Configuration Guide - WLAN-AC

S5700 and S6720 V200R012C00

This document describes the configurations of WLAN, including WLAN Service Configuration, Radio Resource Management, Roaming, WLAN QoS, WLAN Security, WDS, Mesh, Location, Hotspot 2.0, Dual-Link Cold Backup, N+1 Backup.

Configuring a VAP

You can configure different VAP profiles and deliver configurations in the profiles to APs to provide differentiated WLAN services.

Creating a VAP Profile

Context

After you create a VAP profile, configure parameters in the profile. After the profile is applied in the AP group view, AP view, AP radio view, or AP group radio view, VAPs are generated and can provide wireless access services for STAs. You can configure different parameters in the VAP profile to enable APs to provide different wireless services.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    A VAP profile is created, and the VAP profile view is displayed.

    By default, the system provides the VAP profile default.

Configuring a Data Forwarding Mode

Context

Data on a WLAN involves control packets (management packets) and data packets. Control packets are forwarded through CAPWAP control tunnels. Data packets are forwarded in tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode according to whether data packets are forwarded through CAPWAP data tunnels.

Table 4-9 compares tunnel forwarding and direct forwarding.

Table 4-9  Comparison of tunnel forwarding and direct forwarding

| Data Forwarding Mode | Advantage | Disadvantage |
|---|---|---|
| Tunnel forwarding | An AC forwards data packets in a centralized manner, ensuring security and facilitating centralized management and control. | Service data must be forwarded by an AC, reducing packet forwarding efficiency and burdening the AC. |
| Direct forwarding | Service data packets do not need to be forwarded by an AC, improving packet forwarding efficiency and reducing the burden on the AC. | Service data packets cannot be centrally managed or controlled. |

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run forward-mode { direct-forward | tunnel }

    A data forwarding mode is configured in a VAP profile.

    By default, the forwarding mode is direct-forward in the VAP profile.

Configuring Service VLANs

Context

Layer 2 data packets delivered from a VAP to an AP carry the service VLAN IDs.

Since WLANs provide flexible access modes, STAs may connect to the same WLAN at the office entrance or stadium entrance, and then roam to different APs.
  • If a single VLAN is configured as the service VLAN, IP address resources may become insufficient in areas where many STAs access the WLAN, and IP addresses in the other areas are wasted.

  • After a VLAN pool is created, add multiple VLANs to the VLAN pool and configure the VLANs as service VLANs. In this way, an SSID can use multiple service VLANs to provide wireless access services. STAs are dynamically assigned to VLANs in the VLAN pool, which reduces the number of STAs in each VLAN and also the size of the broadcast domain. Additionally, IP addresses are evenly allocated, preventing IP address waste.

    VLAN assignment algorithms include even and hash.

    • When the VLAN assignment algorithm is set to even, service VLANs are assigned to STAs from the VLAN pool based on the order in which STAs go online. Address pools mapping the service VLANs evenly assign IP addresses to STAs. If a STA goes online many times, it obtains different IP addresses.

    • When the VLAN assignment algorithm is set to hash, VLANs are assigned to STAs from the VLAN pool based on the hash result of their MAC addresses. As long as the VLANs in the VLAN pool do not change, the STAs obtain fixed service VLANs. A STA is preferentially assigned the same IP address when going online at different times.
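
The difference between the two algorithms, as an added Python model that is not part of the Huawei guide. Assumptions: even is modelled as round-robin over the order in which STAs go online, hash as CRC32 of the MAC address modulo the pool size (the device's real hash function is not given on this page), and the STA MAC addresses and VLAN IDs are constructed.

```python
"""Toy model of VLAN-pool assignment ('even' vs 'hash').

Assumptions: 'even' is round-robin over the order in which STAs go online;
'hash' is CRC32(MAC) mod pool size. CRC32 is only a stand-in for the
device's undocumented hash function.
"""
import zlib
from collections import Counter


def mac_bytes(mac):
    """Accept xx:xx:..., xx-xx-... or xxxx-xxxx-xxxx and return 6 raw bytes."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


class VlanPool:
    def __init__(self, vlans, assignment="hash"):  # hash is the documented default
        if assignment not in ("even", "hash"):
            raise ValueError("assignment must be 'even' or 'hash'")
        if not vlans:
            raise ValueError("a VLAN pool needs at least one VLAN")
        self.vlans = sorted(vlans)
        self.assignment = assignment
        self._online = 0  # how many STAs have gone online so far

    def assign(self, sta_mac):
        """Return the service VLAN for a STA that is going online now."""
        raw = mac_bytes(sta_mac)
        if self.assignment == "even":
            idx = self._online % len(self.vlans)
        else:
            idx = zlib.crc32(raw) % len(self.vlans)
        self._online += 1
        return self.vlans[idx]


def reconnects(pool, sta_mac, other_macs):
    """VLANs seen by one STA that goes online again after each other STA joins."""
    seen = [pool.assign(sta_mac)]
    for other in other_macs:
        pool.assign(other)
        seen.append(pool.assign(sta_mac))
    return seen


def moved_after_pool_change(macs, old_vlans, new_vlans):
    """STAs whose hash-assigned VLAN changes when the pool membership changes."""
    old, new = VlanPool(old_vlans, "hash"), VlanPool(new_vlans, "hash")
    return [m for m in macs if old.assign(m) != new.assign(m)]


# Constructed sample STAs (not real devices).
STAS = [f"00e0-fc12-34{i:02x}" for i in range(60)]

if __name__ == "__main__":
    vlans = [101, 102, 103]
    print("even, same STA reconnecting:",
          reconnects(VlanPool(vlans, "even"), STAS[0], STAS[1:3]))
    print("hash, same STA reconnecting:",
          reconnects(VlanPool(vlans, "hash"), STAS[0], STAS[1:3]))
    even = VlanPool(vlans, "even")
    print("even spread:", dict(Counter(even.assign(m) for m in STAS)))
    hashed = VlanPool(vlans, "hash")
    print("hash spread:", dict(Counter(hashed.assign(m) for m in STAS)))
    moved = moved_after_pool_change(STAS, vlans, vlans + [104])
    print(f"{len(moved)} of {len(STAS)} STAs change VLAN after adding VLAN 104")
```

With hash, the VLAN (and so the address pool) seen for a given MAC address stays the same between sessions only while the pool membership is unchanged, which is the condition the text above states.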

Note the following when adding service VLANs to the VLAN pool:

  • After a VLAN pool is configured to provide service VLANs, VLANs in the VLAN pool cannot be deleted. To delete the VLAN pool, cancel the service VLAN configuration of the VLAN pool.

  • In scenarios where a dual-stack address pool is configured, a STA successfully obtains an IP address if the VLAN pool has assigned an IPv4 or IPv6 address to it. In this case, the VLAN pool will not assign a new VLAN to the STA.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure a VLAN pool.

    This step is required when VLANs in a VLAN pool are used as service VLANs.

    1. Run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch.
    2. Run the vlan pool pool-name command to create a VLAN pool and enter the VLAN pool view.

      By default, no VLAN pool is created on a device.

    3. Run the vlan { start-vlan [ to end-vlan ] } &<1-10> command to add VLANs to the VLAN pool.

      By default, no VLAN is available in a VLAN pool.

    4. (Optional) Run the assignment { even | hash } command to configure a VLAN assignment algorithm in the VLAN pool.

      By default, the VLAN assignment algorithm is hash in a VLAN pool.

      The VLAN assignment algorithm configuration affects only newly connected STAs, but not those that have been connected to the network.

    5. Run the quit command to return to the system view.
  3. Run wlan

    The WLAN view is displayed.

  4. Run vap-profile name profile-name

    The VAP profile view is displayed.

  5. Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }

    A service VLAN is configured for a VAP.

    By default, VLAN 1 is the service VLAN of a VAP.

(Optional) Configuring the VAP Type

Context

Configure the VAP type based on the site requirements. Different VAP types are used depending on scenarios as follows:
  • If the type of a VAP is set to service, STAs connected to the VAP can only access network resources but not APs. Service VAPs are used in regular WLAN deployment scenarios.
  • If the type of a VAP is set to ap-management, STAs connected to the VAP can only access APs but not network resources. AP management VAPs are used in STA access and AP management scenarios.
  • If the type of a VAP is set to service-backup ap-offline, STAs can access the network through the backup service VAP after the AP goes offline. For example, on a headquarters-branch network, when APs at branches connect to the AC at the headquarters through a WAN, APs may go offline due to the WAN instability. You can configure a backup service VAP to allow new STAs to access the network if the AP goes offline.

  • If the type of a VAP is set to service-backup auth-server-down, the VAP is automatically enabled to allow network access of associated STAs when the authentication server is not accessible. When the authentication server recovers, this VAP is not automatically disabled. You can manually disable it if needed. If the authentication server is accessible but rejects user access, this VAP is not automatically enabled. You can manually enable it if needed. To enable or disable this VAP, run the vap-service-backup auth-server-down command.

When configuring VAP types, pay attention to the following points:
  • After the VAP type is configured in the VAP profile view, the VAPs generated by the VAP profile use the configured VAP type. The new VAP type will overwrite the old one.

  • For an AP management VAP:

    • Portal, MAC address, and 802.1X authentication using an external server are not supported.

    • After the type of a VAP is set to ap-management, a STA can connect to the AP only when an IP address in 169.254.2.x/24 is configured for the STA (any address except 169.254.2.1; 169.254.2.100 is recommended).

    • The VAP profile in which the VAP type is set to ap-management can be applied only to one radio of an AP.

  • For an AP-offline backup service VAP:

    • Only the open system, WEP, WPA+PSK, WPA2+PSK, and WPA-WPA2+PSK authentication modes are supported.

    • Service data can be forwarded only in direct mode.

    • When the number of configured AP-offline backup service VAPs reaches the maximum on the AP, if the offline management VAP function is enabled, the offline management VAP does not take effect when the AP goes offline.

  • For an authentication-server-down backup service VAP:

    • Only the open system, WEP, WPA+PSK, WPA2+PSK, and WPA-WPA2+PSK authentication modes are supported.

    • This VAP type is exclusive with the AP management VAP and AP-offline backup service VAP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run type { ap-management | service | service-backup ap-offline }

    The VAP type is configured.

    By default, the type of a VAP is service.

(Optional) Configuring the Scheduled VAP Auto-Off Function

Context

In actual WLAN applications, a network administrator may want to disable WLAN services during a specified period to ensure security and reduce power consumption. You can schedule the VAP to be disabled during that period.

This configuration is applicable to enterprises that want to disable WLAN services in a specified period for security or at midnight when the user service traffic volume is low.

  • The scheduled VAP auto-off function enabled in a VAP profile view takes effect only on the APs using the profile.

  • The scheduled VAP auto-off function enabled in a radio profile takes effect only on the APs using the profile. For details on how to configure the scheduled VAP auto-off function in a VAP profile view, see (Optional) Adjusting Radio Parameters.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Run undo service-mode disable

    The service mode of a VAP is enabled.

    By default, the service mode of a VAP is enabled.

    Enabling the service mode of a VAP is the prerequisite for normal VAP working.

  5. Run auto-off service start-time start-time end-time end-time

    The scheduled VAP auto-off function is enabled and the time range when the VAP is disabled is set.

    By default, the scheduled VAP auto-off function is disabled.

(Optional) Configuring MU-MIMO

Context

Carrier sense multiple access with collision avoidance (CSMA-CA) allows an air interface channel to be occupied only by one STA, and other STAs cannot communicate with the AP. After MU-MIMO is enabled, STAs supporting MU-MIMO can form an MU group to simultaneously receive downlink data from the same air interface channel, improving channel efficiency and overall downlink throughput.

In Figure 4-39, before MU-MIMO is enabled, when the AP is communicating with STA_1, other STAs such as STA_2 cannot communicate with the AP. After MU-MIMO is enabled, the AP can communicate with multiple STAs simultaneously, improving air interface efficiency.

Figure 4-39  Communication before and after MU-MIMO is enabled
  • Only the 802.11ac wave2 APs support MU-MIMO on 5 GHz radios.

  • In WDS scenarios, ensure that the number of spatial streams on STA VAPs is smaller than that on AP VAPs. Otherwise, MU-MIMO cannot take effect. For example, if STA VAPs and AP VAPs are both configured with three spatial streams, an AP VAP can communicate with only one STA VAP even if MU-MIMO has been enabled.

  • MU-MIMO is not supported on a Mesh network.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run ssid-profile name profile-name

    An SSID profile is created and the SSID profile view is displayed.

    By default, the system provides the SSID profile default.

  4. Run undo mu-mimo disable

    MU-MIMO is enabled.

    By default, the MU-MIMO function is enabled.

  5. (Optional) Run mu-mimo optimize enable

    MU-MIMO optimization is enabled.

    In an environment with less interference, you can enable the MU-MIMO optimization function to meet requirements for high downlink throughput of the AP.

  6. Run vap-profile name profile-name

    The VAP profile view is displayed.

  7. Run ssid-profile profile-name

    The SSID profile is bound to a VAP profile.

    By default, the SSID profile default is bound to a VAP profile.

(Optional) Configuring the Device to Forcibly Disconnect STAs Without Traffic

Context

After the device is enabled to monitor user traffic and forcibly disconnect STAs without traffic, a STA meeting all the following conditions is forcibly disconnected after reassociation and going online:
  • The STA does not send DHCP Request messages or receive ARP Reply packets within 5s after going online.
  • The IP address of the STA changes after roaming.
  • The STA has only uplink traffic but no downlink traffic.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run undo sta-network-detect disable

    The device is enabled to monitor user traffic and forcibly disconnect STAs without traffic.

    By default, the device is enabled to monitor user traffic and forcibly disconnect STAs without traffic.

(Optional) Adjusting VAP Parameters

Context

You can flexibly adjust VAP parameters to adapt to different network requirements.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. Adjust VAP parameters.

    Each item below gives the procedure, its command, and a description.

    • Enable the service mode of a VAP
      Command: undo service-mode disable
      Description: By default, the service mode of a VAP is enabled. Enabling the service mode of a VAP is the prerequisite for normal VAP working.

    • Configure an AP to insert the Option 82 field in DHCP packets sent from a STA

      • Enable an AP to insert the Option 82 field in DHCP packets sent from a STA
        Command: dhcp option82 insert enable
        Description: By default, the function of adding the Option 82 field to DHCP packets sent by STAs is disabled. A STA obtains an IP address through DHCP after going online. When the DHCP Request packet sent by the STA reaches an AP, the AP inserts the Option 82 field in the packet to send the AP's MAC address, SSID or name to the DHCP server. According to the Option 82 field, the DHCP server can determine the AP through which the STA goes online.

      • Configure the format of the Option 82 field inserted in DHCP packets sent from a STA
        Command: dhcp option82 { circuit-id | remote-id } format { ap-mac [ mac-format { normal | compact | hex } ] | ap-mac-ssid [ mac-format { normal | compact } ] | user-defined text | ap-name | ap-name-ssid }
        Description: By default, the format of the Option 82 field inserted in DHCP packets sent by STAs is ap-mac.

Configuring a Security Profile

Context

As WLAN technology uses radio signals to transmit service data, service data can easily be intercepted or tampered with by attackers when being transmitted on the open wireless channels. Security is critical to WLANs. You can create a security profile to configure security policies, which protect the privacy of users and ensure data transmission security on WLANs.

A security profile provides four WLAN security policies: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy has a series of security mechanisms, including the link authentication mechanism used to establish a wireless link, user authentication mechanism used when users attempt to connect to a wireless network, and data encryption mechanism used during data transmission.

If no security policy is configured during the creation of a security profile, the default authentication mode (open system authentication) is used. When a user searches for a wireless network, the user can connect to the wireless network without being authenticated.

The default security policy has low security. You are advised to configure a proper security policy. For details on how to configure security policies, see Security Policy Configuration.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run security-profile name profile-name

    A security profile is created, and the security profile view is displayed.

    By default, security profiles default, default-wds, and default-mesh are available in the system.

    After a security profile is created, you need to configure a proper security policy according to service requirements because the default security policy has security risks. For the detailed configuration, see Security Policy Configuration.

  4. Run quit

    Return to the WLAN view.

  5. Run vap-profile name profile-name

    The VAP profile view is displayed.

  6. Run security-profile profile-name

    The security profile is bound to a VAP profile.

    By default, the security profile default is bound to a VAP profile.
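
An added audit sketch in Python (not part of the Huawei guide) for the defaults described above: it lists VAP profiles that end up with open system authentication, either because no security profile was bound or because the bound profile has no security policy. Assumptions: the input is a saved configuration in indented layout that does not write out default values, the sample excerpt and its profile names are constructed, and a `security open` line is treated as explicit open system authentication.

```python
"""Audit sketch: which VAP profiles end up with open system authentication?

Assumptions: the input is a saved configuration in the usual indented layout,
and default values are not written out, so a missing line means the default.
"""
import re

# Constructed excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
wlan
 security-profile name corp-sec
  security wpa2 psk pass-phrase <redacted> aes
 security-profile name lobby-sec
 ssid-profile name corp
  ssid corp-wlan
 vap-profile name corp-vap
  forward-mode tunnel
  service-vlan vlan-pool staff
  ssid-profile corp
  security-profile corp-sec
 vap-profile name lobby-vap
  ssid-profile corp
  security-profile lobby-sec
 vap-profile name lab-vap
  service-vlan vlan-id 30
"""

HEADER = re.compile(r"^(security-profile|vap-profile) name (\S+)$")


def parse_profiles(config_text):
    """Return ({security profile: [policy lines]}, {VAP profile: {keyword: rest}})."""
    sec = {"default": []}   # built-in profile; no policy unless one is configured
    vap = {}
    current = None          # (kind, name, indent) of the profile view we are in
    for line in config_text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip(" "))
        header = HEADER.match(body)
        if header:
            kind, name = header.groups()
            current = (kind, name, indent)
            if kind == "security-profile":
                sec.setdefault(name, [])
            else:
                vap.setdefault(name, {})
            continue
        if current is None or indent <= current[2]:
            current = None  # some other view; ignore its lines
            continue
        kind, name, _ = current
        if kind == "security-profile":
            if body.startswith("security "):
                sec[name].append(body)
        else:
            keyword, _, rest = body.partition(" ")
            vap[name][keyword] = rest
    return sec, vap


def audit(config_text):
    """List (vap_profile, security_profile, reason) for VAPs on open system auth."""
    sec, vap = parse_profiles(config_text)
    findings = []
    for name in sorted(vap):
        explicit = "security-profile" in vap[name]
        bound = vap[name].get("security-profile", "default")
        policies = sec.get(bound)
        if policies is None:
            findings.append((name, bound, "bound security profile is not defined in this file"))
        elif not policies or "security open" in policies:
            how = "explicitly bound" if explicit else "bound by default"
            findings.append((name, bound, f"{how}; open system authentication"))
    return findings


if __name__ == "__main__":
    for vap_name, sec_name, reason in audit(SAMPLE_CONFIG):
        print(f"vap-profile {vap_name}: security-profile {sec_name} ({reason})")
```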

Configuring an SSID Profile

Context

SSIDs identify different wireless networks. When you search for available wireless networks on your laptop, the displayed wireless network names are SSIDs. In an SSID profile, you can define an SSID name and configure related parameters. After the SSID profile configuration is complete, bind the SSID profile to a VAP profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run ssid-profile name profile-name

    An SSID profile is created, and the SSID profile view is displayed.

    By default, the system provides the SSID profile default.

  4. Run ssid ssid

    An SSID name is configured.

    By default, the SSID HUAWEI-WLAN is configured in an SSID profile.

    The value is a string of 1 to 32 case-sensitive characters. It supports Chinese characters or Chinese + English characters, without tab characters.

  5. (Optional) Run ssid-hide enable

    SSID hiding in Beacon frames is enabled.

    By default, SSID hiding in Beacon frames is disabled in an SSID profile.

    When creating a WLAN, configure an AP to hide the SSID of the WLAN to ensure security. Only the users who know the SSID can connect to the WLAN.

  6. (Optional) Run advertise-ap-name enable

    Beacon frames are enabled to carry the AP name.

    By default, Beacon frames do not carry the AP name.

  7. (Optional) Run max-sta-number max-sta-number

    The maximum number of successfully associated STAs on a VAP is configured.

    By default, a VAP allows for a maximum of 64 successfully associated STAs.

    More access users on a VAP indicate fewer network resources that each user can occupy. To ensure Internet experience of users, you can configure a proper maximum number of access users on a VAP according to actual network situations.

  8. (Optional) Run reach-max-sta hide-ssid disable

    APs are disabled from automatically hiding SSIDs when the number of users reaches the maximum.

    By default, automatic SSID hiding is enabled when the number of users reaches the maximum.

    After automatic SSID hiding is enabled, SSIDs are automatically hidden when the number of users connected to the WLAN reaches the maximum, and SSIDs are unavailable for new users.

  9. (Optional) Run legacy-station [ only-dot11b ] disable

    Access of non-HT STAs is denied.

    By default, access of non-HT STAs is permitted.

    Non-HT STAs support only 802.11a/b/g and provide a data transmission rate far smaller than the rate of 802.11n/ac STAs. If the non-HT STAs access the wireless network, the data transmission rate of 802.11n/ac STAs will be reduced. To prevent the transmission rate of 802.11n/ac STAs from being affected, you can run the legacy-station [ only-dot11b ] disable command to deny access of all or only 802.11b-compliant non-HT STAs.

    After the legacy-station disable command is run, the access of non-HT STAs supporting only 802.11a/b/g fails to be denied if any of the following functions is configured on the non-HT STAs:
    • WMM function in a 2G or 5G radio profile disabled using the wmm disable command
    • Pre-shared key authentication and TKIP encryption for WPA/WPA2 configured using the security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value tkip command when the security profile is used
    • 802.1X authentication and TKIP encryption for WPA/WPA2 configured using the security { wpa | wpa2 | wpa-wpa2 } dot1x tkip command when the security profile is used
    • WEP shared key authentication mode configured using the security wep [ share-key ] command when the security profile is used
    • 802.11b/g radio type in the 2G radio profile configured using the radio-type { dot11b | dot11g } command
    • 802.11a radio type in the 5G radio profile configured using radio-type dot11a command

    After the legacy-station only-dot11b disable command is run, the access of non-HT STAs supporting only 802.11b is denied. If 802.11b radio type in the 2G radio profile has been configured using the radio-type dot11b command, the access of non-HT STAs supporting only 802.11b fails to be denied.

  10. (Optional) Run single-txchain enable

    The single-antenna transmission mode is enabled.

    By default, the single-antenna transmission mode is disabled.

    Only 802.11ac Wave 2 APs support the single-antenna transmission mode.

  11. (Optional) Run association-timeout association-timeout

    The association aging time of STAs is configured.

    By default, the association aging time is 5 minutes.

    After the association aging time of STAs is configured, if the AP receives no data packet from a STA in a specified time, the STA goes offline after the association aging time expires.

  12. (Optional) Run dtim-interval dtim-interval

    A DTIM interval is configured.

    By default, the DTIM interval is 1.

    The DTIM interval specifies how many Beacon frames are sent before the Beacon frame that contains the DTIM. An AP sends a Beacon frame to wake a STA in power-saving mode, indicating that the saved broadcast and multicast frames will be transmitted to the STA.

    • A short DTIM interval helps transmit data in a timely manner, but the STA is wakened frequently, causing high power consumption.
    • A long DTIM interval lengthens the dormancy time of a STA and saves power, but degrades the transmission capability of the STA.

  13. (Optional) Run u-apsd enable

    The U-APSD function is enabled.

    By default, the U-APSD function is disabled.

    If some STAs on the network do not support the U-APSD function, disable the U-APSD function.

  14. (Optional) Run active-dull-client enable

    The function of preventing terminals from entering energy-saving mode is enabled.

    By default, the function of preventing terminals from entering energy-saving mode is disabled.

    Due to individual reasons, some terminals may not run services normally when entering energy-saving mode. You can run the active-dull-client enable command to enable the function of preventing terminals from entering energy-saving mode. After that, an AP frequently sends null data frames to these terminals to prevent them from entering energy-saving mode, ensuring normal services.

  15. (Optional) Run qbss-load enable

    APs are enabled to notify STAs of their load.

    By default, the function of notifying STA of the AP load is disabled.

  16. Run quit

    Return to the WLAN view.

  17. Run vap-profile name profile-name

    The VAP profile view is displayed.

  18. Run ssid-profile profile-name

    The SSID profile is bound to a VAP profile.

    By default, the SSID profile default is bound to a VAP profile.

Binding VAP Profiles

Context

After the configuration in a VAP profile is complete, you need to bind the VAP profile to an AP group, AP, AP radio, or AP group radio. After being delivered to APs, the configuration in a VAP profile can take effect on the APs.

After a VAP profile is applied to an AP group or AP, the parameter settings in the profile take effect on all radios of the AP group or AP. After a radio profile is applied in the AP group radio or AP radio view, the parameter settings in the profile take effect on the specified AP radio or radios in the AP group.

Procedure

  • Bind a VAP profile to an AP group.
    1. Run the system-view command to enter the system view.
    2. Run the wlan command to enter the WLAN view.
    3. Run the ap-group name group-name command to enter the AP group view.
    4. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } } command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

  • Bind a VAP profile to an AP.
    1. Run the system-view command to enter the system view.
    2. Run the wlan command to enter the WLAN view.
    3. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
    4. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } } command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

  • Apply a VAP profile in the AP group radio view.
    1. Run the system-view command to enter the system view.
    2. Run the wlan command to enter the WLAN view.
    3. Run the ap-group name group-name command to enter the AP group view.
    4. Run the radio radio-id command to enter the radio view.
    5. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

  • Apply a VAP profile in the AP radio view.
    1. Run the system-view command to enter the system view.
    2. Run the wlan command to enter the WLAN view.
    3. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
    4. Run the radio radio-id command to enter the radio view.
    5. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile to the radio.

      By default, no VAP profile is bound to a radio.

Verifying the VAP, Security, and SSID Profile Configuration

Prerequisites

The configuration of the VAP, security, and SSID profiles is complete.

Procedure

  • Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service VAP information.
  • Run the display vap-profile { all | name profile-name } command to check configuration and reference information about a VAP profile.
  • Run the display references vap-profile name profile-name command to check reference information about a VAP profile.
  • Run the display security-profile { all | name profile-name } command to check configuration and reference information about a security profile.
  • Run the display references security-profile name profile-name command to check reference information about a security profile.
  • Run the display ssid-profile { all | name profile-name } command to check configuration and reference information about an SSID profile.
  • Run the display references ssid-profile name profile-name command to check reference information about an SSID profile.
  • Run the display vlan pool { name pool-name | all [ verbose ] } command to check configurations in a VLAN pool.
  • Run the display references vlan pool pool-name command to check reference information about a VLAN pool.
  • Run the display vap create-fail-record all command to check records about VAP creation failures.
  • Run the display wlan config-errors command to check WLAN configuration errors.
Updated: 2018-12-24

Document ID: EDOC1100038361