WLAN V200R010C00 Typical Configuration Examples
Large-Sized Hotel Network Wired and Wireless Access Deployment Case (Independent AC Solution)
Applicable Scenarios and Service Requirements
Applicable Scenarios
This solution is used to provide full network coverage for large hotels (with about 5,000 users) with access of a variety of terminals, such as wired/wireless terminals, surveillance cameras, and IPTV devices.
Service Requirements
- High user density
- High guest mobility
- Diverse user types
- Demanding security requirements
Generally, a hotel has the following service requirements on its network:
- Access requirements
- Wired and wireless access for staff
- Wired access for surveillance cameras and IPTV devices
- Wireless access for visitors and guests
- Network access rights for different types of users (as shown in Table 4-208)
- Wireless roaming requirements
- Support roaming when wireless terminals move between different areas.
- Support fast handover without interrupting services.
- Authentication requirements
- To ensure hotel network data security, all devices must pass authentication before accessing network resources. Authentication modes for visitors and guests must be convenient and simple. Authentication modes for hotel employees must provide higher security. Authentication for terminals such as surveillance cameras and IPTV terminals is also required.
- The authentication process needs to be simplified when users access the wireless network again.
- Security requirements
- Unauthorized devices and attacks are prevented from invading the network, and the authentication system is used to ensure security compliance.
- Reliability requirements
- Hotel networks bear major services such as network access of customers and office of employees. Therefore, high network reliability must be provided to ensure continuous and stable services.
- APs can detect the number of access users and flexibly adjust Enhanced Distributed Channel Access (EDCA) parameters, which reduces the possibility of collision, prevents many users from accessing the same AP, and ensures service quality and user experience.
- Management and O&M requirements
- Information such as users' access records and traffic can be displayed in reports.
- Network faults can be visually viewed, and quickly located and rectified.
Solution Design
Networking Diagram
Figure 4-124 shows the networking of the wired and wireless access solution (independent AC solution) applicable to large hotels.
Network Design Analysis
- Access design
- Wireless network coverage involves the office network, conference center/lobby network, and guest room network. The office network provides wireless access for mobile employees, the conference center/lobby network provides wireless access for visitors, and the guest room network provides wireless access for guests. Wireless authentication uses open system authentication. Wired network coverage involves the office network, security monitoring network, and guest room network. The office network (wired) provides wired access for employees, the security monitoring network (wired) provides wired access for surveillance cameras, and the guest room network (wired) provides wired access for IPTV terminals.
- Wireless services are centrally managed by ACs, data packets are transmitted in direct forwarding mode, and the ACs serve as gateways to assign IP addresses to APs.
- For the office network, a common omnidirectional indoor AP is recommended, for example, the AP6050DN or AP7052DN. For the conference center which has a large space and centralized users and traffic, the AP7052DN or AP7052DE is recommended. For the lobby, the AP4050DN-HD is recommended. The guest room network needs to cover a large number of guest rooms. The layout is complex and comprehensive coverage is required. However, the user concurrency rate and user density are low. Additionally, wired IPTV terminals need to access the network. In this case, the solution of central AP (AD9430DN) + remote unit (R250D) is used. A remote unit (RU) is deployed in one room. Signals do not need to penetrate walls and can evenly cover rooms without coverage holes. APs go online using the Layer 2 mode and are enabled with the roaming function.
- The S7706 core switches serve as DHCP servers and as gateways of wired and wireless terminals to assign IP addresses for them.
- Wireless coverage is required in hotel offices, conference center/lobby, and guest rooms, delivering network access for mobile office staff, visitors, and guests, respectively. MAC address-prioritized Portal authentication is used for wireless access.
- Authentication design
Wireless access authentication is deployed on the ACs, and wired access authentication on the S7706 switches. Wireless users access the network using MAC address-prioritized Portal authentication on a user-friendly login page, without the need to install a client. When users disconnect from and reconnect to the network within a certain period of time, they are directly authenticated based on the MAC address and do not need to log in again. Wired users access the network through MAC address + Portal authentication, which ensures high security. Surveillance cameras and IPTV devices use MAC address authentication.
- Security design
- Configure multiple SSIDs on the ACs to isolate a variety of services. Bind the SSIDs with different service VLANs to implement wireless user isolation.
- Configure multicast packet suppression and ARP flood detection/suppression on the wireless side.
- Configure attack defense functions on the S7706s, such as user-level rate limit, port-based attack defense, and attack source tracing.
- Configure port isolation and suppression of wireless multicast packets on the interfaces of the S5700-LI and S5720-EI switches connecting to the APs.
- Configure DHCP snooping on the S5700-LI and S5720-EI switches to protect the network against DHCP attacks.
- Reliability design
- Connect the ACs to the core switches in bypass mode. Configure VRRP backup and HSB to ensure device security.
- Configure dynamic EDCA parameter adjustment and dynamic load balancing on the ACs to reduce co-channel interference when APs are densely deployed and alleviate the load on a single AP. This configuration also reduces the possibility of collision, prevents many users from accessing the same AP, and ensures service quality and user experience.
- Configure CSS on the S7706 core switches to ensure device reliability. Configure MAD to detect the presence of multiple active switches after a CSS split and handle such problems on the network.
- Configure iStack on S5720-EI access switches to ensure device reliability.
- Connect the S7706s to the AC6605s, S5700-LIs, and S5720-EI through Eth-Trunks to enhance link reliability.
- O&M design
- The Agile Controller-Campus implements authentication and accounting, and generates reports on information such as user access records and traffic usage, facilitating easy O&M for administrators.
- All the devices are configured using web systems to provide visibility of network status and enable quick network fault location.
Involved Products and Software Versions
Table 4-209 lists the products and software versions used in the solution.
Configuration Roadmap and Data Planning
Configuration Roadmap
- Configure the interfaces, VLANs, IP addresses, routes for each device to enable network communication.
- Configure CSS and MAD on the S7706s to ensure device reliability, and configure Eth-Trunks to improve link reliability.
- Configure the S7706 as the DHCP server to assign IP addresses to terminals.
- Set the wired access authentication mode to MAC address + Portal authentication on the S7706s.
- Use network segments to distinguish different types of users on the S7706s, and configure ACL rules to manage network permission of different user groups.
- Set the wireless access authentication mode to MAC address-prioritized Portal authentication on the AC6605s.
- Configure VRRP + HSB on the AC6605s to ensure device reliability, and configure Eth-Trunks to improve link reliability.
- Configure WLAN services on the AC6605s. Enable smart roaming, dynamic EDCA parameter adjustment, and dynamic load balancing to reduce co-channel interference when APs are densely deployed and alleviate the load on a single AP.
- Configure port isolation and suppression of wireless multicast packets on the interfaces of the S5700-LI and S5720-EI switches connecting to the APs.
- Add the AC6605s to the Service Manager of the Agile Controller-Campus, and configure parameters to ensure that the Agile Controller-Campus can communicate properly with the AC6605s.
Data Planning
The following describes the data planning of VLANs, interfaces, IP addresses, routes, and services involved in this case.
| Product Name | Parameter | Description |
|---|---|---|
| S7706 | VLAN 10 | VLAN used to connect the Agile Controller-Campus |
| | VLAN 100 | CAPWAP management VLAN |
| | VLAN 101 | Wired office service VLAN |
| | VLAN 102 | Wireless office service VLAN |
| | VLAN 103 | Wired surveillance service VLAN |
| | VLAN 104 | Wireless service VLAN for visitors |
| | VLAN 105 | Wireless service VLAN for guests |
| | VLAN 106 | Wired IPTV service VLAN |
| Product Name | Interface Number | Member Interface | VLAN to Which the Interface Belongs | IP Address | Description |
|---|---|---|---|---|---|
| AC6605_1 | GE0/0/2 | - | 40 | 192.168.40.1/24 | Connects to GE0/0/2 of the AC6605_2. |
| | Eth-Trunk 50 | GE0/0/21, GE0/0/22 | 10 and 100 | - | Connects to GE1/2/1/6 and GE2/2/1/6 of the S7706s. |
| AC6605_2 | GE0/0/2 | - | 40 | 192.168.40.2/24 | Connects to GE0/0/2 of the AC6605_1. |
| | Eth-Trunk 50 | GE0/0/21, GE0/0/22 | 10 and 100 | - | Connects to GE1/2/1/8 and GE2/2/1/8 of the S7706s. |
| S7706 | GE2/2/1/5 | - | 10 | 10.1.0.1/24 | Connects to the Agile Controller-Campus. |
| | Eth-Trunk 0 | GE1/2/1/0, GE2/2/1/0 | 10, 100, 101, and 102 | - | Connects to the S5700-LI_1 (hotel office network: wired office service VLAN and wireless office service VLAN). |
| | Eth-Trunk 1 | GE1/2/1/1, GE2/2/1/1 | 10, 100, and 103 | - | Connects to the S5700-LI_2 (security surveillance network: wired surveillance service VLAN). |
| | Eth-Trunk 2 | GE1/2/1/2, GE2/2/1/2 | 10, 100, 104, 105, and 106 | - | Connects to the S5720EI-iStack (guest room network: wireless service VLANs for visitors and guests, and wired IPTV service VLAN). |
| | Eth-Trunk 10 | GE1/2/1/6 | 10 and 100 | VLANIF 100: 172.16.100.4/24 | Connects to GE0/0/21 of the AC6605_1. |
| | | GE2/2/1/6 | | | Connects to GE0/0/22 of the AC6605_1. |
| | Eth-Trunk 20 | GE1/2/1/8 | 10 and 100 | | Connects to GE0/0/21 of the AC6605_2. |
| | | GE2/2/1/8 | | | Connects to GE0/0/22 of the AC6605_2. |
| | GE1/1/1/7 | - | - | - | Connects to S7706_2 to detect multi-active conflicts after a CSS split. |
| | GE2/1/1/7 | - | - | - | Connects to S7706_1 to detect multi-active conflicts after a CSS split. |
| S5700-LI_1 | Eth-Trunk 0 | GE0/0/25, GE0/0/26 | 100, 101, and 102 | - | Connects to Eth-Trunk 0 of the S7706. |
| | GE0/0/1 | - | 101 | - | Connects to wired terminals. |
| | GE0/0/2 | - | 100 and 102 | - | Connects to AP_1. |
| S5700-LI_2 | Eth-Trunk 0 | GE0/0/25, GE0/0/26 | 100 and 103 | - | Connects to Eth-Trunk 1 of the S7706. |
| | GE0/0/1 | - | 103 | - | Connects to cameras. |
| S5720EI-iStack | Eth-Trunk 0 | XGE0/0/1, XGE1/0/1 | 100, 104, 105, and 106 | - | Connects to Eth-Trunk 2 of the S7706. |
| | GE1/0/1 | - | 100 and 104 | - | Connects to AP_2. |
| | GE1/0/2 | - | 100, 105, and 106 | - | Connects to GE0/0/24 of the AD9430DN. |
| AD9430DN | GE0/0/24 | - | 100, 105, and 106 | - | Connects to GE1/0/2 of the S5720EI-iStack. |
| | GE0/0/0 | - | 100, 105, and 106 | - | Connects to the R250D. |
| R250D | GE0/0/0 | - | 100, 105, and 106 | - | Connects to GE0/0/0 of the AD9430DN. |
| | GE0/0/1 | - | 106 | - | Connects to the IPTV. |
| Item | Data |
|---|---|
| IP address of the CAPWAP source interface | 172.16.100.1 |
| Management VLAN for APs | 100 |
| VRRP group | Virtual IP address of VLANIF 100: 172.16.100.1; ID of the management VRRP group: 1; backup services: DHCP, user access, and AP services. AC6605_1: AC6605_2: |
| DHCP server | |
| AAA | |
| RADIUS server | |
| Portal server template | |
| URL template | |
| Portal access profile | |
| Authentication-free rule profile | |
| MAC access profile | Name: hotel |
| Authentication profile | |
| AP group | |
| SSID profile | |
| Security profile | |
| Traffic profile | |
| RRM profile | |
| 2G radio profile | |
| 5G radio profile | |
| Wired port profile | |
| Agile Controller-Campus | |
| VAP | |
Configuration Procedure
Configuring the S7706
- Configure the two S7706 switches to set up a CSS.
- Install CSS cards on S7706_1 and S7706_2, and connect cluster cables. For details on CSS setup, see CSS of S Switches.
- Check the CSS status to confirm that the CSS of S7706 switches has been successfully set up.
- Log in to the switch through the console interface, and pre-configure the web management system account, Telnet account, and IP address of the management network interface.
```
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] telnet server enable
[CSS] user-interface vty 0 4
[CSS-ui-vty0-4] user privilege level 15
[CSS-ui-vty0-4] authentication-mode aaa
[CSS-ui-vty0-4] protocol inbound all
[CSS-ui-vty0-4] quit
[CSS] aaa
[CSS-aaa] local-user admin password irreversible-cipher Root@123
[CSS-aaa] local-user admin privilege level 15
[CSS-aaa] local-user admin service-type http telnet
[CSS-aaa] quit
[CSS] interface ethernet 0/0/0/0
[CSS-Ethernet0/0/0/0] ip address 192.168.0.3 24
[CSS-Ethernet0/0/0/0] quit
```
- Log in to the CSS through the web management system.
- Connect the PC to the management network interface of the S7706 and set the local connection IP address of the PC to 192.168.0.2/24. Enter https://192.168.0.3 in the browser address box. On the displayed page, enter the user name (admin) and password (Root@123), select EasyOperation, and click GO to enter the CSS.
- The CSS is successfully established if the active and standby switches are displayed on the home page.
- Configure multi-active detection (MAD) in direct mode on cluster interfaces. This function can only be enabled through the CLI. Click the icon in the lower right corner of the page to enter the CLI.
If the CLI does not open in the browser, choose …, select Custom level, and choose Enable or Prompt next to Initialize and script ActiveX controls not marked as safe for scripting to display the CLI. Internet Explorer 10.0 is used in the preceding example.
- Configure MAD in direct mode on GE1/1/1/7.
```
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit
```
- Configure MAD in direct mode on GE2/1/1/7.
```
[CSS] interface gigabitethernet 2/1/1/7
[CSS-GigabitEthernet2/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet2/1/1/7] quit
```
- Check detailed MAD configuration of the CSS.
```
[CSS] display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
  GigabitEthernet1/1/1/7
  GigabitEthernet2/1/1/7
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
  XGigabitEthernet1/6/0/0
  XGigabitEthernet2/6/0/0
```
- Configure Eth-Trunks connecting the S7706s to the AC6605s, S5700-LIs, and S5720-EI.
- Choose Configuration > Basic Services > Interface Settings, and click Connect to Switch under Select Task. Select interfaces according to Table 4-213, select Enable link aggregation, and set Eth-Trunk and Allowed VLANs. After the configuration is complete, click Apply.
- Configure the interface on the S7706 connecting to the Agile Controller-Campus.
# Choose Configuration > Basic Services > Interface Settings, and click Connect to PC under Select Task. Select the interface (GE2/2/1/5) to be configured, and set Default VLAN to 10. After the configuration is complete, click Apply.
- Create Loopback 0 and set the OSPF router ID to the loopback interface address. This function can only be configured through the CLI. Click the icon in the lower right corner of the page to enter the CLI.
```
[CSS] interface loopback 0
[CSS-LoopBack0] ip address 3.3.3.3 32 //Router ID
[CSS-LoopBack0] quit
```
- Configure an IP address for the VLANIF interface connected to the Agile Controller-Campus.
# Choose …, and select VLAN 10. In the Modify VLAN dialog box that is displayed, select Create VLANIF, and configure an IP address and a mask for VLANIF 10.
- Configure DHCP on the S7706.
- Enable DHCP globally.
# Choose …, and set DHCP status to ON.
- Choose …, and select VLAN 106. In the Modify VLAN dialog box that is displayed, select Create VLANIF, and configure an IP address and a mask for VLANIF 106.
- Choose Configuration > Basic Services > DHCP, and click Create. On the Create IP Pool page that is displayed, configure DHCP parameters and click OK.
- In the same way, set the IP addresses of the VLANIF interfaces for VLANs 100 through 105 to 172.16.100.4/24, 172.16.101.1/24, 172.16.102.1/24, 172.16.103.1/24, 172.16.104.1/24, and 172.16.105.1/24, respectively, and configure DHCP address pools for these VLANs.
- Configure a route.
- Configure an OSPF route. This function can only be configured through the CLI. Click the icon in the lower right corner of the page to enter the CLI.
```
[CSS] router id 3.3.3.3
[CSS] ospf 1
[CSS-ospf-1] area 0.0.0.0
[CSS-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255      //Configure the network segment for connecting to the Agile Controller-Campus.
[CSS-ospf-1-area-0.0.0.0] network 172.16.100.0 0.0.0.255  //Configure the network segment of service VLAN 100.
[CSS-ospf-1-area-0.0.0.0] network 172.16.101.0 0.0.0.255  //Configure the network segment of service VLAN 101.
[CSS-ospf-1-area-0.0.0.0] network 172.16.102.0 0.0.0.255  //Configure the network segment of service VLAN 102.
[CSS-ospf-1-area-0.0.0.0] network 172.16.103.0 0.0.0.255  //Configure the network segment of service VLAN 103.
[CSS-ospf-1-area-0.0.0.0] network 172.16.104.0 0.0.0.255  //Configure the network segment of service VLAN 104.
[CSS-ospf-1-area-0.0.0.0] network 172.16.105.0 0.0.0.255  //Configure the network segment of service VLAN 105.
[CSS-ospf-1-area-0.0.0.0] network 172.16.106.0 0.0.0.255  //Configure the network segment of service VLAN 106.
[CSS-ospf-1-area-0.0.0.0] quit
[CSS-ospf-1] quit
```
- Configure MAC address + Portal authentication for wired office users, and configure MAC address authentication for surveillance cameras and wired IPTV users.
- Configure a RADIUS server template.
- Choose Configuration > Security Services > AAA, and click the RADIUS tab.
- Under RADIUS Server Profile, click Create. The Create RADIUS Server Profile page is displayed. Set Profile name to hotel and configure Profile default shared key. Click Create Server. The Create Server Configuration page is displayed.
On the Create Server Configuration page, set IP Address to 10.1.0.2. Select Authentication under Server Settings, set Port number to 1812 and Source address of outgoing packets to 10.1.0.1, and retain the default values for other parameters. Select Accounting under Server Settings, set Port number to 1813 and Source address of outgoing packets to 10.1.0.1, and retain the default values for other parameters. On the Create Server Configuration page, click OK. On the Create RADIUS Server Profile page, click OK.
- Configure parameters for the authorization servers.
On the Authorization Server Template page, click Create. The Create Authorization Server page is displayed. Set Authorization server IP address to 10.1.0.2 and Profile name to hotel, and configure key. Click OK.
- Configure an authentication scheme and an accounting scheme.
- Choose Configuration > Security Services > AAA. Click the Authentication/Authorization/Accounting Scheme tab. Click the arrow to the left of Authentication Scheme List and then click Create. On the Create Authentication Scheme page that is displayed, set Authentication scheme name to hotel and First authentication to RADIUS authentication. Use the default settings for the other parameters and click OK.
- Click the arrow to the left of Accounting Scheme List and then click Create. On the Create Accounting Scheme page that is displayed, set Accounting scheme name to hotel, Accounting mode to RADIUS accounting, Real-time accounting to ON, and Real-time accounting interval (minutes) to 15. Use the default settings for the other parameters and click OK.
- Configure a domain profile.
- Choose Configuration > Security Services > AAA Profile Mgmt. Click Domain Profile under Authentication Profile, and click Create. On the page that is displayed, set Profile name to hotel and click OK.
- Choose domain profile hotel under Authentication Profile. Set Authentication scheme to hotel, Accounting scheme to hotel, and RADIUS server profile to hotel, and Authorization scheme to default. Use the default settings for the other parameters and click Apply.
- Configure a Portal server template.
# Choose Configuration > Security Services > AAA. Click the Portal Server Global Configuration tab. In Portal Authentication Server List, click Create. Configure parameters for the authentication server and then click OK.
- Configure a MAC authentication profile and a Portal authentication profile.
- Choose Configuration > Security Services > AAA Profile Mgmt. On the Profile Management page that is displayed, choose MAC Authentication Profile from the navigation tree on the left. Click Create, set Profile name to hotel, and click OK.
- On the page that is displayed, set User name mode to MAC address and use the default settings for the other parameters. Click Apply.
- Click Portal Profile under Authentication Profile. Click Create, set Profile name to hotel, and click OK.
- On the page that is displayed, set Primary Portal server group to hotel and Authentication mode to Layer 2 authentication. Use the default settings for the other parameters and click Apply.
- Configure an authentication-free rule profile.
- Choose default_free_rule under Authentication-free Rule Profile. Click Create. On the page that is displayed, set the rule number to 1 and destination IP address to Specified, enter the destination IP address 8.8.8.8/32, and click OK.
- Configure an authentication profile.
- Choose Configuration > Security Services > AAA Profile Mgmt. Click Authentication Profile and then Create. Set Profile name to hotel and then click OK.
- Bind a Portal profile to an authentication profile. Click + to the left of authentication profile hotel and click Portal Profile. On the page that is displayed, set Portal Profile to hotel, Primary Portal server group to hotel, and Authentication mode to Layer 2 authentication. Use the default settings for the other parameters and click Apply.
- Bind a MAC authentication profile to an authentication profile. Click + to the left of authentication profile hotel and click MAC Authentication Profile. On the page that is displayed, set MAC Authentication Profile to hotel and click Apply.
- Bind the authentication-free rule profile to the authentication profile. Select Authentication-free Rule Profile under hotel, select default_free_rule, and click Apply.
- Bind an authentication profile to a domain profile. Click + to the left of authentication profile hotel and click Domain Profile. On the page that is displayed, set Domain Profile to hotel and click Apply.
- Configure an authentication profile for dumb terminals.
- Choose Configuration > Security Services > AAA. Click the Authentication Profile tab and then click Create. Set Profile name to hotel_mac and then click OK.
- Click + to the left of authentication profile hotel_mac and click MAC Authentication Profile. On the page that is displayed, set MAC Authentication Profile to hotel and click Apply.
- Click + to the left of authentication profile hotel_mac and click Domain Profile. On the page that is displayed, set Domain Profile to hotel and click Apply.
- Bind the authentication profile to the wired user VLAN, and enable user authentication.
- Choose Configuration > Security Services > AAA Service App and click the Wired Interface Authentication tab.
- Under VLAN Authentication, click next to the VLAN text box. On the page that is displayed, select VLAN101 and click OK.
- Set Authentication Profile to hotel and click Apply.
- Perform configurations for wired service VLANs 103 and 106 using the same method. Set Authentication Profile to hotel_mac. Click Apply.
- Configure an ACL policy to manage network rights for different user groups. Table 4-214 lists the rights of different users to access the office server (on the IP address segment 10.100.2.0/24), the IPTV server (on the IP address segment 10.100.3.0/24), and the Internet.

Table 4-214 Network access rights for different types of users

| User Type | Office Server | IPTV Server | Internet |
|---|---|---|---|
| Wired office users | √ | × | √ |
| Wireless office users | × | × | √ |
| Wireless guests | × | × | √ |
| Wireless visitors | × | × | √ |
| Wired IPTV devices | × | √ | × |
- Choose Configuration > Security Services > ACL Config > ACL Config. Click Create. In the dialog box that is displayed, configure an ACL policy for wired office users and click OK.
- Select an ACL and click Add Rule. Configure an ACL rule that forbids hotel employees from accessing the IPTV server.
- In the same way, configure ACL policies acl-wireless, acl-visitor, and acl-guest for wireless office users, wireless visitors, and wireless guests, respectively. Forbid these users from accessing the IPTV and office servers, and allow them to access the Internet. Configure ACL policy acl-iptv for wired IPTV devices: allow these devices to access the IPTV server, and deny their access to the office server and the Internet.
- Configure and apply ACL rules on an interface to enable interface-based packet filtering. Choose Configuration > Security Services > ACL Reference. Select Interface ACL and configure an interface-based ACL rule. After the configuration is complete, click Apply.
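The access matrix in Table 4-214 is small enough to be checked by hand, but it is easy to get a first-match ACL wrong (for example, placing the permit-any rule before the IPTV-server deny). The following Python script is an added example, not part of the Huawei case or the web UI: it encodes the table, renders a Huawei-style advanced ACL for each user group, and evaluates a destination IP against that ACL with first-match semantics so the generated rules can be verified before they are applied. The ACL name acl-office, the ACL numbers 3000 to 3004, and the exact `acl name` syntax are assumptions; the other ACL names and the server segments come from the page.

```python
import ipaddress

# Server segments named in Table 4-214 (from the page); any other destination
# counts as "Internet".
OFFICE_SERVER = ipaddress.ip_network("10.100.2.0/24")
IPTV_SERVER = ipaddress.ip_network("10.100.3.0/24")

# Table 4-214: (office server, IPTV server, Internet) allowed per user type.
ACCESS_MATRIX = {
    "Wired office users":    (True,  False, True),
    "Wireless office users": (False, False, True),
    "Wireless guests":       (False, False, True),
    "Wireless visitors":     (False, False, True),
    "Wired IPTV devices":    (False, True,  False),
}

# ACL names from the page; "acl-office" and all ACL numbers are assumptions
# (Huawei advanced ACLs use the 3000-3999 range).
ACL_IDS = {
    "Wired office users":    ("acl-office",   3000),
    "Wireless office users": ("acl-wireless", 3001),
    "Wireless visitors":     ("acl-visitor",  3002),
    "Wireless guests":       ("acl-guest",    3003),
    "Wired IPTV devices":    ("acl-iptv",     3004),
}


def build_rules(user_type):
    """Return an ordered list of (action, network-or-None) rules for a user type.

    The two server rules come first; the final catch-all (network None)
    carries the Internet decision, so a packet never falls through to the
    switch's default behaviour for unmatched traffic.
    """
    office_ok, iptv_ok, internet_ok = ACCESS_MATRIX[user_type]
    return [
        ("permit" if office_ok else "deny", OFFICE_SERVER),
        ("permit" if iptv_ok else "deny", IPTV_SERVER),
        ("permit" if internet_ok else "deny", None),
    ]


def render_acl(user_type):
    """Render the rules as Huawei-style advanced ACL configuration text."""
    name, number = ACL_IDS[user_type]
    lines = [f"acl name {name} {number}"]
    for idx, (action, net) in enumerate(build_rules(user_type), start=1):
        rule_id = idx * 5  # leave gaps so rules can be inserted later
        if net is None:
            lines.append(f" rule {rule_id} {action} ip")
        else:
            # Huawei ACLs take a wildcard mask: 0 bits must match.
            lines.append(
                f" rule {rule_id} {action} ip destination "
                f"{net.network_address} {net.hostmask}"
            )
    return "\n".join(lines)


def check_access(user_type, dst_ip):
    """First-match evaluation of a destination IP against the user's ACL."""
    dst = ipaddress.ip_address(dst_ip)
    for action, net in build_rules(user_type):
        if net is None or dst in net:
            return action
    raise AssertionError("the catch-all rule guarantees a match")


if __name__ == "__main__":
    for user_type in ACCESS_MATRIX:
        print(render_acl(user_type))
        print()
    print(check_access("Wired IPTV devices", "8.8.8.8"))  # deny
```

Because every user group ends with an explicit permit-any or deny-any rule, the result does not depend on the default action of the interface the ACL is applied to; that is the property worth keeping when the rules are entered in the web UI.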
- Configure the security functions. These can only be configured through the CLI. Click the icon in the lower right corner of the page to enter the CLI.
- Enable the user-level rate limiting (enabled by default) if X series cards are installed on switches.
```
<CSS> system-view
[CSS] cpu-defend host-car enable
```
- Enable port-based attack defense (enabled by default), and run the display auto-port-defend configuration command to confirm it. The Auto-port-defend field shows enable.
```
[CSS] display auto-port-defend configuration
----------------------------------------------------------------------------
Name                                     : default
Related slot                             : <1/1,1/6,2/1,2/6,1/8>
Auto-port-defend                         : enable
Auto-port-defend sample                  : 5
Auto-port-defend aging-time              : 300 second(s)
Auto-port-defend arp-request threshold   : 60 pps(enable)
Auto-port-defend arp-reply threshold     : 60 pps(enable)
Auto-port-defend dhcp threshold          : 60 pps(enable)
Auto-port-defend icmp threshold          : 60 pps(enable)
Auto-port-defend igmp threshold          : 60 pps(enable)
Auto-port-defend ip-fragment threshold   : 30 pps(enable)
Auto-port-defend alarm                   : disable
----------------------------------------------------------------------------
```
- Enable attack source tracing (enabled by default), and run the display cpu-defend configuration all command to confirm the configuration.
```
[CSS] display cpu-defend configuration all
Car configurations on mainboard.
----------------------------------------------------------------------------
Packet Name             Status    Cir(Kbps)  Cbs(Byte)  Queue  Port-Type
----------------------------------------------------------------------------
8021x                   Enabled   128        24064      3      NA
8021x-ident             Enabled   64         12032      3      NA
8021x-ident-wlan        Enabled   64         12032      3      NA
8021x-start             Enabled   64         12032      3      NA
8021x-start-wlan        Enabled   16         10000      3      NA
8021x-wireless          Enabled   128        24064      3      NA
arp-miss                Enabled   64         12032      3      NA
arp-reply               Enabled   128        24064      3      NA
arp-request             Enabled   128        24064      3      NA
asdp                    Enabled   256        48128      6      NA
bfd                     Enabled   512        96256      6      NA
bgp                     Enabled   512        96256      5      NA
bgp4plus                Enabled   128        24064      5      NA
bpdu-tunnel             Enabled   512        96256      5      NA
capwap-association      Enabled   16         10000      4      NA
capwap-disassoc         Enabled   24         10000      3      NA
capwap-discov-bc        Enabled   16         10000      2      NA
capwap-discov-uc        Enabled   16         10000      2      NA
capwap-echo             Enabled   1024       192512     6      NA
capwap-keepalive        Enabled   1024       192512     6      NA
capwap-other            Enabled   400        75200      3      NA
cdp                     Enabled   128        24064      5      NA
dhcp-client             Enabled   512        96256      3      NA
dhcp-server             Enabled   512        96256     3      NA
.......................................
----------------------------------------------------------------------------
```
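Checking the "enabled by default" claims above by eye is fine for one switch, but the same display output is what an operator would collect from every core switch during a configuration audit. The following Python script is an added example, not part of the Huawei case: it parses the display auto-port-defend configuration output shown in the previous step (embedded here as a constructed sample, reflowed one field per line), extracts the per-protocol thresholds, and reports the settings a defender would want to see, in particular that port-based attack defense is on and that its alarm is not left at disable, since without the alarm a port being rate-limited produces no log or trap for the O&M team. The field names are those in the page's output; the audit rules themselves are this example's own assumptions about what a hardened baseline looks like.

```python
import re

# Constructed sample: the display auto-port-defend configuration output from
# the page, one field per line.
SAMPLE_OUTPUT = """\
[CSS] display auto-port-defend configuration
----------------------------------------------------------------------------
Name                                     : default
Related slot                             : <1/1,1/6,2/1,2/6,1/8>
Auto-port-defend                         : enable
Auto-port-defend sample                  : 5
Auto-port-defend aging-time              : 300 second(s)
Auto-port-defend arp-request threshold   : 60 pps(enable)
Auto-port-defend arp-reply threshold     : 60 pps(enable)
Auto-port-defend dhcp threshold          : 60 pps(enable)
Auto-port-defend icmp threshold          : 60 pps(enable)
Auto-port-defend igmp threshold          : 60 pps(enable)
Auto-port-defend ip-fragment threshold   : 30 pps(enable)
Auto-port-defend alarm                   : disable
----------------------------------------------------------------------------
"""

# "<count> pps(<enable|disable>)" as printed for each protocol threshold.
THRESHOLD_RE = re.compile(r"^(\d+)\s+pps\((enable|disable)\)$")
PREFIX = "Auto-port-defend "


def parse_port_defend(text):
    """Return the 'Field : value' pairs of the display output as a dict.

    Separator lines and the echoed command have no colon and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
    return fields


def thresholds(fields):
    """Map protocol name -> (pps, enabled) for every '... threshold' field."""
    result = {}
    for key, value in fields.items():
        if not (key.startswith(PREFIX) and key.endswith(" threshold")):
            continue
        match = THRESHOLD_RE.match(value)
        if match is None:
            continue  # unexpected format: leave it out rather than guess
        proto = key[len(PREFIX):-len(" threshold")]
        result[proto] = (int(match.group(1)), match.group(2) == "enable")
    return result


def audit(fields):
    """Return a list of findings against the assumed hardened baseline."""
    findings = []
    if fields.get("Auto-port-defend") != "enable":
        findings.append("port-based attack defense is not enabled")
    if fields.get("Auto-port-defend alarm") != "enable":
        findings.append("auto-port-defend alarm is disabled: "
                        "no alarm is generated when a port is rate-limited")
    for proto, (pps, enabled) in sorted(thresholds(fields).items()):
        if not enabled:
            findings.append(f"{proto} threshold ({pps} pps) is disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_port_defend(SAMPLE_OUTPUT)
    for proto, (pps, enabled) in sorted(thresholds(parsed).items()):
        print(f"{proto:<12} {pps:>4} pps  {'on' if enabled else 'off'}")
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run against the page's own output, the script reports a single finding, the disabled alarm; the thresholds themselves are all active at their default rates.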
Configuring the AC6605
- Create VLANs, and configure interfaces to allow packets from the VLANs to pass to ensure network communication.
- Create VLAN 10, VLAN 40, and VLANs 100 through 106 on AC6605_1, and add the interfaces on AC6605_1 connected to S7706_1 and S7706_2 to VLAN 10 and VLAN 100, respectively.
```
<AC6605> system-view
[AC6605] sysname AC6605_1
[AC6605_1] vlan batch 10 40 100 to 106
[AC6605_1] dhcp enable
[AC6605_1] interface vlanif 10
[AC6605_1-Vlanif10] ip address 10.1.0.3 24
[AC6605_1-Vlanif10] quit
[AC6605_1] interface vlanif 100
[AC6605_1-Vlanif100] ip address 172.16.100.2 24
[AC6605_1-Vlanif100] dhcp select interface
[AC6605_1-Vlanif100] dhcp server excluded-ip-address 172.16.100.3
[AC6605_1-Vlanif100] quit
[AC6605_1] interface eth-trunk 50
[AC6605_1-Eth-Trunk50] description Connect to S7706_Eth-Trunk
[AC6605_1-Eth-Trunk50] port link-type trunk
[AC6605_1-Eth-Trunk50] port trunk allow-pass vlan 10 100
[AC6605_1-Eth-Trunk50] undo port trunk allow-pass vlan 1
[AC6605_1-Eth-Trunk50] quit
[AC6605_1] interface gigabitethernet 0/0/21
[AC6605_1-GigabitEthernet0/0/21] eth-trunk 50
[AC6605_1-GigabitEthernet0/0/21] quit
[AC6605_1] interface gigabitethernet 0/0/22
[AC6605_1-GigabitEthernet0/0/22] eth-trunk 50
[AC6605_1-GigabitEthernet0/0/22] quit
```
- Create VLAN 10, VLAN 40, and VLANs 100 through 106 on AC6605_2, and add the interfaces on AC6605_2 connected to S7706_1 and S7706_2 to VLAN 10 and VLAN 100, respectively.
```
<AC6605> system-view
[AC6605] sysname AC6605_2
[AC6605_2] vlan batch 10 40 100 to 106
[AC6605_2] dhcp enable
[AC6605_2] interface vlanif 10
[AC6605_2-Vlanif10] ip address 10.1.0.4 24
[AC6605_2-Vlanif10] quit
[AC6605_2] interface vlanif 100
[AC6605_2-Vlanif100] ip address 172.16.100.3 24
[AC6605_2-Vlanif100] dhcp select interface
[AC6605_2-Vlanif100] dhcp server excluded-ip-address 172.16.100.2
[AC6605_2-Vlanif100] quit
[AC6605_2] interface eth-trunk 50
[AC6605_2-Eth-Trunk50] description Connect to S7706_Eth-Trunk
[AC6605_2-Eth-Trunk50] port link-type trunk
[AC6605_2-Eth-Trunk50] port trunk allow-pass vlan 10 100
[AC6605_2-Eth-Trunk50] undo port trunk allow-pass vlan 1
[AC6605_2-Eth-Trunk50] quit
[AC6605_2] interface gigabitethernet 0/0/21
[AC6605_2-GigabitEthernet0/0/21] eth-trunk 50
[AC6605_2-GigabitEthernet0/0/21] quit
[AC6605_2] interface gigabitethernet 0/0/22
[AC6605_2-GigabitEthernet0/0/22] eth-trunk 50
[AC6605_2-GigabitEthernet0/0/22] quit
```
- Configure VRRP + HSB.
- Configure HSB connectivity between AC6605_1 and AC6605_2.
- Add GE0/0/2 on AC6605_1 connected to AC6605_2 to VLAN 40.
```
[AC6605_1] vlan 40
[AC6605_1-vlan40] quit
[AC6605_1] interface vlanif 40
[AC6605_1-Vlanif40] ip address 192.168.40.1 24
[AC6605_1-Vlanif40] quit
[AC6605_1] interface gigabitethernet 0/0/2
[AC6605_1-GigabitEthernet0/0/2] port link-type trunk
[AC6605_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[AC6605_1-GigabitEthernet0/0/2] quit
```
- Add GE0/0/2 on AC6605_2 connected to AC6605_1 to VLAN 40.
[AC6605_2] vlan 40
[AC6605_2-vlan40] quit
[AC6605_2] interface vlanif 40
[AC6605_2-Vlanif40] ip address 192.168.40.2 24
[AC6605_2-Vlanif40] quit
[AC6605_2] interface gigabitethernet 0/0/2
[AC6605_2-GigabitEthernet0/0/2] port link-type trunk
[AC6605_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[AC6605_2-GigabitEthernet0/0/2] quit
- Configure VRRP on AC6605_1 to implement AC hot standby.
- Set the recovery delay of the VRRP group to 60s.
[AC6605_1] vrrp recover-delay 60
- Create management VRRP group 1 on AC6605_1, set the priority of AC6605_1 in the VRRP management group to 120, and set the preemption time to 1200 seconds.
[AC6605_1] interface vlanif 100
[AC6605_1-Vlanif100] vrrp vrid 1 virtual-ip 172.16.100.1
[AC6605_1-Vlanif100] vrrp vrid 1 priority 120
[AC6605_1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200
[AC6605_1-Vlanif100] admin-vrrp vrid 1 //Configure VRRP group 1 as the management VRRP.
[AC6605_1-Vlanif100] quit
- Create HSB service 0 on AC6605_1, and configure the IP addresses and port numbers for the active and standby HSB channels.
[AC6605_1] hsb-service 0
[AC6605_1-hsb-service-0] service-ip-port local-ip 192.168.40.1 peer-ip 192.168.40.2 local-data-port 10241 peer-data-port 10241
[AC6605_1-hsb-service-0] quit
- Create HSB group 0 on AC6605_1, and bind it to HSB service 0 and management VRRP group 1.
[AC6605_1] hsb-group 0
[AC6605_1-hsb-group-0] bind-service 0
[AC6605_1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC6605_1-hsb-group-0] quit
- Bind AC6605_1 services to the HSB group.
[AC6605_1] hsb-service-type access-user hsb-group 0 //Bind the NAC service to HSB group 0.
[AC6605_1] hsb-service-type ap hsb-group 0 //Specify HSB group 0 for WLAN service backup.
[AC6605_1] hsb-service-type dhcp hsb-group 0 //Bind DHCP servers to HSB group 0.
[AC6605_1] hsb-group 0
[AC6605_1-hsb-group-0] hsb enable
[AC6605_1-hsb-group-0] quit
- Configure VRRP on AC6605_2 to implement AC hot standby.
- Set the recovery delay of the VRRP group to 60s.
[AC6605_2] vrrp recover-delay 60
- Create management VRRP group 1 on AC6605_2.
[AC6605_2] interface vlanif 100
[AC6605_2-Vlanif100] vrrp vrid 1 virtual-ip 172.16.100.1
[AC6605_2-Vlanif100] admin-vrrp vrid 1 //Configure VRRP group 1 as the management VRRP.
[AC6605_2-Vlanif100] quit
- Create HSB service 0 on AC6605_2, and configure the IP addresses and port numbers for the active and standby HSB channels.
[AC6605_2] hsb-service 0
[AC6605_2-hsb-service-0] service-ip-port local-ip 192.168.40.2 peer-ip 192.168.40.1 local-data-port 10241 peer-data-port 10241
[AC6605_2-hsb-service-0] quit
- Create HSB group 0 on AC6605_2, and bind it to HSB service 0 and management VRRP group 1.
[AC6605_2] hsb-group 0
[AC6605_2-hsb-group-0] bind-service 0
[AC6605_2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC6605_2-hsb-group-0] quit
- Bind AC6605_2 services to the HSB group.
[AC6605_2] hsb-service-type access-user hsb-group 0 //Bind the NAC service to HSB group 0.
[AC6605_2] hsb-service-type ap hsb-group 0 //Specify HSB group 0 for WLAN service backup.
[AC6605_2] hsb-service-type dhcp hsb-group 0 //Bind DHCP servers to HSB group 0.
[AC6605_2] hsb-group 0
[AC6605_2-hsb-group-0] hsb enable
[AC6605_2-hsb-group-0] quit
- Configure wireless user authentication on AC6605_1.
- Create and configure a RADIUS server template and an AAA scheme.
- Create and configure RADIUS server template hotel.
[AC6605_1] radius-server template hotel
[AC6605_1-radius-hotel] radius-server authentication 10.1.0.2 1812 source ip-address 172.16.100.1 weight 80 //Configure the authentication server.
[AC6605_1-radius-hotel] radius-server accounting 10.1.0.2 1813 source ip-address 172.16.100.1 weight 80 //Configure the accounting server.
[AC6605_1-radius-hotel] radius-server shared-key cipher Huawei@123
[AC6605_1-radius-hotel] quit
- Configure a RADIUS authorization server.
[AC6605_1] radius-server authorization 10.1.0.2 shared-key cipher Huawei@123
- Create AAA authentication scheme hotel and set the authentication mode to RADIUS.
[AC6605_1] aaa
[AC6605_1-aaa] authentication-scheme hotel
[AC6605_1-aaa-authen-hotel] authentication-mode radius //Set the authentication mode to RADIUS.
[AC6605_1-aaa-authen-hotel] quit
[AC6605_1-aaa] accounting-scheme hotel
[AC6605_1-aaa-accounting-hotel] accounting-mode radius //Set the accounting mode to RADIUS.
[AC6605_1-aaa-accounting-hotel] accounting realtime 15 //Enable real-time accounting and set the accounting interval to 15 minutes.
[AC6605_1-aaa-accounting-hotel] quit
[AC6605_1-aaa] quit
A shorter real-time accounting interval requires higher performance from the network devices and the RADIUS server. Set the real-time accounting interval based on the number of users. Table 4-215 lists the recommended real-time accounting intervals for different numbers of users.
- Configure a URL profile and set the redirection URL for the Portal server. Specify parameters in the URL, which include the SSID with which users associate and the original URL that users access.
[AC6605_1] url-template name hotel
[AC6605_1-url-template-hotel] url http://10.1.0.2:8080/portal
[AC6605_1-url-template-hotel] url-parameter ssid ssid redirect-url url
[AC6605_1-url-template-hotel] quit
- Configure a Portal server template.
[AC6605_1] web-auth-server hotel
[AC6605_1-web-auth-server-hotel] server-ip 10.1.0.2 //Configure the IP address of the Portal server.
[AC6605_1-web-auth-server-hotel] shared-key cipher Huawei@123 //Configure the shared key.
[AC6605_1-web-auth-server-hotel] port 50100 //Configure the port number of the Portal server.
[AC6605_1-web-auth-server-hotel] source-ip 172.16.100.1 //Configure the source IP address.
[AC6605_1-web-auth-server-hotel] url-template hotel
[AC6605_1-web-auth-server-hotel] quit
- Configure routes from AC6605_1 and AC6605_2 to the Agile Controller-Campus, and set the next hop to VLANIF 100 of the S7706.
[AC6605_1] ip route-static 0.0.0.0 0.0.0.0 172.16.100.4
[AC6605_2] ip route-static 0.0.0.0 0.0.0.0 172.16.100.4
- Configure WLAN services on the ACs to allow wireless access of users.
- Configure WLAN services on AC6605_1.
- Configure the source IP address of the CAPWAP tunnel.
[AC6605_1] capwap source ip-address 172.16.100.1
- Create an AP group on AC6605_1 to which APs with the same configuration can be added. The following uses AP_1 as an example.
[AC6605_1] wlan
[AC6605_1-wlan-view] ap-group name AP_group_office
[AC6605_1-wlan-ap-group-AP_group_office] quit
[AC6605_1-wlan-view] ap auth-mode mac-auth
[AC6605_1-wlan-view] ap-id 0 ap-mac 7079-90bb-1980
[AC6605_1-wlan-ap-0] ap-group AP_group_office
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605_1-wlan-ap-0] quit
- Configure other AP groups and add related APs based on the planning.
[AC6605_1-wlan-view] ap-group name AP_group_lobby
[AC6605_1-wlan-ap-group-AP_group_lobby] quit
[AC6605_1-wlan-view] ap-id 1 ap-mac 4cfa-cafe-c600
[AC6605_1-wlan-ap-1] ap-group AP_group_lobby
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605_1-wlan-ap-1] quit
[AC6605_1-wlan-view] ap-group name AP_group_room
[AC6605_1-wlan-ap-group-AP_group_room] quit
[AC6605_1-wlan-view] ap-id 2 ap-mac 002b-a376-fd00
[AC6605_1-wlan-ap-2] ap-group AP_group_room
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605_1-wlan-ap-2] quit
[AC6605_1-wlan-view] ap-id 3 ap-mac 60de-4476-e360
[AC6605_1-wlan-ap-3] ap-group AP_group_room
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605_1-wlan-ap-3] quit
[AC6605_1-wlan-view] quit
- Create AP system profile hotel and configure service holding upon CAPWAP link disconnection.
[AC6605_1] wlan
[AC6605_1-wlan-view] ap-system-profile name hotel
[AC6605_1-wlan-ap-system-prof-hotel] keep-service enable
[AC6605_1-wlan-ap-system-prof-hotel] quit
[AC6605_1-wlan-view] quit
- Create AP system profile hotel on AC6605_2 and configure service holding upon CAPWAP link disconnection in the same way.
- Bind the AP system profile to AP groups.
[AC6605_1] wlan
[AC6605_1-wlan-view] ap-group name AP_group_office
[AC6605_1-wlan-ap-group-AP_group_office] ap-system-profile hotel
[AC6605_1-wlan-ap-group-AP_group_office] quit
[AC6605_1-wlan-view] ap-group name AP_group_lobby
[AC6605_1-wlan-ap-group-AP_group_lobby] ap-system-profile hotel
[AC6605_1-wlan-ap-group-AP_group_lobby] quit
[AC6605_1-wlan-view] ap-group name AP_group_room
[AC6605_1-wlan-ap-group-AP_group_room] ap-system-profile hotel
[AC6605_1-wlan-ap-group-AP_group_room] quit
[AC6605_1-wlan-view] quit
- Configure MAC access profile hotel.
[AC6605_1] mac-access-profile name hotel
[AC6605_1-mac-access-profile-hotel] quit
- Configure Portal access profile hotel.
[AC6605_1] portal-access-profile name hotel
[AC6605_1-portal-access-profile-hotel] web-auth-server hotel direct
[AC6605_1-portal-access-profile-hotel] quit
- Configure an authentication-free rule profile.
[AC6605_1] free-rule-template name hotel
[AC6605_1-free-rule-hotel] quit
- Configure authentication profile hotel.
[AC6605_1] authentication-profile name hotel
[AC6605_1-authentication-profile-hotel] mac-access-profile hotel
[AC6605_1-authentication-profile-hotel] portal-access-profile hotel
[AC6605_1-authentication-profile-hotel] free-rule-template hotel
[AC6605_1-authentication-profile-hotel] authentication-scheme hotel
[AC6605_1-authentication-profile-hotel] accounting-scheme hotel
[AC6605_1-authentication-profile-hotel] radius-server hotel
[AC6605_1-authentication-profile-hotel] quit
- Create a security profile and configure a security policy. By default, the security policy is open system authentication.
[AC6605_1] wlan
[AC6605_1-wlan-view] security-profile name hotel
[AC6605_1-wlan-sec-prof-hotel] quit
- Create SSID profile hotel_employee for wireless office users.
[AC6605_1-wlan-view] ssid-profile name hotel_employee
[AC6605_1-wlan-ssid-prof-hotel_employee] ssid hotel_employee
[AC6605_1-wlan-ssid-prof-hotel_employee] association-timeout 1
[AC6605_1-wlan-ssid-prof-hotel_employee] quit
- Create SSID profiles hotel_visitor and hotel_guest for guests and visitors respectively in the same way.
- Create traffic profile hotel, enable isolation of all users, and set the STA-based rate limit to 10 Mbit/s.
[AC6605_1-wlan-view] traffic-profile name hotel
[AC6605_1-wlan-traffic-prof-hotel] user-isolate all
[AC6605_1-wlan-traffic-prof-hotel] rate-limit client up 10000
[AC6605_1-wlan-traffic-prof-hotel] rate-limit client down 10000
[AC6605_1-wlan-traffic-prof-hotel] quit
- Enable automatic radio calibration, enable policies load, noise-floor, non-wifi, and rogue-ap, and set the calibration sensitivity to high.
[AC6605_1-wlan-view] calibrate enable auto interval 1440 start-time 03:00:00
[AC6605_1-wlan-view] calibrate policy load
[AC6605_1-wlan-view] calibrate policy noise-floor
[AC6605_1-wlan-view] calibrate policy non-wifi
[AC6605_1-wlan-view] calibrate policy rogue-ap
[AC6605_1-wlan-view] calibrate sensitivity high
- Configure RRM profile hotel. Enable smart roaming, dynamic EDCA parameter adjustment, and dynamic load balancing to reduce co-channel interference when APs are densely deployed and alleviate the load on a single AP. Dynamic load balancing and smart roaming are enabled by default.
[AC6605_1-wlan-view] rrm-profile name hotel
[AC6605_1-wlan-rrm-prof-hotel] smart-roam roam-threshold snr 25
[AC6605_1-wlan-rrm-prof-hotel] smart-roam quick-kickoff-threshold snr 20
[AC6605_1-wlan-rrm-prof-hotel] dynamic-edca enable
[AC6605_1-wlan-rrm-prof-hotel] quit
- Create a VAP profile for wireless office users, set the service data forwarding mode and service VLAN, and bind the security, SSID, traffic, and authentication profiles to the VAP profile. Configure broadcast flood detection and suppression.
[AC6605_1-wlan-view] vap-profile name hotel_employee
[AC6605_1-wlan-vap-prof-hotel_employee] forward-mode direct-forward
[AC6605_1-wlan-vap-prof-hotel_employee] service-vlan vlan-id 102
[AC6605_1-wlan-vap-prof-hotel_employee] security-profile hotel
[AC6605_1-wlan-vap-prof-hotel_employee] ssid-profile hotel_employee
[AC6605_1-wlan-vap-prof-hotel_employee] traffic-profile hotel
[AC6605_1-wlan-vap-prof-hotel_employee] authentication-profile hotel
[AC6605_1-wlan-vap-prof-hotel_employee] anti-attack flood arp sta-rate-threshold 10
[AC6605_1-wlan-vap-prof-hotel_employee] quit
- Create VAP profiles for guests and visitors in the same way. Table 4-216 lists the specific configuration parameters.
Table 4-216 VAP configuration parameters
| Object | VAP Profile | Forwarding Mode | Service VLAN | Security Profile | SSID Profile | Authentication Profile | Traffic Profile | ARP Flood Detection and Suppression Rate Threshold |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Office employees | hotel_employee | direct forwarding | VLAN 102 | hotel | hotel_employee | hotel | hotel | 10 pps |
| Guests | hotel_guest | direct forwarding | VLAN 105 | hotel | hotel_guest | hotel | hotel | 10 pps |
| Visitors | hotel_visitor | direct forwarding | VLAN 104 | hotel | hotel_visitor | hotel | hotel | 10 pps |
- Create radio profiles on AC6605_1.
[AC6605_1-wlan-view] radio-2g-profile name 2G_hotel
[AC6605_1-wlan-radio-2g-prof-2G_hotel] rrm-profile hotel
[AC6605_1-wlan-radio-2g-prof-2G_hotel] beacon-interval 160
[AC6605_1-wlan-radio-2g-prof-2G_hotel] quit
[AC6605_1-wlan-view] radio-5g-profile name 5G_hotel
[AC6605_1-wlan-radio-5g-prof-5G_hotel] rrm-profile hotel
[AC6605_1-wlan-radio-5g-prof-5G_hotel] rts-cts-mode rts-cts
[AC6605_1-wlan-radio-5g-prof-5G_hotel] quit
- Bind corresponding VAP profiles to the AP groups, and apply the VAP profile configurations to radio 0 and radio 1 of the APs.
[AC6605_1-wlan-view] ap-group name AP_group_office
[AC6605_1-wlan-ap-group-AP_group_office] vap-profile hotel_employee wlan 1 radio all
[AC6605_1-wlan-ap-group-AP_group_office] radio 0
[AC6605_1-wlan-group-radio-AP_group_office/0] radio-2g-profile 2G_hotel
[AC6605_1-wlan-group-radio-AP_group_office/0] quit
[AC6605_1-wlan-ap-group-AP_group_office] radio 1
[AC6605_1-wlan-group-radio-AP_group_office/1] radio-5g-profile 5G_hotel
[AC6605_1-wlan-group-radio-AP_group_office/1] quit
[AC6605_1-wlan-ap-group-AP_group_office] quit
[AC6605_1-wlan-view] ap-group name AP_group_lobby
[AC6605_1-wlan-ap-group-AP_group_lobby] vap-profile hotel_employee wlan 1 radio all
[AC6605_1-wlan-ap-group-AP_group_lobby] vap-profile hotel_guest wlan 2 radio all
[AC6605_1-wlan-ap-group-AP_group_lobby] vap-profile hotel_visitor wlan 3 radio all
[AC6605_1-wlan-ap-group-AP_group_lobby] radio 0
[AC6605_1-wlan-group-radio-AP_group_lobby/0] radio-2g-profile 2G_hotel
[AC6605_1-wlan-group-radio-AP_group_lobby/0] quit
[AC6605_1-wlan-ap-group-AP_group_lobby] radio 1
[AC6605_1-wlan-group-radio-AP_group_lobby/1] radio-5g-profile 5G_hotel
[AC6605_1-wlan-group-radio-AP_group_lobby/1] quit
[AC6605_1-wlan-ap-group-AP_group_lobby] quit
[AC6605_1-wlan-view] ap-group name AP_group_room
[AC6605_1-wlan-ap-group-AP_group_room] vap-profile hotel_guest wlan 1 radio all
[AC6605_1-wlan-ap-group-AP_group_room] radio 0
[AC6605_1-wlan-group-radio-AP_group_room/0] radio-2g-profile 2G_hotel
[AC6605_1-wlan-group-radio-AP_group_room/0] quit
[AC6605_1-wlan-ap-group-AP_group_room] radio 1
[AC6605_1-wlan-group-radio-AP_group_room/1] radio-5g-profile 5G_hotel
[AC6605_1-wlan-group-radio-AP_group_room/1] quit
[AC6605_1-wlan-ap-group-AP_group_room] quit
- Configure AP wired port profiles.
[AC6605_1-wlan-view] wired-port-profile name wired_port1
[AC6605_1-wlan-wired-port-wired_port1] vlan pvid 106
[AC6605_1-wlan-wired-port-wired_port1] vlan untagged 106
[AC6605_1-wlan-wired-port-wired_port1] mode endpoint
[AC6605_1-wlan-wired-port-wired_port1] quit
[AC6605_1-wlan-view] wired-port-profile name wired_port2
[AC6605_1-wlan-wired-port-wired_port2] vlan tagged 106
[AC6605_1-wlan-wired-port-wired_port2] quit
- Bind the AP wired port profiles to AP group AP_group_room.
[AC6605_1-wlan-view] ap-group name AP_group_room
[AC6605_1-wlan-ap-group-AP_group_room] wired-port-profile wired_port1 gigabitethernet 1
[AC6605_1-wlan-ap-group-AP_group_room] wired-port-profile wired_port2 gigabitethernet 24
[AC6605_1-wlan-ap-group-AP_group_room] quit
[AC6605_1-wlan-view] quit
- Configure private WLAN service parameters on AC6605_2.
# Configure the source IP address of AC6605_2.
[AC6605_2] capwap source ip-address 172.16.100.1
- Configure wireless configuration synchronization in VRRP HSB scenarios.
After wireless configuration synchronization is configured, the functions that are not manually configured on AC6605_2 (such as the RADIUS server template and WLAN services) are automatically synchronized from AC6605_1 to AC6605_2.
- Configure wireless configuration synchronization on AC6605_1.
[AC6605_1] wlan
[AC6605_1-wlan-view] master controller
[AC6605_1-master-controller] master-redundancy peer-ip ip-address 172.16.100.3 local-ip ip-address 172.16.100.2 psk Huawei@123
[AC6605_1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC6605_1-master-controller] quit
[AC6605_1-wlan-view] quit
- Configure wireless configuration synchronization on AC6605_2.
[AC6605_2] wlan
[AC6605_2-wlan-view] master controller
[AC6605_2-master-controller] master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.3 psk Huawei@123
[AC6605_2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC6605_2-master-controller] quit
[AC6605_2-wlan-view] quit
- Trigger wireless configuration synchronization manually. Run the display sync-configuration status command to check the wireless configuration synchronization status. If the status in the command output is displayed as cfg-mismatch, manually trigger wireless configuration synchronization on AC6605_1. Wireless configurations are then synchronized to AC6605_2 after a restart.
[AC6605_1] display sync-configuration status
Controller role:Master/Backup/Local
------------------------------------------------------------------------------------
Controller IP     Role      Device Type   Version        Status
------------------------------------------------------------------------------------
172.16.100.3      Backup    AC6605        V200R010C00    cfg-mismatch(config check fail)
------------------------------------------------------------------------------------
Total: 1
[AC6605_1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
Configuring the S5700-LI
- Configure VLANs on S5700-LI_1 for the office network.
- Create VLANs 100 through 102. VLAN 100 is the management VLAN of APs, VLAN 101 is the wired office service VLAN, and VLAN 102 is the wireless office service VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S5700_1
[S5700_1] vlan batch 100 to 102
- Configure the interfaces connected to the S7706s to allow packets from VLANs 100 through 102 to pass through.
[S5700_1] interface eth-trunk 0
[S5700_1-Eth-Trunk0] port link-type trunk
[S5700_1-Eth-Trunk0] port trunk allow-pass vlan 100 to 102
[S5700_1-Eth-Trunk0] quit
[S5700_1] interface gigabitethernet 0/0/25
[S5700_1-GigabitEthernet0/0/25] eth-trunk 0
[S5700_1-GigabitEthernet0/0/25] quit
[S5700_1] interface gigabitethernet 0/0/26
[S5700_1-GigabitEthernet0/0/26] eth-trunk 0
[S5700_1-GigabitEthernet0/0/26] quit
- Configure the interface connected to the PC.
[S5700_1] interface gigabitethernet 0/0/1
[S5700_1-GigabitEthernet0/0/1] port link-type access
[S5700_1-GigabitEthernet0/0/1] port default vlan 101
[S5700_1-GigabitEthernet0/0/1] quit
- Configure the interface connected to AP_1, and enable port isolation.
[S5700_1] interface gigabitethernet 0/0/2
[S5700_1-GigabitEthernet0/0/2] port link-type trunk
[S5700_1-GigabitEthernet0/0/2] port trunk pvid vlan 100
[S5700_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[S5700_1-GigabitEthernet0/0/2] port-isolate enable
[S5700_1-GigabitEthernet0/0/2] quit
- Configure DHCP snooping on S5700-LI_1.
- Enable DHCP globally.
[S5700_1] dhcp enable
- Enable DHCP snooping globally.
[S5700_1] dhcp snooping enable
- Enable DHCP snooping in VLAN 101.
[S5700_1] vlan 101
[S5700_1-vlan101] dhcp snooping enable
[S5700_1-vlan101] quit
- Configure multicast packet suppression.
# If direct forwarding is used to forward wireless service data, it is recommended that multicast packet suppression be configured on the interface directly connected to the AP.
Create traffic classifier test and define a matching rule.
[S5700_1] traffic classifier test
[S5700_1-classifier-test] if-match destination-mac 0100-5e00-0000 ffff-ff00-0000
[S5700_1-classifier-test] quit
Create traffic behavior test, enable traffic statistics collection, and set the traffic rate limit.
[S5700_1] traffic behavior test
[S5700_1-behavior-test] statistic enable
[S5700_1-behavior-test] car cir 100
[S5700_1-behavior-test] quit
Create traffic policy test, and bind the traffic classifier and traffic behavior to the traffic policy.
[S5700_1] traffic policy test
[S5700_1-trafficpolicy-test] classifier test behavior test
[S5700_1-trafficpolicy-test] quit
Apply the traffic policy to the inbound and outbound directions of the interface.
[S5700_1] interface gigabitethernet 0/0/2
[S5700_1-GigabitEthernet0/0/2] traffic-policy test inbound
[S5700_1-GigabitEthernet0/0/2] traffic-policy test outbound
[S5700_1-GigabitEthernet0/0/2] quit
- Configure VLANs on S5700-LI_2 for the security surveillance network.
- Create VLAN 100 and VLAN 103. VLAN 100 is the management VLAN of APs, and VLAN 103 is the wired service VLAN for surveillance cameras.
<HUAWEI> system-view
[HUAWEI] sysname S5700_2
[S5700_2] vlan batch 100 103
- Configure the interfaces connected to the S7706s to allow packets from VLANs 100 and 103 to pass through.
[S5700_2] interface eth-trunk 0
[S5700_2-Eth-Trunk0] port link-type trunk
[S5700_2-Eth-Trunk0] port trunk allow-pass vlan 100 103
[S5700_2-Eth-Trunk0] quit
[S5700_2] interface gigabitethernet 0/0/25
[S5700_2-GigabitEthernet0/0/25] eth-trunk 0
[S5700_2-GigabitEthernet0/0/25] quit
[S5700_2] interface gigabitethernet 0/0/26
[S5700_2-GigabitEthernet0/0/26] eth-trunk 0
[S5700_2-GigabitEthernet0/0/26] quit
- Configure the interface connected to the surveillance camera.
[S5700_2] interface gigabitethernet 0/0/1
[S5700_2-GigabitEthernet0/0/1] port link-type access
[S5700_2-GigabitEthernet0/0/1] port default vlan 103
[S5700_2-GigabitEthernet0/0/1] quit
- Configure DHCP snooping on S5700-LI_2.
- Enable DHCP globally.
[S5700_2] dhcp enable
- Enable DHCP snooping globally.
[S5700_2] dhcp snooping enable
- Enable DHCP snooping in VLAN 103.
[S5700_2] vlan 103
[S5700_2-vlan103] dhcp snooping enable
[S5700_2-vlan103] quit
Configuring the S5720-EI
- Configure the two S5720-EI switches to set up a stack.
- Install stack cards on the two S5720-EI switches and connect them using stack cables. The switches then automatically set up a stack. For details, see iStack of S Switch.
- Check the stack status and verify that the stack is successfully set up.
- Configure VLANs.
- Create VLAN 100 and VLANs 104 through 106. VLAN 100 is the management VLAN of the AC6605, and VLANs 104 through 106 are VLANs for wireless visitors, wireless guests, and wired IPTV services, respectively.
<HUAWEI> system-view
[HUAWEI] sysname S5720EI-iStack
[S5720EI-iStack] vlan batch 100 104 to 106
- Configure the interfaces connected to the S7706s to allow packets from VLAN 100 and VLANs 104 through 106 to pass through.
[S5720EI-iStack] interface eth-trunk 0
[S5720EI-iStack-Eth-Trunk0] port link-type trunk
[S5720EI-iStack-Eth-Trunk0] port trunk allow-pass vlan 100 104 to 106
[S5720EI-iStack-Eth-Trunk0] quit
[S5720EI-iStack] interface xgigabitethernet 0/0/1
[S5720EI-iStack-XGigabitEthernet0/0/1] eth-trunk 0
[S5720EI-iStack-XGigabitEthernet0/0/1] quit
[S5720EI-iStack] interface xgigabitethernet 1/0/1
[S5720EI-iStack-XGigabitEthernet1/0/1] eth-trunk 0
[S5720EI-iStack-XGigabitEthernet1/0/1] quit
- Configure the interface connected to AP_2 and enable port isolation.
[S5720EI-iStack] interface gigabitethernet 1/0/1
[S5720EI-iStack-GigabitEthernet1/0/1] port link-type trunk
[S5720EI-iStack-GigabitEthernet1/0/1] port trunk pvid vlan 100
[S5720EI-iStack-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 104 to 105
[S5720EI-iStack-GigabitEthernet1/0/1] port-isolate enable
[S5720EI-iStack-GigabitEthernet1/0/1] quit
- Configure the interface connected to the AD9430DN and enable port isolation.
[S5720EI-iStack] interface gigabitethernet 1/0/2
[S5720EI-iStack-GigabitEthernet1/0/2] port link-type trunk
[S5720EI-iStack-GigabitEthernet1/0/2] port trunk pvid vlan 100
[S5720EI-iStack-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 105 to 106
[S5720EI-iStack-GigabitEthernet1/0/2] port-isolate enable
[S5720EI-iStack-GigabitEthernet1/0/2] quit
- Configure multicast packet suppression.
# If direct forwarding is used to forward wireless service data, it is recommended that multicast packet suppression be configured on the interface directly connected to the AP.
Create traffic classifier test and define a matching rule.
[S5720EI-iStack] traffic classifier test
[S5720EI-iStack-classifier-test] if-match destination-mac 0100-5e00-0000 ffff-ff00-0000
[S5720EI-iStack-classifier-test] quit
Create traffic behavior test, enable traffic statistics collection, and set the traffic rate limit.
[S5720EI-iStack] traffic behavior test
[S5720EI-iStack-behavior-test] statistic enable
[S5720EI-iStack-behavior-test] car cir 100
[S5720EI-iStack-behavior-test] quit
Create traffic policy test, and bind the traffic classifier and traffic behavior to the traffic policy.
[S5720EI-iStack] traffic policy test
[S5720EI-iStack-trafficpolicy-test] classifier test behavior test
[S5720EI-iStack-trafficpolicy-test] quit
Apply the traffic policy to the inbound and outbound directions of the interfaces.
[S5720EI-iStack] interface gigabitethernet 1/0/1
[S5720EI-iStack-GigabitEthernet1/0/1] traffic-policy test inbound
[S5720EI-iStack-GigabitEthernet1/0/1] traffic-policy test outbound
[S5720EI-iStack-GigabitEthernet1/0/1] quit
[S5720EI-iStack] interface gigabitethernet 1/0/2
[S5720EI-iStack-GigabitEthernet1/0/2] traffic-policy test inbound
[S5720EI-iStack-GigabitEthernet1/0/2] traffic-policy test outbound
[S5720EI-iStack-GigabitEthernet1/0/2] quit
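As an added example (not from the Huawei guide), the following Python code reproduces what the multicast-suppression classifier configured on S5700_1 and on the S5720EI stack actually selects: it maps IPv4 groups to 01-00-5e MAC addresses (RFC 1112) and applies the destination-mac value/mask match of traffic classifier test to constructed frames. The sample frames and their descriptions are constructed, not captured.

```python
"""Added example: what 'if-match destination-mac 0100-5e00-0000 ffff-ff00-0000'
selects on the AP-facing ports, and therefore what 'car cir 100' rate-limits.
"""
import ipaddress
from typing import List, Tuple


def parse_huawei_mac(text: str) -> int:
    """Parse Huawei's xxxx-xxxx-xxxx MAC notation (or colon form) into a 48-bit int."""
    hexstr = text.replace("-", "").replace(":", "")
    if len(hexstr) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(hexstr, 16)


def format_mac(mac: int) -> str:
    """Render a 48-bit int in Huawei's xxxx-xxxx-xxxx notation."""
    h = f"{mac:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ipv4_group_to_mac(group: str) -> int:
    """RFC 1112 mapping: the low 23 bits of the group address are placed into
    01-00-5e-00-00-00. The top 5 bits of the 28-bit group ID are dropped, so
    32 distinct groups share one MAC address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return 0x01005E000000 | (int(addr) & 0x7FFFFF)


def classifier_matches(dst_mac: int, value: str, mask: str) -> bool:
    """Huawei 'if-match destination-mac <value> <mask>': where a mask bit is 1
    the frame's bit must equal the value's bit; mask bits of 0 are ignored."""
    m = parse_huawei_mac(mask)
    return (dst_mac & m) == (parse_huawei_mac(value) & m)


# The classifier exactly as configured on S5700_1 and the S5720EI stack.
CLASSIFIER_VALUE = "0100-5e00-0000"
CLASSIFIER_MASK = "ffff-ff00-0000"


def is_suppressed(dst_mac: int) -> bool:
    """True if a frame with this destination hits traffic policy 'test' and is
    therefore subject to 'car cir 100' on the AP-facing port."""
    return classifier_matches(dst_mac, CLASSIFIER_VALUE, CLASSIFIER_MASK)


def classify_frames(frames: List[Tuple[str, int]]) -> Tuple[List[str], List[str]]:
    """Split (description, dst_mac) pairs into (rate-limited, not matched)."""
    suppressed, passed = [], []
    for desc, mac in frames:
        (suppressed if is_suppressed(mac) else passed).append(desc)
    return suppressed, passed


# Constructed sample traffic that a hotel AP port might see.
SAMPLE_FRAMES = [
    ("mDNS 224.0.0.251", ipv4_group_to_mac("224.0.0.251")),
    ("SSDP 239.255.255.250", ipv4_group_to_mac("239.255.255.250")),
    ("IPTV group 239.1.1.1", ipv4_group_to_mac("239.1.1.1")),
    ("broadcast (ARP/DHCP)", parse_huawei_mac("ffff-ffff-ffff")),
    ("IPv6 multicast (mDNS ff02::fb)", parse_huawei_mac("3333-0000-00fb")),
    ("unicast to gateway", parse_huawei_mac("00e0-fc12-3456")),
]

if __name__ == "__main__":
    limited, passed = classify_frames(SAMPLE_FRAMES)
    print("rate-limited by 'car cir 100':", limited)
    print("not matched by the classifier:", passed)
    # Two groups that collide on one MAC because of the 23-bit mapping.
    print(format_mac(ipv4_group_to_mac("224.1.1.1")),
          format_mac(ipv4_group_to_mac("225.1.1.1")))
```

The mask ffff-ff00-0000 covers only the OUI, so every IPv4 multicast frame is rate-limited, while broadcast and IPv6 multicast (33-33 prefix) frames are not matched by this classifier and would need their own rule if suppression of them is wanted.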
- Configure DHCP snooping.
- Enable DHCP globally.
[S5720EI-iStack] dhcp enable
- Enable DHCP snooping globally.
[S5720EI-iStack] dhcp snooping enable
- Enable DHCP snooping in VLANs 104 and 105.
[S5720EI-iStack] vlan 104
[S5720EI-iStack-vlan104] dhcp snooping enable
[S5720EI-iStack-vlan104] quit
[S5720EI-iStack] vlan 105
[S5720EI-iStack-vlan105] dhcp snooping enable
[S5720EI-iStack-vlan105] quit
Configuring the Agile Controller-Campus
- Log in to the Agile Controller-Campus. Open the browser and enter the address for accessing the Agile Controller-Campus in the address box. On the displayed page, enter the user name and password, and click GO to log in to the Agile Controller-Campus.
If you log in to the Agile Controller-Campus for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.
The following table describes addresses for accessing the Agile Controller-Campus.
| Access Mode | Description |
| --- | --- |
| https://Agile Controller-Campus-IP:8443 | Agile Controller-Campus-IP specifies the IP address of the Agile Controller-Campus. |
| IP address of the Agile Controller-Campus | If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering its IP address without the port number. The URL of the Agile Controller-Campus automatically changes to https://Agile Controller-Campus-IP:8443. |
- Configure user groups and users.
- Choose the user management menu and click the add icon to add a user group. On the page that is displayed, enter user group name employee (wired office users) and click OK.
- Select the new user group in the navigation tree and click Add. The Add Account page is displayed. Set Account type to Common account, set Account, Password, and User name, deselect Change password upon next login, and click OK.
- Create user groups wireless, guest, and visitor for wireless office users, guests, and visitors, respectively. Add users to these groups.
- Configure device management for the S7706 and AC6605.
- Choose the device management menu and click Add to add the S7706. Configure authentication parameters and click OK.
- Add AC6605_1. Configure authentication parameters and click OK.
- Add AC6605_2. Configure authentication parameters and click OK.
- Click System > Terminal Configuration > Global Parameters, and configure MAC address-prioritized Portal authentication in Configure MAC Address-Prioritized Portal Authentication.
- Configure authentication and authorization rules and results.
- Configure authentication rules.
# The default authentication rule is used in this example. Determine whether a new authentication rule needs to be created based on the existing network. To create one, click Policy > Permission Control > Authentication & Authorization > Authentication Rule, and click Add.
- Configure authorization results.
# The default authorization result is used in this example. To create an authorization result based on the actual situation, choose Policy > Permission Control > Authentication & Authorization > Authorization Result. Click Add to create an authorization result.
- Configure an authorization rule for wired and wireless users.
- Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule. Click Add to create authorization rule wired_and_wireless. Add employee, wireless, guest, and lodger to User Group, and set the authorization result to Permit Access.
- Configure authorization rules for IPTV and security surveillance devices.
- Choose Resource > Terminal > Terminal List. Click Device Group and then Add to create device groups iptv and monitor.
- Select a device group. Click Add in Device List to create a device account.
- Create an account for device group monitor in the same way.
- Configure authentication rules.
# The default authentication rule is used in this example. Determine whether a new authentication rule needs to be created based on the existing network. To create one, click Policy > Permission Control > Authentication & Authorization > Authentication Rule, and click Add.
- Configure authorization results.
# The default authorization result is used in this example. To create an authorization result based on the actual situation, choose Policy > Permission Control > Authentication & Authorization > Authorization Result. Click Add to create an authorization result.
- Configure authorization rules.
- Choose Policy > Authentication & Authorization > Authentication Rule, and click Add to create authorization rule iptv_authorization_result. Set Service type to MAC bypass authentication, Terminal Group to iptv, and Authorization result to Permit Access. After the configuration is complete, click OK.
- Create authorization rule monitor_authorization_result in the same way.
Verification
- Access the network using the wireless user account hotel_employee, hotel_visitor, or hotel_guest. After authentication is successful, you can view user information (such as the AP to which the user is connected) on the AC6605 and information about online users on the Agile Controller-Campus.
- Perform access authentication using the account of hotel_employee, hotel_visitor, hotel_guest, or an IPTV user, and verify user network rights. For example, wired office users cannot access the IPTV server, but can access the Internet and office server.
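The rights check above (wired office users reach the office server but not the IPTV server) can be rehearsed offline before touching the switch. The evaluator below is an added example, not part of the original document: it parses the S7706 acl-employee and acl-iptv rules from the Configuration Script and applies first-match wildcard semantics. It assumes that 10.100.2.0/24 is the office server segment and 10.100.3.0/24 the IPTV server segment (inferred from the rules, not stated on the page), and that traffic matching no rule is permitted, the traffic-filter default.

```python
import ipaddress
import re

# Constructed sample input: the two ACLs copied from this page's S7706 script,
# embedded so the evaluator runs without a device.
ACL_TEXT = """
acl name acl-employee 3001
 rule 5 permit ip source 172.16.101.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.101.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-iptv 3005
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 permit ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
    r"\s+destination\s+(\S+)\s+(\S+)"
)


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acls(text):
    """Return {acl_name: [(number, action, src, src_wc, dst, dst_wc), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("acl name "):
            current = line.split()[2]
            acls[current] = []
        elif current:
            m = RULE_RE.match(line)
            if m:
                num, action, src, swc, dst, dwc = m.groups()
                acls[current].append((int(num), action, src, swc, dst, dwc))
    for rules in acls.values():
        rules.sort()  # rules are evaluated in ascending rule-number order
    return acls


def evaluate(rules, src, dst):
    """First matching rule wins. Unmatched traffic is permitted: this is the
    traffic-filter default assumed here, not something the page states."""
    for _, action, s, swc, d, dwc in rules:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "permit"


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Sample hosts are constructed; 8.8.8.8 stands in for "the Internet".
    for acl, src, dst in [("acl-employee", "172.16.101.25", "10.100.2.10"),
                          ("acl-employee", "172.16.101.25", "10.100.3.10"),
                          ("acl-employee", "172.16.101.25", "8.8.8.8"),
                          ("acl-iptv", "172.16.103.7", "10.100.2.10"),
                          ("acl-iptv", "172.16.103.7", "10.100.3.10")]:
        print(f"{acl}: {src} -> {dst}: {evaluate(acls[acl], src, dst)}")
```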
Configuration Script
- S7706
#
sysname CSS
#
router id 3.3.3.3
#
vlan batch 10 100 to 106
#
authentication-profile name hotel
 mac-access-profile hotel
 portal-access-profile hotel
 free-rule-template default_free_rule
 access-domain hotel
authentication-profile name hotel_mac
 mac-access-profile hotel
#
telnet server enable
#
dhcp enable
#
radius-server template hotel
 radius-server shared-key cipher %^%#jFB$;|}{hPY&{yGWzOA<OAG43)~]B(Nq\V;&`rXF%^%#
 radius-server authentication 10.1.0.2 1812 source ip-address 10.1.0.1 weight 80
 radius-server accounting 10.1.0.2 1813 source ip-address 10.1.0.1 weight 80
radius-server authorization 10.1.0.2 shared-key cipher %^%#$]p}HMl';I2u/&H>9[aMEEg%PQzIRF#a6='+l=<Z%^%# server-group hotel
#
acl name acl-employee 3001
 rule 5 permit ip source 172.16.101.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.101.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-wireless 3002
 rule 5 deny ip source 172.16.102.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.102.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-visitor 3003
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-guest 3004
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-iptv 3005
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 permit ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
web-auth-server hotel
 server-ip 10.1.0.2
 port 50100
 shared-key cipher %^%#cctY6)Rb~OHH"J$ah^F2GWM{-97UEZ2$Y1)3HF:B%^%
 url http://10.1.0.2:8080/portal
#
portal-access-profile name hotel
 web-auth-server hotel direct
#
aaa
 authentication-scheme hotel
  authentication-mode radius
 accounting-scheme hotel
  accounting-mode radius
  accounting realtime 15
 domain hotel
  authentication-scheme hotel
  accounting-scheme hotel
  radius-server hotel
 local-user admin password irreversible-cipher $1a$2)#3@S3Jx/$$=X(#mQlVVM9*y&_#4G~ON\A@vM7H-G>\tErxdhL$
 local-user admin privilege level 15
 local-user admin service-type telnet http
#
interface Vlanif10
 ip address 10.1.0.1 255.255.255.0
#
interface Vlanif100
 ip address 172.16.100.4 255.255.255.0
#
interface Vlanif101
 ip address 172.16.101.1 255.255.255.0
 authentication-profile hotel
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Vlanif102
 ip address 172.16.102.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Vlanif103
 ip address 172.16.103.1 255.255.255.0
 authentication-profile hotel_mac
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Vlanif104
 ip address 172.16.104.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Vlanif105
 ip address 172.16.105.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Vlanif106
 ip address 172.16.106.1 255.255.255.0
 authentication-profile hotel_mac
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface Eth-Trunk0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 100 to 102
 traffic-filter inbound acl name acl-employee
 traffic-filter inbound acl name acl-wired
 mode lacp
 port description switch
#
interface Eth-Trunk1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 100 103
 traffic-filter inbound acl name acl-monitor
 mode lacp
 port description switch
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 104 to 106
 traffic-filter inbound acl name acl-employee
 traffic-filter inbound acl name acl-guest
 traffic-filter inbound acl name acl-iptv
 mode lacp
 port description switch
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 100
 mode lacp
 port description switch
#
interface Eth-Trunk20
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 100
 mode lacp
 port description switch
#
interface Ethernet0/0/0/0
 ip address 192.168.0.3 255.255.255.0
#
interface GigabitEthernet1/1/1/7
 mad detect mode direct
#
interface GigabitEthernet1/2/1/0
 eth-trunk 0
#
interface GigabitEthernet1/2/1/1
 eth-trunk 1
#
interface GigabitEthernet1/2/1/2
 eth-trunk 2
#
interface GigabitEthernet1/2/1/6
 eth-trunk 10
#
interface GigabitEthernet1/2/1/8
 eth-trunk 20
#
interface GigabitEthernet2/1/1/7
 mad detect mode direct
#
interface GigabitEthernet2/2/1/0
 eth-trunk 0
#
interface GigabitEthernet2/2/1/1
 eth-trunk 1
#
interface GigabitEthernet2/2/1/2
 eth-trunk 2
#
interface GigabitEthernet2/2/1/5
 port link-type access
 port default vlan 10
 loopback-detect enable
 port description desktop
#
interface GigabitEthernet2/2/1/6
 eth-trunk 10
#
interface GigabitEthernet2/2/1/8
 eth-trunk 20
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.1.0.0 0.0.0.255
  network 172.16.100.0 0.0.0.255
  network 172.16.101.0 0.0.0.255
  network 172.16.102.0 0.0.0.255
  network 172.16.103.0 0.0.0.255
  network 172.16.104.0 0.0.0.255
  network 172.16.105.0 0.0.0.255
  network 172.16.106.0 0.0.0.255
#
traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
traffic-filter inbound acl name Auto_PGM_PREFER_POLICY
traffic-filter inbound acl name Auto_PGM_U10
traffic-filter inbound acl name Auto_PGM_U11
traffic-filter inbound acl name Auto_PGM_U12
traffic-filter inbound acl name Auto_PGM_U13
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
#
mac-access-profile name hotel
#
return
- AC6605_1
#
sysname AC6605_1
#
vrrp recover-delay 60
#
vlan batch 10 40 100 to 106
#
authentication-profile name hotel
 mac-access-profile hotel
 portal-access-profile hotel
 free-rule-template hotel
 authentication-scheme hotel
 accounting-scheme hotel
 radius-server hotel
#
dhcp enable
#
radius-server template hotel
 radius-server shared-key cipher %^%#n#*3'4mNq~&xt8=kB,d,D=3v6lEJX%}L)hU**ky=%^%
 radius-server authentication 10.1.0.2 1812 source ip-address 172.16.100.1 weight 80
 radius-server accounting 10.1.0.2 1813 source ip-address 172.16.100.1 weight 80
radius-server authorization 10.1.0.2 shared-key cipher %^%#+P#@*(4vRP9R<03ds(*RHvPB:A(SR9X*Q!Tj,[0P%^%#
#
free-rule-template name hotel
#
url-template name hotel
 url http://10.1.0.2:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server hotel
 server-ip 10.1.0.2
 port 50100
 shared-key cipher %^%#>F<uRsRA'<d"RH;sG|e,@ffH3J3NOCrIu0,\!Dg+%^%#
 url-template hotel
 source-ip 172.16.100.1
#
portal-access-profile name hotel
 web-auth-server hotel direct
#
aaa
 authentication-scheme hotel
  authentication-mode radius
 accounting-scheme hotel
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif10
 ip address 10.1.0.3 255.255.255.0
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
#
interface Vlanif100
 ip address 172.16.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.100.1
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1200
 dhcp select interface
 dhcp server excluded-ip-address 172.16.100.3
#
interface Eth-Trunk50
 description Connect to S7706_Eth-Trunk
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/21
 eth-trunk 50
#
interface GigabitEthernet0/0/22
 eth-trunk 50
#
ip route-static 0.0.0.0 0.0.0.0 172.16.100.4
#
capwap source ip-address 172.16.100.1
#
hsb-service 0
 service-ip-port local-ip 192.168.40.1 peer-ip 192.168.40.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 calibrate policy rogue-ap
 calibrate policy non-wifi
 calibrate policy load
 calibrate policy noise-floor
 calibrate sensitivity high
 traffic-profile name hotel
  rate-limit client up 10000
  rate-limit client down 10000
  user-isolate all
 security-profile name hotel
 ssid-profile name hotel_employee
  ssid hotel_employee
  association-timeout 1
 ssid-profile name hotel_guest
  ssid hotel_guest
  association-timeout 1
 ssid-profile name hotel_visitor
  ssid hotel_visitor
  association-timeout 1
 vap-profile name hotel_employee
  service-vlan vlan-id 102
  ssid-profile hotel_employee
  security-profile hotel
  traffic-profile hotel
  authentication-profile hotel
 vap-profile name hotel_guest
  service-vlan vlan-id 105
  ssid-profile hotel_guest
  security-profile hotel
  traffic-profile hotel
  authentication-profile hotel
 vap-profile name hotel_visitor
  service-vlan vlan-id 104
  ssid-profile hotel_visitor
  security-profile hotel
  traffic-profile hotel
  authentication-profile hotel
 rrm-profile name hotel
  smart-roam roam-threshold snr 25
  smart-roam quick-kickoff-threshold snr 20
  dynamic-edca enable
 radio-2g-profile name 2G_hotel
  beacon-interval 160
  rrm-profile hotel
 radio-5g-profile name 5G_hotel
  beacon-interval 160
  rrm-profile hotel
 ap-system-profile name hotel
  keep-service enable
 wired-port-profile name wired_port1
  mode endpoint
  vlan pvid 106
  vlan untagged 106
 wired-port-profile name wired_port2
  vlan tagged 106
 ap-group name AP_group_room
  ap-system-profile hotel
  wired-port-profile wired_port1 gigabitethernet 1
  wired-port-profile wired_port2 gigabitethernet 24
  radio 0
   radio-2g-profile 2G_hotel
   vap-profile hotel_guest wlan 1
  radio 1
   radio-5g-profile 5G_hotel
   vap-profile hotel_guest wlan 1
 ap-group name AP_group_lobby
  ap-system-profile hotel
  radio 0
   radio-2g-profile 2G_hotel
   vap-profile hotel_employee wlan 1
   vap-profile hotel_guest wlan 2
   vap-profile hotel_visitor wlan 3
  radio 1
   radio-5g-profile 5G_hotel
   vap-profile hotel_employee wlan 1
   vap-profile hotel_guest wlan 2
   vap-profile hotel_visitor wlan 3
 ap-group name AP_group_office
  ap-system-profile hotel
  radio 0
   radio-2g-profile 2G_hotel
   vap-profile hotel_employee wlan 1
  radio 1
   radio-5g-profile 5G_hotel
   vap-profile hotel_employee wlan 1
 ap-id 0 type-id 56 ap-mac 7079-90bb-1980 ap-sn 210235810810EC005283
  ap-group AP_group_office
 ap-id 1 type-id 56 ap-mac 4cfa-cafe-c600 ap-sn 21500826412SF9906934
  ap-group AP_group_lobby
 ap-id 2 type-id 52 ap-mac 002b-a376-fd00 ap-sn 2102350KGF9WGA000106
  ap-group AP_group_room
 ap-id 3 type-id 65 ap-mac 60de-4476-e360 ap-sn 21500827352SG8913066
  ap-group AP_group_room
 provision-ap
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 172.16.100.3 local-ip ip-address 172.16.100.2 psk %^%#rZ/r9y.:f!VEk92}rOQLOhNU+_MIg2v*_DS&4P&-%^%#
#
mac-access-profile name hotel
#
return
- AC6605_2
#
sysname AC6605_2
#
vlan batch 10 40 100 to 106
#
authentication-profile name hotel
 mac-access-profile hotel
 portal-access-profile hotel
 free-rule-template hotel
 authentication-scheme hotel
 accounting-scheme hotel
 radius-server hotel
#
dhcp enable
#
radius-server template hotel
 radius-server shared-key cipher %^%#n#*3'4mNq~&xt8=kB,d,D=3v6lEJX%}L)hU**ky=%^%
 radius-server authentication 10.1.0.2 1812 source ip-address 172.16.100.1 weight 80
 radius-server accounting 10.1.0.2 1813 source ip-address 172.16.100.1 weight 80
radius-server authorization 10.1.0.2 shared-key cipher %^%#+P#@*(4vRP9R<03ds(*RHvPB:A(SR9X*Q!Tj,[0P%^%#
#
free-rule-template name hotel
#
url-template name hotel
 url http://10.1.0.2:8080/portal
 url-parameter ssid ssid redirect-url url
#
web-auth-server hotel
 server-ip 10.1.0.2
 port 50100
 shared-key cipher %^%#>F<uRsRA'<d"RH;sG|e,@ffH3J3NOCrIu0,\!Dg+%^%#
 url-template hotel
 source-ip 172.16.100.1
#
portal-access-profile name hotel
 web-auth-server hotel direct
#
aaa
 authentication-scheme hotel
  authentication-mode radius
 accounting-scheme hotel
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif10
 ip address 10.1.0.4 255.255.255.0
#
interface Vlanif40
 ip address 192.168.40.2 255.255.255.0
#
interface Vlanif100
 ip address 172.16.100.3 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.100.1
 admin-vrrp vrid 1
 dhcp select interface
 dhcp server excluded-ip-address 172.16.100.2
#
interface Eth-Trunk50
 description Connect to S7706_Eth-Trunk
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface GigabitEthernet0/0/21
 eth-trunk 50
#
interface GigabitEthernet0/0/22
 eth-trunk 50
#
ip route-static 0.0.0.0 0.0.0.0 172.16.100.4
#
capwap source ip-address 172.16.100.1
#
hsb-service 0
 service-ip-port local-ip 192.168.40.2 peer-ip 192.168.40.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 calibrate policy rogue-ap
 calibrate policy non-wifi
 calibrate policy load
 calibrate policy noise-floor
 calibrate sensitivity high
 traffic-profile name hotel
  rate-limit client up 10000
  rate-limit client down 10000
  user-isolate all
 security-profile name hotel
 ssid-profile name hotel_employee
  ssid hotel_employee
  association-timeout 1
 ssid-profile name hotel_guest
  ssid hotel_guest
  association-timeout 1
 ssid-profile name hotel_visitor
  ssid hotel_visitor
  association-timeout 1
 vap-profile name hotel_employee
  service-vlan vlan-id 102
  ssid-profile hotel_employee
  security-profile hotel
  traffic-profile hotel
  authentication-profile hotel
 vap-profile name hotel_guest
  service-vlan vlan-id 105
  ssid-profile hotel_guest
  security-profile hotel
  traffic-profile hotel
  authentication-profile hotel
 vap-profile name hotel_visitor
  service-vlan vlan-id 104
  ssid-profile hotel_visitor
  security-profile hotel
  traffic-profile hotel
  authentication-profile hotel
 rrm-profile name hotel
  smart-roam enable
  smart-roam roam-threshold snr 25
  smart-roam quick-kickoff-threshold snr 20
  dynamic-edca enable
  sta-load-balance dynamic enable
 radio-2g-profile name 2G_hotel
  beacon-interval 160
  rrm-profile hotel
  rts-cts-threshold 1400
  rts-cts-mode rts-cts
 radio-5g-profile name 5G_hotel
  beacon-interval 160
  rrm-profile hotel
  rts-cts-threshold 1400
  rts-cts-mode rts-cts
 ap-system-profile name hotel
  keep-service enable
 wired-port-profile name wired_port1
  mode endpoint
  vlan pvid 106
  vlan untagged 106
 wired-port-profile name wired_port2
  vlan tagged 106
 ap-group name AP_group_room
  ap-system-profile hotel
  wired-port-profile wired_port1 gigabitethernet 1
  wired-port-profile wired_port2 gigabitethernet 24
  radio 0
   radio-2g-profile 2G_hotel
   vap-profile hotel_guest wlan 1
  radio 1
   radio-5g-profile 5G_hotel
   vap-profile hotel_guest wlan 1
 ap-group name AP_group_lobby
  ap-system-profile hotel
  radio 0
   radio-2g-profile 2G_hotel
   vap-profile hotel_employee wlan 1
   vap-profile hotel_guest wlan 2
   vap-profile hotel_visitor wlan 3
  radio 1
   radio-5g-profile 5G_hotel
   vap-profile hotel_employee wlan 1
   vap-profile hotel_guest wlan 2
   vap-profile hotel_visitor wlan 3
 ap-group name AP_group_office
  ap-system-profile hotel
  radio 0
   radio-2g-profile 2G_hotel
   vap-profile hotel_employee wlan 1
  radio 1
   radio-5g-profile 5G_hotel
   vap-profile hotel_employee wlan 1
 ap-id 0 type-id 56 ap-mac 7079-90bb-1980 ap-sn 210235810810EC005283
  ap-group AP_group_office
 ap-id 1 type-id 56 ap-mac 4cfa-cafe-c600 ap-sn 21500826412SF9906934
  ap-group AP_group_lobby
 ap-id 2 type-id 52 ap-mac 002b-a376-fd00 ap-sn 2102350KGF9WGA000106
  ap-group AP_group_room
 ap-id 3 type-id 65 ap-mac 60de-4476-e360 ap-sn 21500827352SG8913066
  ap-group AP_group_room
 provision-ap
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.3 psk %^%#rZ/r9y.:f!VEk92}rOQLOhNU+_MIg2v*_DS&4P&-%^%#
#
mac-access-profile name hotel
#
return
- S5700-LI_1
#
sysname S5700_1
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp snooping enable
#
traffic classifier test operator and
 if-match destination-mac 0100-5e00-0000 ffff-ff00-0000
#
traffic behavior test
 statistic enable
 car cir 100 pir 100 cbs 12500 pbs 12500 green pass yellow pass red discard
#
traffic policy test match-order config
 classifier test behavior test
#
vlan 101
 dhcp snooping enable
#
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102
 traffic-policy test inbound
 traffic-policy test outbound
 port-isolate enable
#
interface GigabitEthernet0/0/25
 eth-trunk 0
#
interface GigabitEthernet0/0/26
 eth-trunk 0
#
return
- S5700-LI_2
#
sysname S5700_2
#
vlan batch 100 103
#
dhcp enable
#
dhcp snooping enable
#
vlan 103
 dhcp snooping enable
#
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 100 103
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 103
#
interface GigabitEthernet0/0/25
 eth-trunk 0
#
interface GigabitEthernet0/0/26
 eth-trunk 0
#
return
- S5720-EI
#
sysname S5720EI-iStack
#
vlan batch 100 104 to 106
#
dhcp enable
#
dhcp snooping enable
#
traffic classifier test operator and
 if-match destination-mac 0100-5e00-0000 ffff-ff00-0000
#
traffic behavior test
 statistic enable
 car cir 100 pir 100 cbs 12500 pbs 12500 green pass yellow pass red discard
#
traffic policy test match-order config
 classifier test behavior test
#
vlan 104
 dhcp snooping enable
#
vlan 105
 dhcp snooping enable
#
interface Eth-Trunk0
 port link-type trunk
 port trunk allow-pass vlan 100 104 to 106
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 104 to 105
 traffic-policy test inbound
 traffic-policy test outbound
 port-isolate enable
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 105 to 106
 traffic-policy test inbound
 traffic-policy test outbound
 port-isolate enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet1/0/1
 eth-trunk 0
#
return