AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 Web-based Configuration Guide
Configuration Wizard
Internet Access Wizard
Context
The Internet access wizard allows the AR to connect to the Internet. Select a connection mode based on information you obtain from a network service provider.
The 3G/4G configuration wizard page is displayed only when the 3G/LTE data card is working.
By default, the Internet Access Wizard page is automatically displayed after you log in to the web platform, so you can go directly to step 3. To stop the web platform from displaying this wizard automatically upon the next login, select the Do not display this wizard upon next login check box in the Internet Access Wizard menu, as shown in Figure 1-17. If you need to perform Internet Access Wizard configurations later, start from step 1.
Procedure
- Click Configuration on the toolbar to access the Configuration page. In the navigation tree on the left, click Configuration Wizard to access the Configuration Wizard page.
- Click Internet Access Wizard to access the Internet Access Wizard page, as shown in Figure 1-17.
- Select a connection mode based on information you obtain from a network service provider.
PPPoE dial-up
If you obtain a user name and password from a network service provider, connect to the Internet through PPPoE dial-up.
- Click Broadband Dialup to access the Configure Internet access parameters for the broadband dialup mode page, as shown in Figure 1-19.
- Enter the broadband account provided by the network service provider or network administrator, as shown in Table 1-6.
Table 1-6 Description of parameters on the Configure Internet access parameters for the broadband dialup mode page
Parameter
Description
Interface
Interface used by the router to connect to the Internet.
User name
User name for PPPoE dial-up.
Password
Password for PPPoE dial-up.
Enable NAT
Enable or disable NAT.
Static NAT
If NAT is enabled, configure the static NAT parameters. Click Static NAT Configuration, as shown in Figure 1-20. For details, see Table 1-7.
Cloud management
If you need to connect the device to the cloud management platform, select Cloud management.
Gateway address
Gateway address of the interface.
NOTE: Only V200R010C10 and later versions support this parameter.
Subnet mask
Subnet mask of the interface.
NOTE: Only V200R010C10 and later versions support this parameter.
If there is no available LAN interface on the current device, you can select a WAN interface for LAN configuration.
Table 1-7 Static NAT parameters
Parameter
Description
Translation type
Whether to translate addresses according to the protocol type:
- Protocol translation: translates addresses only when IP packets are transmitted over the specified protocol.
- Address translation: translates IP addresses when IP packets are transmitted over any protocol.
Protocol type
Protocol type for which NAT is used. Currently, the following protocols are supported: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
NOTE: When this parameter is set to ICMP, you need to set only External IP and Internal IP.
External port
Public port number used by private network users to access public network servers. You can select a value from the drop-down list box or enter a port number.
Internal IP
IP address of a private network user.
Internal port
Source port number used by private network users to access public networks. You can select a value from the drop-down list box or enter a port number.
- Click Finish.
- Click OK to save the configuration.
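The distinction Table 1-7 draws between protocol translation (TCP/UDP/ICMP-specific, with ICMP entries carrying only the two IP addresses) and address translation (any protocol) is easy to get wrong when auditing a NAT rule set. The following Python model is an added example, not code from the Huawei guide; the entry and packet structures, the field names, and all addresses and ports are constructed for illustration.

```python
# Added example (not from the Huawei guide): a minimal model of the static NAT
# entry types listed in Table 1-7, applied to outbound packets from the LAN.
# Entry/packet structures, addresses and ports are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticNatEntry:
    translation_type: str                # "protocol" or "address" (Translation type in Table 1-7)
    internal_ip: str                     # private address of the LAN host (Internal IP)
    external_ip: str                     # public address presented to the Internet (External IP)
    protocol: Optional[str] = None       # "tcp", "udp" or "icmp"; required for protocol translation
    internal_port: Optional[int] = None  # ignored for ICMP and for address translation
    external_port: Optional[int] = None

    def __post_init__(self):
        if self.translation_type not in ("protocol", "address"):
            raise ValueError("translation type must be 'protocol' or 'address'")
        if self.translation_type == "protocol":
            if self.protocol not in ("tcp", "udp", "icmp"):
                raise ValueError("protocol translation needs TCP, UDP or ICMP")
            # Per the note in Table 1-7, ICMP entries carry only the two IP addresses;
            # TCP/UDP entries additionally need the port pair.
            if self.protocol != "icmp" and (self.internal_port is None or self.external_port is None):
                raise ValueError("TCP/UDP protocol translation needs internal and external ports")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None   # None for ICMP


def matches(entry: StaticNatEntry, pkt: Packet) -> bool:
    """Return True if this entry applies to an outbound packet."""
    if pkt.src_ip != entry.internal_ip:
        return False
    if entry.translation_type == "address":
        return True                       # any protocol: only the address is rewritten
    if pkt.protocol != entry.protocol:
        return False                      # protocol translation is protocol-specific
    if entry.protocol == "icmp":
        return True                       # no ports involved
    return pkt.src_port == entry.internal_port


def translate_outbound(entries: List[StaticNatEntry], pkt: Packet) -> Packet:
    """Apply the first matching static NAT entry; return the packet unchanged if none matches."""
    for entry in entries:
        if matches(entry, pkt):
            new_port = pkt.src_port
            if entry.translation_type == "protocol" and entry.protocol != "icmp":
                new_port = entry.external_port
            return Packet(entry.external_ip, pkt.dst_ip, pkt.protocol, new_port)
    return pkt


# Constructed sample configuration: one TCP entry, one ICMP entry, one address entry.
SAMPLE_ENTRIES = [
    StaticNatEntry("protocol", "192.168.1.10", "203.0.113.10", "tcp", 8080, 80),
    StaticNatEntry("protocol", "192.168.1.11", "203.0.113.11", "icmp"),
    StaticNatEntry("address", "192.168.1.12", "203.0.113.12"),
]

if __name__ == "__main__":
    for p in (Packet("192.168.1.10", "198.51.100.5", "tcp", 8080),
              Packet("192.168.1.10", "198.51.100.5", "udp", 8080),
              Packet("192.168.1.12", "198.51.100.5", "udp", 5000)):
        print(p, "->", translate_outbound(SAMPLE_ENTRIES, p))
```

The second sample packet shows the point of the Protocol type column: UDP traffic from a host that only has a TCP entry leaves the router untranslated, so a missing protocol row is a silent gap rather than an error.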
Fixed IP address
If you obtain a fixed IP address or IP segment from a network service provider, connect to the Internet using the fixed IP address.
- Click Fixed Address to access the Configure Internet access parameters for the fixed address mode page, as shown in Figure 1-21.
- Enter information provided by the network service provider or network administrator, as shown in Table 1-8.
Table 1-8 Description of parameters on the Configure Internet access parameters for the fixed address mode page
Parameter
Description
Interface
Interface used by the router to connect to the Internet.
IP address
IP address of the interface.
The interface IP address cannot conflict with the IP addresses of other interfaces on the device or of other devices on the network.
Subnet mask
Subnet mask of the interface.
Gateway
Default gateway address of the interface.
The default gateway address must be in the same network segment as the interface IP address.
Primary DNS server
Primary DNS server address assigned to a DHCP client.
NOTE: In V200R010C10 and later versions, this parameter is optional.
Secondary DNS server
Secondary DNS server address assigned to a DHCP client.
Enable NAT
Enable or disable NAT.
Static NAT
If NAT is enabled, configure the static NAT parameters. Click Static NAT Configuration, as shown in Figure 1-20. For details, see Table 1-7.
- Click Finish.
- Click OK to save the configuration.
Dynamic address allocation
If you obtain an IP address automatically from a network service provider, connect to the Internet using a dynamic IP address.
- Click Dynamic Address to access the Configure Internet access parameters for the dynamic address mode page, as shown in Figure 1-22.
- Select an interface for accessing the Internet. The interface automatically obtains an IP address from the network service provider.
- Set Enable NAT to ON to enable NAT. Click Configure for Static NAT to access the Static NAT Configuration page, as shown in Figure 1-20. For details, see Table 1-7.
- Click Finish.
- Click OK to save the configuration.
3G/4G
If a 3G/4G card is installed on the device, connect to the Internet through 3G/4G.
- Click 3G/4G to access the Configure Internet access parameters for the 3G/4G mode page, as shown in Figure 1-23.
- Enter the user name, password, and APN provided by the network service provider, as shown in Table 1-9.
Table 1-9 Description of parameters on the Configure Internet access parameters for the 3G/4G mode page
Parameter
Description
User name
User name for accessing an external PDN network, provided by the carrier.
Password
User password for accessing an external PDN network, provided by the carrier.
APN
APN for the router.
NOTE: APNs are provided by the carrier.
Enable NAT
Enable or disable NAT.
Static NAT
If NAT is enabled, configure the static NAT parameters. Click Static NAT Configuration, as shown in Figure 1-20. For details, see Table 1-7.
You can use the Internet access wizard to configure Internet access services only on Cellular0/0/0.
- Click Finish to finish the configuration and connect to a 3G/4G network.
- Parameters on the LAN (Local Area Network) page are configured automatically to obtain the default gateway IP address and subnet mask of the host. If an error occurs, click OK in the displayed dialog box and go to the LAN (Local Area Network) page to modify the configuration.
Wireless Configuration Wizard
Context
Procedure
- Click Configuration on the toolbar to access the Configuration page. In the navigation tree on the left, click Configuration Wizard to access the Configuration Wizard page, as shown in Figure 1-24.
- Click Wireless Configuration Wizard to access the Select Interface and Assign Addresses page, as shown in Figure 1-25.
- VLANIF
On the Select Interface and Assign Addresses page, select VLANIF to access the VLANIF page, as shown in Figure 1-26.
- Connect to AP
On the Select Interface and Assign Addresses page, click Connect to AP. On the displayed page, set interface and address parameters. Table 1-10 describes the parameters.
- Connect to switch
On the Select Interface and Assign Addresses page, click Connect to switch to access the Connect to switch page, as shown in Figure 1-27.
On the Connect to switch page, set interface and address parameters. Table 1-10 describes the parameters.
- LoopBack
On the Select Interface and Assign Addresses page, select LoopBack to access the LoopBack page, as shown in Figure 1-28.
On the LoopBack page, set parameters for interface selection and address assignment. Table 1-10 describes the parameters.
Table 1-10 Description of parameters on the Select Interface and Assign Addresses page
Parameter
Description
AC source address
Set the source interface for the AC.
- VLANIF: Sets a VLANIF interface as the source interface.
- LoopBack: Sets a loopback interface as the source interface.
NOTE: The selected source interface must have an IP address.
Click the icon. In the dialog box that is displayed, select the source interface of the AC.
Click Create to create a source interface for the AC.
Manage VLAN
Select a management VLAN for wireless configuration.
Select Ethernet interface
Select an Ethernet interface for wireless configuration.
Connection mode
(Mandatory) Set the connection mode. The value can be Connect to AP or Connect to switch.
IP/Mask
(Mandatory) Set an IP address and mask for an AP.
VLAN(Untagged mode)
Set a VLAN ID for an interface in untagged mode. The VLAN ID is an integer ranging from 1 to 4094. The value can be a range (such as 3–5) or an integer.
VLAN(Tagged mode)
Set a VLAN ID for an interface in tagged mode. The VLAN ID is an integer ranging from 1 to 4094. The value can be a range (such as 3–5) or integers (such as 1, 7). The interface can be set to either tagged or untagged mode, not both.
PVID
(Mandatory) Set a PVID for the interface. The value is an integer ranging from 1 to 4094. The interface can be set to either tagged or untagged mode, not both.
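Table 1-10 accepts VLAN IDs as a single integer, a range such as 3–5, or a list such as 1, 7, limits every ID to 1 to 4094, and allows an interface to be tagged or untagged but not both. The following parser is an added example, not code from the Huawei guide; the function names and the sample inputs are constructed, and it accepts both the en dash the guide prints and an ASCII hyphen.

```python
# Added example (not from the Huawei guide): parse and validate the VLAN ID
# strings accepted by the VLAN(Untagged mode)/VLAN(Tagged mode) and PVID fields
# described in Table 1-10. Function names and sample inputs are constructed.
import re
from typing import Dict, List

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_ids(text: str) -> List[int]:
    """Return the sorted, de-duplicated VLAN IDs described by text, or raise ValueError."""
    ids = set()
    # Tokens are separated by commas and/or whitespace, e.g. "1, 7" or "3-5 10".
    for piece in re.split(r"[,\s]+", text.strip()):
        if not piece:
            continue
        # A token is an integer or a range; accept "-" and the en dash "\u2013".
        m = re.fullmatch(r"(\d+)(?:[-\u2013](\d+))?", piece)
        if not m:
            raise ValueError(f"invalid VLAN token: {piece!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"range start exceeds end: {piece!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID out of range {VLAN_MIN}-{VLAN_MAX}: {piece!r}")
        ids.update(range(lo, hi + 1))
    if not ids:
        raise ValueError("no VLAN ID given")
    return sorted(ids)


def validate_port_vlans(untagged: str, tagged: str, pvid: str) -> Dict[str, object]:
    """Check one interface's settings: exactly one of tagged/untagged, PVID a single valid ID."""
    untagged, tagged = untagged.strip(), tagged.strip()
    if bool(untagged) == bool(tagged):
        raise ValueError("set either VLAN(Untagged mode) or VLAN(Tagged mode), not both or neither")
    pvid_ids = parse_vlan_ids(pvid)
    if len(pvid_ids) != 1:
        raise ValueError("PVID must be a single VLAN ID")
    mode = "untagged" if untagged else "tagged"
    return {"mode": mode, "vlans": parse_vlan_ids(untagged or tagged), "pvid": pvid_ids[0]}


if __name__ == "__main__":
    print(parse_vlan_ids("3\u20135"))          # the guide's own range notation
    print(validate_port_vlans("", "100, 200-202", "100"))
```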
- VLANIF
- After configuring interface and address parameters on the Select Interface and Assign Addresses page, click Next to access the Configure AC page, as shown in Figure 1-29.
- On the Configure AC page, set Country code and AP authentication mode. (APs can be added offline.) Click Next to access the AP Login page, as shown in Figure 1-30.
- Add an AP in offline mode.
- Add APs manually.
- Add APs in a batch.
- On the Check AP Login page, query AP online status. Click Next to access the Configure WLAN Service page, as shown in Figure 1-33.
- Search for an AP.
- On the Check AP Login page, set the search criteria and click the search icon.
- On the Configure WLAN Service page, you can create, delete, modify, and search for APs.
- Create an SSID.
- Modify an SSID.
- Delete an SSID.
- On the Configure WLAN Service page, select an SSID and click Delete.
- In the displayed Warning dialog box, click OK.
- Search for an SSID.
- On the Configure WLAN Service page, set the search criteria and click the search icon. SSIDs matching the search criteria are displayed. You can view, modify, and delete the SSIDs.
- Display information about an AP.
L2TP Access Wizard
Context
The L2TP access wizard enables remote dial-up users to access enterprise intranets over the Internet.
Procedure
- Log in to the web platform and choose Configuration > Configuration Wizard. The Configuration Wizard page is displayed, as shown in Figure 1-37.
- Click L2TP Access Wizard. The L2TP Access Wizard page is displayed, as shown in Figure 1-38.
- On the L2TP Access Wizard page, set parameters as required. Table 1-13 describes the parameters of the L2TP access wizard.
Table 1-13 Parameters of the L2TP access wizard
Parameter
Description
Auto dialing
Enable or disable auto dialing.
By default, auto dialing is disabled on the device.
Server
Select IP address or Domain.
Server IP address
Enter the IP address of the L2TP server. This option is mandatory.
Server domain name
Enter the domain name of the L2TP server. This option is mandatory.
User name
Enter the user name that initiates the dial-up on the L2TP client. This option is mandatory. To set up an L2TP tunnel between the L2TP server and client, the same user name and password must exist on the L2TP server, and the user cannot be set as the current online user.
Password
Enter the password of the user name that initiates the dial-up on the L2TP client. This option is mandatory.
Enable NAT
Enable or disable NAT. If NAT is enabled, the source IP address of data flows forwarded through the L2TP tunnel is translated into the client IP address allocated by the L2TP server.
By default, NAT is disabled.
Tunnel name
Enter the tunnel name of the L2TP client.
By default, the device name is used as the tunnel name. To view or modify the device name, see the device information in Device Information.
Enabled Tunnel authentication
Enable or disable tunnel authentication. If tunnel authentication is enabled on the L2TP server, it must be enabled on the L2TP client too.
By default, tunnel authentication is disabled.
Tunnel password
Enter the tunnel password. When tunnel authentication is enabled, this option is mandatory.
Keepalive interval (seconds)
Set the interval for transmitting Hello packets over the tunnel.
To ensure that the L2TP client and server can normally communicate over the tunnel established between them, the client periodically sends Hello packets to check the connectivity of the server. If the client receives no response for five consecutive Hello packets, the client will automatically tear down the tunnel connection.
By default, the Keepalive interval is 60s.
Show AVP data
Enable or disable encryption of AVP data in L2TP packets. After encryption is enabled, L2TP negotiation packets are encrypted during the L2TP session setup process. This improves security but slows down tunnel setup. The L2TP client and server can normally negotiate only after both of them have this function enabled.
By default, AVP data is not encrypted.
MTU(Byte)
Set the interface maximum transmission unit (MTU).
By default, the interface MTU is 1500 bytes.
TCP-MSS(Byte)
Set the maximum segment size (MSS) of TCP packets on an interface.
By default, the TCP-MSS is 1200 bytes on the interface.
- Click Finish. In the Info dialog box that is displayed, click OK.
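The Keepalive interval description above gives the client-side rule (a Hello every interval seconds; tear the tunnel down after five consecutive unanswered Hellos). The following model is an added example, not code from the Huawei guide; it assumes the tunnel is torn down at the moment the fifth unanswered Hello is sent, and the event timelines it runs are constructed.

```python
# Added example (not from the Huawei guide): a model of the L2TP client keepalive
# behaviour described under Keepalive interval (seconds). Assumption of this
# example: the tunnel is torn down when the fifth consecutive unanswered Hello is
# sent; any response from the server resets the count. Timelines are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

MAX_UNANSWERED_HELLOS = 5
DEFAULT_INTERVAL = 60   # guide default, in seconds


@dataclass
class L2tpKeepalive:
    interval: int = DEFAULT_INTERVAL
    unanswered: int = 0
    torn_down_at: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def hello_sent(self, t: int) -> None:
        """Record a Hello transmission at time t (seconds)."""
        if self.torn_down_at is not None:
            return
        self.unanswered += 1
        if self.unanswered >= MAX_UNANSWERED_HELLOS:
            self.torn_down_at = t
            self.events.append(f"t={t}s: {self.unanswered} consecutive Hellos unanswered, tunnel torn down")

    def response_received(self, t: int) -> None:
        """Any response from the server proves connectivity and resets the counter."""
        if self.torn_down_at is not None:
            return
        if self.unanswered:
            self.events.append(f"t={t}s: server responded, counter reset from {self.unanswered}")
        self.unanswered = 0


def run_timeline(interval: int, response_times: List[int], horizon: int) -> L2tpKeepalive:
    """Send Hellos at interval, 2*interval, ... up to horizon, delivering responses in time order."""
    ka = L2tpKeepalive(interval=interval)
    pending = sorted(response_times)
    for t in range(interval, horizon + 1, interval):
        while pending and pending[0] < t:      # responses that arrived before this Hello
            ka.response_received(pending.pop(0))
        ka.hello_sent(t)
    return ka


def worst_case_detection_seconds(interval: int) -> int:
    """Time from the last answered Hello until teardown under this model."""
    return MAX_UNANSWERED_HELLOS * interval


if __name__ == "__main__":
    silent = run_timeline(DEFAULT_INTERVAL, [], 600)        # server never answers
    flaky = run_timeline(DEFAULT_INTERVAL, [70, 130], 600)  # answers twice, then goes quiet
    for ka in (silent, flaky):
        print("\n".join(ka.events))
```

With the guide's 60 s default the model tears a dead tunnel down after 300 s; shortening the interval detects a failed peer sooner at the cost of more control traffic, and the flaky timeline shows that a single late response pushes the teardown out by a full five intervals.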
IPSec Configuration Wizard
Procedure
- Log in to the web platform and choose Configuration > Configuration Wizard. The Configuration Wizard page is displayed, as shown in Figure 1-39.
- Click IPSec Configuration Wizard. The Select Usage Scenario page is displayed, as shown in Figure 1-40.
Select a usage scenario.
If either the local device or the remote device can initiate negotiation, select the corresponding option. The configurations of the local and remote devices must be consistent.
If the remote device has a variable or unknown IP address, select the corresponding option. The local device is used as the responder.
When the local device actively sets up an Internet Protocol Security (IPSec) tunnel with the central site, select the corresponding option. The local device is used as the initiator.
Configure the network.
Enable IPSec on an Ethernet interface and use it as the outbound interface for IPSec-protected data.
Configure the remote device address (in IP address or domain name format). You can also click the test button to perform the network connectivity test. If the usage scenario is set to Central Site, you do not need to configure the remote device address.
- After you select a usage scenario and configure the network on the Select Usage Scenario page, go to the next page. The Configure Encryption and Authentication page is displayed, as shown in Figure 1-41.
Negotiation can be successful only when the following parameter settings are the same on the local and remote devices.
- Configure the pre-shared key. The value is a string of 1 to 128 characters. If the character string contains question marks (?) or spaces, you need to put the string in double quotation marks (""). You need to configure the same pre-shared key on the local and remote devices.
Table 1-14 describes Internet Key Exchange (IKE) parameters.
IKE provides the mechanism for negotiating keys and establishing security associations (SAs), which simplifies the use and management of IPSec. After an IKE SA is established between the local and remote devices to complete identity authentication and key exchange, a pair of IPSec SAs is negotiated based on parameters such as the Authentication Header (AH) or Encapsulating Security Payload (ESP) security protocol. The local and remote devices can then transmit encrypted data over the IPSec tunnel.
Table 1-14 IKE parameters
Parameter
Description
Negotiation mode
Negotiation mode in IKEv1 phase 1.
- Main mode: Identity information is encrypted, which provides higher security, but negotiation is slower.
- Aggressive mode: Negotiation is faster than in main mode, but identity authentication is not supported.
Authentication algorithm
Authentication algorithm used by the IKE protocol.
- SHA1: The SHA1 algorithm uses a 160-bit key.
- MD5: The MD5 algorithm uses a 128-bit key.
- SHA2-256: The SHA2-256 algorithm uses a 256-bit key.
- SHA2-384: The SHA2-384 algorithm uses a 384-bit key.
- SHA2-512: The SHA2-512 algorithm uses a 512-bit key.
- SM3: The SM3 algorithm uses a 256-bit key.
Note that the MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.
Encryption algorithm
Encryption algorithm used by the IKE protocol.
- 3DES: The 3DES algorithm uses a 168-bit key.
- AES-128: The AES-128 algorithm uses a 128-bit key.
- AES-192: The AES-192 algorithm uses a 192-bit key.
- AES-256: The AES-256 algorithm uses a 256-bit key.
- DES: The DES algorithm uses a 56-bit key.
- SM1: SM1 is an encryption algorithm released by the State Encryption Administration of China. It uses a 128-bit key.
- SM4: SM4 is an encryption algorithm released by the State Encryption Administration of China. It uses a 128-bit key.
Note that the 3DES and DES encryption algorithms cannot ensure security. You are advised to use another encryption algorithm.
DH group number
Diffie-Hellman group used in the IKE key negotiation phase.
- Group1: 768-bit DH group.
- Group2: 1024-bit DH group.
- Group5: 1536-bit DH group.
- Group14: 2048-bit DH group.
- Group19: 256-bit elliptic curve group modulo a prime (ECP) DH group.
- Group20: 384-bit ECP DH group.
- Group21: 521-bit ECP DH group.
Configure IPSec parameters. Table 1-15 describes the IPSec parameters.
Table 1-15 IPSec parameters
Parameter
Description
Security protocol
Security protocol used by IPSec to provide security services.
- AH: Only the authentication function is available.
- AH-ESP: Both AH and ESP are used to provide security services.
- ESP: Both authentication and encryption functions are available.
AH authentication algorithm
Algorithm used by the AH protocol to complete data origin authentication and data integrity check.
- MD5: The MD5 algorithm uses a 128-bit key.
- SHA1: The SHA1 algorithm uses a 160-bit key.
- SHA2-256: The SHA2-256 algorithm uses a 256-bit key.
- SM3: The SM3 algorithm uses a 256-bit key.
NOTE: When the SM3 algorithm is used, the ESP encryption algorithm must be SM1, SM4, or Non-encryption.
Note that the MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.
ESP authentication algorithm
Algorithm used by the ESP protocol to complete data origin authentication and data integrity check.
- Non-authentication.
- MD5: The MD5 algorithm uses a 128-bit key.
- SHA1: The SHA1 algorithm uses a 160-bit key.
- SHA2-256: The SHA2-256 algorithm uses a 256-bit key.
- SM3: The SM3 algorithm uses a 256-bit key.
NOTE: When the SM3 algorithm is used, the ESP encryption algorithm must be SM1, SM4, or Non-encryption.
The ESP authentication and encryption algorithms cannot be set to Non-authentication and Non-encryption at the same time.
Note that the MD5 and SHA1 authentication algorithms cannot ensure security. You are advised to use another authentication algorithm.
ESP encryption algorithm
Encryption algorithm used by the ESP protocol to encrypt payloads.
- Non-encryption.
- DES: The DES algorithm uses a 56-bit key.
- 3DES: The 3DES algorithm uses a 168-bit key.
- AES-128: The AES-128 algorithm uses a 128-bit key.
- AES-192: The AES-192 algorithm uses a 192-bit key.
- AES-256: The AES-256 algorithm uses a 256-bit key.
- SM1: SM1 is an encryption algorithm released by the State Encryption Administration of China. It uses a 128-bit key.
- SM4: SM4 is an encryption algorithm released by the State Encryption Administration of China. It uses a 128-bit key.
NOTE: When the SM1 or SM4 algorithm is used, the ESP authentication algorithm must be SHA1, SM3, or Non-authentication.
Note that the 3DES and DES encryption algorithms cannot ensure security. You are advised to use another encryption algorithm.
Encapsulation mode
Mode in which AH or ESP fields are inserted into raw IP packets to authenticate and encrypt them.
- Tunnel mode: An AH or ESP header is added before the raw IP header, and a new IP header (carrying the IP address of the local device) is generated and added before the AH or ESP header. In tunnel mode, the IP addresses of the two communicating hosts on the intranets are hidden, which improves the security of the raw data packets. Tunnel mode applies to scenarios in which forwarding devices encapsulate the traffic to be protected; it is recommended for communication between two security gateways.
- Transport mode: An AH or ESP header is inserted after the IP header but before the transport-layer protocol header. Transport mode protects the payload of the raw data packets. It applies to scenarios in which the two communicating parties, such as two hosts or a host and a gateway, encapsulate the traffic to be protected.
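Tables 1-14 and 1-15 carry three kinds of constraint that a proposal has to satisfy at once: each field must be one of the listed values, the SM1/SM4/SM3 pairing notes and the "not both null" ESP rule must hold, and the algorithms the guide says cannot ensure security (MD5, SHA1, DES, 3DES) should not be chosen. The checker below is an added example, not code from the Huawei guide; the proposal dictionary format, the key names and the sample proposals are constructed for this example.

```python
# Added example (not from the Huawei guide): check an IKE/IPSec proposal against
# the option lists and compatibility rules in Tables 1-14 and 1-15, and flag the
# algorithms the guide's notes call insecure. The proposal format (dict keys),
# helper names and sample proposals are constructed for this example.
from typing import Dict, List

IKE_AUTH = {"SHA1", "MD5", "SHA2-256", "SHA2-384", "SHA2-512", "SM3"}
IKE_ENC = {"3DES", "AES-128", "AES-192", "AES-256", "DES", "SM1", "SM4"}
DH_GROUPS = {"Group1", "Group2", "Group5", "Group14", "Group19", "Group20", "Group21"}
AH_AUTH = {"MD5", "SHA1", "SHA2-256", "SM3"}
ESP_AUTH = {"Non-authentication", "MD5", "SHA1", "SHA2-256", "SM3"}
ESP_ENC = {"Non-encryption", "DES", "3DES", "AES-128", "AES-192", "AES-256", "SM1", "SM4"}
WEAK = {"MD5", "SHA1", "DES", "3DES"}   # called out as unable to ensure security in the guide


def check_proposal(p: Dict[str, str]) -> List[str]:
    """Return the list of problems; empty when the proposal is consistent and uses no weak algorithm.

    Expected keys: ike_auth, ike_enc, dh_group, protocol (AH | ESP | AH-ESP) and,
    depending on protocol, ah_auth, esp_auth, esp_enc.
    """
    problems: List[str] = []

    def require(key: str, allowed: set) -> str:
        v = p.get(key)
        if v not in allowed:
            problems.append(f"{key}: {v!r} is not one of {sorted(allowed)}")
        elif v in WEAK:
            problems.append(f"{key}: {v} cannot ensure security; choose another algorithm")
        return v

    # IKE phase (Table 1-14)
    require("ike_auth", IKE_AUTH)
    require("ike_enc", IKE_ENC)
    require("dh_group", DH_GROUPS)

    # IPSec phase (Table 1-15)
    proto = p.get("protocol")
    if proto not in ("AH", "ESP", "AH-ESP"):
        problems.append(f"protocol: {proto!r} must be AH, ESP or AH-ESP")
        return problems
    if proto in ("AH", "AH-ESP"):
        ah = require("ah_auth", AH_AUTH)
        # Table 1-15 note: SM3 for AH requires an SM cipher or Non-encryption for ESP
        if ah == "SM3" and proto == "AH-ESP" and p.get("esp_enc") not in ("SM1", "SM4", "Non-encryption"):
            problems.append("ah_auth SM3 requires esp_enc SM1, SM4 or Non-encryption")
    if proto in ("ESP", "AH-ESP"):
        ea = require("esp_auth", ESP_AUTH)
        ee = require("esp_enc", ESP_ENC)
        if ea == "Non-authentication" and ee == "Non-encryption":
            problems.append("ESP cannot use Non-authentication and Non-encryption at the same time")
        if ea == "SM3" and ee not in ("SM1", "SM4", "Non-encryption"):
            problems.append("esp_auth SM3 requires esp_enc SM1, SM4 or Non-encryption")
        if ee in ("SM1", "SM4") and ea not in ("SHA1", "SM3", "Non-authentication"):
            problems.append("esp_enc SM1/SM4 requires esp_auth SHA1, SM3 or Non-authentication")
    return problems


# Constructed sample proposals.
GOOD_PROPOSAL = {"ike_auth": "SHA2-256", "ike_enc": "AES-256", "dh_group": "Group14",
                 "protocol": "ESP", "esp_auth": "SHA2-256", "esp_enc": "AES-256"}
LEGACY_PROPOSAL = {"ike_auth": "MD5", "ike_enc": "3DES", "dh_group": "Group2",
                   "protocol": "ESP", "esp_auth": "SHA1", "esp_enc": "DES"}
NULL_ESP_PROPOSAL = {"ike_auth": "SHA2-256", "ike_enc": "AES-128", "dh_group": "Group19",
                     "protocol": "ESP", "esp_auth": "Non-authentication", "esp_enc": "Non-encryption"}

if __name__ == "__main__":
    for name, prop in (("good", GOOD_PROPOSAL), ("legacy", LEGACY_PROPOSAL), ("null-esp", NULL_ESP_PROPOSAL)):
        print(name, check_proposal(prop) or "OK")
```

Because the wizard requires the same settings on both ends, running the same check over the remote device's proposal before negotiation saves a round of failed IKE attempts; a proposal that passes here still has to match the peer's value for value.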
- After you configure tunnel encryption and authentication parameters on the Configure Encryption and Authentication page, go to the next page. The Define Protected Data Flow page is displayed, as shown in Figure 1-42.
Enter the source IP address, destination IP address, and the wildcard masks of the source and destination IP addresses, and then click the add icon to add the data flow. If you enter no value and click the add icon, all data flows are protected. The configurations of the local and remote devices must mirror each other.
You can add multiple data flows.
If one or more data flows no longer need IPSec protection, select them and click Delete.
Click the button to complete the configuration.
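The Define Protected Data Flow page describes flows as source and destination addresses with wildcard masks, treats an empty definition as "protect everything", and requires the remote device's flows to mirror the local ones. The following model is an added example, not code from the Huawei guide; the class and function names, the wildcard-matching convention (mask bits set to 1 are ignored) and all addresses are constructed for this example.

```python
# Added example (not from the Huawei guide): model the protected data flows of the
# Define Protected Data Flow page as address + wildcard mask pairs, test packets
# against them, and verify that a remote device's flows mirror the local ones.
# An empty flow list stands for "any data flow is protected". Names and
# addresses are constructed for this example.
import ipaddress
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _dotted(v: int) -> str:
    return str(ipaddress.IPv4Address(v))


class Flow:
    """One protected data flow; wildcard bits set to 1 are ignored when matching."""

    def __init__(self, src: str, src_wc: str, dst: str, dst_wc: str):
        self.src, self.src_wc = _u32(src), _u32(src_wc)
        self.dst, self.dst_wc = _u32(dst), _u32(dst_wc)

    @staticmethod
    def _match(base: int, wc: int, addr: int) -> bool:
        return (base & ~wc & MASK32) == (addr & ~wc & MASK32)

    def matches(self, src: str, dst: str) -> bool:
        return self._match(self.src, self.src_wc, _u32(src)) and self._match(self.dst, self.dst_wc, _u32(dst))

    def mirrored(self) -> "Flow":
        """The flow the remote device must configure: source and destination swapped."""
        return Flow(_dotted(self.dst), _dotted(self.dst_wc), _dotted(self.src), _dotted(self.src_wc))

    def key(self) -> Tuple[int, int, int, int]:
        # Normalise so 10.1.1.7/0.0.0.255 and 10.1.1.0/0.0.0.255 compare equal.
        return (self.src & ~self.src_wc & MASK32, self.src_wc,
                self.dst & ~self.dst_wc & MASK32, self.dst_wc)


def is_protected(flows: List[Flow], src: str, dst: str) -> bool:
    """True if a packet from src to dst falls under IPSec protection."""
    if not flows:              # no data flow defined: any data flow is protected
        return True
    return any(f.matches(src, dst) for f in flows)


def mirror_mismatches(local: List[Flow], remote: List[Flow]) -> List[Tuple[int, int, int, int]]:
    """Keys of local flows whose mirrored entry is missing on the remote side (empty when consistent)."""
    remote_keys = {f.key() for f in remote}
    return [f.key() for f in local if f.mirrored().key() not in remote_keys]


# Constructed: HQ LAN 10.1.0.0/16 to branch LAN 192.168.10.0/24.
LOCAL_FLOWS = [Flow("10.1.0.0", "0.0.255.255", "192.168.10.0", "0.0.0.255")]
REMOTE_FLOWS_OK = [Flow("192.168.10.0", "0.0.0.255", "10.1.0.0", "0.0.255.255")]
REMOTE_FLOWS_BAD = [Flow("192.168.10.0", "0.0.0.255", "10.2.0.0", "0.0.255.255")]   # typo'd HQ prefix

if __name__ == "__main__":
    print(is_protected(LOCAL_FLOWS, "10.1.200.5", "192.168.10.77"))
    print(mirror_mismatches(LOCAL_FLOWS, REMOTE_FLOWS_BAD))
```

The mismatch check is the one worth running before a tunnel is brought up: a remote side whose flow does not mirror the local definition leaves traffic in one direction either unprotected or dropped, and the symptom (one-way connectivity) is far less informative than the key comparison above.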