WLAN V200R010C00 Typical Configuration Examples

Large-Sized Hotel Network Wired and Wireless Access Deployment Case (Independent AC Solution)

Applicable Scenarios and Service Requirements

Applicable Scenarios

This solution is used to provide full network coverage for large hotels (with about 5,000 users) with access of a variety of terminals, such as wired/wireless terminals, surveillance cameras, and IPTV devices.

Service Requirements

Hotels have the following characteristics:
  • High user density
  • High guest mobility
  • Diverse user types
  • Demanding security requirements

Generally, a hotel has the following service requirements on its network:

  • Access requirements
    • Wired and wireless access for staff
    • Wired access for surveillance cameras and IPTV devices
    • Wireless access for visitors and guests
    • Network access rights for different types of users (as shown in Table 4-208)
      Table 4-208 Network access rights for different types of users

      | User Type | Office Server | IPTV Server | Internet |
      |---|---|---|---|
      | Wired office users | √ | × | √ |
      | Wireless office users | × | × | √ |
      | Wireless guests | × | × | √ |
      | Wireless visitors | × | × | √ |
      | Wired IPTV devices | × | √ | × |

  • Wireless roaming requirements
    • Support roaming when wireless terminals move between different areas.
    • Support fast handover without interrupting services.
  • Authentication requirements
    • To ensure hotel network data security, all devices must pass authentication before accessing network resources. Authentication modes for visitors and guests must be convenient and simple. Authentication modes for hotel employees must provide higher security. Authentication for terminals such as surveillance cameras and IPTV terminals is also required.
    • The authentication process needs to be simplified when users access the wireless network again.
  • Security requirements
    • Unauthorized devices and attacks must be kept off the network, and the authentication system is used to ensure security compliance.
  • Reliability requirements
    • Hotel networks carry major services such as customer network access and employee office work. Therefore, high network reliability must be provided to ensure continuous and stable services.
    • APs can detect the number of access users and flexibly adjust Enhanced Distributed Channel Access (EDCA) parameters, which reduces the possibility of collision, prevents many users from accessing the same AP, and ensures service quality and user experience.
  • Management and O&M requirements
    • Information such as users' access records and traffic can be displayed in reports.
    • Network faults can be visually viewed, and quickly located and rectified.

Solution Design

Networking Diagram

Figure 4-124 shows the networking of the wired and wireless access solution (independent AC solution) applicable to large hotels.

Figure 4-124 Networking of the wired and wireless access solution (independent AC solution)

Network Design Analysis

  • Access design
    • Wireless network coverage involves the office network, conference center/lobby network, and guest room network. The office network provides wireless access for mobile employees, the conference center/lobby network provides wireless access for visitors, and the guest room network provides wireless access for guests. Wireless authentication uses open system authentication. Wired network coverage involves the office network, security monitoring network, and guest room network. The office network (wired) provides wired access for employees, the security monitoring network (wired) provides wired access for surveillance cameras, and the guest room network (wired) provides wired access for IPTV terminals.
    • Wireless services are centrally managed by ACs, data packets are transmitted in direct forwarding mode, and the ACs serve as gateways to assign IP addresses to APs.
    • For the office network, a common omnidirectional indoor AP is recommended, for example, the AP6050DN or AP7052DN. For the conference center which has a large space and centralized users and traffic, the AP7052DN or AP7052DE is recommended. For the lobby, the AP4050DN-HD is recommended. The guest room network needs to cover a large number of guest rooms. The layout is complex and comprehensive coverage is required. However, the user concurrency rate and user density are low. Additionally, wired IPTV terminals need to access the network. In this case, the solution of central AP (AD9430DN) + remote unit (R250D) is used. A remote unit (RU) is deployed in one room. Signals do not need to penetrate walls and can evenly cover rooms without coverage holes. APs go online using the Layer 2 mode and are enabled with the roaming function.
    • The S7706 core switches serve as DHCP servers and as gateways of wired and wireless terminals to assign IP addresses for them.
    • Wireless coverage is required in hotel offices, conference center/lobby, and guest rooms, delivering network access for mobile office staff, visitors, and guests, respectively. MAC address-prioritized Portal authentication is used for wireless access.
  • Authentication design

    Wireless access authentication is deployed on the ACs, and wired access authentication on the S7706 switches. Wireless users access the network using MAC address-prioritized Portal authentication on a user-friendly login page, without the need to install a client. When users disconnect from and reconnect to the network within a certain period of time, they are directly authenticated based on the MAC address and do not need to log in again. Wired users access the network through MAC address + Portal authentication, which ensures high security. Surveillance cameras and IPTV devices use MAC address authentication.

  • Security design
    • Configure multiple SSIDs on the ACs to isolate a variety of services. Bind the SSIDs with different service VLANs to implement wireless user isolation.
    • Configure multicast packet suppression and ARP flood detection/suppression on the wireless side.
    • Configure attack defense functions on the S7706s, such as user-level rate limit, port-based attack defense, and attack source tracing.
    • Configure port isolation and suppression of wireless multicast packets on the interfaces of the S5700-LI and S5720-EI switches connecting to the APs.
    • Configure DHCP snooping on the S5700-LI and S5720-EI switches to protect the network against DHCP attacks.
  • Reliability design
    • Connect the ACs to the core switches in bypass mode. Configure VRRP backup and HSB to ensure device security.
    • Configure dynamic EDCA parameter adjustment and dynamic load balancing on the ACs to reduce co-channel interference when APs are densely deployed and alleviate the load on a single AP. This configuration also reduces the possibility of collision, prevents many users from accessing the same AP, and ensures service quality and user experience.
    • Configure CSS on S7706 core switches to ensure device reliability. Configure MAD to detect the presence of multiple active switches on the network after a CSS split and to handle the resulting conflict.
    • Configure iStack on S5720-EI access switches to ensure device reliability.
    • Connect the S7706s to the AC6605s, S5700-LIs, and S5720-EI through Eth-Trunks to enhance link reliability.
  • O&M design
    • The Agile Controller-Campus implements authentication and accounting, and generates reports on information such as user access records and traffic usage, facilitating easy O&M for administrators.
    • All the devices are configured using web systems to provide visibility of network status and enable quick network fault location.

Involved Products and Software Versions

Table 4-209 lists the products and software versions used in the solution.

Table 4-209 Involved products and software versions

| Product Name | Software Version |
|---|---|
| S7706 | V200R010C00SPC600 + latest patches |
| S5700-LI | V200R010C00SPC600 + latest patches |
| S5720-EI | V200R010C00SPC600 + latest patches |
| Agile Controller-Campus | V100R002C10SPC405 |
| AC6605 | |
| AD9430DN | |
| R250D | |
| AP | |

Configuration Roadmap and Data Planning

Configuration Roadmap

  1. Configure the interfaces, VLANs, IP addresses, and routes for each device to enable network communication.
  2. Configure CSS and MAD on the S7706s to ensure device reliability, and configure Eth-Trunks to improve link reliability.
  3. Configure the S7706s as DHCP servers to assign IP addresses to terminals.
  4. Set the wired access authentication mode to MAC address + Portal authentication on the S7706s.
  5. Use network segments to distinguish different types of users on the S7706s, and configure ACL rules to manage network permission of different user groups.
  6. Set the wired access authentication mode to MAC address + Portal authentication on the AC6605s.
  7. Configure VRRP + HSB on the AC6605s to ensure device reliability, and configure Eth-Trunks to improve link reliability.
  8. Configure WLAN services on the AC6605s. Enable smart roaming, dynamic EDCA parameter adjustment, and dynamic load balancing to reduce co-channel interference when APs are densely deployed and alleviate the load on a single AP.
  9. Configure port isolation and suppression of wireless multicast packets on the interfaces of the S5700-LI and S5720-EI switches connecting to the APs.
  10. Add the AC6605s to the Service Manager of the Agile Controller-Campus, and configure parameters to ensure that the Agile Controller-Campus can communicate properly with the AC6605s.

Data Planning

The following describes the data planning of VLANs, interfaces, IP addresses, routes, and services involved in this case.

Table 4-210 VLAN planning

| Product Name | Parameter | Description |
|---|---|---|
| S7706 | VLAN 10 | VLAN used to connect the Agile Controller-Campus |
| S7706 | VLAN 100 | CAPWAP management VLAN |
| S7706 | VLAN 101 | Wired office service VLAN |
| S7706 | VLAN 102 | Wireless office service VLAN |
| S7706 | VLAN 103 | Wired surveillance service VLAN |
| S7706 | VLAN 104 | Wireless service VLAN for visitors |
| S7706 | VLAN 105 | Wireless service VLAN for guests |
| S7706 | VLAN 106 | Wired IPTV service VLAN |

Table 4-211 Interface and IP address planning

| Product Name | Interface Number | Member Interface | VLAN to Which the Interface Belongs | IP Address | Description |
|---|---|---|---|---|---|
| AC6605_1 | GE0/0/2 | - | 40 | 192.168.40.1/24 | Connects to GE0/0/2 of the AC6605_2. |
| AC6605_1 | Eth-Trunk 50 | GE0/0/21, GE0/0/22 | 10 and 100 | VLANIF 10: 10.1.0.3/24; VLANIF 100: 172.16.100.2/24 | Connects to GE1/2/1/6 and GE2/2/1/6 of the S7706s. |
| AC6605_2 | GE0/0/2 | - | 40 | 192.168.40.2/24 | Connects to GE0/0/2 of the AC6605_1. |
| AC6605_2 | Eth-Trunk 50 | GE0/0/21, GE0/0/22 | 10 and 100 | VLANIF 10: 10.1.0.4/24; VLANIF 100: 172.16.100.3/24 | Connects to GE1/2/1/8 and GE2/2/1/8 of the S7706s. |
| S7706 | GE2/2/1/5 | - | 10 | 10.1.0.1/24 | Connects to the Agile Controller-Campus. |
| S7706 | Eth-Trunk 0 | GE1/2/1/0, GE2/2/1/0 | 10, 100, 101, and 102 | VLANIF 100: 172.16.100.4/24; VLANIF 101: 172.16.101.1/24; VLANIF 102: 172.16.102.1/24 | Connects to the S5700-LI_1, hotel office network, and wired office service VLAN. Connects to the S5700-LI_1, hotel office network, and wireless office service VLAN. |
| S7706 | Eth-Trunk 1 | GE1/2/1/1, GE2/2/1/1 | 10, 100, and 103 | VLANIF 100: 172.16.100.4/24; VLANIF 103: 172.16.103.1/24 | Connects to the S5700-LI_2, security surveillance network, and wired surveillance service VLAN. |
| S7706 | Eth-Trunk 2 | GE1/2/1/2, GE2/2/1/2 | 10, 100, 104, 105, and 106 | VLANIF 100: 172.16.100.1/24; VLANIF 104: 172.16.104.1/24; VLANIF 105: 172.16.105.1/24; VLANIF 106: 172.16.106.1/24 | Connects to the S5720EI-iStack, guest room network, and wireless service VLAN for visitors. Connects to the S5720EI-iStack, guest room network, and wireless service VLAN for guests. Connects to the S5720EI-iStack, guest room network, and wired IPTV service VLAN. |
| S7706 | Eth-Trunk 10 | GE1/2/1/6 | 10 and 100 | VLANIF 100: 172.16.100.4/24 | Connects to GE0/0/21 of the AC6605_1. |
| S7706 | Eth-Trunk 10 | GE2/2/1/6 | 10 and 100 | VLANIF 100: 172.16.100.4/24 | Connects to GE0/0/22 of the AC6605_1. |
| S7706 | Eth-Trunk 20 | GE1/2/1/8 | 10 and 100 | VLANIF 100: 172.16.100.4/24 | Connects to GE0/0/21 of the AC6605_2. |
| S7706 | Eth-Trunk 20 | GE2/2/1/8 | 10 and 100 | VLANIF 100: 172.16.100.4/24 | Connects to GE0/0/22 of the AC6605_2. |
| S7706 | GE1/1/1/7 | - | - | - | Connects to S7706_2 to detect multi-active conflicts after a CSS split. |
| S7706 | GE2/1/1/7 | - | - | - | Connects to S7706_1 to detect multi-active conflicts after a CSS split. |
| S5700-LI_1 | Eth-Trunk 0 | GE0/0/25, GE0/0/26 | 100, 101, and 102 | - | Connects to Eth-Trunk 0 of the S7706. |
| S5700-LI_1 | GE0/0/1 | - | 101 | - | Connects to wired terminals. |
| S5700-LI_1 | GE0/0/2 | - | 100 and 102 | - | Connects to AP_1. |
| S5700-LI_2 | Eth-Trunk 0 | GE0/0/25, GE0/0/26 | 100 and 103 | - | Connects to Eth-Trunk 1 of the S7706. |
| S5700-LI_2 | GE0/0/1 | - | 103 | - | Connects to cameras. |
| S5720EI-iStack | Eth-Trunk 0 | XGE0/0/1, XGE1/0/1 | 100, 104, 105, and 106 | - | Connects to Eth-Trunk 2 of the S7706. |
| S5720EI-iStack | GE1/0/1 | - | 100 and 104 | - | Connects to AP_2. |
| S5720EI-iStack | GE1/0/2 | - | 100, 105, and 106 | - | Connects to GE0/0/24 of the AD9430DN. |
| AD9430DN | GE0/0/24 | - | 100, 105, and 106 | - | Connects to GE1/0/2 of the S5720EI-iStack. |
| AD9430DN | GE0/0/0 | - | 100, 105, and 106 | - | Connects to the R250D. |
| R250D | GE0/0/0 | - | 100, 105, and 106 | - | Connects to GE0/0/0 of the AD9430DN. |
| R250D | GE0/0/1 | - | 106 | - | Connects to the IPTV. |

Table 4-212 Service data planning

Item

Data

IP address of the CAPWAP source interface

172.16.100.1

Management VLAN for APs

100

VRRP group

Virtual IP address of VLANIF 100: 172.16.100.1

ID of the management VRRP group: 1

Backup services: DHCP, user access, and AP services

AC6605_1:

  • Priority: 120
  • Preemption duration: 1200 seconds
  • HSB service: The local and remote IP addresses are 192.168.40.1 and 192.168.40.2, respectively. The local and remote port numbers are both 10241.
  • Recovery delay of the VRRP group: 60 seconds

AC6605_2:

  • HSB service: The local and remote IP addresses are 192.168.40.2 and 192.168.40.1, respectively. The local and remote port numbers are both 10241.
  • Recovery delay of the VRRP group: 60 seconds

DHCP server

  • Gateway IP address of APs: 172.16.100.1/24
  • Gateway IP address of wired office users: 172.16.101.1/24
  • Gateway IP address of wireless office users: 172.16.102.1/24
  • Gateway IP address of surveillance cameras: 172.16.103.1/24
  • Gateway IP address of visitors (wireless users): 172.16.104.1/24
  • Gateway IP address of guests (wireless users): 172.16.105.1/24
  • Gateway IP address of IPTV terminals: 172.16.106.1/24

AAA

  • Authentication scheme:
    • Name: hotel
    • Authentication mode: RADIUS
  • Accounting scheme:
    • Name: hotel
    • Accounting mode: RADIUS
    • Real-time accounting: enabled
    • Real-time accounting interval: 15 minutes

RADIUS server

  • Name of the server profile: hotel
  • Authentication server IP address: 10.1.0.2
  • Authentication port number: 1812
  • Accounting server IP address: 10.1.0.2
  • Accounting port number: 1813
  • Shared key: Huawei@123
  • Source address: 10.1.0.1
  • RADIUS authorization server:
    • Authorization server IP address: 10.1.0.2
    • RADIUS shared key: Huawei@123

Portal server template

  • Server name: hotel
  • IP address: 10.1.0.2
  • URL: http://10.1.0.2:8080/portal
  • Port number: 50100
  • Source address: 10.1.0.1
  • Shared key: Huawei@123

URL template

  • Profile name: hotel
  • SSID carried in the URL: ssid
  • Original URL that a user accesses carried in the URL: url

Portal access profile

  • Name: hotel
  • Referenced profile: Portal server profile hotel

Authentication-free rule profile

  • Name: hotel
  • Authentication-free destination IP address: 8.8.8.8/32 (DNS server IP address)

MAC access profile

  • Name: hotel

Authentication profile

  • Name: hotel
  • Referenced profiles and authentication schemes: Portal access profile hotel, MAC access profile hotel, RADIUS server profile hotel, RADIUS authentication scheme hotel, RADIUS accounting scheme hotel, and authentication-free rule profile hotel.

AP group

  • Hotel employees (wireless users):
    • Name: AP_group_office
    • Country code: CHINA
    • Security policy: open system authentication
    • Referenced profiles: VAP profile hotel_employee, 2G radio profile 2G_hotel, and 5G radio profile 5G_hotel
  • Visitors:
    • Name: AP_group_lobby
    • Country code: CHINA
    • Security policy: open system authentication
    • Referenced profiles: VAP profiles hotel_employee, hotel_guest, and hotel_visitor, 2G radio profile 2G_hotel, and 5G radio profile 5G_hotel
  • Guests:
    • Name: AP_group_room
    • Country code: CHINA
    • Security policy: open system authentication
    • Referenced profiles: VAP profile hotel_guest, 2G radio profile 2G_hotel, 5G radio profile 5G_hotel, ETH0/0/0 wired interface profile wired_port1, and GE0/0/24 wired interface profile wired_port2

SSID profile

  • Hotel employees (wireless users):
    • Name: hotel_employee
    • SSID: hotel_employee
  • Guests:
    • Name: hotel_guest
    • SSID: hotel_guest
  • Visitors:
    • Name: hotel_visitor
    • SSID: hotel_visitor

Security profile

  • Name: hotel
  • Security policy: open system authentication

Traffic profile

  • Name: hotel
  • User isolation: Layer 2 and Layer 3 isolation
  • Terminal-based rate limit: 10 Mbit/s

RRM profile

  • Name: hotel
  • Smart roaming: enabled

2G radio profile

  • Name: 2G_hotel
  • RTS-CTS mode: RTS-CTS with the threshold of 1400 bytes
  • beacon-interval: 160
  • Referenced profile: RRM profile hotel

5G radio profile

  • Name: 5G_hotel
  • RTS-CTS mode: RTS-CTS with the threshold of 1400 bytes
  • beacon-interval: 160
  • Referenced profile: RRM profile hotel

Wired port profile

  • Name: wired_port1
    • VLAN PVID: 106
    • VLAN untagged: 106
  • Name: wired_port2
    • VLAN untagged: 106

Agile Controller-Campus

  • IP address: 10.1.0.2
  • Authentication port number: 1812
  • Accounting port number: 1813
  • RADIUS shared key: Huawei@123
  • Port number of the Portal server: 50100
  • Portal shared key: Huawei@123
  • MAC address validity period for MAC address-prioritized Portal authentication: 120 minutes

VAP

  • For wireless office employees:
    • VAP profile: hotel_employee
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 102
    • Security profile: hotel
    • SSID profile: hotel_employee
    • Authentication profile: hotel
    • Traffic profile: hotel
    • Rate threshold for ARP flood attack detection and suppression: 10 pps
  • For guests:
    • VAP profile: hotel_guest
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 105
    • Security profile: hotel
    • SSID profile: hotel_guest
    • Authentication profile: hotel
    • Traffic profile: hotel
    • Rate threshold for ARP flood attack detection and suppression: 10 pps
  • For visitors:
    • VAP profile: hotel_visitor
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 104
    • Security profile: hotel
    • SSID profile: hotel_visitor
    • Authentication profile: hotel
    • Traffic profile: hotel
    • Rate threshold for ARP flood attack detection and suppression: 10 pps

Configuration Procedure

Configuring the S7706

  1. Configure the two S7706 switches to set up a CSS.

    1. Install CSS cards on S7706_1 and S7706_2, and connect cluster cables. For details on CSS setup, see CSS of S Switches.
    2. Check the CSS status to confirm that the CSS of S7706 switches has been successfully set up.

  2. Log in to the switch through the console interface, and pre-configure the web management system account, Telnet account, and IP address of the management network interface.

    <HUAWEI> system-view
    [HUAWEI] sysname CSS
    [CSS] telnet server enable 
    [CSS] user-interface vty 0 4
    [CSS-ui-vty0-4] user privilege level 15   
    [CSS-ui-vty0-4] authentication-mode aaa  
    [CSS-ui-vty0-4] protocol inbound all    
    [CSS-ui-vty0-4] quit 
    [CSS] aaa 
    [CSS-aaa] local-user admin password irreversible-cipher Root@123 
    [CSS-aaa] local-user admin privilege level 15             
    [CSS-aaa] local-user admin service-type http telnet       
    [CSS-aaa] quit
    [CSS] interface ethernet 0/0/0/0 
    [CSS-Ethernet0/0/0/0] ip address 192.168.0.3 24
    [CSS-Ethernet0/0/0/0] quit

  3. Log in to the CSS through the web management system.

    1. Connect the PC to the management network interface of the S7706 and set the local connection IP address of the PC to 192.168.0.2/24. Enter https://192.168.0.3 in the browser address box. On the displayed page, enter the user name (admin) and password (Root@123), select EasyOperation, and click GO to enter the CSS.

    2. The CSS is successfully established if the active and standby switches are displayed on the home page.

  4. Configure multi-active detection (MAD) in direct mode on cluster interfaces. This function can only be enabled through the CLI. Click on the bottom right corner of the page to enter the CLI.

    Choose Tools > Internet Options > Security, select Custom level, choose Enable or Prompt next to Initialize and script ActiveX controls not marked as safe for scripting to display the CLI. Internet Explorer 10.0 is used in the preceding example.

    1. Configure MAD in direct mode on GE1/1/1/7.
      [CSS] interface gigabitethernet 1/1/1/7
      [CSS-GigabitEthernet1/1/1/7] mad detect mode direct
      Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
      [CSS-GigabitEthernet1/1/1/7] quit
    2. Configure MAD in direct mode on GE2/1/1/7.
      [CSS] interface gigabitethernet 2/1/1/7
      [CSS-GigabitEthernet2/1/1/7] mad detect mode direct
      Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
      [CSS-GigabitEthernet2/1/1/7] quit
    3. Check detailed MAD configuration of the CSS.
      [CSS] display mad verbose                                                        
      Current MAD domain: 0                                                           
      Current MAD status: Detect                                                      
      Mad direct detect interfaces configured:                                        
       GigabitEthernet1/1/1/7                                                         
       GigabitEthernet2/1/1/7                                                         
      Mad relay detect interfaces configured:                                         
      Excluded ports(configurable):                                                   
      Excluded ports(can not be configured):                                          
       XGigabitEthernet1/6/0/0                                                        
       XGigabitEthernet2/6/0/0 

  5. Configure Eth-Trunks connecting the S7706s to the AC6605s, S5700-LIs, and S5720-EI.

    1. Choose Configuration > Basic Services > Interface Settings, and click Connect to Switch under Select Task. Select interfaces according to Table 4-213, select Enable link aggregation, and set Eth-Trunk and Allowed VLANs. After the configuration is complete, click Apply.
      Table 4-213 Eth-Trunk configuration

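      | Interface | Eth-Trunk | Eth-Trunk Mode | Allowed VLAN |
      |---|---|---|---|
      | GE1/2/1/6, GE2/2/1/6 | 10 | Static LACP | 10 and 100 |
      | GE1/2/1/8, GE2/2/1/8 | 20 | Static LACP | 10 and 100 |
      | GE1/2/1/0, GE2/2/1/0 | 0 | Static LACP | 10 and 100 to 102 |
      | GE1/2/1/1, GE2/2/1/1 | 1 | Static LACP | 10, 100, and 103 |
      | GE1/2/1/2, GE2/2/1/2 | 2 | Static LACP | 10, 100, and 104 to 106 |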

  6. Configure the interface on the S7706 connecting to the Agile Controller-Campus.

    # Choose Configuration > Basic Services > Interface Settings, and click Connect to PC under Select Task. Select the interface (GE2/2/1/5) to be configured, and set Default VLAN to 10. After the configuration is complete, click Apply.

  7. Create Loopback 0 and set the OSPF router ID to the loopback interface address. This function can only be enabled through the CLI. Click on the bottom right corner of the page to enter the CLI.

    [CSS] interface loopback 0
    [CSS-LoopBack0] ip address 3.3.3.3 32  //Router ID
    [CSS-LoopBack0] quit

  8. Configure an IP address for the VLANIF interface connected to the Agile Controller-Campus.

    # Choose Configuration > Basic Services > VLAN, and select VLAN 10. In the Modify VLAN dialog box that is displayed, select Create VLANIF, and configure an IP address and a mask for VLANIF 10.

  9. Configure DHCP on the S7706.

    1. Enable DHCP globally.

      # Choose Configuration > Basic Services > DHCP, set DHCP status to ON.

    2. Choose Configuration > Basic Services > VLAN, and select VLAN 106. In the Modify VLAN dialog box that is displayed, select Create VLANIF, and configure an IP address and a mask for VLANIF 106.

    3. Choose Configuration > Basic Services > DHCP, and click Create. On the Create IP Pool page that is displayed, configure DHCP parameters and click OK.

    4. Set IP addresses for each VLANIF interface of VLANs 100 through 105 to 172.16.100.4/24, 172.16.101.1/24, 172.16.102.1/24, 172.16.103.1/24, 172.16.104.1/24, and 172.16.105.1/24, respectively in the same way. Configure DHCP address pools for these VLANs.

  10. Configure a route.

    1. Configure an OSPF route. This function can only be configured through the CLI. Click in the lower right corner of the page to enter the CLI.
      [CSS] router id 3.3.3.3
      [CSS] ospf 1
      [CSS-ospf-1] area 0.0.0.0
      [CSS-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255 //Configure the network segment for connecting to the Agile Controller-Campus.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.100.0 0.0.0.255 //Configure the network segment of service VLAN 100.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.101.0 0.0.0.255 //Configure the network segment of service VLAN 101.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.102.0 0.0.0.255 //Configure the network segment of service VLAN 102.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.103.0 0.0.0.255 //Configure the network segment of service VLAN 103.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.104.0 0.0.0.255 //Configure the network segment of service VLAN 104.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.105.0 0.0.0.255 //Configure the network segment of service VLAN 105.
      [CSS-ospf-1-area-0.0.0.0] network 172.16.106.0 0.0.0.255 //Configure the network segment of service VLAN 106.
      [CSS-ospf-1-area-0.0.0.0] quit
      [CSS-ospf-1] quit

  11. Configure MAC address + Portal authentication for wired office users, and configure MAC address authentication for surveillance cameras and wired IPTV users.

    1. Configure a RADIUS server template.
      1. Choose Configuration > Security Services > AAA, and click the RADIUS tab.

      2. Under RADIUS Server Profile, click Create. The Create RADIUS Server Profile page is displayed. Set Profile name to hotel and configure Profile default shared key. Click Create Server. The Create Server Configuration page is displayed.

        On the Create Server Configuration page, set IP Address to 10.1.0.2. Select Authentication under Server Settings, set Port number to 1812 and Source address of outgoing packets to 10.1.0.1, and retain the default values for other parameters. Select Accounting under Server Settings, set Port number to 1813 and Source address of outgoing packets to 10.1.0.1, and retain the default values for other parameters. On the Create Server Configuration page, click OK. On the Create RADIUS Server Profile page, click OK.

    2. Configure parameters for the authorization servers.

      On the Authorization Server Template page, click Create. The Create Authorization Server page is displayed. Set Authorization server IP address to 10.1.0.2 and Profile name to hotel, and configure key. Click OK.

    3. Configure an authentication scheme and an accounting scheme.
      1. Choose Configuration > Security Services > AAA. Click the Authentication/Authorization/Accounting Scheme tab. Click the arrow to the left of Authentication Scheme List and then click Create. On the Create Authentication Scheme page that is displayed, set Authentication scheme name to hotel and First authentication to RADIUS authentication. Use the default settings for the other parameters and click OK.

      2. Click the arrow to the left of Accounting Scheme List and then click Create. On the Create Accounting Scheme page that is displayed, set Accounting scheme name to hotel, Accounting mode to RADIUS accounting, Real-time accounting to ON, and Real-time accounting interval (minutes) to 15. Use the default settings for the other parameters and click OK.

    4. Configure a domain profile.
      1. Choose Configuration > Security Services > AAA Profile Mgmt. Click Domain Profile under Authentication Profile, and click Create. On the page that is displayed, set Profile name to hotel and click OK.

      2. Choose domain profile hotel under Authentication Profile. Set Authentication scheme to hotel, Accounting scheme to hotel, RADIUS server profile to hotel, and Authorization scheme to default. Use the default settings for the other parameters and click Apply.

    5. Configure a Portal server template.

      # Choose Configuration > Security Services > AAA. Click the Portal Server Global Configuration tab. In Portal Authentication Server List, click Create. Configure parameters for the authentication server and then click OK.

    6. Configure a MAC authentication profile and a Portal authentication profile.
      1. Choose Configuration > Security Services > AAA Profile Mgmt. On the Profile Management page that is displayed, choose MAC Authentication Profile from the navigation tree on the left. Click Create, set Profile name to hotel, and click OK.

      2. On the page that is displayed, set User name mode to MAC address and use the default settings for the other parameters. Click Apply.

      3. Click Portal Profile under Authentication Profile. Click Create, set Profile name to hotel, and click OK.

      4. On the page that is displayed, set Primary Portal server group to hotel and Authentication mode to Layer 2 authentication. Use the default settings for the other parameters and click Apply.

    7. Configure an authentication-free rule profile.
      1. Choose Configuration > Security Services > AAA Profile Mgmt, and select default_free_rule under Authentication-free Rule Profile. Click Create. On the page that is displayed, set the rule number to 1 and destination IP address to Specified, enter the destination IP address 8.8.8.8/32, and click OK.
    8. Configure an authentication profile.
      1. Choose Configuration > Security Services > AAA Profile Mgmt. Click Authentication Profile and then Create. Set Profile name to hotel and then click OK.

      2. Bind a Portal profile to an authentication profile. Click + to the left of authentication profile hotel and click Portal Profile. On the page that is displayed, set Portal Profile to hotel, Primary Portal server group to hotel, and Authentication mode to Layer 2 authentication. Use the default settings for the other parameters and click Apply.

      3. Bind a MAC authentication profile to an authentication profile. Click + to the left of authentication profile hotel and click MAC Authentication Profile. On the page that is displayed, set MAC Authentication Profile to hotel and click Apply.

      4. Bind the authentication-free rule profile to the authentication profile. Select Authentication-free Rule Profile under hotel, select default_free_rule, and click Apply.
      5. Bind an authentication profile to a domain profile. Click + to the left of authentication profile hotel and click Domain Profile. On the page that is displayed, set Domain Profile to hotel and click Apply.

    9. Configure an authentication profile for dumb terminals.
      1. Choose Configuration > Security Services > AAA. Click the Authentication Profile tab and then click Create. Set Profile name to hotel_mac and then click OK.

      2. Click + to the left of authentication profile hotel_mac and click MAC Authentication Profile. On the page that is displayed, set MAC Authentication Profile to hotel and click Apply.

      3. Click + to the left of authentication profile hotel_mac and click Domain Profile. On the page that is displayed, set Domain Profile to hotel and click Apply.

    10. Bind the authentication profile to the wired user VLAN, and enable user authentication.
      1. Choose Configuration > Security Services > AAA Service App and click the Wired Interface Authentication tab.

      2. Under VLAN Authentication, click the icon next to the VLAN text box. On the page that is displayed, select VLAN101 and click OK.

      3. Set Authentication Profile to hotel and click Apply.

      4. Perform configurations for wired service VLANs 103 and 106 using the same method. Set Authentication Profile to hotel_mac. Click Apply.

  12. Configure an ACL policy to manage network rights for different user groups. Table 4-214 lists the rights for different users to access the office server (on the IP address segment 10.100.2.0/24), IPTV server (on the IP address segment 10.100.3.0/24), and Internet.

    Table 4-214 Network access rights for different types of users

    User Type              Office Server   IPTV Server   Internet
    Wired office users     √               ×             √
    Wireless office users  ×               ×             √
    Wireless guests        ×               ×             √
    Wireless visitors      ×               ×             √
    Wired IPTV devices     ×               √             ×

    (√: access allowed; ×: access denied)

    1. Choose Configuration > Security Services > ACL Config > ACL Config. Click Create. In the dialog box that is displayed, configure an ACL policy for wired office users and click OK.

    2. Select an ACL and click Add Rule. Configure an ACL rule that forbids hotel employees from accessing the IPTV server.

    3. Configure ACL policies acl-wireless, acl-visitor, and acl-guest for wireless office users, wireless visitors, and wireless guests, respectively in the same way. Forbid these users from accessing the IPTV and office servers, and allow them to access the Internet. Configure ACL policy acl-iptv for wired IPTV devices, allow these devices to access the IPTV server, and deny their access to the office server and Internet.
    4. Configure and apply ACL rules on an interface to enable interface-based packet filtering. Choose Configuration > Security Services > ACL Reference. Select Interface ACL and configure an interface-based ACL rule. After the configuration is complete, click Apply.
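
The rights in Table 4-214 depend on rule order and on what happens to packets that match no rule, so a rule set is worth checking against the table before it is applied. The following Python check is an added example, not part of the original guide: the rule lines are constructed in advanced-ACL style, acl-wired is a hypothetical name for the wired office ACL, the probe addresses are constructed, and the no-match action (permit here) is an assumption to confirm for your platform.

```python
import ipaddress
import re

# Probe destinations: constructed hosts inside the page's server segments,
# plus a documentation address standing in for "the Internet".
PROBES = {
    "Office Server": "10.100.2.10",
    "IPTV Server": "10.100.3.10",
    "Internet": "203.0.113.7",
}

# Expected rights per ACL, in PROBES order (Table 4-214 and the ACL steps).
EXPECTED = {
    "acl-wired": (True, False, True),     # hypothetical name; the page leaves it unnamed
    "acl-wireless": (False, False, True),
    "acl-guest": (False, False, True),
    "acl-visitor": (False, False, True),
    "acl-iptv": (False, True, False),
}

# Constructed rule sets (assumption: "rule <id> <action> ip [destination <ip> <wildcard>]").
WIRELESS_RULES = """
    rule 5 deny ip destination 10.100.2.0 0.0.0.255
    rule 10 deny ip destination 10.100.3.0 0.0.0.255
    rule 15 permit ip
"""
ACLS = {
    "acl-wired": """
        rule 5 deny ip destination 10.100.3.0 0.0.0.255
        rule 10 permit ip
    """,
    "acl-wireless": WIRELESS_RULES,
    "acl-guest": WIRELESS_RULES,
    "acl-visitor": WIRELESS_RULES,
    "acl-iptv": """
        rule 5 permit ip destination 10.100.3.0 0.0.0.255
        rule 10 deny ip
    """,
}

RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+destination\s+(\S+)\s+(\S+))?$"
)


def parse_acl(text):
    """Return [(rule_id, permit, base, wildcard)] in ascending rule-ID order."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule line: {line!r}")
        rule_id, action, base, wildcard = m.groups()
        if base is None:  # "permit ip" / "deny ip" matches any destination
            base_i, wild_i = 0, 0xFFFFFFFF
        else:
            base_i = int(ipaddress.IPv4Address(base))
            wild_i = int(ipaddress.IPv4Address(wildcard))
        rules.append((int(rule_id), action == "permit", base_i, wild_i))
    return sorted(rules)


def permits(rules, dst, default_permit):
    """First matching rule decides; wildcard bits set to 1 are 'don't care'."""
    d = int(ipaddress.IPv4Address(dst))
    for _rule_id, allow, base, wildcard in rules:
        if ((d ^ base) & ~wildcard & 0xFFFFFFFF) == 0:
            return allow
    return default_permit  # assumption: action when no rule matches


def audit(acls, expected=EXPECTED, default_permit=True):
    """Return (acl, destination, wanted, got) for every cell that differs from the table."""
    findings = []
    for name, text in acls.items():
        rules = parse_acl(text)
        for (dest, addr), want in zip(PROBES.items(), expected[name]):
            got = permits(rules, addr, default_permit)
            if got != want:
                findings.append((name, dest, want, got))
    return findings


# Two constructed failure modes: a missing final deny, and a broad permit
# placed before the denies so that they are never reached.
NO_FINAL_DENY = {"acl-iptv": "rule 5 permit ip destination 10.100.3.0 0.0.0.255"}
SHADOWED = {"acl-guest": """
    rule 5 permit ip
    rule 10 deny ip destination 10.100.2.0 0.0.0.255
    rule 15 deny ip destination 10.100.3.0 0.0.0.255
"""}

if __name__ == "__main__":
    for label, acls in (("planned", ACLS), ("no final deny", NO_FINAL_DENY),
                        ("shadowed", SHADOWED)):
        print(label, audit(acls))
```

An empty result means the rule set reproduces the table for the probed destinations; each tuple otherwise names the ACL and the destination whose result differs.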

  13. Configure the security functions that can be set only by running commands. Click the icon at the lower right corner of the page to access the CLI console.

    1. Enable the user-level rate limiting (enabled by default) if X series cards are installed on switches.
      <CSS> system-view  
      [CSS] cpu-defend host-car enable 
    2. Enable the port-based attack defense (enabled by default), and run the display auto-port-defend configuration command to display the command output. The Auto-port-defend field value is enable.
      [CSS] display auto-port-defend configuration                                     
       ----------------------------------------------------------------------------   
       Name  : default                                                                
       Related slot : <1/1,1/6,2/1,2/6,1/8>                                           
       Auto-port-defend                       : enable                                
       Auto-port-defend sample                : 5                                     
       Auto-port-defend aging-time            : 300 second(s)                         
       Auto-port-defend arp-request threshold : 60 pps(enable)                        
       Auto-port-defend arp-reply threshold   : 60 pps(enable)                        
       Auto-port-defend dhcp threshold        : 60 pps(enable)                        
       Auto-port-defend icmp threshold        : 60 pps(enable)                        
       Auto-port-defend igmp threshold        : 60 pps(enable)                        
       Auto-port-defend ip-fragment threshold : 30 pps(enable)                        
       Auto-port-defend alarm                 : disable                               
       ----------------------------------------------------------------------------
    3. Enable attack source tracing (enabled by default), and run the display cpu-defend configuration all command to confirm the configuration.
      [CSS] display cpu-defend configuration all                                       
      Car configurations on mainboard.                                                
      ----------------------------------------------------------------------          
      Packet Name         Status     Cir(Kbps)   Cbs(Byte)  Queue  Port-Type          
      ----------------------------------------------------------------------          
      8021x               Enabled          128       24064      3         NA          
      8021x-ident         Enabled           64       12032      3         NA          
      8021x-ident-wlan    Enabled           64       12032      3         NA          
      8021x-start         Enabled           64       12032      3         NA          
      8021x-start-wlan    Enabled           16       10000      3         NA          
      8021x-wireless      Enabled          128       24064      3         NA          
      arp-miss            Enabled           64       12032      3         NA          
      arp-reply           Enabled          128       24064      3         NA          
      arp-request         Enabled          128       24064      3         NA          
      asdp                Enabled          256       48128      6         NA          
      bfd                 Enabled          512       96256      6         NA          
      bgp                 Enabled          512       96256      5         NA          
      bgp4plus            Enabled          128       24064      5         NA          
      bpdu-tunnel         Enabled          512       96256      5         NA          
      capwap-association  Enabled           16       10000      4         NA          
      capwap-disassoc     Enabled           24       10000      3         NA          
      capwap-discov-bc    Enabled           16       10000      2         NA          
      capwap-discov-uc    Enabled           16       10000      2         NA          
      capwap-echo         Enabled         1024      192512      6         NA          
      capwap-keepalive    Enabled         1024      192512      6         NA          
      capwap-other        Enabled          400       75200      3         NA          
      cdp                 Enabled          128       24064      5         NA          
      dhcp-client         Enabled          512       96256      3         NA          
      dhcp-server         Enabled          512       96256      3         NA  
      .......................................
       ----------------------------------------------------------------------------

Configuring the AC6605

  1. Create VLANs, and configure interfaces to allow packets from the VLANs to pass to ensure network communication.

    1. Create VLAN 10, VLAN 40, and VLANs 100 through 106 on AC6605_1, and add the interfaces on AC6605_1 connected to S7706_1 and S7706_2 to VLAN 10 and VLAN 100, respectively.
      <AC6605> system-view
      [AC6605] sysname AC6605_1
      [AC6605_1] vlan batch 10 40 100 to 106
      [AC6605_1] dhcp enable
      [AC6605_1] interface vlanif 10
      [AC6605_1-Vlanif10] ip address 10.1.0.3 24
      [AC6605_1-Vlanif10] quit
      [AC6605_1] interface vlanif 100
      [AC6605_1-Vlanif100] ip address 172.16.100.2 24
      [AC6605_1-Vlanif100] dhcp select interface
      [AC6605_1-Vlanif100] dhcp server excluded-ip-address 172.16.100.3
      [AC6605_1-Vlanif100] quit
      [AC6605_1] interface eth-trunk 50  
      [AC6605_1-Eth-Trunk50] description Connect to S7706_Eth-Trunk 
      [AC6605_1-Eth-Trunk50] port link-type trunk 
      [AC6605_1-Eth-Trunk50] port trunk allow-pass vlan 10 100 
      [AC6605_1-Eth-Trunk50] undo port trunk allow-pass vlan 1 
      [AC6605_1-Eth-Trunk50] quit
      [AC6605_1] interface gigabitethernet 0/0/21
      [AC6605_1-GigabitEthernet0/0/21] eth-trunk 50
      [AC6605_1-GigabitEthernet0/0/21] quit
      [AC6605_1] interface gigabitethernet 0/0/22
      [AC6605_1-GigabitEthernet0/0/22] eth-trunk 50
      [AC6605_1-GigabitEthernet0/0/22] quit                                                    
    2. Create VLAN 10, VLAN 40, and VLANs 100 through 106 on AC6605_2, and add the interfaces on AC6605_2 connected to S7706_1 and S7706_2 to VLAN 10 and VLAN 100, respectively.
      <AC6605> system-view
      [AC6605] sysname AC6605_2
      [AC6605_2] vlan batch 10 40 100 to 106
      [AC6605_2] dhcp enable
      [AC6605_2] interface vlanif 10
      [AC6605_2-Vlanif10] ip address 10.1.0.4 24
      [AC6605_2-Vlanif10] quit
      [AC6605_2] interface vlanif 100
      [AC6605_2-Vlanif100] ip address 172.16.100.3 24
      [AC6605_2-Vlanif100] dhcp select interface
      [AC6605_2-Vlanif100] dhcp server excluded-ip-address 172.16.100.2
      [AC6605_2-Vlanif100] quit
      [AC6605_2] interface eth-trunk 50  
      [AC6605_2-Eth-Trunk50] description Connect to S7706_Eth-Trunk 
      [AC6605_2-Eth-Trunk50] port link-type trunk 
      [AC6605_2-Eth-Trunk50] port trunk allow-pass vlan 10 100 
      [AC6605_2-Eth-Trunk50] undo port trunk allow-pass vlan 1 
      [AC6605_2-Eth-Trunk50] quit
      [AC6605_2] interface gigabitethernet 0/0/21
      [AC6605_2-GigabitEthernet0/0/21] eth-trunk 50
      [AC6605_2-GigabitEthernet0/0/21] quit
      [AC6605_2] interface gigabitethernet 0/0/22
      [AC6605_2-GigabitEthernet0/0/22] eth-trunk 50
      [AC6605_2-GigabitEthernet0/0/22] quit

  2. Configure VRRP + HSB.

    1. Configure HSB connectivity between AC6605_1 and AC6605_2.
      1. Add GE0/0/2 on AC6605_1 connected to AC6605_2 to VLAN 40.
        [AC6605_1] vlan 40
        [AC6605_1-vlan40] quit
        [AC6605_1] interface vlanif 40
        [AC6605_1-Vlanif40] ip address 192.168.40.1 24
        [AC6605_1-Vlanif40] quit
        [AC6605_1] interface gigabitethernet 0/0/2
        [AC6605_1-GigabitEthernet0/0/2] port link-type trunk   
        [AC6605_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 40                 
        [AC6605_1-GigabitEthernet0/0/2] quit
      2. Add GE0/0/2 on AC6605_2 connected to AC6605_1 to VLAN 40.
        [AC6605_2] vlan 40
        [AC6605_2-vlan40] quit
        [AC6605_2] interface vlanif 40
        [AC6605_2-Vlanif40] ip address 192.168.40.2 24
        [AC6605_2-Vlanif40] quit
        [AC6605_2] interface gigabitethernet 0/0/2
        [AC6605_2-GigabitEthernet0/0/2] port link-type trunk   
        [AC6605_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 40                 
        [AC6605_2-GigabitEthernet0/0/2] quit
    2. Configure VRRP on AC6605_1 to implement AC hot standby.
      1. Set the recovery delay of the VRRP group to 60s.
        [AC6605_1] vrrp recover-delay 60
      2. Create management VRRP group 1 on AC6605_1, set the priority of AC6605_1 in the VRRP management group to 120, and set the preemption time to 1200 seconds.
        [AC6605_1] interface vlanif 100
        [AC6605_1-Vlanif100] vrrp vrid 1 virtual-ip 172.16.100.1 
        [AC6605_1-Vlanif100] vrrp vrid 1 priority 120 
        [AC6605_1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 
        [AC6605_1-Vlanif100] admin-vrrp vrid 1  //Configure VRRP group 1 as the management VRRP.
        [AC6605_1-Vlanif100] quit
      3. Create HSB service 0 on AC6605_1, and configure the IP addresses and port numbers for the active and standby HSB channels.
        [AC6605_1] hsb-service 0 
        [AC6605_1-hsb-service-0] service-ip-port local-ip 192.168.40.1 peer-ip 192.168.40.2 local-data-port 10241 peer-data-port 10241
        [AC6605_1-hsb-service-0] quit
      4. Create HSB group 0 on AC6605_1, and bind it to HSB service 0 and management VRRP group 1.
        [AC6605_1] hsb-group 0
        [AC6605_1-hsb-group-0] bind-service 0
        [AC6605_1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
        [AC6605_1-hsb-group-0] quit
      5. Bind AC6605_1 services to the HSB group.
        [AC6605_1] hsb-service-type access-user hsb-group 0  //Bind the NAC service to HSB group 0.
        [AC6605_1] hsb-service-type ap hsb-group 0  //Specify HSB group 0 for WLAN service backup.
        [AC6605_1] hsb-service-type dhcp hsb-group 0  //Bind DHCP servers to HSB group 0.
        [AC6605_1] hsb-group 0 
        [AC6605_1-hsb-group-0] hsb enable 
        [AC6605_1-hsb-group-0] quit
    3. Configure VRRP on AC6605_2 to implement AC hot standby.
      1. Set the recovery delay of the VRRP group to 60s.
        [AC6605_2] vrrp recover-delay 60
      2. Create management VRRP group 1 on AC6605_2.
        [AC6605_2] interface vlanif 100
        [AC6605_2-Vlanif100] vrrp vrid 1 virtual-ip 172.16.100.1 
        [AC6605_2-Vlanif100] admin-vrrp vrid 1  //Configure VRRP group 1 as the management VRRP.
        [AC6605_2-Vlanif100] quit
      3. Create HSB service 0 on AC6605_2, and configure the IP addresses and port numbers for the active and standby HSB channels.
        [AC6605_2] hsb-service 0 
        [AC6605_2-hsb-service-0] service-ip-port local-ip 192.168.40.2 peer-ip 192.168.40.1 local-data-port 10241 peer-data-port 10241 
        [AC6605_2-hsb-service-0] quit
      4. Create HSB group 0 on AC6605_2, and bind it to HSB service 0 and management VRRP group 1.
        [AC6605_2] hsb-group 0
        [AC6605_2-hsb-group-0] bind-service 0
        [AC6605_2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
        [AC6605_2-hsb-group-0] quit
      5. Bind AC6605_2 services to the HSB group.
        [AC6605_2] hsb-service-type access-user hsb-group 0  //Bind the NAC service to HSB group 0. 
        [AC6605_2] hsb-service-type ap hsb-group 0  //Specify HSB group 0 for WLAN service backup.
        [AC6605_2] hsb-service-type dhcp hsb-group 0   //Bind DHCP servers to HSB group 0.
        [AC6605_2] hsb-group 0 
        [AC6605_2-hsb-group-0] hsb enable 
        [AC6605_2-hsb-group-0] quit

  3. Configure wireless user authentication on AC6605_1.

    1. Create and configure a RADIUS server template and an AAA scheme.
      1. Create and configure RADIUS server template hotel.
        [AC6605_1] radius-server template hotel
        [AC6605_1-radius-hotel] radius-server authentication 10.1.0.2 1812 source ip-address 172.16.100.1 weight 80 //Configure the authentication server. 
        [AC6605_1-radius-hotel] radius-server accounting 10.1.0.2 1813 source ip-address 172.16.100.1 weight 80 //Configure the accounting server.
        [AC6605_1-radius-hotel] radius-server shared-key cipher Huawei@123 
        [AC6605_1-radius-hotel] quit
      2. Configure a RADIUS authorization server.
        [AC6605_1] radius-server authorization 10.1.0.2 shared-key cipher Huawei@123
      3. Create AAA authentication scheme hotel and set the authentication mode to RADIUS.
        [AC6605_1] aaa
        [AC6605_1-aaa] authentication-scheme hotel
        [AC6605_1-aaa-authen-hotel] authentication-mode radius //Set the authentication mode to RADIUS.
        [AC6605_1-aaa-authen-hotel] quit
        [AC6605_1-aaa] accounting-scheme hotel
        [AC6605_1-aaa-accounting-hotel] accounting-mode radius //Set the accounting mode to RADIUS.
        [AC6605_1-aaa-accounting-hotel] accounting realtime 15 //Enable realtime accounting and set the accounting interval to 15 minutes.
        [AC6605_1-aaa-accounting-hotel] quit
        [AC6605_1-aaa] quit

        A shorter real-time accounting interval requires higher performance of network devices and the RADIUS server. Set a real-time accounting interval based on the user quantity. Table 4-215 lists the recommended real-time accounting intervals for different user quantities.

        Table 4-215 Recommended real-time accounting intervals for different user quantities

        User Quantity    Real-Time Accounting Interval (Minutes)
        1-99             3
        100-499          6
        500-999          12
        ≥ 1000           ≥ 15

    2. Configure a URL profile and set the redirection URL for the Portal server. Specify parameters in the URL, which include the SSID with which users associate and the original URL that users access.
      [AC6605_1] url-template name hotel
      [AC6605_1-url-template-hotel] url http://10.1.0.2:8080/portal
      [AC6605_1-url-template-hotel] url-parameter ssid ssid redirect-url url
      [AC6605_1-url-template-hotel] quit
    3. Configure a Portal server template.
      [AC6605_1] web-auth-server hotel
      [AC6605_1-web-auth-server-hotel] server-ip 10.1.0.2 //Configure the IP address of the Portal server.
      [AC6605_1-web-auth-server-hotel] shared-key cipher Huawei@123  //Configure the shared key.
      [AC6605_1-web-auth-server-hotel] port 50100  //Configure the port number of the portal server.
      [AC6605_1-web-auth-server-hotel] source-ip 172.16.100.1  //Configure the source IP address.
      [AC6605_1-web-auth-server-hotel] url-template hotel
      [AC6605_1-web-auth-server-hotel] quit
    4. Configure routes from AC6605_1 and AC6605_2 to the Agile Controller-Campus, and set the next hop to VLANIF 100 of the S7706.
      [AC6605_1] ip route-static 0.0.0.0 0.0.0.0 172.16.100.4
      [AC6605_2] ip route-static 0.0.0.0 0.0.0.0 172.16.100.4

  4. Configure WLAN services on the ACs to allow wireless access of users.

    1. Configure WLAN services on AC6605_1.
      1. Configure the source IP address of the CAPWAP tunnel.
        [AC6605_1] capwap source ip-address 172.16.100.1
      2. Create an AP group on AC6605_1 to which APs with the same configuration can be added. The following uses AP_1 as an example.
        [AC6605_1] wlan
        [AC6605_1-wlan-view] ap-group name AP_group_office
        [AC6605_1-wlan-ap-group-AP_group_office] quit
        [AC6605_1-wlan-view] ap auth-mode mac-auth
        [AC6605_1-wlan-view] ap-id 0 ap-mac 7079-90bb-1980 
        [AC6605_1-wlan-ap-0] ap-group AP_group_office
        Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
        [AC6605_1-wlan-ap-0] quit
      3. Configure other AP groups and add related APs based on the planning.
        [AC6605_1-wlan-view] ap-group name AP_group_lobby
        [AC6605_1-wlan-ap-group-AP_group_lobby] quit
        [AC6605_1-wlan-view] ap-id 1 ap-mac 4cfa-cafe-c600
        [AC6605_1-wlan-ap-1] ap-group AP_group_lobby
        Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
        [AC6605_1-wlan-ap-1] quit
        [AC6605_1-wlan-view] ap-group name AP_group_room
        [AC6605_1-wlan-ap-group-AP_group_room] quit
        [AC6605_1-wlan-view] ap-id 2 ap-mac 002b-a376-fd00
        [AC6605_1-wlan-ap-2] ap-group AP_group_room
        Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
        [AC6605_1-wlan-ap-2] quit
        [AC6605_1-wlan-view] ap-id 3 ap-mac 60de-4476-e360 
        [AC6605_1-wlan-ap-3] ap-group AP_group_room
        Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
        [AC6605_1-wlan-ap-3] quit
        [AC6605_1-wlan-view] quit
      4. Create AP system profile hotel and configure service holding upon CAPWAP link disconnection.
        [AC6605_1] wlan                                                             
        [AC6605_1-wlan-view] ap-system-profile name hotel             
        [AC6605_1-wlan-ap-system-prof-hotel] keep-service enable        
        [AC6605_1-wlan-ap-system-prof-hotel] quit
        [AC6605_1-wlan-view] quit
      5. Create AP system profile hotel on AC6605_2 and configure service holding upon CAPWAP link disconnection in the same way.
      6. Bind the AP system profile to AP groups.
        [AC6605_1] wlan
        [AC6605_1-wlan-view] ap-group name AP_group_office
        [AC6605_1-wlan-ap-group-AP_group_office] ap-system-profile hotel 
        [AC6605_1-wlan-ap-group-AP_group_office] quit
        [AC6605_1-wlan-view] ap-group name AP_group_lobby
        [AC6605_1-wlan-ap-group-AP_group_lobby] ap-system-profile hotel 
        [AC6605_1-wlan-ap-group-AP_group_lobby] quit
        [AC6605_1-wlan-view] ap-group name AP_group_room
        [AC6605_1-wlan-ap-group-AP_group_room] ap-system-profile hotel 
        [AC6605_1-wlan-ap-group-AP_group_room] quit
        [AC6605_1-wlan-view] quit
      7. Configure MAC access profile hotel.
        [AC6605_1] mac-access-profile name hotel 
        [AC6605_1-mac-access-profile-hotel] quit
      8. Configure Portal access profile hotel.
        [AC6605_1] portal-access-profile name hotel 
        [AC6605_1-portal-access-profile-hotel] web-auth-server hotel direct 
        [AC6605_1-portal-access-profile-hotel] quit
      9. Configure an authentication-free rule profile.
        [AC6605_1] free-rule-template name hotel 
        [AC6605_1-free-rule-hotel] quit
      10. Configure authentication profile hotel.
        [AC6605_1] authentication-profile name hotel
        [AC6605_1-authentication-profile-hotel] mac-access-profile hotel
        [AC6605_1-authentication-profile-hotel] portal-access-profile hotel
        [AC6605_1-authentication-profile-hotel] free-rule-template hotel
        [AC6605_1-authentication-profile-hotel] authentication-scheme hotel
        [AC6605_1-authentication-profile-hotel] accounting-scheme hotel
        [AC6605_1-authentication-profile-hotel] radius-server hotel
        [AC6605_1-authentication-profile-hotel] quit
      11. Create a security profile and configure a security policy. By default, the security policy is open system authentication.
        [AC6605_1] wlan
        [AC6605_1-wlan-view] security-profile name hotel
        [AC6605_1-wlan-sec-prof-hotel] quit
      12. Create SSID profile hotel_employee for wireless office users.
        [AC6605_1-wlan-view] ssid-profile name hotel_employee
        [AC6605_1-wlan-ssid-prof-hotel_employee] ssid hotel_employee
        [AC6605_1-wlan-ssid-prof-hotel_employee] association-timeout 1        
        [AC6605_1-wlan-ssid-prof-hotel_employee] quit
      13. Create SSID profiles hotel_guest and hotel_visitor for guests and visitors, respectively, in the same way.
      14. Create traffic profile hotel, enable isolation of all users, and set the STA-based rate limit to 10 Mbit/s.
        [AC6605_1-wlan-view] traffic-profile name hotel
        [AC6605_1-wlan-traffic-prof-hotel] user-isolate all
        [AC6605_1-wlan-traffic-prof-hotel] rate-limit client up 10000
        [AC6605_1-wlan-traffic-prof-hotel] rate-limit client down 10000
        [AC6605_1-wlan-traffic-prof-hotel] quit
      15. Enable automatic radio calibration, enable the load, noise-floor, non-wifi, and rogue-ap calibration policies, and set the calibration sensitivity to high.
        [AC6605_1-wlan-view] calibrate enable auto interval 1440 start-time 03:00:00
        [AC6605_1-wlan-view] calibrate policy load 
        [AC6605_1-wlan-view] calibrate policy noise-floor  
        [AC6605_1-wlan-view] calibrate policy non-wifi 
        [AC6605_1-wlan-view] calibrate policy rogue-ap 
        [AC6605_1-wlan-view] calibrate sensitivity high 
      16. Configure RRM profile hotel. Enable smart roaming, dynamic EDCA parameter adjustment, and dynamic load balancing to reduce co-channel interference when APs are densely deployed and alleviate the load on a single AP. Dynamic load balancing and smart roaming are enabled by default.
        [AC6605_1-wlan-view] rrm-profile name hotel   
        [AC6605_1-wlan-rrm-prof-hotel] smart-roam roam-threshold snr 25 
        [AC6605_1-wlan-rrm-prof-hotel] smart-roam quick-kickoff-threshold snr 20
        [AC6605_1-wlan-rrm-prof-hotel] dynamic-edca enable
        [AC6605_1-wlan-rrm-prof-hotel] quit
      17. Create a VAP profile for wireless office users, set the service data forwarding mode and service VLAN, and bind the security, SSID, traffic, and authentication profiles to the VAP profile. Configure broadcast flood detection and suppression.
        [AC6605_1-wlan-view] vap-profile name hotel_employee
        [AC6605_1-wlan-vap-prof-hotel_employee] forward-mode direct-forward
        [AC6605_1-wlan-vap-prof-hotel_employee] service-vlan vlan-id 102
        [AC6605_1-wlan-vap-prof-hotel_employee] security-profile hotel
        [AC6605_1-wlan-vap-prof-hotel_employee] ssid-profile hotel_employee
        [AC6605_1-wlan-vap-prof-hotel_employee] traffic-profile hotel
        [AC6605_1-wlan-vap-prof-hotel_employee] authentication-profile hotel
        [AC6605_1-wlan-vap-prof-hotel_employee] anti-attack flood arp sta-rate-threshold 10
        [AC6605_1-wlan-vap-prof-hotel_employee] quit
      18. Create VAP profiles for guests and visitors in the same way. Table 4-216 lists the specific configuration parameters.
        Table 4-216 VAP configuration parameters

        Object: Office employees
        VAP Profile: hotel_employee
        Data:
        • Forwarding mode: direct forwarding
        • Service VLAN: VLAN 102
        • Security profile: hotel
        • SSID profile: hotel_employee
        • Authentication profile: hotel
        • Traffic profile: hotel
        • Rate threshold for ARP flood attack detection and suppression: 10 pps

        Object: Guests
        VAP Profile: hotel_guest
        Data:
        • Forwarding mode: direct forwarding
        • Service VLAN: VLAN 105
        • Security profile: hotel
        • SSID profile: hotel_guest
        • Authentication profile: hotel
        • Traffic profile: hotel
        • Rate threshold for ARP flood attack detection and suppression: 10 pps

        Object: Visitors
        VAP Profile: hotel_visitor
        Data:
        • Forwarding mode: direct forwarding
        • Service VLAN: VLAN 104
        • Security profile: hotel
        • SSID profile: hotel_visitor
        • Authentication profile: hotel
        • Traffic profile: hotel
        • Rate threshold for ARP flood attack detection and suppression: 10 pps
      19. Create radio profiles on AC6605_1.
        [AC6605_1-wlan-view] radio-2g-profile name 2G_hotel
        [AC6605_1-wlan-radio-2g-prof-2G_hotel] rrm-profile hotel
        [AC6605_1-wlan-radio-2g-prof-2G_hotel] beacon-interval 160
        [AC6605_1-wlan-radio-2g-prof-2G_hotel] quit
        [AC6605_1-wlan-view] radio-5g-profile name 5G_hotel
        [AC6605_1-wlan-radio-5g-prof-5G_hotel] rrm-profile hotel
        [AC6605_1-wlan-radio-5g-prof-5G_hotel] rts-cts-mode rts-cts
        [AC6605_1-wlan-radio-5g-prof-5G_hotel] quit 
      20. Bind corresponding VAP profiles to the AP groups, and apply the VAP profile configurations to radio 0 and radio 1 of the APs.
        [AC6605_1-wlan-view] ap-group name AP_group_office 
        [AC6605_1-wlan-ap-group-AP_group_office] vap-profile hotel_employee wlan 1 radio all
        [AC6605_1-wlan-ap-group-AP_group_office] radio 0
        [AC6605_1-wlan-group-radio-AP_group_office/0] radio-2g-profile 2G_hotel 
        [AC6605_1-wlan-group-radio-AP_group_office/0] quit
        [AC6605_1-wlan-ap-group-AP_group_office] radio 1
        [AC6605_1-wlan-group-radio-AP_group_office/1] radio-5g-profile 5G_hotel 
        [AC6605_1-wlan-group-radio-AP_group_office/1] quit
        [AC6605_1-wlan-ap-group-AP_group_office] quit
        [AC6605_1-wlan-view] ap-group name AP_group_lobby 
        [AC6605_1-wlan-ap-group-AP_group_lobby] vap-profile hotel_employee wlan 1 radio all
        [AC6605_1-wlan-ap-group-AP_group_lobby] vap-profile hotel_guest wlan 2 radio all
        [AC6605_1-wlan-ap-group-AP_group_lobby] vap-profile hotel_visitor wlan 3 radio all
        [AC6605_1-wlan-ap-group-AP_group_lobby] radio 0
        [AC6605_1-wlan-group-radio-AP_group_lobby/0] radio-2g-profile 2G_hotel 
        [AC6605_1-wlan-group-radio-AP_group_lobby/0] quit
        [AC6605_1-wlan-ap-group-AP_group_lobby] radio 1
        [AC6605_1-wlan-group-radio-AP_group_lobby/1] radio-5g-profile 5G_hotel 
        [AC6605_1-wlan-group-radio-AP_group_lobby/1] quit
        [AC6605_1-wlan-ap-group-AP_group_lobby] quit
        [AC6605_1-wlan-view] ap-group name AP_group_room 
        [AC6605_1-wlan-ap-group-AP_group_room] vap-profile hotel_guest wlan 1 radio all
        [AC6605_1-wlan-ap-group-AP_group_room] radio 0
        [AC6605_1-wlan-group-radio-AP_group_room/0] radio-2g-profile 2G_hotel 
        [AC6605_1-wlan-group-radio-AP_group_room/0] quit
        [AC6605_1-wlan-ap-group-AP_group_room] radio 1
        [AC6605_1-wlan-group-radio-AP_group_room/1] radio-5g-profile 5G_hotel 
        [AC6605_1-wlan-group-radio-AP_group_room/1] quit
        [AC6605_1-wlan-ap-group-AP_group_room] quit
      21. Configure AP wired port profiles.
        [AC6605_1-wlan-view] wired-port-profile name wired_port1
        [AC6605_1-wlan-wired-port-wired_port1] vlan pvid 106 
        [AC6605_1-wlan-wired-port-wired_port1] vlan untagged 106            
        [AC6605_1-wlan-wired-port-wired_port1] mode endpoint
        [AC6605_1-wlan-wired-port-wired_port1] quit
        [AC6605_1-wlan-view] wired-port-profile name wired_port2
        [AC6605_1-wlan-wired-port-wired_port2] vlan tagged 106                   
        [AC6605_1-wlan-wired-port-wired_port2] quit
      22. Bind the AP wired port profiles to AP group AP_group_room.
        [AC6605_1-wlan-view] ap-group name AP_group_room 
        [AC6605_1-wlan-ap-group-AP_group_room] wired-port-profile wired_port1 gigabitethernet 1 
        [AC6605_1-wlan-ap-group-AP_group_room] wired-port-profile wired_port2 gigabitethernet 24
        [AC6605_1-wlan-ap-group-AP_group_room] quit
        [AC6605_1-wlan-view] quit
    2. Configure private WLAN service parameters on AC6605_2.

      # Configure the source IP address of AC6605_2.

      [AC6605_2] capwap source ip-address 172.16.100.1
    3. Configure wireless configuration synchronization in VRRP HSB scenarios.

      After wireless configuration synchronization is configured, the functions that are not manually configured on AC6605_2 (such as the RADIUS server template and WLAN services) are automatically synchronized to AC6605_2.

      1. Configure wireless configuration synchronization on AC6605_1.
        [AC6605_1] wlan
        [AC6605_1-wlan-view] master controller
        [AC6605_1-master-controller] master-redundancy peer-ip ip-address 172.16.100.3 local-ip ip-address 172.16.100.2 psk Huawei@123
        [AC6605_1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
        [AC6605_1-master-controller] quit
        [AC6605_1-wlan-view] quit
      2. Configure wireless configuration synchronization on AC6605_2.
        [AC6605_2] wlan
        [AC6605_2-wlan-view] master controller
        [AC6605_2-master-controller] master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.3 psk Huawei@123
        [AC6605_2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
        [AC6605_2-master-controller] quit
        [AC6605_2-wlan-view] quit
      3. Trigger wireless configuration synchronization manually. Run the display sync-configuration status command to check the wireless configuration synchronization status. If the status in the command output is displayed as cfg-mismatch, manually trigger wireless configuration synchronization on AC6605_1. Wireless configurations are then synchronized to AC6605_2 after a restart.
        [AC6605_1] display sync-configuration status
        Controller role:Master/Backup/Local
        ------------------------------------------------------------------------------------
        Controller IP  Role       Device Type     Version       Status
        ------------------------------------------------------------------------------------
        172.16.100.3   Backup     AC6605          V200R010C00   cfg-mismatch(config check fail)
        ------------------------------------------------------------------------------------
        Total: 1
        [AC6605_1] synchronize-configuration
        Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y

Configuring the S5700-LI

  1. Configure VLANs on S5700-LI_1 for the office network.

    1. Create VLANs 100 through 102. VLAN 100 is the management VLAN of APs, VLAN 101 is the wired office service VLAN, and VLAN 102 is the wireless office service VLAN.
      <HUAWEI> system-view                                                
      [HUAWEI] sysname S5700_1 
      [S5700_1] vlan batch 100 to 102                                      
    2. Configure the interfaces connected to the S7706s to allow packets from VLANs 100 through 102 to pass through.
      [S5700_1] interface eth-trunk 0                         
      [S5700_1-Eth-Trunk0] port link-type trunk                 
      [S5700_1-Eth-Trunk0] port trunk allow-pass vlan 100 to 102 
      [S5700_1-Eth-Trunk0] quit 
      [S5700_1] interface gigabitethernet 0/0/25
      [S5700_1-GigabitEthernet0/0/25] eth-trunk 0                  
      [S5700_1-GigabitEthernet0/0/25] quit
      [S5700_1] interface gigabitethernet 0/0/26
      [S5700_1-GigabitEthernet0/0/26] eth-trunk 0                  
      [S5700_1-GigabitEthernet0/0/26] quit
    3. Configure the interface connected to the PC.
      [S5700_1] interface gigabitethernet 0/0/1                           
      [S5700_1-GigabitEthernet0/0/1] port link-type access                 
      [S5700_1-GigabitEthernet0/0/1] port default vlan 101                 
      [S5700_1-GigabitEthernet0/0/1] quit                                  
    4. Configure the interface connected to AP_1, and enable port isolation.
      [S5700_1] interface gigabitethernet 0/0/2                           
      [S5700_1-GigabitEthernet0/0/2] port link-type trunk          
      [S5700_1-GigabitEthernet0/0/2] port trunk pvid vlan 100
      [S5700_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
      [S5700_1-GigabitEthernet0/0/2] port-isolate enable 
      [S5700_1-GigabitEthernet0/0/2] quit

  2. Configure DHCP snooping on S5700-LI_1.

    1. Enable DHCP globally.
      [S5700_1] dhcp enable 
    2. Enable DHCP snooping globally.
      [S5700_1] dhcp snooping enable 
    3. Enable DHCP snooping in VLAN 101.
      [S5700_1] vlan 101
      [S5700_1-vlan101] dhcp snooping enable
      [S5700_1-vlan101] quit

  3. Configure multicast packet suppression.

    # If direct forwarding is used to forward wireless service data, it is recommended that multicast packet suppression be configured on the interface directly connected to the AP.

    1. Create traffic classifier test and define a matching rule.

      [S5700_1] traffic classifier test                      
      [S5700_1-classifier-test] if-match destination-mac 0100-5e00-0000 ffff-ff00-0000 
      [S5700_1-classifier-test] quit    
    2. Create traffic behavior test, enable traffic statistics collection, and set the traffic rate limit.

      [S5700_1] traffic behavior test                          
      [S5700_1-behavior-test] statistic enable                 
      [S5700_1-behavior-test] car cir 100                       
      [S5700_1-behavior-test] quit
    3. Create traffic policy test, and bind the traffic classifier and traffic behavior to the traffic policy.

      [S5700_1] traffic policy test
      [S5700_1-trafficpolicy-test] classifier test behavior test
      [S5700_1-trafficpolicy-test] quit
    4. Apply the traffic policy to the inbound and outbound directions of the interface.

      [S5700_1] interface gigabitethernet 0/0/2
      [S5700_1-GigabitEthernet0/0/2] traffic-policy test inbound 
      [S5700_1-GigabitEthernet0/0/2] traffic-policy test outbound
      [S5700_1-GigabitEthernet0/0/2] quit

  4. Configure VLANs on S5700-LI_2 for the security surveillance network.

    1. Create VLAN 100 and VLAN 103. VLAN 100 is the management VLAN of APs, and VLAN 103 is the wired service VLAN for surveillance cameras.
      <HUAWEI> system-view                                                
      [HUAWEI] sysname S5700_2
      [S5700_2] vlan batch 100 103                                     
    2. Configure the interfaces connected to the S7706s to allow packets from VLANs 100 and 103 to pass through.
      [S5700_2] interface eth-trunk 0                         
      [S5700_2-Eth-Trunk0] port link-type trunk                  
      [S5700_2-Eth-Trunk0] port trunk allow-pass vlan 100 103   
      [S5700_2-Eth-Trunk0] quit 
      [S5700_2] interface gigabitethernet 0/0/25
      [S5700_2-GigabitEthernet0/0/25] eth-trunk 0                  
      [S5700_2-GigabitEthernet0/0/25] quit
      [S5700_2] interface gigabitethernet 0/0/26
      [S5700_2-GigabitEthernet0/0/26] eth-trunk 0                  
      [S5700_2-GigabitEthernet0/0/26] quit
    3. Configure the interface connected to the surveillance camera.
      [S5700_2] interface gigabitethernet 0/0/1                           
      [S5700_2-GigabitEthernet0/0/1] port link-type access                 
      [S5700_2-GigabitEthernet0/0/1] port default vlan 103                 
      [S5700_2-GigabitEthernet0/0/1] quit     

  5. Configure DHCP snooping on S5700-LI_2.

    1. Enable DHCP globally.
      [S5700_2] dhcp enable 
    2. Enable DHCP snooping globally.
      [S5700_2] dhcp snooping enable 
    3. Enable DHCP snooping in VLAN 103.
      [S5700_2] vlan 103
      [S5700_2-vlan103] dhcp snooping enable
      [S5700_2-vlan103] quit

Configuring the S5720-EI

  1. Configure the two S5720-EI switches to set up a stack.

    1. Install stack cards on the two S5720-EI switches and connect them using stack cables. The switches then automatically set up a stack. For details, see iStack of S Switch.
    2. Check the stack status and verify that the stack is successfully set up.

  2. Configure VLANs.

    1. Create VLAN 100 and VLANs 104 through 106. VLAN 100 is the management VLAN of the AC6605, and VLANs 104 through 106 are VLANs for wireless visitors, wireless guests, and wired IPTV services, respectively.
      <HUAWEI> system-view                                                
      [HUAWEI] sysname S5720EI-iStack 
      [S5720EI-iStack] vlan batch 100 104 to 106                
    2. Configure the interfaces connected to the S7706s to allow packets from VLAN 100 and VLANs 104 through 106 to pass through.
      [S5720EI-iStack] interface eth-trunk 0                            
      [S5720EI-iStack-Eth-Trunk0] port link-type trunk                   
      [S5720EI-iStack-Eth-Trunk0] port trunk allow-pass vlan 100 104 to 106 
      [S5720EI-iStack-Eth-Trunk0] quit
      [S5720EI-iStack] interface xgigabitethernet 0/0/1                   
      [S5720EI-iStack-XGigabitEthernet0/0/1] eth-trunk 0                   
      [S5720EI-iStack-XGigabitEthernet0/0/1] quit                          
      [S5720EI-iStack] interface xgigabitethernet 1/0/1                    
      [S5720EI-iStack-XGigabitEthernet1/0/1] eth-trunk 0                   
      [S5720EI-iStack-XGigabitEthernet1/0/1] quit  
    3. Configure the interface connected to AP_2 and enable port isolation.
      [S5720EI-iStack] interface gigabitethernet 1/0/1            
      [S5720EI-iStack-GigabitEthernet1/0/1] port link-type trunk           
      [S5720EI-iStack-GigabitEthernet1/0/1] port trunk pvid vlan 100       
      [S5720EI-iStack-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 104 to 105
      [S5720EI-iStack-GigabitEthernet1/0/1] port-isolate enable            
      [S5720EI-iStack-GigabitEthernet1/0/1] quit                           
    4. Configure the interface connected to the AD9430DN and enable port isolation.
      [S5720EI-iStack] interface gigabitethernet 1/0/2                     
      [S5720EI-iStack-GigabitEthernet1/0/2] port link-type trunk           
      [S5720EI-iStack-GigabitEthernet1/0/2] port trunk pvid vlan 100 
      [S5720EI-iStack-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 105 to 106          
      [S5720EI-iStack-GigabitEthernet1/0/2] port-isolate enable            
      [S5720EI-iStack-GigabitEthernet1/0/2] quit 

  3. Configure multicast packet suppression.

    # If direct forwarding is used to forward wireless service data, it is recommended that multicast packet suppression be configured on the interface directly connected to the AP.

    1. Create traffic classifier test and define a matching rule.

      [S5720EI-iStack] traffic classifier test                      
      [S5720EI-iStack-classifier-test] if-match destination-mac 0100-5e00-0000 ffff-ff00-0000 
      [S5720EI-iStack-classifier-test] quit    
    2. Create traffic behavior test, enable traffic statistics collection, and set the traffic rate limit.

      [S5720EI-iStack] traffic behavior test                          
      [S5720EI-iStack-behavior-test] statistic enable                 
      [S5720EI-iStack-behavior-test] car cir 100                       
      [S5720EI-iStack-behavior-test] quit
    3. Create traffic policy test, and bind the traffic classifier and traffic behavior to the traffic policy.

      [S5720EI-iStack] traffic policy test
      [S5720EI-iStack-trafficpolicy-test] classifier test behavior test
      [S5720EI-iStack-trafficpolicy-test] quit
    4. Apply the traffic policy to the inbound and outbound directions of the interfaces.

      [S5720EI-iStack] interface gigabitethernet 1/0/1
      [S5720EI-iStack-GigabitEthernet1/0/1] traffic-policy test inbound 
      [S5720EI-iStack-GigabitEthernet1/0/1] traffic-policy test outbound
      [S5720EI-iStack-GigabitEthernet1/0/1] quit
      [S5720EI-iStack] interface gigabitethernet 1/0/2
      [S5720EI-iStack-GigabitEthernet1/0/2] traffic-policy test inbound 
      [S5720EI-iStack-GigabitEthernet1/0/2] traffic-policy test outbound
      [S5720EI-iStack-GigabitEthernet1/0/2] quit

  4. Configure DHCP snooping.

    1. Enable DHCP globally.
      [S5720EI-iStack] dhcp enable 
    2. Enable DHCP snooping globally.
      [S5720EI-iStack] dhcp snooping enable 
    3. Enable DHCP snooping in VLANs 104 and 105.
      [S5720EI-iStack] vlan 104
      [S5720EI-iStack-vlan104] dhcp snooping enable
      [S5720EI-iStack-vlan104] quit
      [S5720EI-iStack] vlan 105
      [S5720EI-iStack-vlan105] dhcp snooping enable
      [S5720EI-iStack-vlan105] quit

Configuring the Agile Controller-Campus

  1. Log in to the Agile Controller-Campus.

    Open the browser, and enter the address for accessing the Agile Controller-Campus in the address box. On the displayed page, enter the user name and password, and click GO to log in to the Agile Controller-Campus.

    If you log in to the Agile Controller-Campus for the first time, use the super administrator user name admin and password Changeme123. Change the password immediately after logging in. Otherwise, the Agile Controller-Campus cannot be used.

    The following table describes addresses for accessing the Agile Controller-Campus.

    Access Mode                                  Description
    ----------------------------------------------------------------------------------------
    https://Agile Controller-Campus-IP:8443      Agile Controller-Campus-IP specifies the IP address of the Agile Controller-Campus.
    IP address of the Agile Controller-Campus    If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering its IP address without the port number. The URL of the Agile Controller-Campus will automatically change to https://Agile Controller-Campus-IP:8443.

  2. Configure user groups and users.

    1. Choose Resource > User > User Management. Click to add a user group. On the page that is displayed, enter user group name employee (wired office users) and click OK.

    2. Select the new user group in the navigation tree and click Add. The Add Account page is displayed. Set Account type to Common account, set Account, Password, and User name, deselect Change password upon next login, and click OK.

    3. Create user groups wireless, guest, and visitor for wireless office users, guests, and visitors, respectively. Add users to these groups.

  3. Configure device management for the S7706 and AC6605.

    1. Choose Resource > Device > Device Management. Click Add to add the S7706. Configure authentication parameters and click OK.

    2. Add AC6605_1. Configure authentication parameters and click OK.

    3. Add AC6605_2. Configure authentication parameters and click OK.

  4. Choose System > Terminal Configuration > Global Parameters, and configure MAC address-prioritized Portal authentication under Configure MAC Address-Prioritized Portal Authentication.

  5. Configure authentication and authorization rules and results.

    1. Configure authentication rules.

      # The default authentication rule is used in this example. To create an authentication rule based on the actual situation, choose Policy > Permission Control > Authentication & Authorization > Authentication Rule. Click Add to create an authentication rule.

    2. Configure authorization results.

      # The default authorization result is used in this example. To create an authorization result based on the actual situation, choose Policy > Permission Control > Authentication & Authorization > Authorization Result. Click Add to create an authorization result.

    3. Configure an authorization rule for wired and wireless users.
      1. Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule. Click Add to create authorization rule wired_and_wireless. Add employee, wireless, guest, and lodger to User Group, and set the authorization result to Permit Access.

  6. Configure authorization rules for IPTV and security surveillance devices.

    1. Choose Resource > Terminal > Terminal List. Click Device Group and then Add to create device groups iptv and monitor.

    2. Select a device group. Click Add in Device List to create a device account.

    3. Create an account for device group monitor in the same way.

    4. Configure authentication rules.

      # The default authentication rule is used in this example. To create an authentication rule based on the actual situation, choose Policy > Permission Control > Authentication & Authorization > Authentication Rule. Click Add to create an authentication rule.

    5. Configure authorization results.

      # The default authorization result is used in this example. To create an authorization result based on the actual situation, choose Policy > Permission Control > Authentication & Authorization > Authorization Result. Click Add to create an authorization result.

    6. Configure authorization rules.
      1. Choose Policy > Authentication & Authorization > Authentication Rule, and click Add to create authorization rule iptv_authorization_result. Set Service type to MAC bypass authentication, Terminal Group to iptv, and Authorization result to Permit Access. After the configuration is complete, click OK.

      2. Create authorization rule monitor_authorization_result in the same way.

Verification

  • Access the network using the wireless user account hotel_employee, hotel_visitor, or hotel_guest. After authentication is successful, you can view user information (such as the AP to which the user is connected) on the AC6605 and information about online users on the Agile Controller-Campus.
  • Perform access authentication using the account of hotel_employee, hotel_visitor, hotel_guest, or an IPTV user, and verify user network rights. For example, wired office users cannot access the IPTV server, but can access the Internet and office server.
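
A static cross-check to run alongside the live verification above, as an added example (not part of the original guide or of any Huawei tool): it parses lines copied from the S7706 configuration script later on this page and reports traffic filters that reference undefined ACLs, ACLs that are never applied, and ACLs whose source subnet is not carried by the trunk they filter. The function names are illustrative, and the check assumes that VLANIF n holds the gateway address of VLAN n.

```python
import ipaddress
import re

# Lines copied from the S7706 script on this page: ACLs, VLANIFs, Eth-Trunks.
S7706_EXCERPT = """\
acl name acl-employee 3001
 rule 5 permit ip source 172.16.101.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.101.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-wireless 3002
 rule 5 deny ip source 172.16.102.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.102.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-visitor 3003
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-guest 3004
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
acl name acl-iptv 3005
 rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
 rule 10 permit ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
interface Vlanif101
 ip address 172.16.101.1 255.255.255.0
interface Vlanif102
 ip address 172.16.102.1 255.255.255.0
interface Vlanif103
 ip address 172.16.103.1 255.255.255.0
interface Vlanif104
 ip address 172.16.104.1 255.255.255.0
interface Vlanif105
 ip address 172.16.105.1 255.255.255.0
interface Vlanif106
 ip address 172.16.106.1 255.255.255.0
interface Eth-Trunk0
 port trunk allow-pass vlan 10 100 to 102
 traffic-filter inbound acl name acl-employee
 traffic-filter inbound acl name acl-wired
interface Eth-Trunk1
 port trunk allow-pass vlan 10 100 103
 traffic-filter inbound acl name acl-monitor
interface Eth-Trunk2
 port trunk allow-pass vlan 100 104 to 106
 traffic-filter inbound acl name acl-employee
 traffic-filter inbound acl name acl-guest
 traffic-filter inbound acl name acl-iptv
"""


def parse_vlans(spec):
    """Expand a VRP VLAN list such as '10 100 to 102' into a set of VLAN IDs."""
    vlans = set()
    for low, high in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse(config):
    """Return (acls, vlan_nets, trunks); assumes VLANIF n is VLAN n's gateway."""
    acls, vlan_nets, trunks = {}, {}, {}
    kind = name = None
    for line in map(str.strip, config.splitlines()):
        head = re.match(r"(acl name|interface) (\S+)|#$", line)
        if head:
            kind, name = head.groups()  # a bare '#' ends the current section
            if kind == "acl name":
                acls[name] = set()
            elif kind and name.startswith("Eth-Trunk"):
                trunks[name] = {"vlans": set(), "acls": []}
        elif kind == "acl name" and (m := re.search(r"\bsource (\S+) (\S+)", line)):
            # Wildcard masks (0.0.0.255) are accepted by ipaddress as host masks.
            acls[name].add(ipaddress.ip_network("/".join(m.groups())))
        elif kind == "interface" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            if name.startswith("Vlanif"):
                vlan_nets[int(name[6:])] = ipaddress.ip_interface("/".join(m.groups())).network
        elif name in trunks and (m := re.match(r"port trunk allow-pass vlan (.+)", line)):
            trunks[name]["vlans"] |= parse_vlans(m.group(1))
        elif name in trunks and (m := re.match(r"traffic-filter inbound acl name (\S+)", line)):
            trunks[name]["acls"].append(m.group(1))
    return acls, vlan_nets, trunks


def audit(config):
    """List (kind, interface, detail) findings for ACL and filter mismatches."""
    acls, vlan_nets, trunks = parse(config)
    findings, applied = [], set()
    for ifname, trunk in trunks.items():
        carried = [vlan_nets[v] for v in trunk["vlans"] if v in vlan_nets]
        for acl in trunk["acls"]:
            applied.add(acl)
            if acl not in acls:
                findings.append(("undefined-acl", ifname, acl))
            for net in sorted(acls.get(acl, ())):
                if not any(net.subnet_of(c) for c in carried):
                    findings.append(("source-not-on-trunk", ifname, f"{acl} {net}"))
    findings += [("unapplied-acl", "-", acl) for acl in acls if acl not in applied]
    return findings


if __name__ == "__main__":
    print(*audit(S7706_EXCERPT), sep="\n")
```

Run on the excerpt, it reports acl-wired and acl-monitor as referenced but never defined, acl-wireless and acl-visitor as never applied, and three filters on Eth-Trunk2 whose source subnets (172.16.101.0/24 and 172.16.103.0/24) belong to VLANs that trunk does not carry. Reconcile these against the access rights table before relying on the filters.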

Configuration Script

  • S7706
    #
    sysname CSS
    #
    router id 3.3.3.3
    #
    vlan batch 10 100 to 106 
    # 
    authentication-profile name hotel
     mac-access-profile hotel
     portal-access-profile hotel
     free-rule-template default_free_rule
     access-domain hotel
    authentication-profile name hotel_mac  
     mac-access-profile hotel 
    #
    telnet server enable
    #
    dhcp enable
    #
    radius-server template hotel
     radius-server shared-key cipher %^%#jFB$;|}{hPY&{yGWzOA<OAG43)~]B(Nq\V;&`rXF%^%#
     radius-server authentication 10.1.0.2 1812 source ip-address 10.1.0.1 weight 80
     radius-server accounting 10.1.0.2 1813 source ip-address 10.1.0.1 weight 80
    radius-server authorization 10.1.0.2 shared-key cipher %^%#$]p}HMl';I2u/&H>9[aMEEg%PQzIRF#a6='+l=<Z%^%# server-group hotel
    #
    acl name acl-employee 3001
     rule 5 permit ip source 172.16.101.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
     rule 10 deny ip source 172.16.101.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    acl name acl-wireless 3002
     rule 5 deny ip source 172.16.102.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
     rule 10 deny ip source 172.16.102.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    acl name acl-visitor 3003
     rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
     rule 10 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    acl name acl-guest 3004
     rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
     rule 10 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    acl name acl-iptv 3005
     rule 5 deny ip source 172.16.103.0 0.0.0.255 destination 10.100.2.0 0.0.0.255
     rule 10 permit ip source 172.16.103.0 0.0.0.255 destination 10.100.3.0 0.0.0.255
    #
    free-rule-template name default_free_rule
     free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
    #
    web-auth-server hotel
     server-ip 10.1.0.2
     port 50100
     shared-key cipher %^%#cctY6)Rb~OHH"J$ah^F2GWM{-97UEZ2$Y1)3HF:B%^%
     url http://10.1.0.2:8080/portal
    #
    portal-access-profile name hotel
     web-auth-server hotel direct
    #
    aaa
     authentication-scheme hotel
      authentication-mode radius
     accounting-scheme hotel
      accounting-mode radius
      accounting realtime 15
     domain hotel
      authentication-scheme hotel
      accounting-scheme hotel
      radius-server hotel
     local-user admin password irreversible-cipher $1a$2)#3@S3Jx/$$=X(#mQlVVM9*y&_#4G~ON\A@vM7H-G>\tErxdhL$
     local-user admin privilege level 15
     local-user admin service-type telnet http
    #
    interface Vlanif10
     ip address 10.1.0.1 255.255.255.0
    #
    interface Vlanif100
     ip address 172.16.100.4 255.255.255.0
    #
    interface Vlanif101
     ip address 172.16.101.1 255.255.255.0
     authentication-profile hotel
     dhcp select interface
     dhcp server dns-list 8.8.8.8
    #
    interface Vlanif102
     ip address 172.16.102.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 8.8.8.8
    #
    interface Vlanif103
     ip address 172.16.103.1 255.255.255.0
     authentication-profile hotel_mac
     dhcp select interface
     dhcp server dns-list 8.8.8.8
    #
    interface Vlanif104
     ip address 172.16.104.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 8.8.8.8
    #
    interface Vlanif105
     ip address 172.16.105.1 255.255.255.0
     dhcp select interface
     dhcp server dns-list 8.8.8.8
    #
    interface Vlanif106
     ip address 172.16.106.1 255.255.255.0
     authentication-profile hotel_mac
     dhcp select interface
     dhcp server dns-list 8.8.8.8
    #
    interface Eth-Trunk0
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 10 100 to 102
     traffic-filter inbound acl name acl-employee
     traffic-filter inbound acl name acl-wired
     mode lacp
     port description switch
    #
    interface Eth-Trunk1
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 10 100 103
     traffic-filter inbound acl name acl-monitor
     mode lacp
     port description switch
    #
    interface Eth-Trunk2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 104 to 106
     traffic-filter inbound acl name acl-employee
     traffic-filter inbound acl name acl-guest
     traffic-filter inbound acl name acl-iptv
     mode lacp
     port description switch
    #
    interface Eth-Trunk10
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 10 100
     mode lacp
     port description switch
    #
    interface Eth-Trunk20
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 10 100
     mode lacp
     port description switch
    #
    interface Ethernet0/0/0/0
     ip address 192.168.0.3 255.255.255.0
    #
    interface GigabitEthernet1/1/1/7
     mad detect mode direct
    #
    interface GigabitEthernet1/2/1/0
     eth-trunk 0
    #
    interface GigabitEthernet1/2/1/1
     eth-trunk 1
    #
    interface GigabitEthernet1/2/1/2
     eth-trunk 2
    #
    interface GigabitEthernet1/2/1/6
     eth-trunk 10
    #
    interface GigabitEthernet1/2/1/8
     eth-trunk 20
    #
    interface GigabitEthernet2/1/1/7
     mad detect mode direct
    #
    interface GigabitEthernet2/2/1/0
     eth-trunk 0
    #
    interface GigabitEthernet2/2/1/1
     eth-trunk 1
    #
    interface GigabitEthernet2/2/1/2
     eth-trunk 2
    #
    interface GigabitEthernet2/2/1/5
     port link-type access
     port default vlan 10
     loopback-detect enable
     port description desktop
    #
    interface GigabitEthernet2/2/1/6
     eth-trunk 10
    #
    interface GigabitEthernet2/2/1/8
     eth-trunk 20
    #
    interface LoopBack0
     ip address 3.3.3.3 255.255.255.255
    #
    ospf 1
     area 0.0.0.0
      network 10.1.0.0 0.0.0.255
      network 172.16.100.0 0.0.0.255
      network 172.16.101.0 0.0.0.255
      network 172.16.102.0 0.0.0.255
      network 172.16.103.0 0.0.0.255
      network 172.16.104.0 0.0.0.255
      network 172.16.105.0 0.0.0.255
      network 172.16.106.0 0.0.0.255
    #
    traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
    traffic-filter inbound acl name Auto_PGM_PREFER_POLICY
    traffic-filter inbound acl name Auto_PGM_U10
    traffic-filter inbound acl name Auto_PGM_U11
    traffic-filter inbound acl name Auto_PGM_U12
    traffic-filter inbound acl name Auto_PGM_U13
    #
    user-interface vty 0 4
     authentication-mode aaa  
     user privilege level 15 
     protocol inbound all  
    #
    mac-access-profile name hotel
    #
    return
  • AC6605_1
    #                       
     sysname AC6605_1                         
    # 
    vrrp recover-delay 60
    #                      
    vlan batch 10 40 100 to 106
    # 
    authentication-profile name hotel       
     mac-access-profile hotel               
     portal-access-profile hotel   
     free-rule-template hotel        
     authentication-scheme hotel           
     accounting-scheme hotel                
     radius-server hotel                   
    #                       
    dhcp enable              
    # 
    radius-server template hotel 
     radius-server shared-key cipher %^%#n#*3'4mNq~&xt8=kB,d,D=3v6lEJX%}L)hU**ky=%^%
     radius-server authentication 10.1.0.2 1812 source ip-address 172.16.100.1 weight 80                  
     radius-server accounting 10.1.0.2 1813 source ip-address 172.16.100.1 weight 80   
    radius-server authorization 10.1.0.2 shared-key cipher %^%#+P#@*(4vRP9R<03ds(*RHvPB:A(SR9X*Q!Tj,[0P%^%#      
    # 
    free-rule-template name hotel 
    #  
    url-template name hotel  
     url http://10.1.0.2:8080/portal   
     url-parameter ssid ssid redirect-url url 
    # 
    web-auth-server hotel 
     server-ip 10.1.0.2 
     port 50100                     
     shared-key cipher %^%#>F<uRsRA'<d"RH;sG|e,@ffH3J3NOCrIu0,\!Dg+%^%#             
     url-template hotel
     source-ip 172.16.100.1 
    # 
    portal-access-profile name hotel 
     web-auth-server hotel direct
    #
    aaa 
     authentication-scheme hotel  
      authentication-mode radius 
     accounting-scheme hotel
      accounting-mode radius
      accounting realtime 15 
    #
    interface Vlanif10
     ip address 10.1.0.3 255.255.255.0
    #
    interface Vlanif40
     ip address 192.168.40.1 255.255.255.0
    #
    interface Vlanif100 
     ip address 172.16.100.2 255.255.255.0 
     vrrp vrid 1 virtual-ip 172.16.100.1
     admin-vrrp vrid 1
     vrrp vrid 1 priority 120                    
     vrrp vrid 1 preempt-mode timer delay 1200 
     dhcp select interface
     dhcp server excluded-ip-address 172.16.100.3  
    #
    interface Eth-Trunk50
     description Connect to S7706_Eth-Trunk  
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 10 100
    # 
    interface GigabitEthernet0/0/2  
     port link-type trunk       
     port trunk allow-pass vlan 40                   
    # 
    interface GigabitEthernet0/0/21
     eth-trunk 50 
    # 
    interface GigabitEthernet0/0/22   
     eth-trunk 50 
    # 
    ip route-static 0.0.0.0 0.0.0.0 172.16.100.4  
    #  
    capwap source ip-address 172.16.100.1  
    # 
    hsb-service 0
     service-ip-port local-ip 192.168.40.1 peer-ip 192.168.40.2 local-data-port 10241 peer-data-port 10241 
    #  
    hsb-group 0
     track vrrp vrid 1 interface Vlanif100
     bind-service 0 
     hsb enable 
    #  
    hsb-service-type access-user hsb-group 0 
    # 
    hsb-service-type dhcp hsb-group 0 
    #  
    hsb-service-type ap hsb-group 0 
    #
    wlan 
     calibrate policy rogue-ap 
     calibrate policy non-wifi
     calibrate policy load  
     calibrate policy noise-floor
     calibrate sensitivity high  
     traffic-profile name hotel
      rate-limit client up 10000 
      rate-limit client down 10000 
      user-isolate all 
     security-profile name hotel
     ssid-profile name hotel_employee 
      ssid hotel_employee  
      association-timeout 1 
     ssid-profile name hotel_guest 
      ssid hotel_guest 
      association-timeout 1
     ssid-profile name hotel_visitor
      ssid hotel_visitor  
      association-timeout 1 
     vap-profile name hotel_employee  
      service-vlan vlan-id 102 
      ssid-profile hotel_employee
      security-profile hotel 
      traffic-profile hotel 
      authentication-profile hotel
     vap-profile name hotel_guest  
      service-vlan vlan-id 105 
      ssid-profile hotel_guest
      security-profile hotel  
      traffic-profile hotel 
      authentication-profile hotel
     vap-profile name hotel_visitor 
      service-vlan vlan-id 104
      ssid-profile hotel_visitor
      security-profile hotel
      traffic-profile hotel 
      authentication-profile hotel 
     rrm-profile name hotel  
      smart-roam roam-threshold snr 25 
      smart-roam quick-kickoff-threshold snr 20
      dynamic-edca enable           
     radio-2g-profile name 2G_hotel
      beacon-interval 160  
      rrm-profile hotel  
     radio-5g-profile name 5G_hotel 
      beacon-interval 160
      rrm-profile hotel
     ap-system-profile name hotel   
      keep-service enable 
     wired-port-profile name wired_port1
      mode endpoint
      vlan pvid 106
      vlan untagged 106
     wired-port-profile name wired_port2
      vlan tagged 106
     ap-group name AP_group_room   
      ap-system-profile hotel
      wired-port-profile wired_port1 gigabitethernet 1  
      wired-port-profile wired_port2 gigabitethernet 24 
      radio 0  
       radio-2g-profile 2G_hotel  
       vap-profile hotel_guest wlan 1  
      radio 1   
       radio-5g-profile 5G_hotel
       vap-profile hotel_guest wlan 1  
     ap-group name AP_group_lobby  
      ap-system-profile hotel  
      radio 0  
       radio-2g-profile 2G_hotel  
       vap-profile hotel_employee wlan 1
       vap-profile hotel_guest wlan 2 
       vap-profile hotel_visitor wlan 3
      radio 1   
       radio-5g-profile 5G_hotel
       vap-profile hotel_employee wlan 1
       vap-profile hotel_guest wlan 2 
       vap-profile hotel_visitor wlan 3
     ap-group name AP_group_office   
      ap-system-profile hotel  
      radio 0  
       radio-2g-profile 2G_hotel  
       vap-profile hotel_employee wlan 1  
      radio 1   
       radio-5g-profile 5G_hotel
       vap-profile hotel_employee wlan 1  
     ap-id 0 type-id 56 ap-mac 7079-90bb-1980 ap-sn 210235810810EC005283     
      ap-group AP_group_office
     ap-id 1 type-id 56 ap-mac 4cfa-cafe-c600  ap-sn 21500826412SF9906934
      ap-group AP_group_lobby
     ap-id 2 type-id 52 ap-mac 002b-a376-fd00 ap-sn 2102350KGF9WGA000106
      ap-group AP_group_room
     ap-id 3 type-id 65 ap-mac 60de-4476-e360 ap-sn 21500827352SG8913066
      ap-group AP_group_room
     provision-ap  
     master controller   
      master-redundancy track-vrrp vrid 1 interface Vlanif100 
      master-redundancy peer-ip ip-address 172.16.100.3 local-ip ip-address 172.16.100.2 psk %^%#rZ/r9y.:f!VEk92}rOQLOhNU+_MIg2v*_DS&4P&-%^%#
    # 
    mac-access-profile name hotel
    #                 
    return 
  • AC6605_2
    #                       
     sysname AC6605_2                         
    #                      
    vlan batch 10 40 100 to 106
    # 
    authentication-profile name hotel       
     mac-access-profile hotel               
     portal-access-profile hotel   
     free-rule-template hotel        
     authentication-scheme hotel           
     accounting-scheme hotel                
     radius-server hotel                   
    #                       
    dhcp enable              
    # 
    radius-server template hotel 
     radius-server shared-key cipher %^%#n#*3'4mNq~&xt8=kB,d,D=3v6lEJX%}L)hU**ky=%^%
     radius-server authentication 10.1.0.2 1812 source ip-address 172.16.100.1 weight 80                  
     radius-server accounting 10.1.0.2 1813 source ip-address 172.16.100.1 weight 80   
    radius-server authorization 10.1.0.2 shared-key cipher %^%#+P#@*(4vRP9R<03ds(*RHvPB:A(SR9X*Q!Tj,[0P%^%#      
    # 
    free-rule-template name hotel 
    #  
    url-template name hotel  
     url http://10.1.0.2:8080/portal   
     url-parameter ssid ssid redirect-url url 
    # 
    web-auth-server hotel 
     server-ip 10.1.0.2 
     port 50100                     
     shared-key cipher %^%#>F<uRsRA'<d"RH;sG|e,@ffH3J3NOCrIu0,\!Dg+%^%#             
     url-template hotel
     source-ip 172.16.100.1
    # 
    portal-access-profile name hotel 
     web-auth-server hotel direct
    #
    aaa 
     authentication-scheme hotel  
      authentication-mode radius 
     accounting-scheme hotel
      accounting-mode radius
      accounting realtime 15 
    #
    interface Vlanif10
     ip address 10.1.0.4 255.255.255.0
    #
    interface Vlanif40
     ip address 192.168.40.2 255.255.255.0
    #
    interface Vlanif100 
     ip address 172.16.100.3 255.255.255.0 
     vrrp vrid 1 virtual-ip 172.16.100.1
     admin-vrrp vrid 1 
     dhcp select interface
     dhcp server excluded-ip-address 172.16.100.2  
    #
    interface Eth-Trunk50
     description Connect to S7706_Eth-Trunk  
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 10 100
    # 
    interface GigabitEthernet0/0/2  
     port link-type trunk       
     port trunk allow-pass vlan 40                   
    # 
    interface GigabitEthernet0/0/21
     eth-trunk 50 
    # 
    interface GigabitEthernet0/0/22   
     eth-trunk 50 
    #
    ip route-static 0.0.0.0 0.0.0.0 172.16.100.4  
    #  
    capwap source ip-address 172.16.100.1  
    # 
    hsb-service 0
     service-ip-port local-ip 192.168.40.2 peer-ip 192.168.40.1 local-data-port 10241 peer-data-port 10241 
    #  
    hsb-group 0
     track vrrp vrid 1 interface Vlanif100
     bind-service 0 
     hsb enable 
    #  
    hsb-service-type access-user hsb-group 0 
    # 
    hsb-service-type dhcp hsb-group 0 
    #  
    hsb-service-type ap hsb-group 0 
    #
    wlan 
     calibrate policy rogue-ap 
     calibrate policy non-wifi
     calibrate policy load  
     calibrate policy noise-floor
     calibrate sensitivity high  
     traffic-profile name hotel
      rate-limit client up 10000 
      rate-limit client down 10000 
      user-isolate all 
     security-profile name hotel
     ssid-profile name hotel_employee 
      ssid hotel_employee    
      association-timeout 1 
     ssid-profile name hotel_guest 
      ssid hotel_guest 
      association-timeout 1
     ssid-profile name hotel_visitor
      ssid hotel_visitor
      association-timeout 1
     vap-profile name hotel_employee  
      service-vlan vlan-id 102 
      ssid-profile hotel_employee
      security-profile hotel 
      traffic-profile hotel 
      authentication-profile hotel
     vap-profile name hotel_guest  
      service-vlan vlan-id 105 
      ssid-profile hotel_guest 
      security-profile hotel  
      traffic-profile hotel 
      authentication-profile hotel
     vap-profile name hotel_visitor 
      service-vlan vlan-id 104
      ssid-profile hotel_visitor
      security-profile hotel
      traffic-profile hotel 
      authentication-profile hotel 
     rrm-profile name hotel  
      smart-roam enable 
      smart-roam roam-threshold snr 25 
      smart-roam quick-kickoff-threshold snr 20
      dynamic-edca enable 
      sta-load-balance dynamic enable 
     radio-2g-profile name 2G_hotel
      beacon-interval 160  
      rrm-profile hotel  
      rts-cts-threshold 1400 
      rts-cts-mode rts-cts  
     radio-5g-profile name 5G_hotel 
      beacon-interval 160
      rrm-profile hotel
      rts-cts-threshold 1400  
      rts-cts-mode rts-cts
     ap-system-profile name hotel   
      keep-service enable 
     wired-port-profile name wired_port1
      mode endpoint
      vlan pvid 106
      vlan untagged 106
     wired-port-profile name wired_port2
      vlan tagged 106
     ap-group name AP_group_room   
      ap-system-profile hotel
      wired-port-profile wired_port1 gigabitethernet 1  
      wired-port-profile wired_port2 gigabitethernet 24 
      radio 0  
       radio-2g-profile 2G_hotel  
       vap-profile hotel_guest wlan 1  
      radio 1   
       radio-5g-profile 5G_hotel
       vap-profile hotel_guest wlan 1  
     ap-group name AP_group_lobby  
      ap-system-profile hotel  
      radio 0  
       radio-2g-profile 2G_hotel  
       vap-profile hotel_employee wlan 1
       vap-profile hotel_guest wlan 2 
       vap-profile hotel_visitor wlan 3
      radio 1   
       radio-5g-profile 5G_hotel
       vap-profile hotel_employee wlan 1
       vap-profile hotel_guest wlan 2 
       vap-profile hotel_visitor wlan 3 
     ap-group name AP_group_office   
      ap-system-profile hotel  
      radio 0  
       radio-2g-profile 2G_hotel  
       vap-profile hotel_employee wlan 1  
      radio 1   
       radio-5g-profile 5G_hotel
       vap-profile hotel_employee wlan 1 
     ap-id 0 type-id 56 ap-mac 7079-90bb-1980 ap-sn 210235810810EC005283     
      ap-group AP_group_office
     ap-id 1 type-id 56 ap-mac 4cfa-cafe-c600  ap-sn 21500826412SF9906934
      ap-group AP_group_lobby
     ap-id 2 type-id 52 ap-mac 002b-a376-fd00 ap-sn 2102350KGF9WGA000106
      ap-group AP_group_room
     ap-id 3 type-id 65 ap-mac 60de-4476-e360 ap-sn 21500827352SG8913066
      ap-group AP_group_room
     provision-ap  
     master controller   
      master-redundancy track-vrrp vrid 1 interface Vlanif100 
      master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.3 psk %^%#rZ/r9y.:f!VEk92}rOQLOhNU+_MIg2v*_DS&4P&-%^%#
    # 
    mac-access-profile name hotel
    #                 
    return 
  • S5700-LI_1
    #                                                                               
    sysname S5700_1                                                                 
    #                                                                               
    vlan batch 100 to 102                                                           
    #                                                                               
    dhcp enable                                                                     
    #                                                                               
    dhcp snooping enable 
    #                                                                                  
    traffic classifier test operator and                                            
     if-match destination-mac 0100-5e00-0000 ffff-ff00-0000                         
    #                                                                               
    traffic behavior test                                                           
     statistic enable                                                               
     car cir 100 pir 100 cbs 12500 pbs 12500 green pass yellow pass red discard     
    #                                                                               
    traffic policy test match-order config                                          
     classifier test behavior test 
    #
    vlan 101                                                                         
     dhcp snooping enable  
    #  
    interface Eth-Trunk0                                                           
     port link-type trunk                                                           
     port trunk allow-pass vlan 100 to 102                                     
    #
    interface GigabitEthernet0/0/1                                                  
     port link-type access                                                          
     port default vlan 101 
    # 
    interface GigabitEthernet0/0/2                                                
     port link-type trunk   
     port trunk pvid vlan 100                                                       
     port trunk allow-pass vlan 100 102
     traffic-policy test inbound                                                    
     traffic-policy test outbound
     port-isolate enable
    #
    interface GigabitEthernet0/0/25                                                 
     eth-trunk 0
    #  
    interface GigabitEthernet0/0/26                                                 
     eth-trunk 0
    #                                                   
    return 
  • S5700-LI_2
    #                                                                               
    sysname S5700_2                                                                 
    #                                                                               
    vlan batch 100 103                                                          
    #                                                                               
    dhcp enable                                                                     
    #                                                                               
    dhcp snooping enable 
    #                                                                                  
    vlan 103                                                                         
     dhcp snooping enable  
    #                                                                                      
    interface Eth-Trunk0                                                           
     port link-type trunk                                                           
     port trunk allow-pass vlan 100 103                                     
    #
    interface GigabitEthernet0/0/1                                                  
     port link-type access                                                          
     port default vlan 103                                                                
    # 
    interface GigabitEthernet0/0/25                                                 
     eth-trunk 0
    #  
    interface GigabitEthernet0/0/26                                                 
     eth-trunk 0
    #                                                   
    return 
  • S5720-EI
    #                                                                               
    sysname S5720EI-iStack    
    #                                                                               
    vlan batch 100 104 to 106 
    #                                                                               
    dhcp enable                                                                     
    #                                                                               
    dhcp snooping enable 
    #   
    traffic classifier test operator and                                            
     if-match destination-mac 0100-5e00-0000 ffff-ff00-0000                         
    #                                                                               
    traffic behavior test                                                           
     statistic enable                                                               
     car cir 100 pir 100 cbs 12500 pbs 12500 green pass yellow pass red discard     
    #                                                                               
    traffic policy test match-order config                                          
     classifier test behavior test 
    #
    vlan 104                                                                         
     dhcp snooping enable  
    #
    vlan 105                                                                         
     dhcp snooping enable  
    #                                                                              
    interface Eth-Trunk0                                                           
     port link-type trunk                                                           
     port trunk allow-pass vlan 100 104 to 106  
    #                                                                               
    interface GigabitEthernet1/0/1                                                  
     port link-type trunk                                                           
     port trunk pvid vlan 100                                                       
     port trunk allow-pass vlan 100 104 to 105  
     traffic-policy test inbound                                                    
     traffic-policy test outbound                                                   
     port-isolate enable                                                     
    #                                                                               
    interface GigabitEthernet1/0/2                                                  
     port link-type trunk   
     port trunk pvid vlan 100   
     port trunk allow-pass vlan 100 105 to 106 
     traffic-policy test inbound                                                    
     traffic-policy test outbound                                                   
     port-isolate enable
    #   
    interface XGigabitEthernet0/0/1                                                 
     eth-trunk 0                                                                   
    #
    interface XGigabitEthernet1/0/1 
     eth-trunk 0                                   
    #                                                                               
    return 
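In the AC configuration file above, every vap-profile binds an ssid-profile and a security-profile by name, and a binding that is empty or points at an undefined profile leaves that SSID without its intended settings. The following Python check is an added example, not part of the original configuration files or of any Huawei tool; the function name `audit_wlan_profiles` and the embedded sample are constructed for illustration, and only these two profile kinds are checked.

```python
import re
from collections import Counter

# wlan-view profile kinds that a vap-profile binds by name (subset, by assumption).
KINDS = ("ssid-profile", "security-profile")

# Constructed sample modelled on the AC file, with two deliberate faults:
# one ssid-profile defined twice and one vap-profile binding with no name.
SAMPLE = """\
wlan
 security-profile name hotel
 ssid-profile name hotel_employee
  ssid hotel_employee
 ssid-profile name hotel_guest
  ssid hotel_guest
 ssid-profile name hotel_guest
  ssid hotel_guest
 vap-profile name hotel_employee
  ssid-profile
  security-profile hotel
 vap-profile name hotel_visitor
  ssid-profile hotel_visitor
  security-profile hotel
#
"""

def audit_wlan_profiles(config: str) -> list[str]:
    """Report duplicate definitions and empty or undefined vap-profile bindings."""
    defined, bound, vap = Counter(), {}, None
    for raw in config.splitlines():
        parts = raw.split()
        m = re.fullmatch(r"(\S+) name (\S+)", raw.strip())
        if m:  # "<kind> name <x>" opens a new profile or group definition
            kind, name = m.groups()
            defined[(kind, name)] += kind in KINDS
            vap = name if kind == "vap-profile" else None
        elif parts == ["#"]:  # end of the view
            vap = None
        elif vap and parts and parts[0] in KINDS:
            bound.setdefault(vap, {})[parts[0]] = parts[1] if len(parts) > 1 else None
    findings = [f"duplicate {k} {n}" for (k, n), c in defined.items() if c > 1]
    for vap, refs in bound.items():
        for kind, name in refs.items():
            if name is None:
                findings.append(f"vap-profile {vap}: {kind} has no name")
            elif not defined[(kind, name)]:
                findings.append(f"vap-profile {vap}: {kind} {name} undefined")
    return findings
```

Running `audit_wlan_profiles` over a saved configuration before loading it on the AC surfaces dangling bindings that would otherwise only show up when an SSID fails to appear or comes up with unintended settings.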
Update Date:2024-03-04
Document ID:EDOC1100064368