WLAN V200R008C10 Typical Configuration Examples

Example for Configuring ACL-based Packet Filtering


Networking Requirements

Enterprise users access the network through WLANs, which is the basic requirement of mobile office. In addition, users' services must not be affected during roaming within the coverage area.

To control network traffic, the administrator requires that packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.

Figure 4-71 Networking for configuring ACL-based packet filtering

Data Planning

Table 4-72 AC data planning

| Item | Data |
| --- | --- |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net |
| VAP profile | Name: wlan-net; Referenced profiles: traffic profile wlan-traffic |
| Traffic profile | Name: wlan-traffic; Configuration of ACL-based IPv4 packet filtering |

Configuration Roadmap

  1. Configure ACL-based packet filtering in a traffic profile.

Configuration Notes

  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may become congested. You are advised to configure multicast packet suppression to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure

  1. Check the basic configuration of the WLAN.

    | Check Item | Command | Data |
    | --- | --- | --- |
    | Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1 |
    | Check all profiles referenced by the AP group. | display ap-group name ap-group1 | VAP profile: wlan-net |

    NOTE:
    • If the configuration of an AP differs from that of its AP group, the configuration on the AP takes precedence.
    • A new profile takes effect only after being bound to an AP or an AP group.

  2. Configure ACL-based packet filtering.

    # Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11 to pass.
    <AC6605> system-view
    [AC6605] sysname AC
    [AC] acl 3001
    [AC-acl-adv-3001] rule deny ip source 10.23.101.10 0 destination 10.23.101.11 0
    [AC-acl-adv-3001] quit
    
    # Create traffic profile wlan-traffic and apply the ACL to it.
    [AC] wlan
    [AC-wlan-view] traffic-profile name wlan-traffic
    [AC-wlan-traffic-prof-wlan-traffic] traffic-filter inbound ipv4 acl 3001
    [AC-wlan-traffic-prof-wlan-traffic] quit

    # Bind traffic profile wlan-traffic to VAP profile wlan-net.

    [AC-wlan-view] vap-profile name wlan-net
    [AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [AC-wlan-vap-prof-wlan-net] quit

  3. Verify the configuration.

    Run the display traffic-profile name wlan-traffic command on the AC to check the configuration of the traffic profile. The command output shows that ACL 3001 has been configured to filter out packets with source IP address 10.23.101.10 and destination IP address 10.23.101.11.

    [AC-wlan-view] display traffic-profile name wlan-traffic
    ----------------------------------------------------                            
    ...
    ---------------------------------------------------------------------------------------------
    Traffic Type                        Direction  AppliedRecord 
    ---------------------------------------------------------------------------------------------
    traffic-filter                      inbound    IPv4 ACL 3001
    ---------------------------------------------------------------------------------------------
    ----------------------------------------------------    

Configuration Files

  • AC configuration file

    #
     sysname AC
    #
    acl number 3001
     rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
    #
    wlan
     traffic-profile name wlan-traffic   
      traffic-filter inbound ipv4 acl 3001  
     vap-profile name wlan-net
      traffic-profile wlan-traffic
     ap-group name ap-group1
      radio 0
       vap-profile wlan-net wlan 1
      radio 1
       vap-profile wlan-net wlan 1
     ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
      ap-name area_1
      ap-group ap-group1
    #
    return
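
A saved AC configuration can be checked offline for the binding chain this example depends on: the traffic filter must reference a defined ACL, and the traffic profile must reach an AP group through a VAP profile before it takes effect. The Python check below is an added example, not Huawei code; the function names `parse` and `audit` are hypothetical, the sample is a trimmed copy of the configuration file above, and per-AP overrides are not modelled.

```python
import re

# Constructed sample: trimmed copy of the AC configuration file on this page.
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
#
wlan
 traffic-profile name wlan-traffic
  traffic-filter inbound ipv4 acl 3001
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
"""

def parse(config):
    """Collect defined ACL numbers and profile references (hypothetical helper)."""
    acls, filters, vap_traffic, group_vaps = set(), {}, {}, {}
    kind = name = None  # profile view the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"acl number (\d+)", line):
            acls.add(m.group(1))
        elif m := re.fullmatch(r"(traffic-profile|vap-profile|ap-group) name (\S+)", line):
            kind, name = m.groups()
        elif (m := re.fullmatch(r"traffic-filter (\S+) ipv4 acl (\d+)", line)) and kind == "traffic-profile":
            filters.setdefault(name, []).append(m.groups())
        elif (m := re.fullmatch(r"traffic-profile (\S+)", line)) and kind == "vap-profile":
            vap_traffic[name] = m.group(1)
        elif (m := re.fullmatch(r"vap-profile (\S+) wlan \d+", line)) and kind == "ap-group":
            group_vaps.setdefault(name, set()).add(m.group(1))
    return acls, filters, vap_traffic, group_vaps

def audit(config):
    """Report filters that use an undefined ACL or never reach an AP group."""
    acls, filters, vap_traffic, group_vaps = parse(config)
    bound_vaps = set().union(*group_vaps.values())  # VAP profiles used by any AP group
    findings = []
    for profile, entries in filters.items():
        for direction, acl in entries:
            if acl not in acls:
                findings.append(f"{profile}: ACL {acl} ({direction}) is not defined")
        vaps = [v for v, t in vap_traffic.items() if t == profile]
        if not any(v in bound_vaps for v in vaps):
            findings.append(f"{profile}: not bound to any AP group through a VAP profile")
    return findings
```

An empty list from `audit` means every traffic filter in the file references a defined ACL and is reachable from at least one AP group.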
Updated: 2019-03-30

Document ID: EDOC1000184389
