Example for Configuring STAs on the Fat AP to Access the Public Network Through NAT
Networking Requirements
As shown in Figure 4-10, a Fat AP is connected to the Internet in wired mode and connected to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for mobile office so that enterprise employees can access the enterprise internal network anywhere, anytime. The administrator wants enterprise employees to access the public network using public IP addresses.
- A WLAN named wlan-net is available.
- Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses are translated to the IP address of the Fat AP outbound interface using Easy-IP for employees to access the public network.
Data planning
Item | Data |
---|---|
Service VLAN for STAs | VLAN 101 |
DHCP server | The AP functions as a DHCP server to assign IP addresses to STAs. |
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
SSID profile | |
Security profile | |
VAP profile | |
NAT Outbound | The private IP address segment 10.23.101.0/24 is mapped to the public IP address 1.1.1.1. |
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address pool on an interface.
- Configure the AP's system parameters, including the country code.
- Configure a VAP so that STAs can access the WLAN.
- Configure NAT so that STAs can access the public network using public IP addresses.
You are advised to log in to the Fat AP in wireless mode for service configuration. You can also log in to the Fat AP by directly connecting a PC to the Fat AP using network cables and then connect the Fat AP to the upstream device after services are configured and saved.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces, and wireless links are unstable. To ensure stable transmission, multicast packets are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may become congested. You are advised to configure multicast packet suppression on switch interfaces connected to APs to reduce the impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, multicast services may be affected. For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?
Procedure
- Configure the AP to communicate with the network devices.
# On the AP, create VLANIF 200, set its IP address to 1.1.1.1/24, and add GE0/0/0 to VLAN 200.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface vlanif 200
[AP-Vlanif200] ip address 1.1.1.1 24
[AP-Vlanif200] quit
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 200
[AP-GigabitEthernet0/0/0] quit
If the PC connects to the AP through GE0/0/0, modifying the interface may cause a network interruption. In this case, you need to change the PC's IP address to 1.1.1.x and access the AP's new IP address 1.1.1.1 to log in to the AP again for further operations.
If the uplink NE of the AP is assigned to a VLAN, it is recommended that the uplink interface of the AP be configured in the same VLAN as the peer interface. If the AP directly connects to an uplink router that typically does not involve VLAN assignment, you can configure the uplink interface as an access interface.
# Configure a default route. The following assumes that the public IP address of the peer end is 1.1.1.2/24.
[AP] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
- Configure the DHCP server to assign IP addresses to STAs.
# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool on VLANIF 101.
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit
- Configure the AP's system parameters.
# Configure the country code for the AP.
[AP] wlan
[AP-wlan-view] country-code cn
- Configure WLAN service parameters.
# Create security profile wlan-net and set the security policy in the profile.
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual situations, the security policy must be configured according to service requirements.
[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit
- Configure radio parameters for the VAP and AP.
Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The settings of the AP channel and power in this example are for reference only. You need to configure the AP channel and power based on the actual country code and network planning.
# Disable automatic channel and power calibration functions of the radio, and configure the channel and power for the radio.
[AP-wlan-view] quit
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/0] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/0] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] calibrate auto-channel-select disable
[AP-Wlan-Radio0/0/1] calibrate auto-txpower-select disable
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
- Configure the NAT function.
# Configure NAT outbound on the AP.
[AP] acl 2000
[AP-acl-basic-2000] rule 5 permit source 10.23.101.0 0.0.0.255
[AP-acl-basic-2000] quit
[AP] interface vlanif 200
[AP-Vlanif200] nat outbound 2000
[AP-Vlanif200] quit
[AP] quit
- Verify the configuration.
# The configuration automatically takes effect after it is completed. Run the display vap ssid wlan-net command. If Status in the command output is displayed as ON, the VAP has been successfully created on the AP radios.
<AP> display vap ssid wlan-net
WID : WLAN ID
-----------------------------------------------------------------------------------------
AP MAC          RfID  WID  BSSID           Status  Auth type     STA  SSID
-----------------------------------------------------------------------------------------
00bc-da3f-e900  0     2    00BC-DA3F-E901  ON      WPA/WPA2-PSK  0    wlan-net
00bc-da3f-e900  1     2    00BC-DA3F-E911  ON      WPA/WPA2-PSK  0    wlan-net
-----------------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the display station ssid wlan-net command on the AP. The command output shows that the STAs are connected to the WLAN wlan-net.
<AP> display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
-----------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/2      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
-----------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# Run the display nat outbound command on the AP to check the IP address translation result.
<AP> display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------------
Interface  Acl   Address-group/IP/Interface  Type
--------------------------------------------------------------------------------
Vlanif200  2000  1                           easyip
--------------------------------------------------------------------------------
Total : 1
# Run the ping command on the AP to verify that STAs on the private network can access the public network.
<AP> ping -a 10.23.101.1 1.1.1.2
PING 1.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 1.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 1.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
Configuration Files
AP configuration file
#
 sysname AP
#
vlan batch 101 200
#
dhcp enable
#
acl number 2000
 rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 1.1.1.1 255.255.255.0
 nat outbound 2000
#
interface GigabitEthernet0/0/0
 port link-type trunk
 port trunk pvid vlan 200
 port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
#
interface Wlan-Radio0/0/0
 vap-profile wlan-net wlan 2
 channel 20mhz 6
 calibrate auto-channel-select disable
 calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/1
 vap-profile wlan-net wlan 2
 channel 20mhz 149
 calibrate auto-channel-select disable
 calibrate auto-txpower-select disable
#
return
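The NAT outbound binding translates whatever source addresses the referenced ACL permits, so an exported configuration file is worth checking to confirm that ACL 2000 covers only the STA subnet served on VLANIF 101. The following Python check is an added example, not part of the original page or of any Huawei tool; the function names and the sample text are constructed, and it assumes ACL rules use dotted wildcard masks.

```python
import ipaddress
import re

# Constructed sample in the layout of the AP configuration file (WLAN stanzas omitted).
SAMPLE = """\
#
acl number 2000
 rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 1.1.1.1 255.255.255.0
 nat outbound 2000
#
return
"""

def permit_net(rule):
    """Network matched by a basic-ACL permit rule (wildcard mask -> netmask)."""
    m = re.search(r"source (\S+) (\S+)", rule)
    if not m:                                   # 'source any' or no source clause
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(m.group(2))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)

def audit_nat(config):
    """List NAT outbound bindings whose ACL is missing or wider than the STA subnets."""
    acls, lans, binds, findings = {}, [], [], []
    for stanza in re.split(r"^#[ \t]*$", config, flags=re.M):
        head, *body = [l.strip() for l in stanza.strip().splitlines()] or [""]
        if head.startswith("acl number "):
            acls[head.split()[2]] = [permit_net(l) for l in body if " permit" in l]
        elif head.startswith("interface "):
            binds += [(head.split()[1], l.split()[2]) for l in body if l.startswith("nat outbound ")]
            if "dhcp select interface" in body:  # interface address pool that serves STAs
                lans += [ipaddress.ip_interface("/".join(l.split()[2:4])).network
                         for l in body if l.startswith("ip address ")]
    for ifname, acl in binds:
        if acl not in acls:
            findings.append(f"{ifname}: nat outbound references undefined ACL {acl}")
            continue
        for net in acls[acl]:
            if not any(net.subnet_of(lan) for lan in lans):
                findings.append(f"{ifname}: ACL {acl} permits {net}, outside STA subnets")
    return findings
```

An empty list from `audit_nat` means every permitted source range sits inside a DHCP-served VLANIF subnet; a rule without a source clause is reported as permitting 0.0.0.0/0.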