Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Managing an AP's Wired Interface

Context

Managing an AP's wired interface includes configuring AP wired interface parameters and link layer parameters.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    wlan

    The WLAN view is displayed.

  3. Run:

    wired-port-profile name profile-name

    An AP wired port profile is created, and the AP wired port profile view is displayed.

    By default, the system provides the AP wired port profile default.

  4. Configure parameters for an AP's wired interface.

    Procedure | Command | Description

    Add an AP's wired interface to an Eth-Trunk

    eth-trunk trunk-id

    By default, an RU interface is not added to any Eth-Trunk.

    To improve the connection reliability and increase the bandwidth, you can run this command to bind multiple interfaces into an Eth-Trunk.

    NOTE:

    RUs that have only one physical uplink network interface do not support this command.

    The physical interface to be added to an Eth-Trunk cannot have other configurations. Before adding a physical interface to an Eth-Trunk, clear all configurations on it except the interface status, descriptions, LLDP function, and alarm function for CRC errors.

    Enable STP on an AP's wired interface

    stp enable

    By default, STP is disabled on an AP's wired interface.

    STP on the AP's wired interfaces takes effect only when the AP forms a single loop with wired devices. As shown in Figure 17-1, the central AP, SwitchA, SwitchB, and AP form a loop. To break the loop, configure STP on the AP's wired interfaces. After STP is configured, the AP's wired interfaces are engaged in STP calculation of the loop and will be blocked based on the calculation results.
    Figure 17-1  STP networking
    NOTE:
    • A central AP can deliver STP configurations to an RU only if wired interfaces of the RU are not added to an Eth-trunk interface.
    • The STP cost on Huawei switches (including central APs) complies with 802.1t, while the STP cost on Huawei APs complies with 802.1d. When a Huawei AP is connected to a Huawei switch or a central AP and STP is enabled on the AP, run the stp pathcost-standard dot1d-1998 command in the system view of the switch or central AP to set the correct STP cost. An incorrect STP cost may block the link between the AP and central AP.

    Configure a working mode for an AP's wired interface

    mode { root | endpoint | middle }

    By default,
    • On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in endpoint mode, and Eth-Trunk interfaces in root mode.
    • On a central AP: Its downlink GE interfaces work in middle mode and uplink GE interfaces in root mode.
    • On an R230D: Its Ethernet interface works in root mode.
    • On an R240D: Its Ethernet interface works in endpoint mode and GE interface in root mode.
    • On an R250D and R250D-E: Their uplink GE interfaces work in root mode and downlink GE interfaces in endpoint mode.

    When working as an uplink interface to connect to a central AP, an AP's wired interface must work in root mode. In root mode, the AP's wired interface automatically joins service VLANs and user-specific VLANs (for example, VLANs assigned by the RADIUS server).

    When working as a downlink interface to connect to a wired terminal, the AP's wired interface must work in endpoint mode. In endpoint mode, the AP's wired interface does not join any VLAN by default.

    NOTE:

    The AP's wired interface supports user isolation in endpoint mode, but not in root or middle mode.

    Enable a DHCP trusted port on an AP's wired interface

    dhcp trust port

    By default, the DHCP trusted interface is disabled in the VAP profile view and enabled on the RU's uplink interface in the AP wired port profile view.

    This command takes effect only on the AP's uplink interface.

    Before WLAN services are delivered to an AP, run the dhcp trust port command in the AP wired port profile view. After the command is run, the AP receives the DHCP OFFER, ACK, and NAK packets sent by the authorized DHCP server and forwards the packets to STAs so that the STAs can obtain valid IP addresses and go online.

    NOTE:

    If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses and network configuration parameters and cannot communicate properly. After the dhcp trust port command is executed in the VAP profile view, an AP discards the DHCP OFFER, ACK, and NAK packets sent by the bogus DHCP server and reports the IP address of the unauthorized DHCP server to the central AP. For details, see Configuring Defense Against Bogus DHCP Server Attacks.

    Enable terminal address learning on an AP's wired interface

    learn-client-address { ipv4 | ipv6 } enable

    By default, terminal address learning is disabled on an RU's wired interface.

    After terminal address learning is enabled on an RU's wired interface, if a wired terminal connected to the RU wired interface successfully obtains an IP address, the RU automatically reports the IP address of the terminal to the central AP, helping to maintain the ARP binding entries of wired terminals.

    This configuration takes effect only on AP's wired interfaces working in endpoint mode.

    Enable IP source guard (IPSG) on an AP's wired interface

    ipsg enable

    By default, IPSG is disabled on an AP's wired interface.

    Attackers often use packets with the source IP addresses or MAC addresses of authorized users to access or attack networks. As a result, authorized users cannot obtain stable and secure network services. You can enable the IPSG function to prevent this.

    To make the configuration take effect, terminal address learning must be enabled on the AP's wired interface using the learn-client-address { ipv4 | ipv6 } enable command.

    Enable dynamic ARP inspection (DAI) on an AP's wired interface

    dai enable

    By default, DAI is disabled on an RU's wired interface.

    You can enable DAI using this command to prevent man-in-the-middle (MITM) attacks and theft of authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, and VLAN ID of the ARP packet with DHCP snooping binding entries. If the ARP packet matches a binding entry, the device allows the packet to pass through. If the ARP packet does not match any binding entry, the device discards the packet.

    To make the configuration take effect, terminal address learning must be enabled on the AP's wired interface using the learn-client-address { ipv4 | ipv6 } enable command.

    Set the maximum volume of broadcast, multicast, or unknown unicast traffic on an AP's wired interface

    traffic-optimize { broadcast-suppression | multicast-suppression | unicast-suppression } packets packets-rate

    By default, the volume of broadcast, multicast, or unknown unicast traffic is not suppressed on an AP's wired interface.

    When a large number of broadcast, multicast, and unknown unicast packets are transmitted on a network, a lot of network resources are occupied, and services on the network are affected. When the traffic volume of broadcast, multicast, and unknown unicast packets reaches the maximum on an AP's wired interface, the system discards excess packets to control the traffic volume in a proper range and prevent flooding attacks.

    Enable the STP-triggered port shutdown function on an AP's wired interface

    stp auto-shutdown enable

    By default, the STP-triggered port shutdown function is disabled on an AP's wired interface.

    After the STP-triggered port shutdown function is enabled, the RU automatically shuts down the interface when STP detects a loop. The AP periodically recovers the interface and re-executes STP detection. If the loop still exists on the interface, the AP shuts down the interface again. If the loop is removed, the AP reports a clear alarm to the network management system (NMS).

    To make the configuration take effect, the stp enable command must be run first.

    Set an auto-recovery interval for an AP's wired interface on which the STP-triggered port shutdown function is enabled

    stp auto-shutdown recovery-time recovery-time

    By default, the auto-recovery interval is 600s.

    After the STP-triggered port shutdown function is enabled, the AP automatically shuts down the interface when STP detects a loop. The RU periodically recovers the interface and re-executes STP detection. If the loop still exists on the interface, the AP shuts down the interface again. If the loop is removed, the AP reports a clear alarm to the network management system (NMS).

    To make the configuration take effect, the stp auto-shutdown enable command must be run first.

    Enable IGMP snooping on an AP's wired interface.

    igmp-snooping enable

    By default, IGMP snooping is disabled on an AP's wired port.

    IGMP snooping is a basic Layer 2 multicast function that forwards and controls multicast traffic at the data link layer. IGMP snooping runs on a Layer 2 device and analyzes IGMP messages exchanged between a Layer 3 device and hosts to set up and maintain a Layer 2 multicast forwarding table. The Layer 2 device forwards multicast packets based on the Layer 2 multicast forwarding table.

    Configure the VLAN to which an AP's wired interface is added.

    vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10>

    By default, an AP wired interface allows packets from all VLANs to pass. The wired interface is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.

    When an AP's wired interface connects directly to a host, add the wired interface to a VLAN or a group of VLANs in untagged mode using the untagged parameter. After the wired interface is added to the VLAN, the interface removes the VLAN tags from frames before sending them to the host.

    When an AP's wired interface connects to a Layer 2 network, add the wired interface to a VLAN or a group of VLANs in tagged or untagged mode based on the condition of peer devices using the tagged or untagged parameter, respectively.

    Configure ACL-based packet filtering on an AP's wired interface

    traffic-filter { inbound | outbound } { ipv4 | l2 } acl { acl-number | name acl-name }

    By default, ACL-based packet filtering is not configured on an AP's wired interface.

    Before the traffic-filter command is run, an ACL rule must have been created.
    • acl (system view)
    • acl name

    Configure ACL-based priority re-marking on an AP's wired interface

    traffic-remark { inbound | outbound } { ipv4 | l2 } acl { acl-number | name acl-name } { dot1p dot1p-value | dscp dscp-value }

    By default, ACL-based priority re-marking is not configured on an AP's wired interface.

    Before the traffic-remark command is run, an ACL rule must have been created.
    • acl (system view)
    • acl name

    Configure the user isolation function on an AP wired port profile.

    user-isolate { all | l2 }

    By default, user isolation is disabled on an AP's wired interface.

    The user isolation function prevents users on the same wired interface from communicating with each other. All user traffic on the wired interface is forwarded by the gateway. Therefore, this function ensures communication security on wired interfaces and allows uniform charging for users.

    Precautions

    Eth-Trunk member interfaces do not support the user isolation function.

    Configure a PVID for an AP's wired interface.

    vlan pvid vlan-id

    By default, no PVID is configured for an AP wired interface.

    When receiving an untagged packet from a peer device, the AP wired interface adds a VLAN tag to the packet. After the PVID is configured on the wired interface, the interface adds the PVID to all the received untagged packets.

    Precautions

    Eth-Trunk member interfaces do not support PVID setting.

    The PVID can be configured in different modes for an AP's wired interface.
    • If the AP's wired interface works in root mode and has been configured to transmit packets carrying the management VLAN tag using the management-vlan vlan-id command, the PVID for the AP's wired interface must be configured the same as the management VLAN ID.
    • If the AP's wired interface works in endpoint mode, the PVID can be configured directly. The configuration takes effect after the system restarts.
    • If the AP's wired interface works in middle mode, the PVID cannot be configured.

  5. Run:

    quit

    Return to the WLAN view.

  6. Configure link layer parameters for an AP's wired interface
    1. Run the port-link-profile name profile-name command to create an AP wired port link profile and enter the profile view.

      By default, the system provides the AP wired port link profile default.

    2. Run the crc-alarm enable [ high-threshold high-threshold-value | low-threshold low-threshold-value ]* command to configure the alarm function for CRC errors on an AP's wired interface, and set the alarm threshold and clear alarm threshold.

      By default, the alarm function for CRC errors is disabled on the RU wired interface. The alarm threshold for CRC errors is 50 and the clear alarm threshold is 20.

    3. Run the shutdown command to disable the AP's wired interface.

      By default, an RU's wired interface is enabled.

      If malicious users launch attacks on the network through an RU's wired interface, the administrator can deliver the shutdown command on the central AP to shut down the interface.

      The shutdown command takes effect only on RU's wired interfaces working in endpoint or middle mode but not on those working in root mode.

    4. Run the quit command to return to the WLAN view.
    5. Run the wired-port-profile name profile-name command to enter the AP wired port profile view.
    6. Run the port-link-profile profile-name command to bind the AP wired port link profile to the AP wired port profile.

      By default, the AP wired port link profile default is bound to an AP wired port profile.

    7. Run the quit command to return to the WLAN view.
  7. Bind the AP wired port profile to an AP group or AP.

    • Bind the AP wired port profile to an AP group.
      1. Run the ap-group name group-name command to enter the AP group view.
      2. Run the wired-port-profile profile-name interface-type interface-number command to bind the AP wired port profile to an AP group.

        By default, the AP wired port profile default is bound to an AP group.

    • Bind the AP wired port profile to an AP.
      1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
      2. Run the wired-port-profile profile-name interface-type interface-number command to bind the AP wired port profile to an AP.

        By default, no AP wired port profile is bound to an AP.
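
Several of the commands in step 4 are accepted but have no effect unless another command or working mode is also configured. The following added example (not part of the Huawei guide) checks a wired port profile against the dependencies stated above. The function name audit_profile, its default_mode parameter, the sample profiles, and the input format (commands as typed in the AP wired port profile view, one per line) are assumptions made for illustration.

```python
import re

# Dependencies stated on the page: (command, prerequisite that must also be configured).
REQUIRES = [
    ("ipsg enable", "learn-client-address"),
    ("dai enable", "learn-client-address"),
    ("stp auto-shutdown enable", "stp enable"),
    ("stp auto-shutdown recovery-time", "stp auto-shutdown enable"),
]
ENDPOINT_ONLY = ["learn-client-address", "user-isolate"]  # effective in endpoint mode only
NOT_ON_ETH_TRUNK = ["user-isolate", "vlan pvid"]          # unsupported on Eth-Trunk members

def audit_profile(text, default_mode):
    """Return findings for one wired port profile given as typed commands, one per line."""
    cmds = [line.strip() for line in text.splitlines() if line.strip()]

    def has(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

    # The default working mode is model-dependent; an explicit 'mode' command overrides it.
    mode = default_mode
    for c in cmds:
        m = re.fullmatch(r"mode (root|endpoint|middle)", c)
        if m:
            mode = m.group(1)
    findings = []
    for cmd, prereq in REQUIRES:
        if has(cmd) and not has(prereq):
            findings.append(f"{cmd}: no effect without '{prereq}'")
    for cmd in ENDPOINT_ONLY:
        if has(cmd) and mode != "endpoint":
            findings.append(f"{cmd}: needs endpoint mode, interface is in {mode} mode")
    for cmd in NOT_ON_ETH_TRUNK:
        if has("eth-trunk") and has(cmd):
            findings.append(f"{cmd}: not supported on Eth-Trunk member interfaces")
    if mode == "middle" and has("vlan pvid"):
        findings.append("vlan pvid: cannot be configured in middle mode")
    return findings

# Constructed sample profiles; the recovery-time value is a placeholder.
WEAK = ("mode root\nipsg enable\ndai enable\nstp auto-shutdown enable\n"
        "stp auto-shutdown recovery-time 300\nuser-isolate l2")
HARDENED = ("mode endpoint\nlearn-client-address ipv4 enable\nipsg enable\ndai enable\n"
            "stp enable\nstp auto-shutdown enable\n"
            "stp auto-shutdown recovery-time 300\nuser-isolate l2")

if __name__ == "__main__":
    for name, profile in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_profile(profile, "root") or "no findings")
```

Pass the interface's default working mode for the AP model in question as default_mode; the WEAK profile shows IPSG and DAI configured on a port where neither takes effect.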

Checking the Configuration

  • Run the display wired-port-profile { all | name profile-name } command to check configuration and reference information about an AP wired port profile.
  • Run the display port-link-profile { all | name profile-name } command to check configuration and reference information about an AP wired port link profile.
  • Run the display references wired-port-profile name profile-name command to check reference information about an AP wired port profile.
  • Run the display references port-link-profile name profile-name command to check reference information about an AP wired port link profile.
  • Run the display mac-address mac-address [ verbose ] ap-all command to check MAC address entries on all APs.
  • Run the display mac-address { ap-id ap-id | ap-name ap-name } interface-type interface-number command to check all dynamic MAC address entries on an AP's wired interface.
  • Run the display management-vlan command to check the management VLAN for RUs.
Updated: 2019-01-11

Document ID: EDOC1000176006
