No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
WLAN V200R019C00 Typical Configuration Examples
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuration Roadmap and Data Plan

Configuration Roadmap and Data Plan

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a cluster switch system (CSS) for core switches to ensure their reliability. Configure the Virtual Router Redundancy Protocol (VRRP) on the ACs to ensure the reliability of WLAN services.
  2. Configure MAC address–prioritized Portal authentication and 802.1X authentication. Common guests use MAC address–prioritized Portal authentication to access the enterprise home page. Enterprise employees use employee accounts for network access through 802.1X authentication.
  3. Configure WLAN services on the ACs to meet wireless access requirements in offices.
  4. Configure wireless configuration synchronization so that public configurations can be synchronized from the master AC to the backup AC.
  5. Add the ACs to the Service Manager of Agile Controller-Campus and configure parameters to ensure that Agile Controller-Campus can communicate with the ACs.
  6. Add an authorization result and authorization rule to grant access control permission to employees after they are successfully authenticated.

Data Planning

Table 4-137 and Table 4-138 describe data required for completing the configuration tasks.

Table 4-137 Network data plan

Item

No.

Interface Number

VLAN to Which the Interface Belongs

IP Address

Description

Access switch S5700_A

1

GE0/0/1

VLAN 800

VLAN 700

VLAN 701

-

Connects to AP_1.

2

GE0/0/2

VLAN 800

VLAN 700

VLAN 701

-

Connects to AP_2.

3

GE0/0/3

VLAN 800

VLAN 700

VLAN 701

-

Connects to the aggregation switch S7700.

Aggregation switch S7700

13

GE1/0/3

VLAN 800

VLAN 700

VLAN 701

-

Access switch S5700_A

17

GE1/0/17

VLAN 800

VLAN 700

VLAN 701

-

Connects to S12700_A.

18

GE2/0/18

VLAN 800

VLAN 700

VLAN 701

-

Connects to S12700_B.

S12700_A and S12700_B in a cluster

19

GE1/1/0/19

VLAN 800

VLAN 700

VLAN 701

-

Connects to the aggregation switch S7700.

22

GE2/1/0/22

VLAN 800

VLAN 700

VLAN701

-

20

GE1/1/0/20

VLAN 800

VLAN 820

VLAN 700

VLAN 701

-

Connects to AC_1.

23

GE2/1/0/23

VLAN 800

VLAN 820

VLAN 700

VLAN 701

-

Connects to AC_2.

21

GE1/1/0/21

VLAN 820

VLAN 700

VLAN 701

-

Connects to the router.

24

GE2/1/0/18

VLAN 820

VLAN 700

VLAN 701

-

Connects to the router.

AC_1

25

GE0/0/24

VLAN 800

VLAN 820

VLAN 700

VLAN 701

VLANIF 800: 10.128.1.2/24

VLANIF 820: 172.16.1.2/24

Connects to S12700_A.

26

GE0/0/23

VLAN 810

VLANIF 810: 10.1.1.253/30

Connects to AC_2.

AC_2

27

GE0/0/24

VLAN 800

VLAN 820

VLAN 700

VLAN 701

VLANIF 800: 10.128.1.3/24

VLANIF 820: 172.16.1.3/24

Connects to S12700_B.

28

GE0/0/23

VLAN 810

VLANIF 810: 10.1.1.254/30

Connects to AC_1.

Router

29

-

-

-

Connects to S12700_A.

30

-

-

-

Connects to S12700_B.
Table 4-138 Service data plan

Item

Description

Management VLAN for APs

VLAN800

Service VLANs

VLAN 700 and VLAN 701

HSB channel VLAN

VLAN 810

VLAN used for communication with servers

VLAN 820

VRRP group
  • Virtual IP address of VLANIF 800: 10.128.1.1
  • ID of the management VRRP group: 1
  • Backup services: DHCP, user access, and AP services
  • ACU2_1:
    • Priority: 120
    • Preemption duration: 1200 seconds
    • HSB service: The local and remote IP addresses are 10.1.1.253 and 10.1.1.254, respectively. The local and remote port numbers are both 10241.
    • Recovery delay of the VRRP group: 60 seconds
  • ACU2_2:
    • HSB service: The local and remote IP addresses are 10.1.1.254 and 10.1.1.253, respectively. The local and remote port numbers are both 10241.
    • Recovery delay of the VRRP group: 60 seconds
  • Virtual IP address of VLANIF 820: 172.16.1.1
  • Member VRRP group ID: 2
  • Association between VRRP group 2 and VRRP group 1

DHCP server
  • DHCP server for APs: AC
  • DHCP server for STAs: external DHCP server with IP address 172.16.1.252, and S7700 used as the DHCP relay agent (VLANIF 700: 10.129.1.2/20; VLANIF 701: 10.130.1.2/20)

IP address pool for APs

10.128.1.4–10.128.1.254/24

IP address pool for STAs

VLAN 700: 10.129.0.1–10.129.15.254/20

VLAN 701: 10.130.0.1–10.130.15.254/20

Authentication, authorization, and accounting (AAA) parameters

Authentication scheme:

  • Name: radius_huawei
  • Authentication mode: RADIUS

Accounting scheme:

  • Name: radius_huawei
  • Accounting mode: RADIUS
  • Real-time accounting: enabled
  • Real-time accounting interval: 15 minutes

RADIUS parameters

RADIUS server template name: radius_huawei

  • Authentication server IP address: 172.16.1.254
  • Authentication port number: 1812
  • Accounting server IP address: 172.16.1.254
  • Accounting port number: 1813
  • Shared key: huawei@123

RADIUS authorization server:

  • Authorization server IP address: 172.16.1.254
  • RADIUS shared key: huawei@123

Portal server template
  • Name: huawei
  • IP address: 172.16.1.254
  • URL address: http://172.16.1.254:8080/portal
  • Authentication port number: 50200
  • Shared key: huawei@123

URL template
  • Name: huawei
  • SSID carried in the URL: ssid
  • URL parameter carried in the URL: url

Portal access profile
  • Name: wlan_net
  • Referenced template: Portal server template huawei

802.1X access profile
  • Name: huawei

MAC access profile
  • Name: mac

Authentication-free rule profile
  • Name: default_free_rule
  • Authentication-free resource: DNS server with IP address 172.16.1.253

Portal authentication profile
  • Name: wlan_net_portal_auth
  • Referenced profiles and schemes: Portal access profile wlan_net, RADIUS server template radius_huawei, RADIUS authentication scheme radius_huawei, RADIUS accounting scheme radius_huawei, and authentication-free rule profile default_free_rule, and MAC access profile mac

802.1X authentication profile
  • Name: wlan_net_dot1x_auth
  • Referenced profiles and schemes: 802.1X access profile huawei, RADIUS server template radius_huawei, RADIUS authentication scheme radius_huawei, and RADIUS accounting scheme radius_huawei.

DNS server

IP address: 172.16.1.253

AP group
  • Name: wlan_net
  • Country code: CHINA
  • Security policy: Open system and 802.1X authentication
  • Referenced profiles: VAP profiles wlan_net_portal_auth and wlan_net_dot1x_auth, 2G radio profile 2G, and 5G radio profile 5G

SSID profile
  • Name: wlan_net_portal_auth (for common guests)
  • SSID: wlan_net_portal_auth
  • Name: wlan_net_dot1x_auth (for employees)
  • SSID: wlan_net_dot1x_auth

Security profile
  • Name: open
  • Security policy: open system authentication
  • Name: dot1x
  • Security policy: 802.1X authentication

Traffic profile
  • Name: wlan_net
  • User isolation: Layer 2 isolation

VAP profile

wlan_net_portal_auth
  • Name: wlan_net_portal_auth
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 700
  • Band steering: enabled (by default)
  • IP Source Guard (IPSG): enabled
  • Dynamic ARP probing (DAI): enabled
  • STA address learning: Strict STA IP address learning through DHCP is enabled.
  • Referenced profiles: SSID profile wlan_net_portal_auth, security profile open, authentication profile authen-pro_ wlan_net_portal_auth, and traffic profile wlan_net

VAP profile

wlan_net_dot1x_auth
  • Name: wlan_net_dot1x_auth
  • Forwarding mode: direct forwarding
  • Service VLAN: VLAN 701
  • Band steering: enabled (by default)
  • IPSG: enabled
  • DAI: enabled
  • STA address learning: Strict STA IP address learning through DHCP is enabled.
  • Referenced profiles: SSID profile wlan_net_dot1x_auth, security profile dot1x, authentication profile authen-pro_ wlan_net_dot1x_auth, and traffic profile wlan_net

2G radio profile
  • Name: 2G
  • RTS-CTS mode: rts-cts with a threshold of 1400 bytes
  • Referenced profile: RRM profile wlan_net

5G radio profile
  • Name: 5G
  • RTS-CTS mode: rts-cts with a threshold of 1400 bytes
  • Referenced profile: RRM profile wlan_net

Agile Controller-Campus
  • IP address: 172.16.1.254
  • Authentication port number: 1812
  • Accounting port number: 1813
  • RADIUS shared key: huawei@123
  • Port number in the packets received by the Portal server: 50200
  • Portal shared key: huawei@123
Translation
简体中文
Download
Updated: 2021-11-18

Document ID: EDOC1100096116

Views: 365536

Downloads: 2538

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :