CLI-based Configuration Guide - WLAN-AC

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the concepts, configuration procedures, and configuration examples of WLAN-AC features.

Configuring a VAP

Creating a VAP Profile

Context

After you create a VAP profile, configure parameters in the profile. After the profile is applied in the AP group view, AP view, AP radio view, or AP group radio view, VAPs are generated and can provide wireless access services for STAs. You can configure different parameters in the VAP profile to enable APs to provide different wireless services.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    A VAP profile is created, and the VAP profile view is displayed.

    By default, the system provides the VAP profile default.

Configuring a Data Forwarding Mode

Context

Packets transmitted on a WLAN include control packets (management packets) and data packets. Control packets are forwarded through CAPWAP control tunnels. Data packets are forwarded in tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode according to whether data packets are forwarded through CAPWAP data tunnels.

Table 4-6 lists the comparison between tunnel forwarding and direct forwarding.
Table 4-6  Comparison between tunnel forwarding and direct forwarding
Tunnel forwarding
    Advantage: An AC forwards data packets in a centralized manner, ensuring security and facilitating centralized management and control. New devices are easy to deploy and configure, with small changes to the existing network.
    Disadvantage: Service data must be forwarded by an AC, reducing packet forwarding efficiency and burdening the AC.

Direct forwarding
    Advantage: Service data does not need to be forwarded by an AC, improving packet forwarding efficiency and reducing the burden on the AC.
    Disadvantage: Service data cannot be centrally managed or controlled. New device deployment causes large changes to the existing network.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run forward-mode { direct-forward | tunnel }

    A data forwarding mode is configured in a VAP profile.

    By default, the forwarding mode is direct-forward in the VAP profile.

Configuring Service VLANs

Context

Layer 2 data packets delivered from a VAP to an AP carry the service VLAN IDs.

Since WLANs provide flexible access modes, STAs may connect to the same WLAN at the office entrance or stadium entrance, and then roam to different APs. If a single VLAN is configured as the service VLAN, IP address resources may become insufficient in areas where many STAs access the WLAN, and IP addresses in the other areas are wasted.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run service-vlan { vlan-id vlan-id }

    A service VLAN is configured for a VAP.

    By default, VLAN 1 is the service VLAN of a VAP.

(Optional) Improving VAP Security

Context

You can perform the following configurations to improve VAP security: enable STA address learning, enable strict STA IP address learning through DHCP, enable IP source guard on an AP, and disable the DHCP trusted port function on an AP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Improve VAP security.

    Procedure: Enable STA address learning.
    Command: undo learn-client-address disable
    Description:

      By default, STA address learning is enabled.

      If a STA associates with an AP that has STA address learning enabled and obtains an IP address, the AP automatically reports the STA IP address to the AC to maintain the STA's IP address and MAC address binding entry.

      Enabling STA address learning is a prerequisite for enabling strict STA IP address learning through DHCP.

    Procedure: Enable strict STA IP address learning through DHCP.
    Command: learn-client-address dhcp-strict [ blacklist enable ]
    Description:

      By default, strict STA IP address learning through DHCP is disabled.

      When a STA associates with an AP after strict STA IP address learning through DHCP is enabled, the following applies:
      • If the STA obtains an IP address through DHCP, the AP will automatically report the IP address to the AC. The STA IP address can be used to maintain the mapping between STA IP addresses and MAC addresses.
      • For a STA using a static IP address:

        If blacklist enable is specified, the STA will be added to a dynamic blacklist of the AP and cannot associate with the AP before the blacklist entry ages.

        If blacklist enable is not specified, the STA can associate with the AP but the AP does not learn the IP address of the STA.

      After strict STA IP address learning is enabled, it is recommended that you run the ip source check user-bind enable command to enable IP source guard so that STAs cannot communicate with the network before obtaining an IP address through DHCP.

    Procedure: Enable IP source guard on an AP.
    Command: ip source check user-bind enable
    Description:

      By default, IP source guard is disabled on APs.

      IP source guard checks IP packets against the binding table to defend against source IP address spoofing attacks.

      IP source guard takes effect only when both the undo learn-client-address disable and ip source check user-bind enable commands are executed.

      If an offline STA goes online again on the AC enabled with STA address learning, you may not view the IP address of the STA. To solve this problem, enable IP source guard.

    Procedure: Disable DHCP trusted port on an AP.
    Command: undo dhcp trust port
    Description:

      By default, the DHCP trusted interface is disabled in the VAP profile view and enabled on the AP's uplink interface in the AP wired port profile view.

      If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses and network configuration parameters and cannot communicate properly. After the undo dhcp trust port command is executed in the VAP profile view, an AP discards the DHCP OFFER, ACK, and NAK packets sent by the bogus DHCP server and reports the IP address of the unauthorized DHCP server to the AC.

      Usually, you need to run the dhcp trust port command in an AP wired port profile to enable a DHCP trusted port on an AP. After that, the AP receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the packets to STAs so that the STAs can obtain valid IP addresses and go online. For the detailed configuration, see Managing an AP's Wired Interface.

    Procedure: Enable broadcast flood attack detection.
    Command: undo anti-attack broadcast-flood disable
    Description:

      By default, the broadcast flood detection function is enabled.

      If a large number of broadcast packets are sent to a device in a short time, the device becomes busy processing the packets and cannot process normal services. To prevent broadcast flood attacks, you can configure broadcast flood detection.

      After broadcast flood detection is enabled, you can run the anti-attack broadcast-flood sta-rate-threshold sta-rate-threshold command to set a broadcast flood threshold.
      • When the traffic rate exceeds the threshold, the device considers that the STA is launching a broadcast flood attack and discards the broadcast traffic. This prevents the upper-layer network from being affected by the broadcast flood.
      • If you enable the broadcast flood blacklist function using the undo anti-attack broadcast-flood blacklist disable command, the device adds the STAs that send broadcast floods to the blacklist.
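
The defaults and dependencies in the table above can be checked against a VAP profile before it is delivered to APs. The following Python audit is an added example, not Huawei code: it assumes the commands entered in the VAP profile view are supplied one per line, and the finding codes and the non-undo command forms (learn-client-address disable, anti-attack broadcast-flood disable) are inferred for this example.

```python
# Added example (not vendor code). Defaults and dependencies are those stated in
# the table above; the one-command-per-line input format is an assumption.
DEFAULTS = {"addr_learning": True, "dhcp_strict": False, "blacklist": False,
            "ip_source_guard": False, "dhcp_trust": False, "flood_detect": True}
# Table commands, plus the non-undo forms inferred from them -> state change.
# Re-entering dhcp-strict is modelled as "last command wins" (assumption).
EFFECTS = {
    "undo learn-client-address disable": {"addr_learning": True},
    "learn-client-address disable": {"addr_learning": False},
    "learn-client-address dhcp-strict": {"dhcp_strict": True, "blacklist": False},
    "learn-client-address dhcp-strict blacklist enable": {"dhcp_strict": True, "blacklist": True},
    "ip source check user-bind enable": {"ip_source_guard": True},
    "undo dhcp trust port": {"dhcp_trust": False},
    "dhcp trust port": {"dhcp_trust": True},
    "undo anti-attack broadcast-flood disable": {"flood_detect": True},
    "anti-attack broadcast-flood disable": {"flood_detect": False},
}

def effective_state(profile_text):
    """Apply the entered commands, in order, on top of the documented defaults."""
    state = dict(DEFAULTS)
    for line in profile_text.splitlines():
        command = " ".join(line.split())        # normalise whitespace
        state.update(EFFECTS.get(command, {}))  # unrelated commands are ignored
    return state

def audit(profile_text):
    """Return (code, message) findings for the commands of one VAP profile."""
    s = effective_state(profile_text)
    rules = [
        ("ADDR-LEARNING-OFF", not s["addr_learning"],
         "STA address learning is disabled; APs do not report STA IP addresses to the AC"),
        ("STRICT-PREREQ", s["dhcp_strict"] and not s["addr_learning"],
         "dhcp-strict is set but its prerequisite, STA address learning, is disabled"),
        ("STRICT-OFF", not s["dhcp_strict"], "strict STA IP learning through DHCP is disabled"),
        ("STATIC-IP-ALLOWED", s["dhcp_strict"] and not s["blacklist"],
         "without 'blacklist enable', STAs using static IP addresses can still associate"),
        ("IPSG-OFF", not s["ip_source_guard"],
         "IP source guard is disabled; packets are not checked against the binding table"),
        ("IPSG-INEFFECTIVE", s["ip_source_guard"] and not s["addr_learning"],
         "IP source guard only takes effect together with STA address learning"),
        ("DHCP-TRUST-ON-VAP", s["dhcp_trust"],
         "DHCP trusted port is enabled in the VAP profile; run 'undo dhcp trust port'"),
        ("FLOOD-DETECT-OFF", not s["flood_detect"], "broadcast flood detection is disabled"),
    ]
    return [(code, message) for code, hit, message in rules if hit]

# Constructed sample inputs: a profile left at its defaults and a hardened one.
DEFAULT_PROFILE = "forward-mode tunnel\nservice-vlan vlan-id 100\n"
HARDENED_PROFILE = """undo learn-client-address disable
learn-client-address dhcp-strict blacklist enable
ip source check user-bind enable
undo dhcp trust port
undo anti-attack broadcast-flood disable
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, [code for code, _ in audit(text)] or "no findings")
```

A profile left at its defaults still produces findings because strict learning and IP source guard are both disabled by default.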

(Optional) Adjusting VAP Parameters

Context

You can flexibly adjust VAP parameters to adapt to different network requirements.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run type { ap-management | service }

    Set the VAP type.

    By default, the type of a VAP is service.

    NOTE:

    The VAP profile in which the VAP type is set to management AP can only be applied to one radio of an AP.

Configuring a Security Profile

Context

As WLAN technology uses radio signals to transmit service data, service data can easily be intercepted or tampered with by attackers when being transmitted on the open wireless channels. Security is critical to WLANs. You can create a security profile to configure security policies, which protect the privacy of users and ensure data transmission security on WLANs.

A security profile provides four WLAN security policies: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy has a series of security mechanisms, including the link authentication mechanism used to establish a wireless link, user authentication mechanism used when users attempt to connect to a wireless network, and data encryption mechanism used during data transmission.

If no security policy is configured during the creation of a security profile, the default authentication mode (open system authentication) is used. When a user searches for a wireless network, the user can connect to the wireless network without being authenticated.

The default security policy has low security. You are advised to configure a proper security policy. For details on how to configure security policies, see WLAN Security Configuration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run security-profile name profile-name

    A security profile is created, and the security profile view is displayed.

    By default, security profiles default and default-wds are available in the system.

    After a security profile is created, you need to configure a proper security policy according to service requirements because the default security policy has security risks. For the detailed configuration, see Configuring a WLAN Security Policy.

  4. Run quit

    Return to the WLAN view.

  5. Run vap-profile name profile-name

    The VAP profile view is displayed.

  6. Run security-profile profile-name

    The security profile is bound to a VAP profile.

    By default, the security profile default is bound to a VAP profile.

Configuring an SSID Profile

Context

SSIDs identify different wireless networks. When you search for available wireless networks on your laptop, the displayed wireless network names are SSIDs. In an SSID profile, you can define an SSID name and configure related parameters. After the SSID profile configuration is complete, bind the SSID profile to a VAP profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run ssid-profile name profile-name

    An SSID profile is created, and the SSID profile view is displayed.

    By default, the system provides the SSID profile default.

  4. Run ssid ssid

    An SSID name is configured.

    By default, the SSID HUAWEI-WLAN is configured in an SSID profile.

  5. (Optional) Run ssid-hide enable

    SSID hiding in Beacon frames is enabled.

    By default, SSID hiding in Beacon frames is disabled in an SSID profile.

    When creating a WLAN, configure an AP to hide the SSID of the WLAN to ensure security. Only the users who know the SSID can connect to the WLAN.

  6. (Optional) Run max-sta-number max-sta-number

    The maximum number of successfully associated STAs on a VAP is configured.

    By default, a VAP allows for a maximum of 64 successfully associated STAs.

    The more users that access a VAP, the fewer network resources each user can occupy. To ensure the Internet experience of users, you can configure a proper maximum number of access users on a VAP according to actual network situations.

  7. (Optional) Run reach-max-sta hide-ssid disable

    APs are disabled from automatically hiding SSIDs when the number of users reaches the maximum.

    By default, automatic SSID hiding is enabled when the number of users reaches the maximum.

    After automatic SSID hiding is enabled, SSIDs are automatically hidden when the number of users connected to the WLAN reaches the maximum, and SSIDs are unavailable for new users.

  8. (Optional) Run legacy-station disable

    Access of legacy terminals is denied.

    By default, access of legacy terminals is permitted.

    Legacy terminals support only 802.11a, 802.11b, or 802.11g and provide a rate far lower than that of 802.11n and 802.11ac terminals. If the legacy terminals access the wireless network, the data transmission rate of 802.11n and 802.11ac terminals will be reduced. To prevent the transmission rate of 802.11n and 802.11ac terminals from being affected, deny access of legacy terminals.

  9. (Optional) Run association-timeout association-timeout

    The association aging time of STAs is configured.

    By default, the association aging time is 5 minutes.

    After the association aging time of STAs is configured, if the AP receives no data packet from a STA in a specified time, the STA goes offline after the association aging time expires.

  10. (Optional) Run dtim-interval dtim-interval

    A DTIM interval is configured.

    By default, the DTIM interval is 1.

    The DTIM interval specifies how many Beacon frames are sent before the Beacon frame that contains the DTIM. An AP sends a Beacon frame to wake a STA in power-saving mode, indicating that the saved broadcast and multicast frames will be transmitted to the STA.

    • A short DTIM interval helps transmit data in a timely manner, but the STA is wakened frequently, causing high power consumption.
    • A long DTIM interval lengthens the dormancy time of a STA and saves power, but degrades the transmission capability of the STA.

  11. (Optional) Run active-dull-client enable

    The function of preventing terminals from entering energy-saving mode is enabled.

    By default, the function of preventing terminals from entering energy-saving mode is disabled.

    Some terminals may not run services normally after entering energy-saving mode. You can run the active-dull-client enable command to enable the function of preventing terminals from entering energy-saving mode. After that, an AP frequently sends null data frames to these terminals to prevent them from entering energy-saving mode, ensuring normal services.

  12. Run quit

    Return to the WLAN view.

  13. Run vap-profile name profile-name

    The VAP profile view is displayed.

  14. Run ssid-profile profile-name

    The SSID profile is bound to a VAP profile.

    By default, the SSID profile default is bound to a VAP profile.

Binding VAP Profiles

Context

After the configuration in a VAP profile is complete, you need to bind the VAP profile to an AP group, AP, AP radio, or AP group radio. After being delivered to APs, the configuration in a VAP profile can take effect on the APs.

After a VAP profile is applied to an AP group or AP, the parameter settings in the profile take effect on all radios of the AP group or AP. After a radio profile is applied in the AP group radio or AP radio view, the parameter settings in the profile take effect on the specified AP radio or radios in the AP group.

Procedure

  • Bind a VAP profile to an AP group.
    1. Run the system-view command to enter the system view.
    2. Run the wlan ac command to enter the WLAN view.
    3. Run the ap-group name group-name command to enter the AP group view.
    4. Run the vap-profile profile-name wlan wlan-id [ radio radio-id ] command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

  • Bind a VAP profile to an AP.
    1. Run the system-view command to enter the system view.
    2. Run the wlan ac command to enter the WLAN view.
    3. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
    4. Run the vap-profile profile-name wlan wlan-id [ radio radio-id ] command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

  • Apply a VAP profile in the AP group radio view.
    1. Run the system-view command to enter the system view.
    2. Run the wlan ac command to enter the WLAN view.
    3. Run the ap-group name group-name command to enter the AP group view.
    4. Run the radio radio-id command to enter the radio view.
    5. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

  • Apply a VAP profile in the AP radio view.
    1. Run the system-view command to enter the system view.
    2. Run the wlan ac command to enter the WLAN view.
    3. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
    4. Run the radio radio-id command to enter the radio view.
    5. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

Verifying the VAP Configuration

Prerequisites

The configuration of the VAP, security, and SSID profiles is complete.

Procedure

  • Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service VAP information.
  • Run the display vap-profile { all | name profile-name } command to check configuration and reference information about a VAP profile.
  • Run the display references vap-profile name profile-name command to check reference information about a VAP profile.
  • Run the display security-profile { all | name profile-name } command to check configuration and reference information about a security profile.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.
  • Run the display ssid-profile { all | name profile-name } command to check configuration and reference information about an SSID profile.
  • Run the display references ssid-profile name profile-name command to check reference information about an SSID profile.
  • Run the display vap create-fail-record all command to check records about VAP creation failures.
  • Run the display wlan config-errors command to check WLAN configuration errors.
Updated: 2019-05-20

Document ID: EDOC1100033726
