Example for Configuring Dual-link Backup (AP-Specific Configuration Mode)
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system profile, AP wired port profile, WIDS profile, and WDS profile. When configuring WLAN services, you need to set related parameters in the WLAN profiles and bind the profiles to the AP group or APs. After that, the configuration is delivered to and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to know the relationships among the profiles before configuring them. For details about the profile relationships and their basic configuration procedure, see WLAN Service Configuration Procedure.
Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 9-8, the AP in area A is directly connected to the switch, the enterprise deploys two ACs in bypass mode, and the switch connects to the Internet through the egress route. The enterprise requires that dual-link backup be used to improve data transmission reliability.
| Item | Data |
|---|---|
Management VLAN for the AP |
VLAN 100 |
Service VLAN for the STA |
VLAN 101 |
DHCP server |
Switch functions as the DHCP server for the AP and STA. STA's gateway: 10.10.11.1/24 AP's gateway: 10.10.10.1/24 |
IP address pool for the AP |
10.10.10.4-10.10.10.254/24 |
IP address pool for the STA |
10.10.11.2-10.10.11.254/24 |
AC's source interface |
VLANIF 100 |
Active AC |
AC1 Local priority: 0 |
Standby AC |
AC2 Local priority: 1 |
Management IP address of AC1 |
VLANIF 100: 10.10.10.2/24 |
Management IP address of AC2 |
VLANIF 100: 10.10.10.3/24 |
AP group |
|
SSID profile |
|
Security profile |
|
VAP profile |
|
Configuration Roadmap
- Set up connections between the AC1, AC2, and other network devices. Configure the switch as a DHCP server to allocate IP addresses to APs and STAs.
- Configure AC1 as the active AC and configure basic WLAN services on AC1.
- Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure that service configurations on AC1 and AC2 are the same.
- Configure dual-link backup on the active AC first and then on the standby AC. When dual-link backup is enabled, all APs are restarted. After dual-link backup configurations are complete, the standby AC replaces the active AC to manage APs if the CAPWAP tunnel between the active AC and APs is disconnected.
Configuration Notes
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
- The management VLAN and service VLAN cannot be configured the same.
When multiple VAP profiles are configured and share one service VLAN, enable inter-service VLAN proxy ARP if the data forwarding mode is set to tunnel.
Procedure
- Configure the switch and AC to enable the AC to communicate
with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the interface to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to pass. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the interfaces to allow packets of VLAN100 to pass.
<Huawei> system-view [Huawei] sysname Switch [Switch] vlan batch 100 101 [Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type trunk [Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100 [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101 [Switch-GigabitEthernet0/0/1] port-isolate enable [Switch-GigabitEthernet0/0/1] quit [Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type trunk [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 [Switch-GigabitEthernet0/0/2] quit [Switch] interface gigabitethernet 0/0/3 [Switch-GigabitEthernet0/0/3] port link-type trunk [Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 [Switch-GigabitEthernet0/0/3] quit
# Add Eth2/0/0 that connects the AC1 to the switch to VLAN100.
<Huawei> system-view [Huawei] sysname AC1 [AC1] vlan batch 100 [AC1-vlan100] quit [AC1] interface ethernet 2/0/0 [AC1-Ethernet2/0/0] port link-type trunk [AC1-Ethernet2/0/0] port trunk allow-pass vlan 100 [AC1-Ethernet2/0/0] quit
# Add Eth2/0/0 that connects the AC2 to the switch to VLAN100.
<Huawei> system-view [Huawei] sysname AC2 [AC2] vlan batch 100 [AC2-vlan100] quit [AC2] interface ethernet 2/0/0 [AC2-Ethernet2/0/0] port link-type trunk [AC2-Ethernet2/0/0] port trunk allow-pass vlan 100 [AC2-Ethernet2/0/0] quit
- Configure the DHCP function on the switch to allocate IP
addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable [Switch] interface vlanif 100 [Switch-Vlanif100] ip address 10.10.10.1 255.255.255.0 [Switch-Vlanif100] dhcp select interface [Switch-Vlanif100] dhcp server excluded-ip-address 10.10.10.2 10.10.10.3 [Switch-Vlanif100] quit
# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101 [Switch-Vlanif101] ip address 10.10.11.1 255.255.255.0 [Switch-Vlanif101] dhcp select interface [Switch-Vlanif101] quit
- Configure basic WLAN services on AC1.
- Configure the AP to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC1] wlan ac [AC1-wlan-view] ap-group name ap-group1 Info: This operation may take a few seconds. Please wait for a moment.done. [AC1-wlan-ap-group-ap-group1] quit# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1 [AC1-wlan-regulate-domain-domain1] country-code cn Info: The current country code is same with the input country code. [AC1-wlan-regulate-domain-domain1] quit [AC1-wlan-view] ap-group name ap-group1 [AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1 Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continu e?[Y/N]:y [AC1-wlan-ap-group-ap-group1] quit [AC1-wlan-view] quit
# Configure the AC's source interface.
[AC1] interface vlanif 100 [AC1-Vlanif100] ip address 10.10.10.2 24 [AC1-Vlanif100] quit [AC1] capwap source interface vlanif 100
# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
[AC1] wlan ac [AC1-wlan-view] ap auth-mode mac-auth [AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360 [AC1-wlan-ap-0] ap-name area_1 [AC1-wlan-ap-0] ap-group ap-group1 Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y Info: This operation may take a few seconds. Please wait for a moment.. done. [AC1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.
[AC1-wlan-view] display ap all Info: This operation may take a few seconds. Please wait for a moment.done. Total AP information: nor : normal [1] --------------------------------------------------------------------------------------------- ID MAC Name Group IP Type State STA Uptime --------------------------------------------------------------------------------------------- 0 60de-4476-e360 area_1 ap-group1 10.10.10.254 AP6010DN-AGN nor 0 6S --------------------------------------------------------------------------------------------- Total: 1 - Configure WLAN service parameters.
# Create the security profile wlan-security and set the security policy in the profile.
In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-security [AC1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes [AC1-wlan-sec-prof-wlan-security] quit
# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-ssid [AC1-wlan-ssid-prof-wlan-ssid] ssid wlan-net Warning: This action may cause service interruption. Continue?[Y/N]y Info: This operation may take a few seconds, please wait.done. [AC1-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-vap [AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward Warning: This action may cause service interruption. Continue?[Y/N]y Info: This operation may take a few seconds, please wait.done. [AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 Info: This operation may take a few seconds, please wait.done. [AC1-wlan-vap-prof-wlan-vap] security-profile wlan-security Info: This operation may take a few seconds, please wait..done. [AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid Info: This operation may take a few seconds, please wait..done. [AC1-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1 [AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0 Info: This operation may take a few seconds, please wait.done. [AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1 Info: This operation may take a few seconds, please wait.done. [AC1-wlan-ap-group-ap-group1] quit
- Configure the AP to go online.
- Configure basic WLAN services on AC2.
# Configure basic parameters for AC2 according to the configurations of AC1. The configuration of AC2 is similar to that of AC1 except the source interface address.
# Configure the source interface of AC2.
[AC2] interface vlanif 100 [AC2-Vlanif100] ip address 10.10.10.3 255.255.255.0 [AC2-Vlanif100] quit [AC2] capwap source interface vlanif 100 [AC2] wlan ac
- Configure dual-link backup on AC1 and AC2.
# On AC1, configure the AC1 priority and AC2 IP address in the AP system profile view to implement dual-link backup.
- The AC priority configuration determines the active and standby ACs. One with higher priority functions as the active AC, and the other functions as the standby AC. A smaller value indicates a higher priority. When the AC priorities are the same, the AC with the maximum number of allowed APs is selected as the active AC. When the numbers of allowed APs are the same, the AC with the maximum number of allowed STAs is selected as the active AC. When the numbers of allowed APs and STAs are the same, the AC with a smaller IP address is selected as the active AC.
- In this example, dual-link backup is configured using the AP-specific configuration method. You can also use the global configuration method to configure dual-link backup in the WLAN view.
[AC1-wlan-view] ap-system-profile name ap-system1 [AC1-wlan-ap-system-prof-ap-system1] priority 0 Warning: This action will take effect after resetting AP. [AC1-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.10.10.3 Warning: This action will take effect after resetting AP. [AC1-wlan-ap-system-prof-ap-system1] quit
# Bind the AP system profile to the AP group view.[AC1-wlan-view] ap-group name ap-group1 [AC1-wlan-ap-group-ap-group1] ap-system-profile ap-system1 [AC1-wlan-ap-group-ap-group1] quit
# On AC1, enable dual-link backup and revertive switchover globally, and restart all APs to make the dual-link backup function take effect.By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] undo ac protect restore disable Info: Protect restore has already enabled. [AC1-wlan-view] ac protect enable Warning: This operation maybe cause AP reset, continue?[Y/N]: y Info: This operation may take a few seconds. Please wait for a moment.done. Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
# On AC2, configure the AC2 priority and AC1 IP address in the AP system profile view to implement dual-link backup.[AC2-wlan-view] ap-system-profile name ap-system1 [AC2-wlan-ap-system-prof-ap-system1] priority 1 Warning: This action will take effect after resetting AP. [AC2-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.10.10.2 Warning: This action will take effect after resetting AP. [AC2-wlan-ap-system-prof-ap-system1] quit
# Bind the AP system profile to the AP group view.[AC2-wlan-view] ap-group name ap-group1 [AC2-wlan-ap-group-ap-group1] ap-system-profile ap-system1 [AC2-wlan-ap-group-ap-group1] quit
# Enable dual-link backup and revertive switching globally for AC2.[AC2-wlan-view] undo ac protect restore disable Info: Protect restore has already enabled. [AC2-wlan-view] ac protect enable Warning: This operation maybe cause AP reset, continue?[Y/N]: y Info: This operation may take a few seconds. Please wait for a moment.done. Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
# Commit the configuration.
[AC1-wlan-view] commit all Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[AC2-wlan-view] commit all Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
- Verify the configuration.
Run the display ac protect and display ap-system-profile command on the active and standby ACs to check the dual-link information and priority on the two ACs.
[AC1-wlan-view] display ac protect ------------------------------------------------------------ Protect state : enable Protect AC : - Priority : 0 Protect restore : enable Coldbackup kickoff station: disable ------------------------------------------------------------
[AC1-wlan-view] display ap-system-profile name ap-system1 ------------------------------------------------------------------------------ AC priority : 0 Protect AC IP address : 10.10.10.3 AP management VLAN : - Keep service : disable Temporary management switch : disable STA access mode : disable STA whitelist profile : - STA blacklist profile : - EAPOL start mode : multicast EAPOL start transform : equal-bssid EAPOL response mode : unicast learning EAPOL response transform : equal-bssid AP LLDP message transmission delay time(s): 2 AP LLDP message transmission hold multiplier: 4 AP LLDP message transmission interval time(s): 30 AP LLDP restart delay time(s) : 2 AP LLDP admin status : txrx AP LLDP report interval time(s): 30 AP high temperature threshold(degree C): - AP low temperature threshold(degree C): - AP CPU usage threshold(%) : 90 AP memory usage threshold(%) : 80 Alarm restriction : enable Alarm restriction period(s) : 60 Log server IP address : 0.0.0.0 Ethernet port MTU(byte) : 1500 Telnet : disable STelnet server : enable SFTP server : enable Console : enable Led : on Report disassoc request : enable Dynamic blacklist aging time(s): 600 AP report to : server Server IP : 0.0.0.0 Server port : - AC port : - Device aging-time(minute) : 3 ------------------------------------------------------------------------------
[AC2-wlan-view] display ac protect ------------------------------------------------------------ Protect state : enable Protect AC : - Priority : 0 Protect restore : enable Coldbackup kickoff station: disable ------------------------------------------------------------
[AC2-wlan-view] display ap-system-profile name ap-system1 ------------------------------------------------------------------------------ AC priority : 1 Protect AC IP address : 10.10.10.2 AP management VLAN : - Keep service : disable Temporary management switch : disable STA access mode : disable STA whitelist profile : - STA blacklist profile : - EAPOL start mode : multicast EAPOL start transform : equal-bssid EAPOL response mode : unicast learning EAPOL response transform : equal-bssid AP LLDP message transmission delay time(s): 2 AP LLDP message transmission hold multiplier: 4 AP LLDP message transmission interval time(s): 30 AP LLDP restart delay time(s) : 2 AP LLDP admin status : txrx AP LLDP report interval time(s): 30 AP high temperature threshold(degree C): - AP low temperature threshold(degree C): - AP CPU usage threshold(%) : 90 AP memory usage threshold(%) : 80 Alarm restriction : enable Alarm restriction period(s) : 60 Log server IP address : 0.0.0.0 Ethernet port MTU(byte) : 1500 Telnet : disable STelnet server : enable SFTP server : enable Console : enable Led : on Report disassoc request : enable Dynamic blacklist aging time(s): 600 AP report to : server Server IP : 0.0.0.0 Server port : - AC port : - Device aging-time(minute) : 3 ------------------------------------------------------------------------------
# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures service stability.
Configuration Files
Switch configuration file
# sysname Switch # vlan batch 100 to 101 # dhcp enable # interface Vlanif100 ip address 10.10.10.1 255.255.255.0 dhcp select interface dhcp server excluded-ip-address 10.10.10.2 10.10.10.3 # interface Vlanif101 ip address 10.10.11.1 255.255.255.0 dhcp select interface # interface GigabitEthernet0/0/1 port link-type trunk port trunk pvid vlan 100 port trunk allow-pass vlan 100 to 101 port-isolate enable group 1 # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 100 # return
AC1 configuration file
# sysname AC1 # vlan batch 100 # interface Vlanif100 ip address 10.10.10.2 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 100 # capwap source interface vlanif100 # wlan ac ac protect enable security-profile name wlan-security security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-ssid ssid wlan-net vap-profile name wlan-vap service-vlan vlan-id 101 ssid-profile wlan-ssid security-profile wlan-security regulatory-domain-profile name domain1 ap-system-profile name ap-system1 priority 0 protect-ac ip-address 10.10.10.3 ap-group name ap-group1 ap-system-profile ap-system1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return
AC2 configuration file
# sysname AC2 # vlan batch 100 # interface Vlanif100 ip address 10.10.10.3 255.255.255.0 # interface Ethernet2/0/0 port link-type trunk port trunk allow-pass vlan 100 # capwap source interface vlanif100 # wlan ac ac protect enable security-profile name wlan-security security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes ssid-profile name wlan-ssid ssid wlan-net vap-profile name wlan-vap service-vlan vlan-id 101 ssid-profile wlan-ssid security-profile wlan-security regulatory-domain-profile name domain1 ap-system-profile name ap-system1 priority 1 protect-ac ip-address 10.10.10.2 ap-group name ap-group1 ap-system-profile ap-system1 regulatory-domain-profile domain1 radio 0 vap-profile wlan-vap wlan 1 radio 1 vap-profile wlan-vap wlan 1 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return
