CLI-based Configuration Guide - WLAN-AC

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the concepts, configuration procedures, and configuration examples of WLAN-AC features.

Managing an AP's Wired Interface

Context

Managing an AP's wired interface includes configuring AP wired interface parameters and link layer parameters.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan ac

    The WLAN view is displayed.

  3. Run wired-port-profile name profile-name

    An AP wired port profile is created, and the AP wired port profile view is displayed.

    By default, the system provides the AP wired port profile default.

  4. Configure parameters for an AP's wired interface.

    • Add an AP's wired interface to an Eth-Trunk

      Command: eth-trunk trunk-id

      By default, an AP interface is not added to any Eth-Trunk.

      To improve the connection reliability and increase the bandwidth, you can run this command to bind multiple interfaces into an Eth-Trunk.

      NOTE:

      APs that have only one physical network interface do not support this command.

      The physical interface to be added to an Eth-Trunk cannot have other configurations. Before adding a physical interface to an Eth-Trunk, clear all configurations on it except the interface status, working mode, descriptions, LLDP function, and alarm function for CRC errors.

    • Configure a working mode for an AP's wired interface

      Command: mode { root | endpoint | middle }

      By default, the GigabitEthernet interface of a common AP works in root mode, the Ethernet interface in endpoint mode, and the Eth-Trunk interface in root mode.

      When working as an uplink interface to connect to an AC, an AP's wired interface must work in root mode. In root mode, the AP's wired interface automatically joins service VLANs and user-specific VLANs (for example, VLANs assigned by the RADIUS server).

      When working as a downlink interface to connect to a wired terminal, the AP's wired interface must work in endpoint mode. In endpoint mode, the AP's wired interface does not join any VLAN by default.

      NOTE:

      The AP's wired interface supports user isolation in endpoint mode, but not in root mode.

    • Enable a DHCP trusted port on an AP's wired interface

      Command: dhcp trust port

      By default, the DHCP trusted interface is disabled in the VAP profile view and enabled on the AP's uplink interface in the AP wired port profile view.

      This command takes effect only on the AP's uplink interface.

      Before WLAN services are delivered to an AP, run the dhcp trust port command in the AP wired port profile view. After the command is run, the AP receives the DHCP OFFER, ACK, and NAK packets sent by the authorized DHCP server and forwards the packets to STAs so that the STAs can obtain valid IP addresses and go online.

      NOTE:

      If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses and network configuration parameters and cannot communicate properly. After the dhcp trust port command is executed in the VAP profile view, an AP discards the DHCP OFFER, ACK, and NAK packets sent by the bogus DHCP server and reports the IP address of the unauthorized DHCP server to the AC. For details, see (Optional) Improving VAP Security.

    • Enable terminal address learning on an AP's wired interface

      Command: learn-client-address enable

      By default, terminal address learning is disabled on an AP's wired interface.

      After terminal address learning is enabled on an AP's wired interface, if a wired terminal connected to the AP wired interface successfully obtains an IP address, the AP automatically reports the IP address of the terminal to the AC, helping to maintain the IP address and MAC address binding entries of wired terminals.

      This configuration takes effect only on AP wired interfaces working in endpoint mode.

    • Enable IP source guard (IPSG) on an AP's wired interface

      Command: ipsg enable

      By default, IPSG is disabled on an AP's wired interface.

      Attackers often use packets with the source IP addresses or MAC addresses of authorized users to access or attack networks. As a result, authorized users cannot obtain stable and secure network services. You can enable the IPSG function to prevent this.

      To make the configuration take effect, terminal address learning must be enabled on the AP's wired interface using the learn-client-address enable command.

    • Enable dynamic ARP inspection (DAI) on an AP's wired interface

      Command: dai enable

      By default, DAI is disabled on an AP's wired interface.

      You can enable DAI using this command to prevent man-in-the-middle (MITM) attacks and theft of authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, and VLAN ID of the ARP packet with DHCP snooping binding entries. If the ARP packet matches a binding entry, the device allows the packet to pass through. If the ARP packet does not match any binding entry, the device discards the packet.

      To make the configuration take effect, terminal address learning must be enabled on the AP's wired interface using the learn-client-address enable command.

    • Set the maximum volume of broadcast, multicast, or unknown unicast traffic on an AP's wired interface

      Command: traffic-optimize { broadcast-suppression | multicast-suppression | unicast-suppression } packets packets-rate

      By default, the volume of broadcast, multicast, or unknown unicast traffic is not suppressed on an AP's wired interface.

      When a large number of broadcast, multicast, and unknown unicast packets are transmitted on a network, a lot of network resources are occupied, and services on the network are affected. When the traffic volume of broadcast, multicast, and unknown unicast packets reaches the maximum on an AP's wired interface, the system discards excess packets to control the traffic volume in a proper range and prevent flooding attacks.

  5. Run quit

    Return to the WLAN view.

  6. Configure link layer parameters for an AP's wired interface
    1. Run the port-link-profile name profile-name command to create an AP wired port link profile and enter the profile view.

      By default, the system provides the AP wired port link profile default.

    2. Run the crc-alarm enable [ high-threshold high-threshold-value | low-threshold low-threshold-value ]* command to configure the alarm function for CRC errors on an AP's wired interface, and set the alarm threshold and clear alarm threshold.

      By default, the alarm function for CRC errors is disabled on the AP wired interface. The alarm threshold for CRC errors is 50 and the clear alarm threshold is 20.

    3. Run the shutdown command to disable the AP's wired interface.

      By default, an AP's wired interface is enabled.

      If malicious users launch attacks on the network through an AP's wired interface, the administrator can deliver the shutdown command on the AC to shut down the interface.

      The shutdown command takes effect only on AP wired interfaces working in endpoint or middle mode, not on those working in root mode.

    4. Run the quit command to return to the WLAN view.
    5. Run the wired-port-profile name profile-name command to enter the AP wired port profile view.
    6. Run the port-link-profile profile-name command to bind the AP wired port link profile to the AP wired port profile.

      By default, the AP wired port link profile default is bound to an AP wired port profile.

    7. Run the quit command to return to the WLAN view.
  7. Bind the AP wired port profile to an AP group or AP.

    • Bind the AP wired port profile to an AP group.
      1. Run the ap-group name group-name command to enter the AP group view.
      2. Run the wired-port-profile profile-name interface-type interface-number command to bind the AP wired port profile to an AP group.

        By default, the AP wired port profile default is bound to an AP group.

    • Bind the AP wired port profile to an AP.
      1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
      2. Run the wired-port-profile profile-name interface-type interface-number command to bind the AP wired port profile to an AP.

        By default, no AP wired port profile is bound to an AP.

  8. Run quit

    Return to the WLAN view.

  9. Run commit { all | ap-name ap-name | ap-id { ap-id1 [ to ap-id2 ] } &<1-10> }

    Configurations are delivered to APs.
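
Several step 4 commands only take effect in combination (mode, learn-client-address enable, ipsg enable, dai enable, dhcp trust port), so a profile can be checked against those rules before commit is run. The Python check below is an added example, not Huawei code; the function name, the findings format and the sample profiles are assumptions, and it takes the profile's commands as a plain list of lines.

```python
# Default working mode by interface type, as stated in step 4.
DEFAULT_MODE = {"gigabitethernet": "root", "ethernet": "endpoint", "eth-trunk": "root"}

def audit_wired_port_profile(commands, iface_type):
    """Check the commands entered in one AP wired port profile view.

    commands   -- command lines as typed in the profile view
    iface_type -- type of the AP interface the profile is bound to
    Returns a list of (command, reason) findings; empty means no conflict.
    """
    cmds = [" ".join(line.lower().split()) for line in commands if line.strip()]
    mode = DEFAULT_MODE[iface_type.lower()]
    for cmd in cmds:
        if cmd.startswith("mode "):
            mode = cmd.split()[1]  # an explicit mode overrides the default

    findings = []
    learning = "learn-client-address enable" in cmds
    if learning and mode != "endpoint":
        findings.append(("learn-client-address enable",
                         f"takes effect only in endpoint mode, interface is in {mode} mode"))
    # IPSG and DAI both depend on terminal address learning being in effect.
    for feature in ("ipsg enable", "dai enable"):
        if feature in cmds and not (learning and mode == "endpoint"):
            findings.append((feature,
                             "needs learn-client-address enable on an endpoint-mode interface"))
    # The uplink must be in root mode, so any other mode is not an uplink.
    if "dhcp trust port" in cmds and mode != "root":
        findings.append(("dhcp trust port",
                         f"takes effect only on the uplink (root mode), interface is in {mode} mode"))
    return findings

# Constructed sample profiles (not taken from a real device).
DOWNLINK_OK = ["mode endpoint", "learn-client-address enable", "ipsg enable", "dai enable"]
DOWNLINK_NO_LEARNING = ["mode endpoint", "ipsg enable", "dai enable"]
UPLINK_MISCONFIGURED = ["learn-client-address enable", "ipsg enable", "dhcp trust port"]

if __name__ == "__main__":
    samples = [("downlink-ok", DOWNLINK_OK, "ethernet"),
               ("downlink-no-learning", DOWNLINK_NO_LEARNING, "ethernet"),
               ("uplink-misconfigured", UPLINK_MISCONFIGURED, "gigabitethernet")]
    for name, profile, iface in samples:
        print(name, audit_wired_port_profile(profile, iface) or "no conflicts")
```
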

Verifying the Configuration

  • Run the display wired-port-profile { all | name profile-name } command to check configuration and reference information about an AP wired port profile.
  • Run the display port-link-profile { all | name profile-name } command to check configuration and reference information about an AP wired port link profile.
  • Run the display references wired-port-profile name profile-name command to check reference information about an AP wired port profile.
  • Run the display references port-link-profile name profile-name command to check reference information about an AP wired port link profile.
  • Run the display mac-address mac-address [ verbose ] ap-all command to check MAC address entries on all APs.
  • Run the display mac-address { ap-id ap-id | ap-name ap-name } interface-type interface-number command to check all dynamic MAC address entries on an AP's wired interface.

Updated: 2019-08-07

Document ID: EDOC1100033726
