Deployment Case
Application Scope and Service Requirements
Application Scope
This document is applicable to WDS backhaul scenarios, including video surveillance and wireless data backhaul.
Service Requirements
Video surveillance and wireless data backhaul are involved in WDS backhaul scenarios which are characterized by the following:
- Open outdoor scenarios where bridge APs are reachable in the line of sight (LOS), without any obstacles between them.
- Flexible networking in point-to-point (P2P), point-to-multipoint (P2MP), and back-to-back mode
WDS backhaul scenarios have the following requirements:
- Access
  - Easy deployment of stylishly designed outdoor wireless devices
  - Stable bridge link rate, meeting requirements for high rate and received signal strength indicator (RSSI) for setting up links
  - High-speed and low-latency data transmission
  - 4M to 8M video backhaul, without jitter, frame freezing, or latency
- Wireless roaming
  - Terminal mobility in different outdoor coverage areas
  - Fast switchover, low network latency, and uninterrupted services
- Security
  - Prevention of user communication at Layer 2
  - Defense against flood attacks and brute force PSK cracking attacks for stability and security of the WLAN
- Reliability
  - Network reliability when a single AC becomes faulty
Solution Design
Networking Diagram
Figure 4-108 shows the networking of outdoor WDS backhaul.
Network Design Analysis
- Basic access requirements
  Wireless backhaul requires a long distance between APs. The AP8130DN or AP8150DN is recommended.
  The following conditions must be met to ensure a stable bridge link rate, high rate and RSSI for setting up links, and low latency:
  - Wireless backhaul APs are reachable in the LOS, without any obstacles between them.
  - Wireless bridging uses 5G channels and avoids radar channels. Disable automatic radio calibration and manually set the channel and power for each bridge link.
  - APs of the same model with 5G directional antennas are used for wireless backhaul. A longer distance between APs requires higher gains. The maximum distance can reach 10 km.
  - In projects, it is recommended that one root AP connect to no more than three leaf APs.
  - An RSSI of no less than –70 dBm is recommended for setting up links between the root AP and leaf APs.
  - Set the RTS/CTS threshold to reduce the impact of hidden STAs. Adjust the Beacon interval to optimize air interface performance.
- Wireless roaming requirements
  To achieve wireless roaming, configure the same SSID and security policy for all APs.
  To address difficult STA roaming issues, enable smart roaming and enable the AC to disconnect weak-signal STAs. This improves the roaming experience of sticky STAs and system performance.
- Security requirements
  Improve WLAN security by way of the following:
  - Configure port isolation on the switch ports directly connected to APs to prevent Layer 2 communication between STAs that are associated with different APs.
  - Configure Layer 2 and Layer 3 isolation in the traffic profile to prevent users in the same VAP from directly communicating with each other, which improves communication security.
  - (Optional) Configure flood attack detection and brute force PSK cracking detection to ensure stability and security of the WLAN.
- Reliability requirements
  To ensure reliability of core switches, configure the switches in a Cluster Switch System (CSS).
  To ensure WLAN service reliability, deploy two ACs on the network and the Virtual Router Redundancy Protocol (VRRP) on the ACs to implement AC hot standby (HSB). In AC HSB mode, the ACs determine the master and backup roles. The master device forwards services and the backup device monitors the forwarding. The master device periodically sends its status information and the information to be backed up to the backup device. When the master device becomes faulty, the backup device takes over services from the master device, which improves network reliability.
Involved NEs and Software Versions
The following table lists the applicable products and software versions used in this solution.
Product | Software Version
---|---
S7706 | V200R010C00SPC600
S5720EI | V200R010C00SPC600
S2750EI | V200R010C00SPC600
AC6805 | V200R010C00
AP8150DN | V200R010C00
Configuration Roadmap and Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
- Configure a CSS of core switches to ensure reliability of the core layer.
- Configure switches and ACs to communicate with each other.
- Configure the DHCP service to enable AC6805s to assign IP addresses to APs and the S7706 CSS to assign IP addresses to STAs.
- Configure VRRP on the ACs to ensure reliability of WLAN services.
- Configure the root and leaf nodes for WDS to ensure that all APs can go online properly.
- Configure ports on leaf APs to work in endpoint mode and add the ports to video service VLANs to ensure normal video services.
- Configure WLAN services on the ACs to meet the wireless access requirements in wireless backhaul scenarios.
- Configure wireless configuration synchronization in VRRP HSB scenarios, so that the standby AC synchronizes public configurations from the active AC.
Data Planning
The following describes the data planning of VLANs, interfaces, IP addresses, routes, and services involved in this case.
Parameter | Description
---|---
VLAN 10 | Switch management network segment, through which all switches communicate
VLAN 20 | Wireless user network segment
VLAN 30 | Video server network segment
VLAN 800 | AP management network segment
VLAN 51 | HSB network segment

Device | Interface Number | Member Interface | Allowed VLAN | VLANIF/IP Address | Peer Device | Peer Interface Number
---|---|---|---|---|---|---
S7706 CSS | Eth-Trunk 10 | GE1/1/1/0 | 800 | - | AC6805_1 | GE0/0/23
 | | GE2/1/1/0 | | | | GE0/0/24
 | Eth-Trunk 20 | GE1/1/1/1 | 800 | - | AC6805_2 | GE0/0/23
 | | GE2/1/1/1 | | | | GE0/0/24
 | Eth-Trunk 1 | GE1/1/1/6 | 10, 20, 30, 800 | VLANIF 10: 172.16.10.1/24; VLANIF 20: 172.16.20.1/24 | S5720EI | GE0/0/23
 | | GE2/1/1/6 | | | | GE0/0/24
 | GE2/1/1/2 | - | 30 | VLANIF 30: 172.16.30.1/24 | Video server | -
S5720EI | Eth-Trunk 1 | GE0/0/23 | 10, 20, 30, 800 | VLANIF 10: 172.16.10.2/24 | S7706 CSS | GE1/1/1/6
 | | GE0/0/24 | | | | GE2/1/1/6
 | GE0/0/1 | - | 10, 20, 30, 800 | - | Root-AP1 | GE0/0/0
 | GE0/0/2 | - | 10, 20, 30, 800 | - | Root-AP4 | GE0/0/0
AC6805_1 | Eth-Trunk 50 | GE0/0/23 | 800 | VLANIF 800: 10.128.1.2/24 (virtual IP address: 10.128.1.1) | S7706 CSS | GE1/1/1/0
 | | GE0/0/24 | | | | GE2/1/1/0
 | GE0/0/1 | - | 51 | 10.51.0.1/24 | AC6805_2 | GE0/0/1
AC6805_2 | Eth-Trunk 50 | GE0/0/23 | 800 | VLANIF 800: 10.128.1.3/24 (virtual IP address: 10.128.1.1) | S7706 CSS | GE1/1/1/1
 | | GE0/0/24 | | | | GE2/1/1/1
 | GE0/0/1 | - | 51 | 10.51.0.2/24 | AC6805_1 | GE0/0/1
S2750EI_1 | E0/0/1 | - | 10, 30 | VLANIF 10: 172.16.10.11/24 | Leaf-AP2 | GE0/0/0
 | E0/0/2 | - | 30 | - | Camera | -
 | E0/0/3 | - | 30 | - | Camera | -
S2750EI_2 | E0/0/1 | - | 10, 20, 30, 800 | VLANIF 10: 172.16.10.12/24 | Leaf-AP5 | GE0/0/0
 | E0/0/2 | - | 20, 800 | - | AP6 | GE0/0/0
 | E0/0/3 | - | 30 | - | Camera | -
 | E0/0/4 | - | 30 | - | Camera | -
 | E0/0/5 | - | 30 | - | Camera | -
 | E0/0/6 | - | 10, 30, 800 | - | Root-AP7 | GE0/0/0
S2750EI_3 | E0/0/1 | - | 10, 30 | VLANIF 10: 172.16.10.13/24 | Leaf-AP8 | GE0/0/0
 | E0/0/2 | - | 30 | - | Camera | -
 | E0/0/3 | - | 30 | - | Camera | -
 | E0/0/4 | - | 30 | - | Camera | -

Item | Data
---|---
IP address of the CAPWAP source interface | 10.128.1.1
Management VLAN for APs | 800
VRRP group | On AC6805_1: On AC6805_2:
DHCP server |
IP address pool for APs | 10.128.1.4–10.128.1.254/24
IP address pool for STAs | 172.16.20.1–172.16.20.254/24
AP group |
Regulatory domain profile |
RRM profile |
2G radio profile |
5G radio profile |
Radio calibration |
WDS security profile |
WDS profile |
WDS whitelist |
AP wired port profile |
SSID profile |
Security profile |
Traffic profile |
VAP profile |
(Optional) WIDS profile |
(Optional) AP system profile |
Configuration Procedure
Configuring the S7706 Core Switches
- Configure a CSS of core switches to ensure reliability of the core layer.
For details on CSS setup, search for Switch Stack & SVF Assistant at https://e.huawei.com.
- Create Eth-Trunks to connect to AC6805s.
# Create Eth-Trunks 10 and 20 to connect to AC6805_1 and AC6805_2, respectively, and add member interfaces to the Eth-Trunks.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to the AC6805_1.
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/1/0
[CSS-GigabitEthernet1/1/1/0] eth-trunk 10
[CSS-GigabitEthernet1/1/1/0] quit
[CSS] interface gigabitethernet 2/1/1/0
[CSS-GigabitEthernet2/1/1/0] eth-trunk 10
[CSS-GigabitEthernet2/1/1/0] quit
[CSS] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to the AC6805_2.
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/1/1
[CSS-GigabitEthernet1/1/1/1] eth-trunk 20
[CSS-GigabitEthernet1/1/1/1] quit
[CSS] interface gigabitethernet 2/1/1/1
[CSS-GigabitEthernet2/1/1/1] eth-trunk 20
[CSS-GigabitEthernet2/1/1/1] quit
- Create an Eth-Trunk to connect to the aggregation switch.
# Create Eth-Trunk 1 to connect to the aggregation switch S5720EI, and add member interfaces to Eth-Trunk 1.
[CSS] interface eth-trunk 1 //Create Eth-Trunk 1 to connect to the S5720EI.
[CSS-Eth-Trunk1] quit
[CSS] interface gigabitethernet 1/1/1/6
[CSS-GigabitEthernet1/1/1/6] eth-trunk 1
[CSS-GigabitEthernet1/1/1/6] quit
[CSS] interface gigabitethernet 2/1/1/6
[CSS-GigabitEthernet2/1/1/6] eth-trunk 1
[CSS-GigabitEthernet2/1/1/6] quit
- Configure Eth-Trunks to allow packets from specified VLANs so that the S7706 CSS can communicate with the S5720EI and AC6805s.
[CSS] vlan batch 10 20 30 800 //Create VLANs in a batch.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] description Connect to AC6805_1
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] port trunk allow-pass vlan 800
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] quit
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] description Connect to AC6805_2
[CSS-Eth-Trunk20] port link-type trunk
[CSS-Eth-Trunk20] port trunk allow-pass vlan 800
[CSS-Eth-Trunk20] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk20] quit
[CSS] interface eth-trunk 1
[CSS-Eth-Trunk1] description Connect to S5720
[CSS-Eth-Trunk1] port link-type trunk
[CSS-Eth-Trunk1] port trunk allow-pass vlan 10 20 30 800
[CSS-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk1] quit
- Configure the interface that connects to the video server.
[CSS] interface gigabitethernet 2/1/1/2
[CSS-GigabitEthernet2/1/1/2] description Connect to Camera-Server
[CSS-GigabitEthernet2/1/1/2] port link-type trunk
[CSS-GigabitEthernet2/1/1/2] port trunk pvid vlan 30
[CSS-GigabitEthernet2/1/1/2] port trunk allow-pass vlan 30
[CSS-GigabitEthernet2/1/1/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/1/2] quit
- Create VLANIF interfaces and configure IP addresses for them.
[CSS] interface vlanif 10
[CSS-Vlanif10] ip address 172.16.10.1 24 //Configure an IP address for the management VLANIF interface that connects to the aggregation switch and access switches.
[CSS-Vlanif10] quit
[CSS] interface vlanif 30
[CSS-Vlanif30] ip address 172.16.30.1 24 //Configure an IP address for the VLANIF interface that connects to the video server.
[CSS-Vlanif30] quit
- Configure the S7706 as a DHCP server to assign IP addresses to STAs.
[CSS] dhcp enable
[CSS] interface vlanif 20
[CSS-Vlanif20] ip address 172.16.20.1 24
[CSS-Vlanif20] dhcp select interface
[CSS-Vlanif20] dhcp server lease day 0 hour 1 minute 0 //Set the DHCP aging time to 1 hour.
[CSS-Vlanif20] quit
Configuring the S5720EI Aggregation Switch
- On the S5720EI, configure GE0/0/1 and GE0/0/2 connected to APs, GE0/0/23 connected to S7706_1, and GE0/0/24 connected to S7706_2. Add the four ports to VLANs 10, 20, 30, and 800.
<HUAWEI> system-view
[HUAWEI] sysname S5720EI
[S5720EI] vlan batch 10 20 30 800
[S5720EI] interface gigabitethernet 0/0/1
[S5720EI-GigabitEthernet0/0/1] description Connect to Root-AP1
[S5720EI-GigabitEthernet0/0/1] port link-type trunk
[S5720EI-GigabitEthernet0/0/1] port trunk pvid vlan 800
[S5720EI-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30 800
[S5720EI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5720EI-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation.
[S5720EI-GigabitEthernet0/0/1] quit
[S5720EI] interface gigabitethernet 0/0/2
[S5720EI-GigabitEthernet0/0/2] description Connect to Root-AP4
[S5720EI-GigabitEthernet0/0/2] port link-type trunk
[S5720EI-GigabitEthernet0/0/2] port trunk pvid vlan 800
[S5720EI-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30 800
[S5720EI-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5720EI-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation.
[S5720EI-GigabitEthernet0/0/2] quit
[S5720EI] interface eth-trunk 1
[S5720EI-Eth-Trunk1] description Connect to S7706
[S5720EI-Eth-Trunk1] port link-type trunk
[S5720EI-Eth-Trunk1] port trunk allow-pass vlan 10 20 30 800
[S5720EI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720EI-Eth-Trunk1] quit
[S5720EI] interface gigabitethernet 0/0/23
[S5720EI-GigabitEthernet0/0/23] eth-trunk 1
[S5720EI-GigabitEthernet0/0/23] quit
[S5720EI] interface gigabitethernet 0/0/24
[S5720EI-GigabitEthernet0/0/24] eth-trunk 1
[S5720EI-GigabitEthernet0/0/24] quit
- Create a VLANIF interface and configure an IP address for it.
[S5720EI] interface vlanif 10
[S5720EI-Vlanif10] ip address 172.16.10.2 24 //Configure an IP address for the management VLANIF interface that connects to core switches and access switches.
[S5720EI-Vlanif10] quit
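The hardening applied to the AP-facing trunk ports above (VLAN 1 removed, only planned VLANs allowed, port isolation enabled) can be checked mechanically against a captured CLI transcript. The following Python script is an added example, not Huawei code; its function names and the planned-VLAN set are assumptions, and the second port in the sample is a constructed misconfiguration.

```python
import re

PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")  # <HUAWEI> or [S5720EI-...]
PLANNED_VLANS = {10, 20, 30, 800}  # assumption: VLANs the data plan allows here

def normalise(name):
    """Map 'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' to one key."""
    return name.replace(" ", "").lower()

def parse_transcript(text):
    """Return {interface: [commands]} from a VRP CLI transcript."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        # Drop the trailing //comment, then the view prompt.
        line = PROMPT.sub("", raw.split("//", 1)[0]).strip()
        if not line or line.startswith("Warning:"):
            continue
        m = re.match(r"interface\s+(.+)", line, re.I)
        if m:
            current = normalise(m.group(1))
            interfaces.setdefault(current, [])
        elif line == "quit":
            current = None
        elif current:
            interfaces[current].append(line)
    return interfaces

def expand_vlans(tokens):
    """Expand a VRP VLAN list such as '10 20 to 22' or 'all' into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans

def audit_trunks(text, ap_facing):
    """List (interface, finding) pairs for trunks that miss the hardening."""
    ap_facing = {normalise(p) for p in ap_facing}
    findings = []
    for name, cmds in parse_transcript(text).items():
        if "port link-type trunk" not in cmds:
            continue
        allowed = {1}  # a VRP trunk port permits VLAN 1 until it is removed
        for cmd in cmds:
            m = re.match(r"(undo )?port trunk allow-pass vlan (.+)", cmd)
            if m:
                vlans = expand_vlans(m.group(2).split())
                allowed = allowed - vlans if m.group(1) else allowed | vlans
        if 1 in allowed:
            findings.append((name, "VLAN 1 still allowed on trunk"))
        extra = sorted(allowed - PLANNED_VLANS - {1})
        if extra:
            findings.append((name, f"unplanned VLANs allowed: {extra}"))
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if name in ap_facing and not isolated:
            findings.append((name, "port isolation not enabled on AP-facing port"))
    return findings

# Constructed sample: GE0/0/1 follows this page, GE0/0/2 is a drifted variant.
SAMPLE = """\
[S5720EI] interface gigabitethernet 0/0/1
[S5720EI-GigabitEthernet0/0/1] description Connect to Root-AP1
[S5720EI-GigabitEthernet0/0/1] port link-type trunk
[S5720EI-GigabitEthernet0/0/1] port trunk pvid vlan 800
[S5720EI-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30 800
[S5720EI-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5720EI-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation.
[S5720EI-GigabitEthernet0/0/1] quit
[S5720EI] interface gigabitethernet 0/0/2
[S5720EI-GigabitEthernet0/0/2] port link-type trunk
[S5720EI-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30 99 800
[S5720EI-GigabitEthernet0/0/2] quit
"""
AP_FACING = {"GigabitEthernet0/0/1", "GigabitEthernet0/0/2"}

if __name__ == "__main__":
    for port, finding in audit_trunks(SAMPLE, AP_FACING):
        print(f"{port}: {finding}")
```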
Configuring AC6805s
- Configure AC6805_1 and AC6805_2 to communicate with the core switch CSS.
# On AC6805_1, create Eth-Trunk 50 that connects to the S7706 CSS, add Eth-Trunk 50 to VLAN 800, and configure VLANIF 800.
<AC6805_1> system-view
[AC6805_1] sysname AC_1
[AC_1] vlan batch 10 20 30 800
[AC_1] interface vlanif 800
[AC_1-Vlanif800] ip address 10.128.1.2 24
[AC_1-Vlanif800] quit
[AC_1] interface eth-trunk 50
[AC_1-Eth-Trunk50] description Connect to S7706
[AC_1-Eth-Trunk50] port link-type trunk
[AC_1-Eth-Trunk50] port trunk allow-pass vlan 800
[AC_1-Eth-Trunk50] undo port trunk allow-pass vlan 1
[AC_1-Eth-Trunk50] quit
[AC_1] interface Gigabitethernet 0/0/23
[AC_1-GigabitEthernet0/0/23] eth-trunk 50
[AC_1-GigabitEthernet0/0/23] quit
[AC_1] interface Gigabitethernet 0/0/24
[AC_1-GigabitEthernet0/0/24] eth-trunk 50
[AC_1-GigabitEthernet0/0/24] quit
# On AC6805_2, create Eth-Trunk 50 that connects to the S7706 CSS, add Eth-Trunk 50 to VLAN 800, and configure VLANIF 800.
<AC6805_2> system-view
[AC6805_2] sysname AC_2
[AC_2] vlan batch 10 20 30 800
[AC_2] interface vlanif 800
[AC_2-Vlanif800] ip address 10.128.1.3 24
[AC_2-Vlanif800] quit
[AC_2] interface eth-trunk 50
[AC_2-Eth-Trunk50] description Connect to S7706
[AC_2-Eth-Trunk50] port link-type trunk
[AC_2-Eth-Trunk50] port trunk allow-pass vlan 800
[AC_2-Eth-Trunk50] undo port trunk allow-pass vlan 1
[AC_2-Eth-Trunk50] quit
[AC_2] interface Gigabitethernet 0/0/23
[AC_2-GigabitEthernet0/0/23] eth-trunk 50
[AC_2-GigabitEthernet0/0/23] quit
[AC_2] interface Gigabitethernet 0/0/24
[AC_2-GigabitEthernet0/0/24] eth-trunk 50
[AC_2-GigabitEthernet0/0/24] quit
- Configure AC6805_1 and AC6805_2 to communicate with each other.
# Add GE0/0/1 that connects AC6805_1 to AC6805_2 to VLAN 51.
[AC_1] vlan batch 51
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 51
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 51
[AC_1-Vlanif51] ip address 10.51.0.1 24
[AC_1-Vlanif51] quit
# Add GE0/0/1 that connects AC6805_2 to AC6805_1 to VLAN 51.
[AC_2] vlan batch 51
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 51
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 51
[AC_2-Vlanif51] ip address 10.51.0.2 24
[AC_2-Vlanif51] quit
- Configure AC6805_1 as a DHCP server to assign IP addresses to APs. The configuration on AC6805_2 is similar to that on AC6805_1.
[AC_1] dhcp enable
[AC_1] interface vlanif 800
[AC_1-Vlanif800] dhcp select interface
[AC_1-Vlanif800] quit
[AC_2] dhcp enable
[AC_2] interface vlanif 800
[AC_2-Vlanif800] dhcp select interface
[AC_2-Vlanif800] quit
- Configure VRRP on AC6805_1 to implement AC HSB.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC_1] vrrp recover-delay 60
# Create a management VRRP group on AC6805_1, set the priority of AC6805_1 in the VRRP group to 120, and set the preemption time to 1200 seconds.
[AC_1] interface vlanif 800
[AC_1-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_1-Vlanif800] vrrp vrid 1 priority 120
[AC_1-Vlanif800] vrrp vrid 1 preempt-mode timer delay 1200
[AC_1-Vlanif800] admin-vrrp vrid 1 //Configure this VRRP group as a management VRRP group.
[AC_1-Vlanif800] quit
# Create HSB service 0 on AC6805_1, and configure the IP addresses and port numbers for the active and standby HSB channels.
[AC_1] hsb-service 0
[AC_1-hsb-service-0] service-ip-port local-ip 10.51.0.1 peer-ip 10.51.0.2 local-data-port 10241 peer-data-port 10241
[AC_1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6 //Set the retransmission times of HSB service 0 to 3, and the retransmission interval to 6 seconds.
[AC_1-hsb-service-0] quit
# Create HSB group 0 on AC6805_1, and bind it to HSB service 0 and management VRRP group 1.
[AC_1] hsb-group 0
[AC_1-hsb-group-0] bind-service 0
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_1-hsb-group-0] quit
# Bind the NAC service to the HSB group.
[AC_1] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[AC_1] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.
[AC_1] hsb-service-type dhcp hsb-group 0
# Enable HSB.
[AC_1] hsb-group 0
[AC_1-hsb-group-0] hsb enable
[AC_1-hsb-group-0] quit
- Configure VRRP on AC6805_2 to implement AC HSB.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC_2] vrrp recover-delay 60
# Create management VRRP group 1 on AC6805_2.
[AC_2] interface vlanif 800
[AC_2-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_2-Vlanif800] admin-vrrp vrid 1
[AC_2-Vlanif800] quit
# Create HSB service 0 on AC6805_2, and configure the IP addresses and port numbers for the active and standby HSB channels.
[AC_2] hsb-service 0
[AC_2-hsb-service-0] service-ip-port local-ip 10.51.0.2 peer-ip 10.51.0.1 local-data-port 10241 peer-data-port 10241
[AC_2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6 //Set the retransmission times of HSB service 0 to 3, and the retransmission interval to 6 seconds.
[AC_2-hsb-service-0] quit
# Create HSB group 0 on AC6805_2, and bind it to HSB service 0 and management VRRP group 1.
[AC_2] hsb-group 0
[AC_2-hsb-group-0] bind-service 0
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_2-hsb-group-0] quit
# Bind the NAC service to the HSB group.
[AC_2] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[AC_2] hsb-service-type ap hsb-group 0
# Bind the DHCP service to the HSB group.
[AC_2] hsb-service-type dhcp hsb-group 0
# Enable HSB.
[AC_2] hsb-group 0
[AC_2-hsb-group-0] hsb enable
[AC_2-hsb-group-0] quit
- Configure source interfaces of the ACs.
# Configure the source interface of AC6805_1.
[AC_1] capwap source ip-address 10.128.1.1 //Configure a virtual IP address as the CAPWAP source address.
# Configure the source interface of AC6805_2.
[AC_2] capwap source ip-address 10.128.1.1
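AC hot standby only works if the two ACs mirror each other: same VRRP group and virtual IP, swapped HSB channel addresses, the same services bound to the HSB group, and the virtual IP as CAPWAP source. The following Python script is an added example, not Huawei code, that checks those relationships over the commands from the steps above; the function names are assumptions, and AC2_DRIFT is a constructed misconfiguration derived from the page's AC_2 commands.

```python
import re

def hsb_facts(transcript):
    """Pull the VRRP/HSB/CAPWAP settings out of one AC's CLI transcript."""
    def one(pattern):
        m = re.search(pattern, transcript)
        return m.groups() if m else None
    return {
        "vip": one(r"vrrp vrid (\d+) virtual-ip (\S+)"),
        "admin": one(r"admin-vrrp vrid (\d+)"),
        "track": one(r"track vrrp vrid (\d+)"),
        "channel": one(r"service-ip-port local-ip (\S+) peer-ip (\S+) "
                       r"local-data-port (\d+) peer-data-port (\d+)"),
        "services": set(re.findall(r"hsb-service-type (\S+) hsb-group \d+",
                                   transcript)),
        "enabled": re.search(r"\bhsb enable\b", transcript) is not None,
        "capwap": one(r"capwap source ip-address (\S+)"),
    }

def check_hsb_pair(ac1, ac2):
    """Return a list of inconsistencies between the two ACs of an HSB pair."""
    f1, f2 = hsb_facts(ac1), hsb_facts(ac2)
    if not all(f["vip"] and f["channel"] for f in (f1, f2)):
        return ["VRRP group or HSB channel missing on at least one AC"]
    problems = []
    # Per-AC checks: the HSB group must follow the management VRRP group,
    # and APs must reach the AC through the virtual IP, not a physical one.
    for name, f in (("AC_1", f1), ("AC_2", f2)):
        vrid, vip = f["vip"]
        if f["admin"] != (vrid,) or f["track"] != (vrid,):
            problems.append(f"{name}: HSB group does not track management VRRP group {vrid}")
        if f["capwap"] != (vip,):
            problems.append(f"{name}: CAPWAP source is not the VRRP virtual IP {vip}")
        if not f["enabled"]:
            problems.append(f"{name}: HSB group is not enabled")
    # Pair checks: what is local on one AC must be peer on the other.
    if f1["vip"] != f2["vip"]:
        problems.append("VRRP group ID or virtual IP differs between the ACs")
    local1, peer1, lport1, pport1 = f1["channel"]
    local2, peer2, lport2, pport2 = f2["channel"]
    if (local1, peer1) != (peer2, local2):
        problems.append("HSB channel IP addresses are not mirrored")
    if (lport1, pport1) != (pport2, lport2):
        problems.append("HSB channel data ports are not mirrored")
    if f1["services"] != f2["services"]:
        diff = sorted(f1["services"] ^ f2["services"])
        problems.append(f"services backed up on one AC only: {diff}")
    return problems

# Commands taken from the steps above.
AC1 = """\
[AC_1-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_1-Vlanif800] vrrp vrid 1 priority 120
[AC_1-Vlanif800] admin-vrrp vrid 1
[AC_1-hsb-service-0] service-ip-port local-ip 10.51.0.1 peer-ip 10.51.0.2 local-data-port 10241 peer-data-port 10241
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_1] hsb-service-type access-user hsb-group 0
[AC_1] hsb-service-type ap hsb-group 0
[AC_1] hsb-service-type dhcp hsb-group 0
[AC_1-hsb-group-0] hsb enable
[AC_1] capwap source ip-address 10.128.1.1
"""
AC2 = """\
[AC_2-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_2-Vlanif800] admin-vrrp vrid 1
[AC_2-hsb-service-0] service-ip-port local-ip 10.51.0.2 peer-ip 10.51.0.1 local-data-port 10241 peer-data-port 10241
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_2] hsb-service-type access-user hsb-group 0
[AC_2] hsb-service-type ap hsb-group 0
[AC_2] hsb-service-type dhcp hsb-group 0
[AC_2-hsb-group-0] hsb enable
[AC_2] capwap source ip-address 10.128.1.1
"""
# Constructed drift: wrong peer address, DHCP backup missing, physical IP
# used as CAPWAP source.
AC2_DRIFT = (AC2.replace("peer-ip 10.51.0.1", "peer-ip 10.51.0.3")
                .replace("[AC_2] hsb-service-type dhcp hsb-group 0\n", "")
                .replace("ip-address 10.128.1.1", "ip-address 10.128.1.3"))

if __name__ == "__main__":
    print("page configuration:", check_hsb_pair(AC1, AC2) or "consistent")
    for problem in check_hsb_pair(AC1, AC2_DRIFT):
        print("drifted AC_2:", problem)
```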
- Configure P2MP WDS.
Group APs by AP type (root or leaf AP). Configure specific parameters of leaf APs in the AP view, such as the distance parameter.
- Configure AP groups.
# Create AP groups ROOT1 and LEAF1, and add root and leaf APs in P2MP scenarios to the AP groups by type.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ROOT1
[AC_1-wlan-ap-group-ROOT1] quit
[AC_1-wlan-view] ap-group name LEAF1
[AC_1-wlan-ap-group-LEAF1] quit
[AC_1-wlan-view] ap-id 1 ap-mac 60de-4476-e100
[AC_1-wlan-ap-1] ap-name Root-AP1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-1] ap-group ROOT1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-1] quit
[AC_1-wlan-view] ap-id 2 ap-mac 60de-4476-e200
[AC_1-wlan-ap-2] ap-name Leaf-AP2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-2] ap-group LEAF1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-2] quit
[AC_1-wlan-view] ap-id 3 ap-mac 60de-4476-e300
[AC_1-wlan-ap-3] ap-name Leaf-AP3
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-3] ap-group LEAF1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-3] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name domain1
[AC_1-wlan-regulate-domain-domain1] country-code cn
[AC_1-wlan-regulate-domain-domain1] quit
[AC_1-wlan-view] ap-group name ROOT1
[AC_1-wlan-ap-group-ROOT1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ROOT1] quit
[AC_1-wlan-view] ap-group name LEAF1
[AC_1-wlan-ap-group-LEAF1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-LEAF1] quit
- Configure WDS service parameters.
# Disable automatic radio calibration.
[AC_1-wlan-view] ap-group name ROOT1
[AC_1-wlan-ap-group-ROOT1] radio 1
[AC_1-wlan-group-radio-ROOT1/1] calibrate auto-txpower-select disable
[AC_1-wlan-group-radio-ROOT1/1] calibrate auto-channel-select disable
[AC_1-wlan-group-radio-ROOT1/1] quit
[AC_1-wlan-ap-group-ROOT1] quit
[AC_1-wlan-view] ap-group name LEAF1
[AC_1-wlan-ap-group-LEAF1] radio 1
[AC_1-wlan-group-radio-LEAF1/1] calibrate auto-txpower-select disable
[AC_1-wlan-group-radio-LEAF1/1] calibrate auto-channel-select disable
[AC_1-wlan-group-radio-LEAF1/1] quit
[AC_1-wlan-ap-group-LEAF1] quit
# Create a 5G radio profile and configure the GI mode and RTS-CTS parameters.
[AC_1-wlan-view] radio-5g-profile name wds
[AC_1-wlan-radio-5g-prof-wds] guard-interval-mode short //Set the GI mode to short.
[AC_1-wlan-radio-5g-prof-wds] rts-cts-mode rts-cts //Set the RTS-CTS mode for the radio profile.
[AC_1-wlan-radio-5g-prof-wds] rts-cts-threshold 1400 //Set the RTS-CTS threshold in the radio profile to 1400 bytes.
[AC_1-wlan-radio-5g-prof-wds] quit
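# Configure the security profile wds-security used by WDS links. The profile uses the security policy WPA2+PSK+AES. The pass-phrase a1234567 is an example value; because the bridge links depend on this PSK, set a long random passphrase in a real deployment.
[AC_1-wlan-view] security-profile name wds-security
[AC_1-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wds-security] quit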
# Configure a WDS whitelist. Create the WDS whitelist profile wds-list1, bind it to Root-AP1, and allow the access from Leaf-AP2 and Leaf-AP3.
[AC_1-wlan-view] wds-whitelist-profile name wds-list1
[AC_1-wlan-wds-whitelist-wds-list1] peer-ap mac 60de-4476-e200 //Add the MAC address of Leaf-AP2.
[AC_1-wlan-wds-whitelist-wds-list1] peer-ap mac 60de-4476-e300 //Add the MAC address of Leaf-AP3.
[AC_1-wlan-wds-whitelist-wds-list1] quit
# Create the WDS profile ROOT. Set the bridge identifier to wds-net and bridge mode to root. Bind the security profile wds-security to the WDS profile. Allow packets from VLANs 10, 20, and 30 to pass through in tagged mode.
[AC_1-wlan-view] wds-profile name ROOT
[AC_1-wlan-wds-prof-ROOT] wds-name wds-net
[AC_1-wlan-wds-prof-ROOT] wds-mode root
[AC_1-wlan-wds-prof-ROOT] security-profile wds-security
[AC_1-wlan-wds-prof-ROOT] vlan tagged 10 20 30
[AC_1-wlan-wds-prof-ROOT] quit
# Create the WDS profile LEAF. Set the bridge identifier to wds-net and bridge mode to leaf. Bind the security profile wds-security to the WDS profile. Allow packets from VLANs 10, 20, and 30 to pass through in tagged mode.
[AC_1-wlan-view] wds-profile name LEAF
[AC_1-wlan-wds-prof-LEAF] wds-name wds-net
[AC_1-wlan-wds-prof-LEAF] wds-mode leaf
[AC_1-wlan-wds-prof-LEAF] security-profile wds-security
[AC_1-wlan-wds-prof-LEAF] vlan tagged 10 20 30
[AC_1-wlan-wds-prof-LEAF] quit
# Apply the 5G radio profile and WDS-related profiles to radio 1 of the AP group. Configure radio parameters for WDS nodes.
[AC_1-wlan-view] ap-group name ROOT1
[AC_1-wlan-ap-group-ROOT1] radio 1
[AC_1-wlan-group-radio-ROOT1/1] radio-5g-profile wds
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-ROOT1/1] channel 40mhz-plus 149 //Configure the bandwidth and channel. Avoid using radar channels.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-ROOT1/1] coverage distance 10 //Set the radio coverage distance. The default value is 3, in the unit of 100 m. In this example, Root-AP1, Leaf-AP2, and Leaf-AP3 are 1 km away from each other. Set this parameter to 10. Set this parameter as required.
[AC_1-wlan-group-radio-ROOT1/1] wds-profile ROOT
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-ROOT1/1] wds-whitelist-profile wds-list1 //Bind MAC addresses of Leaf-AP2 and Leaf-AP3.
[AC_1-wlan-group-radio-ROOT1/1] quit
[AC_1-wlan-ap-group-ROOT1] quit
[AC_1-wlan-view] ap-group name LEAF1
[AC_1-wlan-ap-group-LEAF1] radio 1
[AC_1-wlan-group-radio-LEAF1/1] radio-5g-profile wds
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-LEAF1/1] coverage distance 10
[AC_1-wlan-group-radio-LEAF1/1] wds-profile LEAF
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-LEAF1/1] quit
[AC_1-wlan-ap-group-LEAF1] quit
- Configure a wired port profile for leaf APs.
# Configure the wired port profile used by wired ports of leaf APs and set the wired port mode to endpoint. In this example, the PVID of wired ports is set to VLAN 30 and the wired port is added to VLAN 30 in untagged mode and to VLANs 10 and 20 in tagged mode.
[AC_1-wlan-view] wired-port-profile name wds-sw
[AC_1-wlan-wired-port-wds-sw] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management. This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC_1-wlan-wired-port-wds-sw] vlan pvid 30
[AC_1-wlan-wired-port-wds-sw] vlan untagged 30
[AC_1-wlan-wired-port-wds-sw] vlan tagged 10 20
[AC_1-wlan-wired-port-wds-sw] quit
# Bind the wired port profile to the wired port GE0 of APs in the leaf AP group.
[AC_1-wlan-view] ap-group name LEAF1
[AC_1-wlan-ap-group-LEAF1] wired-port-profile wds-sw gigabitethernet 0
[AC_1-wlan-ap-group-LEAF1] quit
# Run the display ap all command to check the current AP status. When the following information is displayed, APs go online successfully.
[AC_1-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [3]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name     Group IP           Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------
1    60de-4476-e100 Root-AP1 ROOT1 10.128.1.19  AP8150DN nor   0   58M:18S -
2    60de-4476-e200 Leaf-AP2 LEAF1 10.128.1.70  AP8150DN nor   0   50M:51S -
3    60de-4476-e300 Leaf-AP3 LEAF1 10.128.1.134 AP8150DN nor   0   52M:46S -
----------------------------------------------------------------------------------------
Total: 3
# Restart leaf APs that have gone online to make the port configuration take effect.
Changing the port mode of a leaf AP to endpoint takes effect only after the AP is restarted.
[AC_1-wlan-view] ap-reset ap-id 2
Warning: Reset AP(s), continue?[Y/N]: y
[AC_1-wlan-view] ap-reset ap-id 3
Warning: Reset AP(s), continue?[Y/N]: y
- Configure back-to-back WDS.
Group APs by AP type (root or leaf AP). Configure specific parameters of leaf APs in the AP view. In this example, Root-AP4 and Root-AP7 are added to the same AP group, in which only the radio profile and WDS profile are bound. The distance parameter, WDS whitelist parameter, and channel & power parameters are independently bound to the specific AP views. The configuration for Leaf-AP5 and Leaf-AP8 is similar to that for Root-AP4 and Root-AP7.
- Configure AP groups.
# Create AP groups ROOT2 and LEAF2, and add root and leaf APs in back-to-back scenarios to the AP groups by type.
[AC_1-wlan-view] ap-group name ROOT2
[AC_1-wlan-ap-group-ROOT2] quit
[AC_1-wlan-view] ap-group name LEAF2
[AC_1-wlan-ap-group-LEAF2] quit
[AC_1-wlan-view] ap-id 4 ap-mac 60de-4476-e600
[AC_1-wlan-ap-4] ap-name Root-AP4
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-4] ap-group ROOT2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-4] quit
[AC_1-wlan-view] ap-id 5 ap-mac 60de-4476-e700
[AC_1-wlan-ap-5] ap-name Leaf-AP5
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-5] ap-group LEAF2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-5] quit
[AC_1-wlan-view] ap-id 7 ap-mac 60de-4476-e900
[AC_1-wlan-ap-7] ap-name Root-AP7
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-7] ap-group ROOT2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-7] quit
[AC_1-wlan-view] ap-id 8 ap-mac 60de-4476-ea00
[AC_1-wlan-ap-8] ap-name Leaf-AP8
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-8] ap-group LEAF2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-8] quit
# Bind the regulatory domain profile domain1 to the AP groups.
[AC_1-wlan-view] ap-group name ROOT2
[AC_1-wlan-ap-group-ROOT2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ROOT2] quit
[AC_1-wlan-view] ap-group name LEAF2
[AC_1-wlan-ap-group-LEAF2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-LEAF2] quit
- Configure WDS service parameters.
# Configure WDS whitelists. Create the WDS whitelist profile wds-list2, bind it to Root-AP4, and allow the access only from Leaf-AP5. Create the WDS whitelist profile wds-list3, bind it to Root-AP7, and allow the access only from Leaf-AP8.
[AC_1-wlan-view] wds-whitelist-profile name wds-list2
[AC_1-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e700  //Add the MAC address of Leaf-AP5.
[AC_1-wlan-wds-whitelist-wds-list2] quit
[AC_1-wlan-view] wds-whitelist-profile name wds-list3
[AC_1-wlan-wds-whitelist-wds-list3] peer-ap mac 60de-4476-ea00  //Add the MAC address of Leaf-AP8.
[AC_1-wlan-wds-whitelist-wds-list3] quit
# Bind the 5G radio profile wds and WDS profiles ROOT and LEAF created in Step 7 to the AP groups.
[AC_1-wlan-view] ap-group name ROOT2
[AC_1-wlan-ap-group-ROOT2] radio 1
[AC_1-wlan-group-radio-ROOT2/1] radio-5g-profile wds
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-ROOT2/1] wds-profile ROOT
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-ROOT2/1] quit
[AC_1-wlan-ap-group-ROOT2] quit
[AC_1-wlan-view] ap-group name LEAF2
[AC_1-wlan-ap-group-LEAF2] radio 1
[AC_1-wlan-group-radio-LEAF2/1] radio-5g-profile wds
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-LEAF2/1] wds-profile LEAF
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-LEAF2/1] quit
[AC_1-wlan-ap-group-LEAF2] quit
# Bind the WDS whitelist profiles in the AP radio view, and configure parameters such as the channel and distance.
[AC_1-wlan-view] ap-id 4
[AC_1-wlan-ap-4] radio 1
[AC_1-wlan-radio-4/1] coverage distance 8  //Set the radio coverage distance. The default value is 3, in the unit of 100 m. In this example, Root-AP4 and Leaf-AP5 are 0.8 km away from each other. Set this parameter to 8. Set this parameter as required.
[AC_1-wlan-radio-4/1] channel 40mhz-plus 157  //Configure the bandwidth and channel. Avoid using radar channels.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-radio-4/1] wds-whitelist-profile wds-list2  //Bind the MAC address of Leaf-AP5.
[AC_1-wlan-radio-4/1] quit
[AC_1-wlan-ap-4] quit
[AC_1-wlan-view] ap-id 5
[AC_1-wlan-ap-5] radio 1
[AC_1-wlan-radio-5/1] coverage distance 8
[AC_1-wlan-radio-5/1] quit
[AC_1-wlan-ap-5] quit
[AC_1-wlan-view] ap-id 7
[AC_1-wlan-ap-7] radio 1
[AC_1-wlan-radio-7/1] coverage distance 15  //Set the radio coverage distance. The default value is 3, in the unit of 100 m. In this example, Root-AP7 and Leaf-AP8 are 1.5 km away from each other. Set this parameter to 15. Set this parameter as required.
[AC_1-wlan-radio-7/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-radio-7/1] wds-whitelist-profile wds-list3  //Bind the MAC address of Leaf-AP8.
[AC_1-wlan-radio-7/1] quit
[AC_1-wlan-ap-7] quit
[AC_1-wlan-view] ap-id 8
[AC_1-wlan-ap-8] radio 1
[AC_1-wlan-radio-8/1] coverage distance 15
[AC_1-wlan-radio-8/1] quit
- Configure a wired port profile for leaf APs.
# Leaf-AP5 is connected to AP6 and Root-AP7. Retain the default port mode (root).
# Leaf-AP8 is connected only to a switch or cameras. Set its port mode to endpoint by binding the wired port profile wds-sw created in Step 7 to the AP.
[AC_1-wlan-ap-8] wired-port-profile wds-sw gigabitethernet 0
[AC_1-wlan-ap-8] quit
# Run the display ap all command to check the current AP status. When the following information is displayed, APs go online successfully.
[AC_1-wlan-view] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [7]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name     Group    IP           Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------
1    60de-4476-e100 Root-AP1 ROOT1    10.128.1.19  AP8150DN nor   0   58M:18S -
2    60de-4476-e200 Leaf-AP2 LEAF1    10.128.1.70  AP8150DN nor   0   50M:51S -
3    60de-4476-e300 Leaf-AP3 LEAF1    10.128.1.134 AP8150DN nor   0   52M:46S -
4    60de-4476-e600 Root-AP4 ROOT2    10.128.1.155 AP8150DN nor   0   57M:46S -
5    60de-4476-e700 Leaf-AP5 LEAF2    10.128.1.119 AP8150DN nor   0   46M:18S -
7    60de-4476-e900 Root-AP7 ROOT2    10.128.1.8   AP8150DN nor   0   43M:46S -
8    60de-4476-ea00 Leaf-AP8 LEAF2    10.128.1.68  AP8150DN nor   0   38M:46S -
----------------------------------------------------------------------------------------
Total: 7
# Restart Leaf-AP8 that has gone online to make the port configuration take effect.
Changing the port mode of Leaf-AP8 to endpoint takes effect only after the AP is restarted.
[AC_1-wlan-view] ap-reset ap-id 8
Warning: Reset AP(s), continue?[Y/N]: y
- Configure basic WLAN services so that wireless users can connect to the WLAN.
5G channels are used for WDS backhaul. To prevent channel conflicts, this example only uses 2.4G channels for wireless service coverage.
- Configure a VAP profile.
# Create the AP group coverage for wireless service coverage.
[AC_1-wlan-view] ap-group name coverage
[AC_1-wlan-ap-group-coverage] quit
[AC_1-wlan-view] ap-id 6 ap-mac 60de-4476-e800
[AC_1-wlan-ap-6] ap-name AP6
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-6] ap-group coverage
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-6] quit
# Bind the regulatory domain profile domain1 created in Step 7 to the AP group.
[AC_1-wlan-view] ap-group name coverage
[AC_1-wlan-ap-group-coverage] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-coverage] quit
# Create the security profile wlan-net and set the security policy in the profile.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create the traffic profile wlan-net, enable isolation of all users, and set the STA-based rate limit to 2 Mbit/s.
[AC_1-wlan-view] traffic-profile name wlan-net
[AC_1-wlan-traffic-prof-wlan-net] user-isolate all
[AC_1-wlan-traffic-prof-wlan-net] rate-limit client up 2048
[AC_1-wlan-traffic-prof-wlan-net] rate-limit client down 2048
[AC_1-wlan-traffic-prof-wlan-net] quit
# Create the VAP profile wlan-net, set the data forwarding mode (default) and service VLAN, and apply the security profile, SSID profile, and traffic profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 20
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] traffic-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
- Configure radio calibration parameters.
# Create the RRM profile coverage and configure smart roaming and the disconnection of weak-signal STAs.
[AC_1-wlan-view] rrm-profile name coverage
[AC_1-wlan-rrm-prof-coverage] smart-roam roam-threshold snr 25
[AC_1-wlan-rrm-prof-coverage] smart-roam quick-kickoff-threshold snr 20
[AC_1-wlan-rrm-prof-coverage] quit
# Create the 2G radio profile coverage, bind the RRM profile to it, and configure radio parameters.
[AC_1-wlan-view] radio-2g-profile name coverage
[AC_1-wlan-radio-2g-prof-coverage] rrm-profile coverage
[AC_1-wlan-radio-2g-prof-coverage] rts-cts-mode rts-cts  //Set the RTS-CTS mode for the radio profile.
[AC_1-wlan-radio-2g-prof-coverage] rts-cts-threshold 1400  //Set the RTS-CTS threshold in the radio profile to 1400.
[AC_1-wlan-radio-2g-prof-coverage] quit
# Enable automatic radio calibration, enable policies load, noise-floor, non-wifi, and rogue-ap, and set the calibration sensitivity to high.
[AC_1-wlan-view] calibrate enable auto interval 1440 start-time 03:00:00  //Configure the radio calibration mode.
[AC_1-wlan-view] calibrate policy load  //Set the radio calibration policy to the load mode.
[AC_1-wlan-view] calibrate policy noise-floor  //Set the radio calibration policy to the noise floor mode.
[AC_1-wlan-view] calibrate policy non-wifi  //Set the radio calibration policy to the non-Wi-Fi mode.
[AC_1-wlan-view] calibrate policy rogue-ap  //Set the radio calibration policy to the rogue AP mode.
[AC_1-wlan-view] calibrate sensitivity high  //Configure high radio calibration sensitivity.
- Bind the radio profile and VAP profile to radio 0 of the AP group.
[AC_1-wlan-view] ap-group name coverage
[AC_1-wlan-ap-group-coverage] radio 0
[AC_1-wlan-group-radio-coverage/0] radio-2g-profile coverage
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-coverage/0] vap-profile wlan-net wlan 1
[AC_1-wlan-group-radio-coverage/0] quit
[AC_1-wlan-ap-group-coverage] quit
- (Optional) Configure attack detection.
- Configure attack detection.
# Enable brute force PSK cracking detection for WPA2-PSK authentication and flood attack detection.
[AC_1-wlan-view] ap-group name coverage
[AC_1-wlan-ap-group-coverage] radio 0
[AC_1-wlan-group-radio-coverage/0] wids attack detect enable wpa2-psk
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-coverage/0] wids attack detect enable flood
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-coverage/0] quit
[AC_1-wlan-ap-group-coverage] quit
# Create the WIDS profile wlan-wids.
[AC_1-wlan-view] wids-profile name wlan-wids
# Set the interval for brute force PSK cracking detection to 70 seconds, the maximum number of key negotiation failures allowed within a period to 25, and the quiet time for attack detection to 700 seconds.
[AC_1-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC_1-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC_1-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700
# Set the interval for flood attack detection to 70 seconds, the detection threshold to 350, and the quiet time for attack detection to 700 seconds.
[AC_1-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC_1-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC_1-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700
- Configure the dynamic blacklist function.
# Enable the dynamic blacklist function.
[AC_1-wlan-wids-prof-wlan-wids] dynamic-blacklist enable
[AC_1-wlan-wids-prof-wlan-wids] quit
# Create the AP system profile wlan-system and set the dynamic blacklist aging time to 200 seconds.
[AC_1-wlan-view] ap-system-profile name wlan-system
[AC_1-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC_1-wlan-ap-system-prof-wlan-system] quit
- Bind the WIDS profile and AP system profile to the AP group.
[AC_1-wlan-view] ap-group name coverage
[AC_1-wlan-ap-group-coverage] wids-profile wlan-wids
[AC_1-wlan-ap-group-coverage] ap-system-profile wlan-system
[AC_1-wlan-ap-group-coverage] quit
- Configure wireless configuration synchronization in VRRP HSB scenarios.
# Configure wireless configuration synchronization on AC6805_1.
[AC_1-wlan-view] master controller
[AC_1-master-controller] master-redundancy peer-ip ip-address 10.128.1.3 local-ip ip-address 10.128.1.2 psk huawei@123
[AC_1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 800
[AC_1-master-controller] quit
[AC_1-wlan-view] quit
# Configure wireless configuration synchronization on AC6805_2.
[AC_2] wlan
[AC_2-wlan-view] master controller
[AC_2-master-controller] master-redundancy peer-ip ip-address 10.128.1.2 local-ip ip-address 10.128.1.3 psk huawei@123
[AC_2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 800
[AC_2-master-controller] quit
[AC_2-wlan-view] quit
- Trigger wireless configuration synchronization manually.
# When the configuration synchronization channel is set up for the first time, run the display sync-configuration status command to check the wireless configuration synchronization status, which is cfg-mismatch. In this case, manually trigger wireless configuration synchronization on the master AC. When the backup master AC restarts automatically, synchronization is completed. If public configurations on the master AC and backup master AC are inconsistent subsequently, the public configuration on the master AC is automatically synchronized to the backup master AC.
[AC_1] display sync-configuration status
Controller role:Master/Backup/Local
-------------------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status                           Last synced
-------------------------------------------------------------------------------------------------
10.128.1.3     Backup  AC6805       V200R010C00  cfg-mismatch(config check fail)  -
-------------------------------------------------------------------------------------------------
Total: 1
[AC_1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
Configuring the S2750EI_1 Access Switches
- On S2750EI_1, add E0/0/1 connected to an AP to VLANs 10 and 30, and E0/0/2 and E0/0/3 connected to cameras to VLAN 30.
<HUAWEI> system-view
[HUAWEI] sysname S2750EI_1
[S2750EI_1] vlan batch 10 30
[S2750EI_1] interface ethernet 0/0/1
[S2750EI_1-Ethernet0/0/1] description Connect to Leaf-AP2
[S2750EI_1-Ethernet0/0/1] port link-type trunk
[S2750EI_1-Ethernet0/0/1] port trunk allow-pass vlan 10 30
[S2750EI_1-Ethernet0/0/1] undo port trunk allow-pass vlan 1
[S2750EI_1-Ethernet0/0/1] quit
[S2750EI_1] interface ethernet 0/0/2
[S2750EI_1-Ethernet0/0/2] description Connect to camera
[S2750EI_1-Ethernet0/0/2] port link-type trunk
[S2750EI_1-Ethernet0/0/2] port trunk pvid vlan 30
[S2750EI_1-Ethernet0/0/2] port trunk allow-pass vlan 30
[S2750EI_1-Ethernet0/0/2] undo port trunk allow-pass vlan 1
[S2750EI_1-Ethernet0/0/2] port-isolate enable  //Configure port isolation.
[S2750EI_1-Ethernet0/0/2] quit
[S2750EI_1] interface ethernet 0/0/3
[S2750EI_1-Ethernet0/0/3] description Connect to camera
[S2750EI_1-Ethernet0/0/3] port link-type trunk
[S2750EI_1-Ethernet0/0/3] port trunk pvid vlan 30
[S2750EI_1-Ethernet0/0/3] port trunk allow-pass vlan 30
[S2750EI_1-Ethernet0/0/3] undo port trunk allow-pass vlan 1
[S2750EI_1-Ethernet0/0/3] port-isolate enable
[S2750EI_1-Ethernet0/0/3] quit
- Create a VLANIF interface and configure an IP address for it.
[S2750EI_1] interface vlanif 10
[S2750EI_1-Vlanif10] ip address 172.16.10.11 24  //Configure an IP address for the management VLANIF interface that connects to the aggregation switch and core switches.
[S2750EI_1-Vlanif10] quit
Configuring the S2750EI_2 Access Switches
- On S2750EI_2, configure VLANs for ports as follows:
- E0/0/1 connected to Leaf-AP5: VLANs 10, 20, 30, and 800
- E0/0/2 connected to AP6: VLANs 20 and 800
- E0/0/3, E0/0/4, and E0/0/5 connected to cameras: VLAN 30
- E0/0/6 connected to Root-AP7: VLANs 10, 30, and 800
<HUAWEI> system-view
[HUAWEI] sysname S2750EI_2
[S2750EI_2] vlan batch 10 20 30 800
[S2750EI_2] interface ethernet 0/0/1
[S2750EI_2-Ethernet0/0/1] description Connect to Leaf-AP5
[S2750EI_2-Ethernet0/0/1] port link-type trunk
[S2750EI_2-Ethernet0/0/1] port trunk allow-pass vlan 10 20 30 800
[S2750EI_2-Ethernet0/0/1] quit
[S2750EI_2] interface ethernet 0/0/2
[S2750EI_2-Ethernet0/0/2] description Connect to AP6
[S2750EI_2-Ethernet0/0/2] port link-type trunk
[S2750EI_2-Ethernet0/0/2] port trunk allow-pass vlan 20 800
[S2750EI_2-Ethernet0/0/2] port-isolate enable  //Configure port isolation.
[S2750EI_2-Ethernet0/0/2] quit
[S2750EI_2] interface ethernet 0/0/3
[S2750EI_2-Ethernet0/0/3] description Connect to camera
[S2750EI_2-Ethernet0/0/3] port link-type trunk
[S2750EI_2-Ethernet0/0/3] port trunk pvid vlan 30
[S2750EI_2-Ethernet0/0/3] port trunk allow-pass vlan 30
[S2750EI_2-Ethernet0/0/3] undo port trunk allow-pass vlan 1
[S2750EI_2-Ethernet0/0/3] port-isolate enable
[S2750EI_2-Ethernet0/0/3] quit
[S2750EI_2] interface ethernet 0/0/4
[S2750EI_2-Ethernet0/0/4] description Connect to camera
[S2750EI_2-Ethernet0/0/4] port link-type trunk
[S2750EI_2-Ethernet0/0/4] port trunk pvid vlan 30
[S2750EI_2-Ethernet0/0/4] port trunk allow-pass vlan 30
[S2750EI_2-Ethernet0/0/4] undo port trunk allow-pass vlan 1
[S2750EI_2-Ethernet0/0/4] port-isolate enable
[S2750EI_2-Ethernet0/0/4] quit
[S2750EI_2] interface ethernet 0/0/5
[S2750EI_2-Ethernet0/0/5] description Connect to camera
[S2750EI_2-Ethernet0/0/5] port link-type trunk
[S2750EI_2-Ethernet0/0/5] port trunk pvid vlan 30
[S2750EI_2-Ethernet0/0/5] port trunk allow-pass vlan 30
[S2750EI_2-Ethernet0/0/5] undo port trunk allow-pass vlan 1
[S2750EI_2-Ethernet0/0/5] port-isolate enable
[S2750EI_2-Ethernet0/0/5] quit
[S2750EI_2] interface ethernet 0/0/6
[S2750EI_2-Ethernet0/0/6] description Connect to Root-AP7
[S2750EI_2-Ethernet0/0/6] port link-type trunk
[S2750EI_2-Ethernet0/0/6] port trunk allow-pass vlan 10 30 800
[S2750EI_2-Ethernet0/0/6] port-isolate enable
[S2750EI_2-Ethernet0/0/6] quit
- Create a VLANIF interface and configure an IP address for it.
[S2750EI_2] interface vlanif 10
[S2750EI_2-Vlanif10] ip address 172.16.10.12 24  //Configure an IP address for the management VLANIF interface that connects to the aggregation switch and core switches.
[S2750EI_2-Vlanif10] quit
Configuring the S2750EI_3 Access Switches
- On S2750EI_3, add E0/0/1 connected to an AP to VLANs 10 and 30, and E0/0/2, E0/0/3, and E0/0/4 connected to cameras to VLAN 30.
<HUAWEI> system-view
[HUAWEI] sysname S2750EI_3
[S2750EI_3] vlan batch 10 30
[S2750EI_3] interface ethernet 0/0/1
[S2750EI_3-Ethernet0/0/1] description Connect to Leaf-AP8
[S2750EI_3-Ethernet0/0/1] port link-type trunk
[S2750EI_3-Ethernet0/0/1] port trunk allow-pass vlan 10 30
[S2750EI_3-Ethernet0/0/1] undo port trunk allow-pass vlan 1
[S2750EI_3-Ethernet0/0/1] quit
[S2750EI_3] interface ethernet 0/0/2
[S2750EI_3-Ethernet0/0/2] description Connect to camera
[S2750EI_3-Ethernet0/0/2] port link-type trunk
[S2750EI_3-Ethernet0/0/2] port trunk pvid vlan 30
[S2750EI_3-Ethernet0/0/2] port trunk allow-pass vlan 30
[S2750EI_3-Ethernet0/0/2] undo port trunk allow-pass vlan 1
[S2750EI_3-Ethernet0/0/2] port-isolate enable  //Configure port isolation.
[S2750EI_3-Ethernet0/0/2] quit
[S2750EI_3] interface ethernet 0/0/3
[S2750EI_3-Ethernet0/0/3] description Connect to camera
[S2750EI_3-Ethernet0/0/3] port link-type trunk
[S2750EI_3-Ethernet0/0/3] port trunk pvid vlan 30
[S2750EI_3-Ethernet0/0/3] port trunk allow-pass vlan 30
[S2750EI_3-Ethernet0/0/3] undo port trunk allow-pass vlan 1
[S2750EI_3-Ethernet0/0/3] port-isolate enable
[S2750EI_3-Ethernet0/0/3] quit
[S2750EI_3] interface ethernet 0/0/4
[S2750EI_3-Ethernet0/0/4] description Connect to camera
[S2750EI_3-Ethernet0/0/4] port link-type trunk
[S2750EI_3-Ethernet0/0/4] port trunk pvid vlan 30
[S2750EI_3-Ethernet0/0/4] port trunk allow-pass vlan 30
[S2750EI_3-Ethernet0/0/4] undo port trunk allow-pass vlan 1
[S2750EI_3-Ethernet0/0/4] port-isolate enable
[S2750EI_3-Ethernet0/0/4] quit
- Create a VLANIF interface and configure an IP address for it.
[S2750EI_3] interface vlanif 10
[S2750EI_3-Vlanif10] ip address 172.16.10.13 24  //Configure an IP address for the management VLANIF interface that connects to the aggregation switch and core switches.
[S2750EI_3-Vlanif10] quit
Verification
- After the CSS of core switches is set up and the core switches are restarted, check the CSS status. The MASTER indicator on the CSS card of the master switch is steady green, and that on the standby switch is off.
- Run the display ap all command on AC6805_1 and AC6805_2 to check the current AP status. When the following information is displayed, APs go online successfully.
[AC_1] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor  : normal          [8]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name     Group    IP           Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------
1    60de-4476-e100 Root-AP1 ROOT1    10.128.1.19  AP8150DN nor   0   58M:18S -
2    60de-4476-e200 Leaf-AP2 LEAF1    10.128.1.70  AP8150DN nor   0   50M:51S -
3    60de-4476-e300 Leaf-AP3 LEAF1    10.128.1.134 AP8150DN nor   0   52M:46S -
4    60de-4476-e600 Root-AP4 ROOT2    10.128.1.155 AP8150DN nor   0   57M:46S -
5    60de-4476-e700 Leaf-AP5 LEAF2    10.128.1.119 AP8150DN nor   0   46M:18S -
6    60de-4476-e800 AP6      coverage 10.128.1.170 AP8150DN nor   0   40M:51S -
7    60de-4476-e900 Root-AP7 ROOT2    10.128.1.8   AP8150DN nor   0   43M:46S -
8    60de-4476-ea00 Leaf-AP8 LEAF2    10.128.1.68  AP8150DN nor   0   38M:46S -
----------------------------------------------------------------------------------------
Total: 8
[AC_2] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
stdby: standby         [8]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------
ID   MAC            Name     Group    IP           Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------
1    60de-4476-e100 Root-AP1 ROOT1    10.128.1.19  AP8150DN stdby 0   -       -
2    60de-4476-e200 Leaf-AP2 LEAF1    10.128.1.70  AP8150DN stdby 0   -       -
3    60de-4476-e300 Leaf-AP3 LEAF1    10.128.1.134 AP8150DN stdby 0   -       -
4    60de-4476-e600 Root-AP4 ROOT2    10.128.1.155 AP8150DN stdby 0   -       -
5    60de-4476-e700 Leaf-AP5 LEAF2    10.128.1.119 AP8150DN stdby 0   -       -
6    60de-4476-e800 AP6      coverage 10.128.1.170 AP8150DN stdby 0   -       -
7    60de-4476-e900 Root-AP7 ROOT2    10.128.1.8   AP8150DN stdby 0   -       -
8    60de-4476-ea00 Leaf-AP8 LEAF2    10.128.1.68  AP8150DN stdby 0   -       -
----------------------------------------------------------------------------------------
Total: 8
- Run the display hsb-service 0 command on AC6805_1 and AC6805_2 to check the HSB service status. The Service State field displays Connected, indicating that the HSB channel has been established.
[AC_1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.51.0.1
  Peer IP Address        : 10.51.0.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------
[AC_2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.51.0.2
  Peer IP Address        : 10.51.0.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------
- Run the display hsb-group 0 command on AC6805_1 and AC6805_2 to check the HSB group status.
[AC_1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif800
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R010C00
  Group Backup Modules        : Access-user AP DHCP
----------------------------------------------------------
[AC_2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif800
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R010C00
  Group Backup Modules        : Access-user AP DHCP
----------------------------------------------------------
- Run the display sync-configuration status command on the master AC and backup master AC to view the wireless configuration synchronization status.
[AC_1] display sync-configuration status
Info: This operation may take a few seconds. Please wait for a moment.done.
Controller role:Master/Backup/Local
---------------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status  Last synced
---------------------------------------------------------------------------------------------
10.128.1.3     Backup  AC6805       V200R010C00  up      -
---------------------------------------------------------------------------------------------
Total: 1
[AC_2] display sync-configuration status
Info: This operation may take a few seconds. Please wait for a moment.done.
Controller role:Master/Backup/Local
---------------------------------------------------------------------------------------------
Controller IP  Role    Device Type  Version      Status  Last synced
---------------------------------------------------------------------------------------------
10.128.1.2     Master  AC6805       V200R010C00  up      -
---------------------------------------------------------------------------------------------
Total: 1
- Run the display wlan wds link all command to check information about WDS links.
[AC_1] display wlan wds link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
WDS  : WDS mode          Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName   P-APName Rf Dis Ch  WDS  P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
-------------------------------------------------------------------------------------------------
Root-AP1 Leaf-AP2 1  10  149 root normal   -54  -40  0   3  50   45/49/-/-
Root-AP1 Leaf-AP3 1  10  149 root normal   -52  -36  0   49 57   36/31/57/-
Leaf-AP2 Root-AP1 1  10  149 leaf normal   -56  -40  0   3  50   45/49/-/-
Leaf-AP3 Root-AP1 1  10  149 leaf normal   -51  -36  0   49 57   36/31/57/-
Root-AP4 Leaf-AP5 1  8   157 root normal   -47  -40  0   3  50   45/49/-/-
Leaf-AP5 Root-AP4 1  8   157 root normal   -48  -36  0   49 57   36/31/57/-
Root-AP7 Leaf-AP8 1  15  149 root normal   -51  -7   0   1  83   81/80/-/-
Leaf-AP8 Root-AP7 1  15  149 leaf normal   -56  -40  0   3  50   45/49/-/-
-------------------------------------------------------------------------------------------------
Total: 8
- Verify that video information from all cameras can be displayed clearly on the video server, without jitter, frame freezing, or latency.
- The WLAN with the SSID wlan-net is available for STAs. STAs can connect to the WLAN after users enter the password a1234567.
Configuration Scripts
S7706 CSS |
---|
# sysname CSS # vlan batch 10 20 30 800 # dhcp enable # interface Vlanif10 ip address 172.16.10.1 255.255.255.0 # interface Vlanif20 ip address 172.16.20.1 255.255.255.0 dhcp select interface dhcp server lease day 0 hour 1 minute 0 # interface Vlanif30 ip address 172.16.30.1 255.255.255.0 # interface Eth-Trunk1 description Connect to S5720 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 10 20 30 800 # interface Eth-Trunk10 description Connect to AC6805_1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 800 # interface Eth-Trunk20 description Connect to AC6805_2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 800 # interface Gigabitethernet1/1/1/0 eth-trunk 10 # interface Gigabitethernet1/1/1/1 eth-trunk 20 # interface Gigabitethernet1/1/1/6 eth-trunk 1 # interface Gigabitethernet2/1/1/0 eth-trunk 10 # interface Gigabitethernet2/1/1/1 eth-trunk 20 # interface Gigabitethernet2/1/1/2 description Connect to Camera-Server port link-type trunk port trunk pvid vlan 30 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 30 # interface Gigabitethernet2/1/1/6 eth-trunk 1 # return |
S5720EI |
---|
# sysname S5720EI # vlan batch 10 20 30 800 # interface Vlanif10 ip address 172.16.10.2 255.255.255.0 # interface Eth-Trunk1 description Connect to S7706 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 10 20 30 800 # interface GigabitEthernet0/0/1 description Connect to Root-AP1 port link-type trunk port trunk pvid vlan 800 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 10 20 30 800 port-isolate enable group 1 # interface GigabitEthernet0/0/2 description Connect to Root-AP4 port link-type trunk port trunk pvid vlan 800 undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 10 20 30 800 port-isolate enable group 1 # interface GigabitEthernet0/0/23 eth-trunk 1 # interface GigabitEthernet0/0/24 eth-trunk 1 # return |
AC6805_1 |
---|
# sysname AC_1 # vrrp recover-delay 60 # vlan batch 10 20 30 51 800 # dhcp enable # interface Vlanif51 ip address 10.51.0.1 255.255.255.0 # interface Vlanif800 ip address 10.128.1.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.128.1.1 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1200 dhcp select interface # interface Eth-Trunk50 description Connect to S7706 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 800 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 51 # interface GigabitEthernet0/0/23 eth-trunk 50 # interface GigabitEthernet0/0/24 eth-trunk 50 # capwap source ip-address 10.128.1.1 # hsb-service 0 service-ip-port local-ip 10.51.0.1 peer-ip 10.51.0.2 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp vrid 1 interface Vlanif800 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan calibrate policy rogue-ap calibrate policy non-wifi calibrate policy load calibrate policy noise-floor calibrate sensitivity high traffic-profile name wlan-net rate-limit client up 2048 rate-limit client down 2048 user-isolate all security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#]Rt%'Fw'<'96_X5.],PSo\<;EdR5s""fR</~/I*8%^%# aes security-profile name wds-security security wpa2 psk pass-phrase %^%#~3d\>.rEv7px;%SuB=(~JBm>M,\n4Y/pGwFx8tU.%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 20 ssid-profile wlan-net security-profile wlan-net traffic-profile wlan-net wds-whitelist-profile name wds-list1 peer-ap mac 60de-4476-e200 peer-ap mac 60de-4476-e300 wds-whitelist-profile name wds-list2 peer-ap mac 60de-4476-e700 wds-whitelist-profile name wds-list3 peer-ap mac 60de-4476-ea00 wds-profile name LEAF security-profile wds-security vlan tagged 10 20 30 wds-name wds-net wds-profile name ROOT security-profile wds-security vlan tagged 10 20 30 wds-name wds-net wds-mode root regulatory-domain-profile name domain1 rrm-profile name coverage smart-roam roam-threshold snr 25 smart-roam quick-kickoff-threshold snr 20 radio-2g-profile name coverage rrm-profile coverage radio-5g-profile name wds wids-profile name wlan-wids flood-detect interval 70 flood-detect threshold 350 flood-detect quiet-time 700 brute-force-detect interval 70 brute-force-detect threshold 25 brute-force-detect quiet-time 700 dynamic-blacklist enable ap-system-profile name wlan-system dynamic-blacklist aging-time 200 wired-port-profile name wds-sw mode endpoint vlan pvid 30 vlan tagged 10 20 vlan untagged 30 ap-group name LEAF1 wired-port-profile wds-sw gigabitethernet 0 regulatory-domain-profile domain1 radio 1 radio-5g-profile wds wds-profile LEAF coverage distance 10 calibrate auto-channel-select disable calibrate auto-txpower-select disable ap-group name LEAF2 regulatory-domain-profile domain1 radio 1 radio-5g-profile wds wds-profile LEAF ap-group name ROOT1 regulatory-domain-profile domain1 radio 1 radio-5g-profile wds wds-profile ROOT wds-whitelist-profile wds-list1 channel 40mhz-plus 149 coverage distance 10 calibrate auto-channel-select disable calibrate auto-txpower-select disable ap-group name ROOT2 regulatory-domain-profile domain1 radio 1 radio-5g-profile wds wds-profile ROOT ap-group name coverage ap-system-profile wlan-system regulatory-domain-profile domain1 wids-profile wlan-wids radio 0 radio-2g-profile coverage vap-profile wlan-net wlan 1 wids attack detect enable flood wids attack detect enable wpa2-psk ap-id 1 type-id 81 ap-mac 60de-4476-e100 ap-sn 21023581089WF7000337 ap-name Root-AP1 ap-group ROOT1 ap-id 2 type-id 81 ap-mac 60de-4476-e200 ap-sn 21023581099WG1000061 ap-name Leaf-AP2 ap-group LEAF1 ap-id 3 type-id 81 ap-mac 60de-4476-e300 ap-sn 210235810810EC004612 ap-name Leaf-AP3 ap-group LEAF1 ap-id 4 type-id 81 ap-mac 60de-4476-e600 ap-sn 210235810814EC001652 ap-name Root-AP4 ap-group ROOT2 radio 1 wds-whitelist-profile wds-list2 channel 40mhz-plus 157 coverage distance 8 ap-id 5 type-id 81 ap-mac 60de-4476-e700 ap-sn 210235810816EA004636 ap-name Leaf-AP5 ap-group LEAF2 radio 1 coverage distance 8 ap-id 6 type-id 81 ap-mac 60de-4476-e800 ap-sn 21023581074WF8000110 ap-name AP6 ap-group coverage ap-id 7 type-id 81 ap-mac 60de-4476-e900 ap-sn 21023581098WG8000158 ap-name Root-AP7 ap-group ROOT2 radio 1 wds-whitelist-profile wds-list3 channel 40mhz-plus 149 coverage distance 15 ap-id 8 type-id 81 ap-mac 60de-4476-ea00 ap-sn 210235810814EC001652 ap-name Leaf-AP8 ap-group LEAF2 wired-port-profile wds-sw gigabitethernet 0 radio 1 coverage distance 15 master controller master-redundancy track-vrrp vrid 1 interface Vlanif800 master-redundancy peer-ip ip-address 10.128.1.3 local-ip ip-address 10.128.1.2 psk %^%#P3h9Gz1"o9G%/@C]84ABogt7XWu((-1swV%hdz\1%^%# # return |
AC6805_2 |
---|
```
#
sysname AC_2
#
vrrp recover-delay 60
#
vlan batch 10 20 30 51 800
#
dhcp enable
#
interface Vlanif51
 ip address 10.51.0.2 255.255.255.0
#
interface Vlanif800
 ip address 10.128.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1
 dhcp select interface
#
interface Eth-Trunk50
 description Connect to S7706
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 51
#
interface GigabitEthernet0/0/23
 eth-trunk 50
#
interface GigabitEthernet0/0/24
 eth-trunk 50
#
capwap source ip-address 10.128.1.1
#
hsb-service 0
 service-ip-port local-ip 10.51.0.2 peer-ip 10.51.0.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif800
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif800
  master-redundancy peer-ip ip-address 10.128.1.2 local-ip ip-address 10.128.1.3 psk %^%#P3h9Gz1"o9G%/@C]84ABogt7XWu((-1swV%hdz\1%^%#
#
return
```
S2750EI_1 |
---|
```
#
sysname S2750EI_1
#
vlan batch 10 30
#
interface Vlanif10
 ip address 172.16.10.11 255.255.255.0
#
interface Ethernet0/0/1
 description Connect to Leaf-AP2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 30
#
interface Ethernet0/0/2
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
interface Ethernet0/0/3
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
return
```
S2750EI_2 |
---|
```
#
sysname S2750EI_2
#
vlan batch 10 20 30 800
#
interface Vlanif10
 ip address 172.16.10.12 255.255.255.0
#
interface Ethernet0/0/1
 description Connect to Leaf-AP5
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 800
#
interface Ethernet0/0/2
 description Connect to AP6
 port link-type trunk
 port trunk allow-pass vlan 20 800
 port-isolate enable group 1
#
interface Ethernet0/0/3
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
interface Ethernet0/0/4
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
interface Ethernet0/0/5
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
interface Ethernet0/0/6
 description Connect to Root-AP7
 port link-type trunk
 port trunk allow-pass vlan 10 30 800
 port-isolate enable group 1
#
return
```
S2750EI_3 |
---|
```
#
sysname S2750EI_3
#
vlan batch 10 30
#
interface Vlanif10
 ip address 172.16.10.13 255.255.255.0
#
interface Ethernet0/0/1
 description Connect to Leaf-AP8
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 30
#
interface Ethernet0/0/2
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
interface Ethernet0/0/3
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
interface Ethernet0/0/4
 description Connect to camera
 port link-type trunk
 port trunk pvid vlan 30
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 30
 port-isolate enable group 1
#
return
```
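The WDS whitelist in the AC_1 configuration file above only does its job if every whitelisted peer MAC belongs to a registered AP and no MAC is registered twice. The following script is an added example, not part of the original configuration files: it cross-checks the two sets of entries. The function name `audit_wds` and the regular expressions are assumptions made for this example; the sample lines are copied from the AC_1 listing.

```python
import re
from collections import Counter

# Whitelist and AP registration entries copied from the AC_1 listing above,
# one entry per line; all other commands are omitted.
SAMPLE_CONFIG = """
wds-whitelist-profile name wds-list1 peer-ap mac 60de-4476-e200 peer-ap mac 60de-4476-e300
wds-whitelist-profile name wds-list2 peer-ap mac 60de-4476-e700
wds-whitelist-profile name wds-list3 peer-ap mac 60de-4476-ea00
ap-id 1 type-id 81 ap-mac 60de-4476-e100 ap-sn 21023581089WF7000337 ap-name Root-AP1
ap-id 2 type-id 81 ap-mac 60de-4476-e200 ap-sn 21023581099WG1000061 ap-name Leaf-AP2
ap-id 3 type-id 81 ap-mac 60de-4476-e300 ap-sn 210235810810EC004612 ap-name Leaf-AP3
ap-id 4 type-id 81 ap-mac 60de-4476-e600 ap-sn 210235810814EC001652 ap-name Root-AP4
ap-id 5 type-id 81 ap-mac 60de-4476-e700 ap-sn 210235810816EA004636 ap-name Leaf-AP5
ap-id 6 type-id 81 ap-mac 60de-4476-e800 ap-sn 21023581074WF8000110 ap-name AP6
ap-id 7 type-id 81 ap-mac 60de-4476-e900 ap-sn 21023581098WG8000158 ap-name Root-AP7
ap-id 8 type-id 81 ap-mac 60de-4476-e600 ap-sn 210235810814EC001652 ap-name Leaf-AP8
"""

# \s+ between tokens lets the patterns match one-command-per-line exports too.
AP_RE = re.compile(r"ap-id\s+(\d+)\s+type-id\s+\d+\s+ap-mac\s+(\S+)\s+ap-sn\s+\S+\s+ap-name\s+(\S+)")
WHITELIST_RE = re.compile(r"wds-whitelist-profile\s+name\s+(\S+)((?:\s+peer-ap\s+mac\s+\S+)+)")
PEER_RE = re.compile(r"peer-ap\s+mac\s+(\S+)")

def audit_wds(config):
    """Return (duplicate_macs, unregistered_peers) for an AC configuration."""
    aps = [(name, mac.lower()) for _id, mac, name in AP_RE.findall(config)]
    counts = Counter(mac for _name, mac in aps)
    # Two AP entries with the same MAC cannot both describe real devices.
    duplicates = {mac: [n for n, m in aps if m == mac]
                  for mac, seen in counts.items() if seen > 1}
    # A whitelisted peer MAC that matches no registered AP is stale or mistyped.
    unregistered = {}
    for profile, body in WHITELIST_RE.findall(config):
        missing = [m.lower() for m in PEER_RE.findall(body) if m.lower() not in counts]
        if missing:
            unregistered[profile] = missing
    return duplicates, unregistered

if __name__ == "__main__":
    dups, missing = audit_wds(SAMPLE_CONFIG)
    for mac, names in dups.items():
        print(f"duplicate ap-mac {mac}: {', '.join(names)}")
    for profile, macs in missing.items():
        print(f"{profile}: peer(s) not registered as an AP: {', '.join(macs)}")
```

On the AC_1 entries it reports that 60de-4476-e600 is registered for both Root-AP4 and Leaf-AP8, and that the wds-list3 peer 60de-4476-ea00 matches no registered AP.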
Troubleshooting During Network Deployment
- The network access speed is slow.
For details, see Revelations of Troublesolving > WLAN > STA Performance Fault > Slow Network Access Speed.
- STAs fail to associate with a WLAN.
For details, see Revelations of Troublesolving > WLAN > STA Performance Fault > STAs Fail to Associate with a WLAN.
- A low rate is displayed on a STA.
For details, see Revelations of Troublesolving > WLAN > STA Performance Fault > Low Rate Displayed on a STA.
- A STA goes offline unexpectedly.
For details, see Revelations of Troublesolving > WLAN > STA Performance Fault > A STA Goes Offline Unexpectedly.
- A STA fails to ping the gateway.
For details, see Revelations of Troublesolving > WLAN > STA Performance Fault > A STA Fails to Ping the Gateway.
- An AC upgrade fails.
For details, see Revelations of Troublesolving > WLAN > Device Management Fault > AC Upgrade Fails.
- WLAN web login fails.
For details, see Revelations of Troublesolving > WLAN > Device Management Fault > WLAN Web Login Failure.
- License activation fails.
For details, see Revelations of Troublesolving > WLAN > Device Management Fault > License Activation Failure.
- A PoE exception occurs.
For details, see Revelations of Troublesolving > WLAN > Device Management Fault > PoE Exception.
- A Fit AP upgrade fails.
For details, see Revelations of Troublesolving > WLAN > AP Management Fault > Fit AP Upgrade Fails.
- An AP fails to go online.
For details, see Revelations of Troublesolving > WLAN > AP Management Fault > AP Online Failure.
- An AP goes offline unexpectedly.
For details, see Revelations of Troublesolving > WLAN > AP Management Fault > An AP Goes Offline Unexpectedly.
- WDS leaf APs cannot go online.
For details, see Revelations of Troublesolving > WLAN Service Fault > WDS Leaf APs Cannot Go Online.
- The negotiated rate is slow after a WDS link is set up.
For details, see Revelations of Troublesolving > WLAN Service Fault > Slow Negotiated Rate After WDS Link Setup.