vlan 50
 dhcp snooping enable
vlan 60
 dhcp snooping enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
interface Vlanif30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif40
 ip address 172.16.40.1 255.255.255.0
 dhcp select interface
# 
interface Vlanif50   
 ip address 172.16.50.1 255.255.255.0 
 dhcp select interface  
#
interface Vlanif60
 ip address 172.16.60.1 255.255.255.0
 dhcp select interface
#
interface Vlanif1000
 ip address 192.168.11.254 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type hybrid
 port hybrid tagged vlan 1 20 50
 stp root-protection
 stp edged-port disable  
 mode lacp
 loop-detection disable
 mad relay
# 
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 20
#
interface XGigabitEthernet1/2/0/1
 port link-type access
 port default vlan 1000
#
capwap source interface vlanif20
#
wlan
 traffic-profile name traff1
  user-isolate l2
 traffic-profile name default
 security-profile name sec1
  security wpa2 dot1x aes
 security-profile name default
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name ssid1
  ssid test01
 ssid-profile name ssid2
  ssid test02
 ssid-profile name default
 vap-profile name vap1
  forward-mode tunnel
  service-vlan vlan-id 30
  ssid-profile ssid1
  security-profile sec1
  traffic-profile traff1
  authentication-profile p3 
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  forward-mode tunnel
  service-vlan vlan-id 40
  ssid-profile ssid2
  security-profile sec2
  traffic-profile traff2
  authentication-profile p2
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name domain
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-profile name default
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 ap-group name default
 ap-group name ap-group
  regulatory-domain-profile domain
 ap-group name ap-group1
  radio 0
   vap-profile vap1 wlan 1
  radio 1
   vap-profile vap1 wlan 1
 ap-id 1 type-id 30 ap-mac 00e0-fc12-4400 ap-sn 2102355547W0E3000316
  ap-name area_1
  ap-group ap-group
 provision-ap
 wlan work-group default
#
as-auth
 undo auth-mode
 whitelist mac-address 00e0-fc00-0011
 whitelist mac-address 00e0-fc00-0022
 whitelist mac-address 00e0-fc00-0033
 whitelist mac-address 00e0-fc00-0044
# 
uni-mng
 as name as-layer1-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0011
  down-direction fabric-port 1 member-group interface Eth-Trunk 30
  port Eth-Trunk 30 trunkmember interface GigabitEthernet0/0/3
 as name as-layer1-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0022
  down-direction fabric-port 1 member-group interface Eth-Trunk 40
  port Eth-Trunk 10 trunkmember interface GigabitEthernet0/0/4
 as name as-layer2-1 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0033
 as name as-layer2-2 model S5720-28X-PWR-SI-AC mac-address 00e0-fc01-0044
 interface fabric-port 1
  port member-group interface Eth-Trunk 10
 interface fabric-port 2
  port member-group interface Eth-Trunk 20
 interface fabric-port 3
  port member-group interface Eth-Trunk 30
 interface fabric-port 4
  port member-group interface Eth-Trunk 40
 as-admin-profile name admin_profile
  user asuser password %^%#@ROwA@p_b1-Y5,#^8JYBZ~w-&ZE2KL;EKLVI4%^%#
 network-basic-profile name basic_profile_1
  pass-vlan 50
 network-basic-profile name basic_profile_2
  pass-vlan 60
 network-basic-profile name basic_profile_3
  pass-vlan 50
 network-basic-profile name basic_profile_4
  pass-vlan 60
 user-access-profile name test01
  authentication-profile p1
 as-group name admin_group
  as-admin-profile admin_profile
  as name as-layer1-1
  as name as-layer1-2
  as name as-layer2-1
  as name as-layer2-2
 port-group name port_group_1
  network-basic-profile basic_profile_1
  as name as-layer1-1 interface all
 port-group name port_group_2
  network-basic-profile basic_profile_2
  as name as-layer1-2 interface all
 port-group name port_group_3
  network-basic-profile basic_profile_3
  as name as-layer2-1 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
  user-access-profile test01
 port-group name port_group_4
  network-basic-profile basic_profile_4
  as name as-layer2-2 interface GigabitEthernet 0/0/2 GigabitEthernet 0/0/4 to 0/0/24
  user-access-profile test01
 port-group connect-ap name ap
  as name as-layer2-1 interface GigabitEthernet 0/0/3
  as name as-layer2-2 interface GigabitEthernet 0/0/3
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
return

Translation
Español 日本語 Русский 简体中文
Download
Updated: 2022-06-28

Document ID: EDOC1000069520

Views: 1473775

Downloads: 37916

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :