eSight V300R010C00 Operation Guide 07

Typical Configuration Examples

This section provides configuration examples for typical application scenarios to help users complete operations in their actual deployments.

Example for Manually Adding an AC to Enable APs to Be Automatically Added to eSight

This topic uses an example to describe how to manually add an AC to eSight to enable APs to be automatically added to eSight.

Networking Requirements

On the network of company M, multiple APs are connected to an AC. Network administrator Tod wants all APs to be added to eSight quickly to facilitate subsequent WLAN service configuration.

Figure 12-71 Network diagram
Data Plan
Table 12-63 Basic data

| Item | Data |
| --- | --- |
| eSight: IP address | 10.137.58.162 (If southbound and northbound services are separated for eSight, the eSight IP address here refers to the southbound IP address.) |
| eSight: Host name | eSight |
| AC: SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| AC: Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| AC: Management IP address | 10.137.58.11 |

Configuration Roadmap
  1. Configure a reachable route between the AC and eSight, so that eSight can manage all devices on the LAN.
  2. Set SNMP and Telnet parameters on the AC, so that all devices can be added to eSight.
  3. Enable first-time authentication for the SSH client on the AC.
  4. Use SFTP to transfer files between eSight and ACs.
  5. Add the AC to eSight.
  6. Verify that APs are synchronized to eSight.
Procedure
  1. Configure a reachable route between the AC and eSight. For the detailed operation procedure, see the related document of the AC.
  2. Set SNMP and Telnet parameters on the AC.
    NOTE:

    The AC of the V200R006C10 version is used as an example to describe the configuration process. If another version is used, perform configuration based on the related document.

    # Set SNMP parameters on the AC.

    <AC6605>system-view 
    [AC6605]snmp-agent 
    [AC6605]snmp-agent sys-info version v2c  
    [AC6605]snmp-agent community read public123 
    [AC6605]snmp-agent community write private123 
    [AC6605]snmp-agent trap enable 
    Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    [AC6605]snmp-agent target-host trap-paramsname trapnms v2c securityname public123 
    [AC6605]snmp-agent target-host trap-hostname eSight address 10.137.58.162 trap-paramsname trapnms 
    [AC6605]quit

    # Set Telnet parameters on the AC.

    <AC6605>system-view 
    [AC6605]telnet server enable 
    [AC6605]user-interface maximum-vty 15 
    [AC6605]user-interface vty 0 14 
    [AC6605-ui-vty0-14]authentication-mode aaa 
    [AC6605-ui-vty0-14]protocol inbound telnet 
    [AC6605-ui-vty0-14]quit 
    [AC6605]aaa 
    [AC6605-aaa]local-user huawei password irreversible-cipher huawei123 
    [AC6605-aaa]local-user huawei privilege level 15 
    [AC6605-aaa]local-user huawei service-type telnet 
    [AC6605-aaa]quit 
    [AC6605]quit     
  3. Enable first-time authentication for the SSH client on the AC so that APs can be synchronized to eSight successfully. This function is disabled by default.
    <AC6605>system-view 
    [AC6605]ssh client first-time enable
  4. Use SFTP to transfer files between eSight and ACs.

    FTP and TFTP pose potential security risks, so exercise caution when using them. SFTP is more secure than FTP and TFTP and is recommended.

    • In the Windows scenario:
      1. Log in to the eSight server as the Administrator user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the D:\eSight\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml file is true.
        NOTE:

        In the file name, D:\eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
    • In the Linux scenario:
      1. Log in to the eSight server as the root user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the /opt/eSight/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml file is true.
        NOTE:

        In the file name, /opt/eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
  5. Add the AC to eSight.
    1. Choose Resource > Common > Add Resource > Add Resource from the main menu.
    2. Set SNMP and Telnet parameters and click OK.

    3. Test the settings of the SNMP and Telnet parameters.
      1. Choose Resource > Network > Equipment > Network Device from the main menu. Click the new device name.
      2. In the navigation on the left, choose Protocol Parameters > Telnet Parameters. Click Edit Telnet Parameter. Then click Test and view the test result. If the test fails, set parameters on the current page.

      3. In the navigation on the left, choose Protocol Parameters > SNMP Parameters. Click Edit SNMP Parameters. Then click Test and view the test result. If the test fails, set parameters on the current page.

  6. Verify that APs are synchronized to eSight.
    1. Choose System > System Settings > Southbound Devices from the main menu and choose Network Management Parameter Setting from the navigation tree on the left.

    2. Set AP Info Rolling interval and click Apply. eSight starts AP information polling and synchronizes APs.

    3. Choose System > System Management > Log Management from the main menu.

    4. Choose System Logs in the navigation tree to check whether AP information polling is successful.

      If AP information polling is successful, APs are added to eSight. Otherwise, rectify the fault by referring to "After an AC Is Added to eSight, eSight Fails to Discover Associated APs. Why?"
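
Steps 2 and 3 leave the AC managed over SNMPv2c and Telnet and make its SSH client accept an unknown server key on first contact. The following Python audit is an added example, not part of the Huawei guide: it scans a pasted AC session for exactly those commands so the settings can be inventoried and reviewed. The rule names and the sample session are constructed for illustration.

```python
import re

# Constructed sample: commands from steps 2 and 3 above, pasted with prompts.
SAMPLE_SESSION = """\
<AC6605>system-view
[AC6605]snmp-agent sys-info version v2c
[AC6605]snmp-agent community read public123
[AC6605]snmp-agent community write private123
[AC6605]telnet server enable
[AC6605]user-interface vty 0 14
[AC6605-ui-vty0-14]authentication-mode aaa
[AC6605-ui-vty0-14]protocol inbound telnet
[AC6605-ui-vty0-14]quit
[AC6605]aaa
[AC6605-aaa]local-user huawei password irreversible-cipher huawei123
[AC6605-aaa]local-user huawei privilege level 15
[AC6605-aaa]local-user huawei service-type telnet
[AC6605-aaa]quit
[AC6605]ssh client first-time enable
"""

# Leading "<name>" or "[name-view]" prompt of a pasted session line.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")

# (rule id, pattern on the prompt-stripped command, why it matters)
LINE_RULES = [
    ("SNMP_COMMUNITY_AUTH",
     re.compile(r"^snmp-agent sys-info version\b.*\b(?:v1|v2c|all)\b"),
     "SNMPv1/v2c authenticate with a community string sent unencrypted"),
    ("SNMP_WRITE_COMMUNITY",
     re.compile(r"^snmp-agent community write\b"),
     "a write community permits SNMP set operations with that string alone"),
    ("TELNET_SERVER",
     re.compile(r"^telnet server enable\b"),
     "Telnet carries the login and the whole session in cleartext"),
    ("VTY_TELNET",
     re.compile(r"^protocol inbound (?:telnet|all)\b"),
     "the VTY lines accept Telnet logins"),
    ("SSH_FIRST_TIME",
     re.compile(r"^ssh client first-time enable\b"),
     "the SSH client saves an unknown server key on first connection "
     "without checking it against a preconfigured key"),
]

# local-user lines that set the privilege level or the allowed service types.
LOCAL_USER = re.compile(
    r"^local-user (?P<name>\S+) "
    r"(?:privilege level (?P<level>\d+)|service-type (?P<services>.+))$")


def audit_mgmt_plane(session):
    """Return (rule_id, evidence, reason) tuples for a pasted AC session."""
    findings, users = [], {}
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw, count=1).strip()
        for rule_id, pattern, reason in LINE_RULES:
            if pattern.search(cmd):
                findings.append((rule_id, cmd, reason))
        m = LOCAL_USER.match(cmd)
        if m:
            user = users.setdefault(
                m.group("name"), {"level": None, "services": set()})
            if m.group("level"):
                user["level"] = int(m.group("level"))
            if m.group("services"):
                user["services"].update(m.group("services").split())
    # The account-level finding combines two local-user lines, so it comes last.
    for name, user in sorted(users.items()):
        if "telnet" in user["services"]:
            findings.append((
                "TELNET_LOCAL_USER",
                f"local-user {name} (privilege level {user['level']})",
                "this account's password crosses the network in cleartext"))
    return findings


if __name__ == "__main__":
    for rule_id, evidence, reason in audit_mgmt_plane(SAMPLE_SESSION):
        print(f"{rule_id:22} {evidence}\n{'':22} -> {reason}")
```
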

Verification

You can run commands on the AC and then compare the AP information in the command output with that on eSight.

  1. Run the display ap all command on the AC and check whether APs go online.
    <AC6605>display ap all                                                          
    Info: This operation may take a few seconds. Please wait for a moment.done.      
    Total AP information:                                                            
    fault: fault           [2]                                                       
    idle : idle            [7]                                                       
    ------------------------------------------------------------------------------------------------------------------------------       
    ID   MAC            Name                            Group                       IP Type            State STA Uptime                  
    ------------------------------------------------------------------------------------------------------------------------------       
    0    2222-2222-4422 fsaa1                           www                         -  -               idle  0   -                       
    1    0006-5635-1215 ww02                            www                         -  -               idle  0   -                       
    2    0002-2312-2323 w2                              default                     -  -               idle  0   -                       
    3    9003-2554-f300 9003-2554-f300                  default                     -  AP5030DN        idle  0   -                       
    4    9003-2554-f0a0 <script>alert(1)</script>       <script>alert("1")</script> -  AP5030DN        idle  0   -                       
    5    9003-2554-f2a0 <script>alert(2)</script>       default                     -  AP5030DN        fault 0   -                       
    6    9003-2554-f320 <script>alert(9-90-20)</script> default                     -  AP5030DN        fault 0   -                       
    7    0002-0103-0102 w4                              default                     -  -               idle  0   -                       
    8    0002-0301-0506 w5                              default                     -  -               idle  0   -                       
    ------------------------------------------------------------------------------------------------------------------------------       
    Total: 9  
  2. Log in to eSight. Choose Resource > Network > Equipment > WLAN Resources from the main menu.

  3. Choose AP from the navigation tree, view information about all APs connected to the current AC on the right, and verify that the AP information is consistent with the command output displayed on the AC.
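
The comparison in this verification can be scripted. The parser below is an added example, not part of the Huawei guide: it reads `display ap all` output, checks the rows against the device's own totals, diffs them against an eSight-side list, and HTML-escapes AP names and groups before they are displayed, because they are device-supplied strings (the sample output above contains names made of markup). The eSight record format and all function names are assumptions, and the sample is constructed from rows of the output above.

```python
import html
import re

# Constructed sample: a subset of the rows shown above. Column spacing is not
# significant to the parser, which splits on whitespace.
SAMPLE_OUTPUT = """\
<AC6605>display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
fault: fault           [1]
idle : idle            [3]
----------------------------------------------------------------------
ID   MAC            Name                      Group   IP Type     State STA Uptime
----------------------------------------------------------------------
0    2222-2222-4422 fsaa1                     www     -  -        idle  0   -
3    9003-2554-f300 9003-2554-f300            default -  AP5030DN idle  0   -
4    9003-2554-f0a0 <script>alert(1)</script> <script>alert("1")</script> -  AP5030DN idle  0   -
5    9003-2554-f2a0 <script>alert(2)</script> default -  AP5030DN fault 0   -
----------------------------------------------------------------------
Total: 4
"""

# Constructed eSight-side records (hypothetical format, keyed by AP MAC).
SAMPLE_ESIGHT = [
    {"mac": "2222-2222-4422", "name": "fsaa1", "state": "idle"},
    {"mac": "9003-2554-f300", "name": "9003-2554-f300", "state": "idle"},
    {"mac": "9003-2554-f0a0", "name": "<script>alert(1)</script>", "state": "idle"},
]

FIELDS = ("id", "mac", "name", "group", "ip", "type", "state", "sta", "uptime")
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)
SUMMARY_RE = re.compile(r"^(\w+)\s*:\s*\w+\s+\[(\d+)\]$")   # "idle : idle  [7]"
TOTAL_RE = re.compile(r"^Total:\s*(\d+)$")
SAFE_TEXT = re.compile(r"^[A-Za-z0-9._:-]+$")               # conservative set


def parse_display_ap_all(text):
    """Parse AP rows plus the summary counters printed around them."""
    parsed = {"aps": [], "summary": {}, "total": None, "unparsed": []}
    for line in (raw.strip() for raw in text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:
            parsed["summary"][m.group(1)] = int(m.group(2))
            continue
        m = TOTAL_RE.match(line)
        if m:
            parsed["total"] = int(m.group(1))
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and MAC_RE.match(parts[1]):
            # Assumes no whitespace inside a field; anything else is kept
            # aside rather than misread into the wrong columns.
            if len(parts) == len(FIELDS):
                parsed["aps"].append(dict(zip(FIELDS, parts)))
            else:
                parsed["unparsed"].append(line)
    return parsed


def consistency_issues(parsed):
    """Check parsed rows against the totals the AC printed itself."""
    issues = [f"unparsed row: {row}" for row in parsed["unparsed"]]
    if parsed["total"] is not None and parsed["total"] != len(parsed["aps"]):
        issues.append(f"Total says {parsed['total']}, parsed {len(parsed['aps'])}")
    counts = {}
    for ap in parsed["aps"]:
        counts[ap["state"]] = counts.get(ap["state"], 0) + 1
    for state, expected in sorted(parsed["summary"].items()):
        if counts.get(state, 0) != expected:
            issues.append(f"{state}: summary {expected}, rows {counts.get(state, 0)}")
    return issues


def diff_against_esight(aps, esight_records):
    """Return (mac, difference) pairs between AC rows and eSight records."""
    by_mac = {rec["mac"].lower(): rec for rec in esight_records}
    diffs = []
    for ap in aps:
        rec = by_mac.pop(ap["mac"].lower(), None)
        if rec is None:
            diffs.append((ap["mac"], "missing in eSight"))
            continue
        for key in ("name", "state"):
            if rec.get(key) != ap[key]:
                diffs.append((ap["mac"], f"{key}: AC={ap[key]!r} eSight={rec.get(key)!r}"))
    diffs.extend((mac, "not reported by AC") for mac in sorted(by_mac))
    return diffs


def untrusted_text_fields(aps):
    """Return (mac, field, escaped value) for names/groups outside SAFE_TEXT."""
    return [(ap["mac"], field, html.escape(ap[field]))
            for ap in aps for field in ("name", "group")
            if not SAFE_TEXT.match(ap[field])]


if __name__ == "__main__":
    result = parse_display_ap_all(SAMPLE_OUTPUT)
    print(consistency_issues(result))
    print(diff_against_esight(result["aps"], SAMPLE_ESIGHT))
    print(untrusted_text_fields(result["aps"]))
```
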

Example for Configuring Tunnel Forwarding on a Layer 3 Network Where an AC is Deployed in Bypass Mode

This example describes how to use eSight to configure basic WLAN services in a scenario with an AC.

Networking Requirement

A network carrier plans to provide WLAN access services for a residential area, where two APs are deployed and connect to an AC through an access switch and an aggregation switch. The AC connects to the egress gateway Router through the aggregation switch. The AC is connected to the network in bypass mode. STAs are controlled and managed on the AC in a centralized manner. Figure 12-72 shows the network. A WLAN named huawei will be deployed for user access anytime anywhere. In addition, the AC will function as a DHCP server for allocating IP addresses to the AP and STAs.

Figure 12-72 Network diagram
Data Plan
Table 12-64 Basic data

| Item | Data |
| --- | --- |
| eSight: IP address | 10.137.58.162 (If southbound and northbound services are separated for eSight, the eSight IP address here refers to the southbound IP address.) |
| eSight: Host name | eSight |
| Aggregation switch: SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| Aggregation switch: Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| Aggregation switch: Management IP address | 10.137.240.116 |
| Access switch: SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| Access switch: Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| Access switch: Management IP address | 10.137.240.117 |
| AC: SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| AC: Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| AC: Management IP address | 10.137.240.42 |
| VLAN | Management VLAN: 92; Service VLAN: 101 |
| DHCP server | The AC functions as the DHCP server for STAs and APs. |
| Gateway of the AP | VLANIF92: 192.168.92.1/24 |
| IP address pool of the AP | 192.168.92.2-192.168.92.254/24 |
| Gateway of the STAs | VLANIF101: 192.168.101.1/24 |
| IP address pool of the STAs | 192.168.101.2-192.168.101.254/24 |
| AP authentication mode | MAC address authentication |
| VAP Profile | Name: huawei; VLAN ID: 101; Data forwarding mode: tunnel forwarding; Referenced profiles: SSID Profile huawei, security profile huawei, and traffic profile default (preset profile). |
| SSID profile | Name: huawei; SSID: huawei |
| Security profile | Name: huawei; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| RF Profile | Name: default (preset profile) |
| AP profile | Name: default (preset profile) |
| AP: AP1 | Name: AP-1; MAC address: F8-4A-BF-69-4E-20 |
| AP: AP2 | Name: AP-2; MAC address: D4-B1-10-AB-FB-40 |

Table 12-65 Channel configuration

| Interface Group | Interface Group | Allow Pass VLAN | Default VLAN |
| --- | --- | --- | --- |
| interfacegroup1 | Access switch: GE 0/0/2 and GE 0/0/3 | 92 | 92 |
| interfacegroup2 | Aggregation switch: GE 0/0/1; Access switch: GE 0/0/1 | 92 | |
| interfacegroup3 | Aggregation switch: GE 0/0/3 | 101 | |
| interfacegroup4 | Aggregation switch: GE 0/0/2; AC: GE 0/0/1 | 92 and 101 | |

Configuration Roadmap
  1. Configure a reachable route between the AC and eSight, so that eSight can manage all devices on the LAN.
  2. Set SNMP and Telnet parameters on the switches and AC, so that all the devices on the LAN can be added to eSight.
  3. Enable first-time authentication for the SSH client on the AC.
  4. Use SFTP to transfer files between eSight and ACs.
  5. Add the switches and AC to eSight.
  6. Configure the VLANIF interface and address pool on the AC.
  7. Create device interface groups so that VLAN channels can be configured.
  8. Configure an AP whitelist on the AC so that APs can go online automatically after being powered on.
  9. Configure VLAN channels between the APs and AC.
  10. Configure basic AC information.
  11. Create WLAN service profiles.
  12. Create AP groups to facilitate profile binding.
  13. Bind profiles to AP groups to deploy WLAN services.
Procedure
  1. Configure a reachable route between the AC and eSight. For the detailed operation procedure, see the related document of the AC.
  2. Set SNMP and Telnet parameters on the AC.
    NOTE:

    The AC of the V200R006C10 version is used as an example to describe the configuration process. If another version is used, perform configuration based on the related document.

    # Set SNMP parameters on the AC.

    <AC6605>system-view 
    [AC6605]snmp-agent 
    [AC6605]snmp-agent sys-info version v2c  
    [AC6605]snmp-agent community read public123 
    [AC6605]snmp-agent community write private123 
    [AC6605]snmp-agent trap enable 
    Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    [AC6605]snmp-agent target-host trap-paramsname trapnms v2c securityname public123 
    [AC6605]snmp-agent target-host trap-hostname eSight address 10.137.58.162 trap-paramsname trapnms 
    [AC6605]quit

    # Set Telnet parameters on the AC.

    <AC6605>system-view 
    [AC6605]telnet server enable 
    [AC6605]user-interface maximum-vty 15 
    [AC6605]user-interface vty 0 14 
    [AC6605-ui-vty0-14]authentication-mode aaa 
    [AC6605-ui-vty0-14]protocol inbound telnet 
    [AC6605-ui-vty0-14]quit 
    [AC6605]aaa 
    [AC6605-aaa]local-user huawei password irreversible-cipher huawei123 
    [AC6605-aaa]local-user huawei privilege level 15 
    [AC6605-aaa]local-user huawei service-type telnet 
    [AC6605-aaa]quit 
    [AC6605]quit     
  3. Enable first-time authentication for the SSH client on the AC so that APs can be synchronized to eSight successfully. This function is disabled by default.
    <AC6605>system-view 
    [AC6605]ssh client first-time enable
  4. Use SFTP to transfer files between eSight and ACs.

    FTP and TFTP pose potential security risks, so exercise caution when using them. SFTP is more secure than FTP and TFTP and is recommended.

    • In the Windows scenario:
      1. Log in to the eSight server as the Administrator user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the D:\eSight\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml file is true.
        NOTE:

        In the file name, D:\eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
    • In the Linux scenario:
      1. Log in to the eSight server as the root user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the /opt/eSight/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml file is true.
        NOTE:

        In the file name, /opt/eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
  5. Add the switches and AC to eSight.

    The following uses the AC as an example.

    1. Choose Resource > Common > Add Resource > Add Resource from the main menu.
    2. Set SNMP and Telnet parameters and click OK.

    3. Test the settings of the SNMP and Telnet parameters.
      1. Choose Resource > Network > Equipment > Network Device from the main menu. Click the new device name.
      2. In the navigation on the left, choose Protocol Parameters > Telnet Parameters. Click Edit Telnet Parameter. Then click Test and view the test result. If the test fails, set parameters on the current page.
      3. In the navigation on the left, choose Protocol Parameters > SNMP Parameters. Click Edit SNMP Parameters. Then click Test and view the test result. If the test fails, set parameters on the current page.
  6. Configure interface groups.

    The following uses the interfacegroup1 as an example. For details about group members, see Table 12-65.

    1. Choose Resource > Common > Resources Group > Group Management from the main menu.
    2. Click next to User Defined to create interface groups.

  7. Configure an AP whitelist.
    1. Choose Resource > Network > Equipment > WLAN Resources from the main menu.

    2. Choose AC from the navigation tree.
    3. Click in the Operation column of the desired AC and add the MAC addresses of AP1 and AP2 to the whitelist.

  8. Configure a VLANIF and an address pool.
    1. Choose Resource > Network > WLAN Management > Configuration and Deployment from the main menu.

    2. Choose Basic Configuration > VLAN IF & Address Pool.
    3. Under Device Of Configuration, click select devices, and click Confirm.
    4. After clicking device names, click in the VLANIF And Address Pool Configure and select Create VLANIF.
    5. On the AC, create VLANIF 92 and VLANIF 101 and use interface addresses as the address pool.

  9. Configure channels between the AC and APs.
    1. Choose Basic Configuration > Channel Configuration.
    2. Click next to Interface Group and select the four interface groups.
    3. Configure allow pass VLAN and default VLAN for each interface group.

    4. Select names of the four interface groups and click to deliver configurations to the devices.
  10. Configure basic AC information.
    1. In the navigation tree on the left, click Global AC Configuration.
    2. Click next to AC to select the AC.
    3. Configure AC information.

    4. Select the name of the AC and click to deliver configurations to the device.
  11. Create profiles.
    1. Choose Resource > Network > Equipment > Network Device from the main menu.
    2. Click the AC name to open the AC Object Manager.
    3. Choose WLAN Feature > Profile Management.
    4. Create an SSID profile.

      In the navigation tree, choose VAP Profile > SSID Profile and click . Set parameters and click Confirm. In the displayed dialog box, click Deploy.

    5. Create a security profile.

      In the navigation tree, choose VAP Profile > Security Profile and click . Set parameters and click Confirm. In the displayed dialog box, click Deploy.

    6. Create a VAP profile.

      In the navigation tree, choose VAP Profile and click . Set parameters and click Confirm. In the displayed dialog box, click Deploy.

  12. Create AP groups.
    1. Choose WLAN Feature > AP Group.
    2. Click , create AP groups, and add APs.

  13. Bind profiles to the AP groups.
    1. Click the name of an AP group to open the profile binding page.
    2. In the navigation tree, choose VAP Profile and click . Set parameters and click Confirm.

    3. In the displayed dialog box, click Deploy to deploy profiles.
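
The check of med_node_1_svc.xml in step 4 can be automated on the eSight server. The following is an added example, not Huawei's tooling: only the `<config name="sftp">` element comes from the page, while the wrapping root element and the `ftp`/`tftp` config names are assumptions to adjust to the real file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample. Only the <config name="sftp"> element is taken from the
# page; the <configs> root and the "ftp" entry are assumptions.
SAMPLE_XML = """\
<configs>
  <config name="ftp">
    <param name="enable">false</param>
  </config>
  <config name="sftp">
    <param name="enable">true</param>
  </config>
</configs>
"""

# Assumed config names for the cleartext protocols the guide warns about.
CLEARTEXT_PROTOCOLS = ("ftp", "tftp")


def protocol_states(xml_text):
    """Map each <config name=...> that has an "enable" param to True/False."""
    root = ET.fromstring(xml_text)
    states = {}
    # iter() also yields the root, so the bare fragment from the page works.
    for config in root.iter("config"):
        name = (config.get("name") or "").strip().lower()
        for param in config.findall("param"):
            if param.get("name") == "enable":
                # Tolerate padding and case, e.g. " TRUE ".
                states[name] = (param.text or "").strip().lower() == "true"
    return states


def check_file_transfer(xml_text):
    """Return a list of problems; an empty list means SFTP only."""
    states = protocol_states(xml_text)
    problems = []
    if "sftp" not in states:
        problems.append("sftp: no enable parameter found")
    elif not states["sftp"]:
        problems.append("sftp: disabled")
    for proto in CLEARTEXT_PROTOCOLS:
        if states.get(proto):
            problems.append(f"{proto}: enabled")
    return problems


if __name__ == "__main__":
    # Pass the real path, e.g. the med_node_1_svc.xml under the installation
    # directory; without an argument the constructed sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_XML
    for line in check_file_transfer(text) or ["ok: sftp enabled"]:
        print(line)
```
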
Verification

When users in the residential area can find the SSID of the deployed WLAN and connect to it for Internet access, the WLAN service is successfully configured.

  1. Have a user search for WLAN huawei using a laptop.

  2. Have the user access the WLAN and query the allocated IP address.

  3. View information about online users on eSight.
    1. Choose Resource > Network > WLAN Management > Region Monitor from the main menu.
    2. In the monitoring mode, right-click Region Topology on the left pane, and select Region Object Manager.
    3. Click Client in the navigation tree and click the Access Current tab page to view access user information.

Example for Configuring Direct Forwarding on a Layer 3 Network Where Multiple ACs Are Deployed in Bypass Mode (Cross-AC Configuration)

This section describes how to use eSight to configure basic WLAN services in a scenario with multiple ACs.

Networking Requirement

College M has constructed a wireless network, where two ACs are deployed to manage 80 APs. The ACs connect to the egress gateway Router through an aggregation switch.

The ACs are connected to the aggregation switch in bypass mode to manage users in a uniform manner. Figure 12-73 shows the network diagram.

The customer wants to deploy WLAN services that provide the SSID huawei for teachers and students and allow a maximum of 500 users to access the WLAN simultaneously, anytime and anywhere.

Figure 12-73 Network diagram
Data Plan
Table 12-66 Basic data

| Item | Data |
| --- | --- |
| eSight: IP address | 10.137.58.162 (If southbound and northbound services are separated for eSight, the eSight IP address here refers to the southbound IP address.) |
| eSight: Host name | eSight |
| Aggregation switch (Switch): SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| Aggregation switch (Switch): Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| Access switch (S001 - S004): SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| Access switch (S001 - S004): Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| AC (AC1, AC2): IP address | AC1: 10.137.240.119; AC2: 10.137.240.120 |
| AC (AC1, AC2): SNMP parameters | Version: SNMPv2c; Read community: public123; Write community: private123 |
| AC (AC1, AC2): Telnet parameters (obtained from the administrator) | User name: huawei; Password: huawei123 |
| VLAN | Management VLAN IDs: 92, 93; Service VLAN IDs: 101, 102 |
| DHCP server | The ACs function as the DHCP server to allocate IP addresses to managed APs and STAs. |
| DHCP server: AC1 | AP address pool: 192.168.92.2 to 192.168.92.254/24; STA address pool: 192.168.101.2 to 192.168.101.254/24 |
| DHCP server: AC2 | AP address pool: 192.168.93.2 to 192.168.93.254/24; STA address pool: 192.168.102.2 to 192.168.102.254/24 |
| AP authentication mode | MAC address authentication |
| VAP Profile: AC1 | Name: huawei01; VLAN ID: 101; Forwarding mode: Direct-forward; Referenced profiles: SSID Profile huawei, security profile huawei, and traffic profile default (preset profile). |
| VAP Profile: AC2 | Name: huawei02; VLAN ID: 102; Forwarding mode: Direct-forward; Referenced profiles: SSID Profile huawei, security profile huawei, and traffic profile default (preset profile). |
| SSID profile | Name: huawei; SSID: huawei |
| Security profile | Name: huawei; Security policy: WPA-WPA2+PSK+AES+PASS-PHRASE; Password: a1234567 |
| RF profile | Name: default (preset profile) |
| AP profile | Name: default (preset profile) |

Table 12-67 Channel configuration

| Interface Group | Interface Group | Allow Pass VLAN | Default VLAN |
| --- | --- | --- | --- |
| interfacegroup1 | Interface marked by in Figure 12-73 (Switch interface connected to Router) | Service VLAN: 101, 102 | |
| interfacegroup2 | Interfaces marked by in Figure 12-73 (Interfaces for interconnection between Switch and AC1) | Management VLAN: 92 | |
| interfacegroup3 | Interfaces marked by in Figure 12-73 (Interfaces for interconnection between Switch and AC2) | Management VLAN: 93 | |
| interfacegroup4 | Interfaces marked by in Figure 12-73 (Interfaces for interconnection between Switch and S001/S002) | Management VLAN: 92; Service VLAN: 101 | |
| interfacegroup5 | Interfaces marked by in Figure 12-73 (Interfaces for interconnection between Switch and S003/S004) | Management VLAN: 93; Service VLAN: 102 | |
| interfacegroup6 | Interfaces marked by in Figure 12-73 (S001/S002 interfaces connected to APs managed by AC1) | Management VLAN: 92; Service VLAN: 101 | Management VLAN: 92 |
| interfacegroup7 | Interfaces marked by in Figure 12-73 (S003/S004 interfaces connected to APs managed by AC2) | Management VLAN: 93; Service VLAN: 102 | Management VLAN: 93 |

Table 12-68 AP groups and bound profiles

| AP Group | Group Member | Bound Profile |
| --- | --- | --- |
| apgroup01 | AP001 to AP040 | VAP profile: huawei01; WLAN ID: 1; Radio: radio-all |
| apgroup02 | AP041 to AP080 | VAP profile: huawei02; WLAN ID: 2; Radio: radio-all |

Configuration Roadmap
  1. Configure a reachable route between the AC and eSight, so that eSight can manage all devices on the LAN.
  2. Set SNMP and Telnet parameters on the switches and AC, so that all the devices on the LAN can be added to eSight.
  3. Enable first-time authentication for the SSH client on the AC.
  4. Use SFTP to transfer files between eSight and ACs.
  5. Add the switches and AC to eSight.
  6. Configure an AP whitelist on the AC so that APs can go online automatically after being powered on.
  7. Configure the management VLANs, service VLANs, and address pools on the ACs.
  8. Create device interface groups so that VLAN channels can be configured.
  9. Configure VLAN channels between the APs and AC.
  10. Configure basic AC information.
  11. Create WLAN service profiles.
  12. Create AP groups and bind service profiles to deliver WLAN services.
Page Switching

Versions later than V300R007C00SPC300 change the Business > WLAN Management > Configuration and Deployment > AP Configuration page.

Version: Versions later than V300R007C00SPC300

  • Difference of the Default AP Configuration Pages: New page: displays the list of devices that support WLAN service configuration.
  • Description: eSight delivers configurations to a single AC and WLAN service configurations can be synchronized between eSight and the AC.
  • Page Switching Method:
    1. Log in to the eSight server.
    2. Open the {eSight installation directory}\AppBase\etc\apconfig.properties configuration file and set the synMode parameter. The options are as follows:
      • 1 (default value): Display the new page.
      • 0: Display the old page.
    3. Save and close the configuration file.

Version: V300R007C00SPC300 and earlier versions

  • Difference of the Default AP Configuration Pages: Old page: displays the AP Group, AP Specific, and Profile Management tab pages.
  • Description: eSight can deliver configurations across ACs and WLAN service configurations cannot be synchronized between eSight and the AC.
  • Page Switching Method: -

Procedure
NOTE:

This topic describes the operation procedure on the old page. For details about the operation procedure on the new page, see Example for Configuring Direct Forwarding on a Layer 3 Network Where Multiple ACs Are Deployed in Bypass Mode (Single AC Configuration).

  1. Configure a reachable route between the AC and eSight. For the detailed operation procedure, see the related document of the AC.
  2. Configure SNMP and Telnet parameters on the switches and ACs.
    NOTE:

    This topic uses the AC product of version V200R006C10 as an example.

    # Set SNMP parameters on the AC1.

    <AC1> system-view 
    [AC1] snmp-agent 
    [AC1] snmp-agent sys-info version v2c  
    [AC1] snmp-agent community read public123 
    [AC1] snmp-agent community write private123 
    [AC1] snmp-agent trap enable 
    Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    [AC1] snmp-agent target-host trap-paramsname trapnms v2c securityname public123 
    [AC1] snmp-agent target-host trap-hostname eSight address 10.137.58.162 trap-paramsname trapnms 
    [AC1] quit

    # Set Telnet parameters on the AC1.

    <AC1>system-view 
    [AC1]telnet server enable 
    [AC1]user-interface maximum-vty 15 
    [AC1]user-interface vty 0 14 
    [AC1-ui-vty0-14]authentication-mode aaa 
    [AC1-ui-vty0-14]protocol inbound telnet 
    [AC1-ui-vty0-14]quit 
    [AC1]aaa 
    [AC1-aaa]local-user huawei password irreversible-cipher huawei123 
    [AC1-aaa]local-user huawei privilege level 15 
    [AC1-aaa]local-user huawei service-type telnet 
    [AC1-aaa]quit 
    [AC1]quit     
  3. Enable first-time authentication for the SSH client on the AC so that APs can be synchronized to eSight successfully. This function is disabled by default. Perform this step on AC1 and then on AC2.
    <AC1>system-view 
    [AC1]ssh client first-time enable
  4. Use SFTP to transfer files between eSight and ACs.

    FTP and TFTP pose potential security risks, so exercise caution when using them. SFTP is more secure than FTP and TFTP and is recommended.

    • In the Windows scenario:
      1. Log in to the eSight server as the Administrator user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the D:\eSight\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml file is true.
        NOTE:

        In the file name, D:\eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
    • In the Linux scenario:
      1. Log in to the eSight server as the root user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the /opt/eSight/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml file is true.
        NOTE:

        In the file name, /opt/eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
  5. Add the switches and ACs to eSight.

    The following uses the AC as an example.

    1. Choose Resource > Common > Add Resource > Add Resource from the main menu.
    2. Set SNMP and Telnet parameters and click OK.

    3. Test the settings of the SNMP and Telnet parameters.
      1. Choose Resource > Network > Equipment > Network Device from the main menu. Click the new device name.
      2. In the navigation on the left, choose Protocol Parameters > Telnet Parameters. Click Edit Telnet Parameter. Then click Test and view the test result. If the test fails, set parameters on the current page.
      3. In the navigation on the left, choose Protocol Parameters > SNMP Parameters. Click Edit SNMP Parameters. Then click Test and view the test result. If the test fails, set parameters on the current page.
  6. Configure the AP whitelist.
    1. Choose Resource > Network > Equipment > WLAN Resources from the main menu.

    2. Choose AC from the navigation tree.
    3. In the AC list, click next to each AC to create the AP whitelist and add MAC addresses of APs.

  7. Configure the management VLANs, service VLANs, and address pools on the ACs.
    1. Choose Resource > Network > WLAN Management > Configuration and Deployment from the main menu.
    2. Choose Basic Configuration > VLAN IF & Address Pool.
    3. Under Device Of Configuration, click , select AC1, and click Confirm.
    4. Click the device name of AC1, click in the VLANIF And Address Pool Configure, and select Create VLANIF.
    5. Enter information about VLANIF 92 and VLANIF 101 as planned in Table 12-66 in the displayed dialog box and use them as address pools for APs and STAs.

    6. Similarly, create VLANIF 93 and VLANIF 102 for AC2 and use them as address pools for APs and STAs. For details, see 7.c to 7.e.
  8. Configure interface groups.

    The following uses the interfacegroup1 as an example. For details about group members, see Table 12-67.

    1. Choose Resource > Common > Resources Group > Group Management from the main menu.
    2. Click next to User Defined to create interface groups.

  9. Configure channels between the AC and APs.
    1. Choose Resource > Network > WLAN Management > Configuration and Deployment from the main menu.
    2. Choose Basic Configuration > Channel Configuration.
    3. Click next to Interface Group and select the seven interface groups.
    4. Configure allow pass VLAN and default VLAN for each interface group.

    5. Select names of the four interface groups and click to deliver configurations to the devices.
  10. Configure basic AC information.
    1. In the navigation tree on the left, click Global AC Configuration.
    2. Click next to AC Resource, and select AC1 and AC2.
    3. Configure AC information.

    4. Select the name of the AC and click to deliver configurations to the device.
  11. Create profiles.
    1. In the navigation tree on the left, click AP Configuration.
    2. Click Profile Management.
    3. Create an SSID profile.

      In the navigation tree, choose VAP Profile > SSID Profile and click .

      • Name: huawei
      • SSID: huawei

    4. Create a security profile.

      In the navigation tree, choose VAP Profile > Security Profile and click .

      • Name: huawei
      • Security Policy: WPA-WPA2
      • Authentication Mode: PSK
      • Cipher Mode: AES
      • Password Type: PASS-PHRASE
      • Password/Confirming Password: a1234567

    5. Create VAP profiles.

      In the navigation tree, choose VAP Profile and click to create two VAP profiles huawei01 and huawei02.

    • Name: huawei01

      Service VLAN ID: 101

      Forward Mode: Direct-forward

      Security Profile: huawei

      SSID Profile: huawei

    • Name: huawei02

      Service VLAN ID: 102

      Forward Mode: Direct-forward

      Security Profile: huawei

      SSID Profile: huawei

  12. Create AP groups and bind profiles.
    1. Click the AP Group tab page.
    2. Click to create apgroup01. Select AC1, add related APs, and click Create And Config.

    3. In the navigation tree, choose VAP Profile and click . Set parameters and click Confirm.

    4. In the displayed dialog box, click Deploy to deploy profiles.
    5. See 12.b to 12.d to complete the configuration for apgroup02.
Verification

The WLAN service is successfully configured when users in the residential area can find the SSID of the deployed WLAN and connect to it for Internet access.

  1. Have a user search for WLAN huawei using a laptop.

  2. Have the user access the WLAN and query the allocated IP address.

  3. View information about online users on eSight.
    1. Choose Resource > Network > WLAN Management > Region Monitor from the main menu.
    2. In the monitoring mode, right-click Region Topology on the left pane, and select Region Object Manager.

    3. Click Client in the navigation tree and click the Access Current tab page to view access user information.

Example for Configuring Direct Forwarding on a Layer 3 Network Where Multiple ACs Are Deployed in Bypass Mode (Single AC Configuration)

This section describes how to use eSight to configure basic WLAN services in a scenario with multiple ACs.

Networking Requirement

College M has constructed a wireless network, where two ACs are deployed to manage 80 APs. The ACs connect to the egress gateway Router through an aggregation switch.

The ACs are connected to the aggregation switch in bypass mode to manage users in a uniform manner. Figure 12-74 shows the network diagram.

The customer wants to deploy WLAN services to provide the SSID huawei for teachers and students, allowing a maximum of 500 users to access the WLAN simultaneously, anytime and anywhere.

Figure 12-74 Network diagram
Data Plan
Table 12-69 Basic data

Item

Data

eSight

IP address: 10.137.58.162 (If southbound and northbound services are separated for eSight, the eSight IP address here refers to the southbound IP address.)

Host name: eSight

Aggregation switch (Switch)

SNMP parameters

Version: SNMPv2c

Read community: public123

Write community: private123

Telnet parameters (obtained from the administrator)

User name: huawei

Password: huawei123

Access switch (S001 - S004)

SNMP parameters

Version: SNMPv2c

Read community: public123

Write community: private123

Telnet parameters (obtained from the administrator)

User name: huawei

Password: huawei123

AC (AC1, AC2)

IP address

AC1: 10.137.240.119

AC2: 10.137.240.120

SNMP parameters

Version: SNMPv2c

Read community: public123

Write community: private123

Telnet parameters (obtained from the administrator)

User name: huawei

Password: huawei123

VLAN

Management VLAN IDs: 92, 93

Service VLAN IDs: 101, 102

DHCP server

The ACs function as the DHCP server to allocate IP addresses to managed APs and STAs.

  • AC1:

    AP address pool: 192.168.92.2 to 192.168.92.254/24

    STA address pool: 192.168.101.2 to 192.168.101.254/24

  • AC2:

    AP address pool: 192.168.93.2 to 192.168.93.254/24

    STA address pool: 192.168.102.2 to 192.168.102.254/24

AP authentication mode

MAC address authentication

VAP Profile

  • AC1:

    Name: huawei01

    VLAN ID: 101

    Forwarding mode: Direct-forward

    Referenced profiles: SSID Profile huawei, security profile huawei, and traffic profile default (preset profile).

  • AC2:

    Name: huawei02

    VLAN ID: 102

    Forwarding mode: Direct-forward

    Referenced profiles: SSID Profile huawei, security profile huawei, and traffic profile default (preset profile).

SSID profile

Name: huawei

SSID: huawei

Security profile

Name: huawei

Security policy: WPA-WPA2+PSK+AES+PASS-PHRASE

Password: a1234567

RF profile

Name: default (preset profile)

AP profile

Name: default (preset profile)

Table 12-70 Channel configuration

  • interfacegroup1
    Interfaces: Interface marked by in Figure 12-74 (Switch interface connected to Router)
    Allow Pass VLAN: Service VLAN 101, 102

  • interfacegroup2
    Interfaces: Interfaces marked by in Figure 12-74 (Interfaces for interconnection between Switch and AC1)
    Allow Pass VLAN: Management VLAN 92

  • interfacegroup3
    Interfaces: Interfaces marked by in Figure 12-74 (Interfaces for interconnection between Switch and AC2)
    Allow Pass VLAN: Management VLAN 93

  • interfacegroup4
    Interfaces: Interfaces marked by in Figure 12-74 (Interfaces for interconnection between Switch and S001/S002)
    Allow Pass VLAN: Management VLAN 92, Service VLAN 101

  • interfacegroup5
    Interfaces: Interfaces marked by in Figure 12-74 (Interfaces for interconnection between Switch and S003/S004)
    Allow Pass VLAN: Management VLAN 93, Service VLAN 102

  • interfacegroup6
    Interfaces: Interfaces marked by in Figure 12-74 (S001/S002 interfaces connected to APs managed by AC1)
    Allow Pass VLAN: Management VLAN 92, Service VLAN 101
    Default VLAN: Management VLAN 92

  • interfacegroup7
    Interfaces: Interfaces marked by in Figure 12-74 (S003/S004 interfaces connected to APs managed by AC2)
    Allow Pass VLAN: Management VLAN 93, Service VLAN 102
    Default VLAN: Management VLAN 93

Table 12-71 AP groups and bound profiles

  • apgroup01
    Group Member: AP001 to AP040
    Bound Profile: VAP profile: huawei01; WLAN ID: 1; Radio: radio-all

  • apgroup02
    Group Member: AP041 to AP080
    Bound Profile: VAP profile: huawei02; WLAN ID: 2; Radio: radio-all

Configuration Roadmap
  1. Configure a reachable route between the AC and eSight, so that eSight can manage all devices on the LAN.
  2. Set SNMP and Telnet parameters on the switches and AC, so that all the devices on the LAN can be added to eSight.
  3. Enable the first time authentication of the SSH client on the AC.
  4. SFTP needs to be used to transfer files between eSight and ACs.
  5. Add the switches and AC to eSight.
  6. Configure an AP whitelist on the AC so that APs can go online automatically after being powered on.
  7. Configure the management VLANs, service VLANs, and address pools on the ACs.
  8. Create device interface groups so that VLAN channels can be configured.
  9. Configure VLAN channels between the APs and AC.
  10. Configure basic AC information.
  11. Create WLAN service profiles.
  12. Create AP groups and bind service profiles to deliver WLAN services.
Page Switching

The Business > WLAN Management > Configuration and Deployment > AP Configuration page is changed in V300R007C00SPC300 and later versions.

  • Version: Versions later than V300R007C00SPC300
    Difference of the Default AP Configuration Pages: New page, which displays the list of devices that support WLAN service configuration.
    Description: eSight delivers configurations to a single AC and WLAN service configurations can be synchronized between eSight and the AC.
    Page Switching Method:
      1. Log in to the eSight server.
      2. Open the {eSight installation directory}\AppBase\etc\apconfig.properties configuration file and set the synMode parameter. The options are as follows:
        • 1 (default value): Display the new page.
        • 0: Display the old page.
      3. Save and close the configuration file.

  • Version: V300R007C00SPC300 and earlier versions
    Difference of the Default AP Configuration Pages: Old page, which displays the AP Group, AP Specific, and Profile Management tab pages.
    Description: eSight can deliver configurations across ACs and WLAN service configurations cannot be synchronized between eSight and the AC.
    Page Switching Method: -

Procedure
NOTE:

This topic describes the operation procedure on the new page. For details about the operation procedure on the old page, see Example for Configuring Direct Forwarding on a Layer 3 Network Where Multiple ACs Are Deployed in Bypass Mode (Cross-AC Configuration).

  1. Configure a reachable route between the AC and eSight. For the detailed operation procedure, see the related document of the AC.
  2. Configure SNMP and Telnet parameters on the switches and ACs.
    NOTE:

    This section uses the AC product of version V200R006C10 as an example.

    # Set SNMP parameters on the AC1.

    <AC1> system-view 
    [AC1] snmp-agent 
    [AC1] snmp-agent sys-info version v2c  
    [AC1] snmp-agent community read public123 
    [AC1] snmp-agent community write private123 
    [AC1] snmp-agent trap enable 
    Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    [AC1] snmp-agent target-host trap-paramsname trapnms v2c securityname public123 
    [AC1] snmp-agent target-host trap-hostname eSight address 10.137.58.162 trap-paramsname trapnms 
    [AC1] quit

    # Set Telnet parameters on the AC1.

    <AC1> system-view
    [AC1] telnet server enable
    [AC1] user-interface maximum-vty 15
    [AC1] user-interface vty 0 14
    [AC1-ui-vty0-14] authentication-mode aaa
    [AC1-ui-vty0-14] protocol inbound telnet
    [AC1-ui-vty0-14] quit
    [AC1] aaa
    [AC1-aaa] local-user huawei password irreversible-cipher huawei123
    [AC1-aaa] local-user huawei privilege level 15
    [AC1-aaa] local-user huawei service-type telnet
    [AC1-aaa] quit
    [AC1] quit
  3. Enable first-time authentication for the SSH client on the AC so that APs can be successfully synchronized to eSight. This function is disabled by default. Perform this step on AC1 and AC2 in sequence.
    <AC1> system-view
    [AC1] ssh client first-time enable
  4. SFTP needs to be used to transfer files between eSight and ACs.

    FTP and TFTP pose potential security risks. Exercise caution when you use them. SFTP, which is more secure than FTP and TFTP, is recommended.

    • In the Windows scenario:
      1. Log in to the eSight server as the Administrator user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the D:\eSight\AppBase\sysagent\etc\sysconf\svcbase\med_node_1_svc.xml file is true.
        NOTE:

        In the file name, D:\eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
    • In the Linux scenario:
      1. Log in to the eSight server as the root user.
      2. Check whether the value of enable corresponding to the SFTP protocol in the /opt/eSight/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml file is true.
        NOTE:

        In the file name, /opt/eSight must be changed to the actual installation directory.

        <config name="sftp">  
        <param name="enable">true</param> 
        </config>
        • If the parameter value is true, the SFTP server is normal.
        • If the parameter value is false, configure the SFTP server status by referring to Configuring the eSight File Transfer Protocol in the Maintenance Guide.
  5. Add the switches and ACs to eSight.

    The following uses the AC as an example.

    1. Choose Resource > Common > Add Resource > Add Resource from the main menu.
    2. Set SNMP and Telnet parameters and click OK.

    3. Test the settings of the SNMP and Telnet parameters.
      1. Choose Resource > Network > Equipment > Network Device from the main menu. Click the new device name.
      2. In the navigation on the left, choose Protocol Parameters > Telnet Parameters. Click Edit Telnet Parameter. Then click Test and view the test result. If the test fails, set parameters on the current page.
      3. In the navigation on the left, choose Protocol Parameters > SNMP Parameters. Click Edit SNMP Parameters. Then click Test and view the test result. If the test fails, set parameters on the current page.
  6. Configure the AP whitelist.
    1. Choose Resource > Network > Equipment > WLAN Resources from the main menu.

    2. Choose AC from the navigation tree.
    3. In the AC list, click next to each AC to create the AP whitelist and add MAC addresses of APs.

  7. Configure the management VLANs, service VLANs, and address pools on the ACs.
    1. Choose Resource > Network > WLAN Management > Configuration and Deployment from the main menu.
    2. Choose Basic Configuration > VLAN IF & Address Pool.
    3. Under Device Of Configuration, click , select AC1, and click Confirm.
    4. Click the device name of AC1, click in the VLANIF And Address Pool Configure, and select Create VLANIF.
    5. Enter information about VLANIF 92 and VLANIF 101 as planned in Table 12-69 in the displayed dialog box and use them as address pools for APs and STAs.

    6. Similarly, create VLANIF 93 and VLANIF 102 for AC2 and use them as address pools for APs and STAs. For details, see 7.c to 7.e.
  8. Configure interface groups.

    The following uses the interfacegroup1 as an example. For details about group members, see Table 12-70.

    1. Choose Resource > Common > Resources Group > Group Management from the main menu.
    2. Click next to User Defined to create interface groups.

  9. Configure channels between the AC and APs.
    1. Choose Resource > Network > WLAN Management > Configuration and Deployment from the main menu.
    2. Choose Basic Configuration > Channel Configuration.
    3. Click next to Interface Group and select the seven interface groups.
    4. Configure allow pass VLAN and default VLAN for each interface group.

    5. Select names of the four interface groups and click to deliver configurations to the devices.
  10. Configure basic AC information.
    1. In the navigation tree on the left, click Global AC Configuration.
    2. Click next to AC Resource, and select AC1 and AC2.
    3. Configure AC information.

    4. Select the name of the AC and click to deliver configurations to the device.
  11. Create profiles for AC1.
    1. Choose Resource > Network > Equipment > Network Device from the main menu.
    2. Click the AC1 name to open the AC1 Object Manager.
    3. Choose WLAN Feature > Profile Management.
    4. Create an SSID profile.

      In the navigation tree, choose VAP Profile > SSID Profile and click . Set parameters and click Confirm. In the displayed dialog box, click Deploy.

      • Name: huawei
      • SSID: huawei

    5. Create a security profile.

      In the navigation tree, choose VAP Profile > Security Profile and click . Set parameters and click Confirm. In the displayed dialog box, click Deploy.

      • Name: huawei
      • Security Policy: WPA-WPA2
      • Authentication Mode: PSK
      • Cipher Mode: AES
      • Password Type: PASS-PHRASE
      • Password/Confirming Password: a1234567

    6. Create a VAP profile.
      Choose VAP Profile from the template tree and click to create two VAP profiles huawei01 and huawei02. In the displayed dialog box, click Deploy.
      • Name: huawei01
      • Service VLAN ID: 101
      • Forward Mode: Direct-forward
      • Security Profile: huawei
      • SSID Profile: huawei

  12. Create AP groups for AC1.
    1. Choose WLAN Feature > AP Group.
    2. Click to create the group apgroup01, add all APs, and click OK. Click Yes in the dialog box that is displayed.

  13. Bind profiles to the AP groups for AC1.
    1. Click the name of an AP group (apgroup01) to open the profile binding page.
    2. In the navigation tree, choose VAP Profile and click .

    3. In the dialog box that is displayed, click Deploy to deploy profiles.
  14. Repeat steps 11 to 13 to complete the configuration for AC2.
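
A review aid for the settings entered in steps 2 and 3, added here as an example and not part of the eSight documentation or tooling: it reads a pasted CLI session and flags the cleartext management protocols (SNMPv2c, Telnet), guessable secrets, and the SSH first-time authentication setting. The finding names and the abbreviated sample session are constructed for this example.

```python
import re

# Constructed sample: the session typed in steps 2 and 3, abbreviated. The
# password is visible because this is the typed command, not a saved config.
SAMPLE_SESSION = """\
<AC1> system-view
[AC1] snmp-agent sys-info version v2c
[AC1] snmp-agent community read public123
[AC1] snmp-agent community write private123
[AC1]telnet server enable
[AC1]user-interface vty 0 14
[AC1-ui-vty0-14]protocol inbound telnet
[AC1-aaa]local-user huawei password irreversible-cipher huawei123
[AC1-aaa]local-user huawei privilege level 15
[AC1-aaa]local-user huawei service-type telnet
[AC1]ssh client first-time enable
"""

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # <AC1> or [AC1-aaa]

# (finding id, pattern for one command, why a reviewer should look at it)
LINE_RULES = [
    ("SNMP-V2C", re.compile(r"^snmp-agent sys-info version (?:v1|v2c)\b"),
     "SNMPv1/v2c is unencrypted; community strings cross the network in cleartext"),
    ("SNMP-WRITE", re.compile(r"^snmp-agent community write \S+"),
     "a write community permits changes using a shared cleartext string"),
    ("TELNET-ON", re.compile(r"^(?:telnet server enable|protocol inbound telnet)$"),
     "Telnet carries the login and the session unencrypted"),
    ("SSH-TOFU", re.compile(r"^ssh client first-time enable$"),
     "the first SSH/SFTP connection accepts the server key without verifying it"),
]
COMMUNITY = re.compile(r"^snmp-agent community (?:read|write) (\S+)")
LOCAL_USER = re.compile(r"^local-user (\S+) (password|privilege|service-type) (.+)$")


def audit(session):
    """Return (finding id, command or user, reason) tuples in the order found."""
    findings, users = [], {}
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        for fid, pattern, reason in LINE_RULES:
            if pattern.search(cmd):
                findings.append((fid, cmd, reason))
        m = COMMUNITY.match(cmd)
        if m and re.search(r"public|private", m.group(1), re.I):
            findings.append(("SNMP-GUESSABLE", cmd,
                             "community is derived from the well-known names public/private"))
        m = LOCAL_USER.match(cmd)
        if m:  # collect per-user attributes so they can be correlated below
            users.setdefault(m.group(1), {})[m.group(2)] = m.group(3).split()
    for name, attrs in users.items():
        if name.lower() in attrs.get("password", [""])[-1].lower():
            findings.append(("PW-HAS-USERNAME", name,
                             "password contains the account name"))
        if (attrs.get("privilege", [""])[-1] == "15"
                and "telnet" in attrs.get("service-type", [])):
            findings.append(("ADMIN-OVER-TELNET", name,
                             "level-15 account is allowed to log in over Telnet"))
    return findings


if __name__ == "__main__":
    for fid, where, reason in audit(SAMPLE_SESSION):
        print(f"{fid:18} {where}\n{'':18} -> {reason}")
```
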
Verification

The WLAN service is successfully configured when users in the residential area can find the SSID of the deployed WLAN and connect to it for Internet access.

  1. Have a user search for WLAN huawei using a laptop.

  2. Have the user access the WLAN and query the allocated IP address.

  3. View information about online users on eSight.
    1. Choose Resource > Network > WLAN Management > Region Monitor from the main menu.
    2. In the monitoring mode, right-click Region Topology on the left pane, and select Region Object Manager.

    3. Click Client in the navigation tree and click the Access Current tab page to view access user information.
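
The SFTP check from step 4 of the procedure can be scripted so that it is repeatable on either platform. This is an added example, not Huawei's code; the `<svc>` wrapper element and the `ftp`/`tftp` entry names are assumptions, since the page shows only the `sftp` element of med_node_1_svc.xml.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample. Only the <config name="sftp"> element is taken from the
# page; the <svc> wrapper and the "ftp" entry are assumptions for illustration.
SAMPLE_XML = """\
<svc>
  <config name="ftp">
    <param name="enable">true</param>
  </config>
  <config name="sftp">
    <param name="enable">false</param>
  </config>
</svc>
"""


def enable_value(root, protocol):
    """Return the text of <config name=protocol>/<param name="enable">, or None."""
    for cfg in root.iter("config"):  # also matches when <config> is the root
        if cfg.get("name") == protocol:
            for param in cfg.iter("param"):
                if param.get("name") == "enable":
                    return (param.text or "").strip()
    return None


def check_transfer_protocols(xml_data):
    """Return a list of findings; an empty list means the step 4 check passes."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [f"file is not well-formed XML: {exc}"]
    findings = []
    sftp = enable_value(root, "sftp")
    if sftp is None:
        findings.append("sftp: no enable parameter found")
    elif sftp != "true":
        findings.append(f"sftp: enable is {sftp!r}, expected 'true'")
    # "ftp" and "tftp" are assumed entry names; absent entries are ignored.
    for legacy in ("ftp", "tftp"):
        if enable_value(root, legacy) == "true":
            findings.append(f"{legacy}: enabled, prefer SFTP as the page recommends")
    return findings


if __name__ == "__main__":
    # Pass the path to med_node_1_svc.xml; without one the sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE_XML
    problems = check_transfer_protocols(data)
    print("\n".join(problems) if problems else "SFTP enabled; no FTP/TFTP entry enabled")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means the file needs attention, in which case follow Configuring the eSight File Transfer Protocol in the Maintenance Guide as step 4 directs.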

Updated: 2019-06-30

Document ID: EDOC1100044378
