Configuration Procedure
Configuring the ACU2 Cards
- Create VLAN 800 and VLAN 730 on AC_1 and AC_2. Add the interfaces on AC_1 and AC_2 connected to S12700_A and S12700_B to VLAN 800.
<ACU2> system-view
[ACU2] sysname AC_1
[AC_1] vlan batch 730 800
[AC_1] interface vlanif 800
[AC_1-Vlanif800] ip address 10.128.1.2 24
[AC_1-Vlanif800] quit
[AC_1] interface eth-trunk 1
[AC_1-Eth-Trunk1] description Connect to S12700_A_Eth-Trunk
[AC_1-Eth-Trunk1] port link-type trunk
[AC_1-Eth-Trunk1] port trunk allow-pass vlan 800
[AC_1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AC_1-Eth-Trunk1] quit
[AC_1] interface xgigabitethernet 0/0/1
[AC_1-XGigabitEthernet0/0/1] eth-trunk 1
[AC_1-XGigabitEthernet0/0/1] quit
[AC_1] interface xgigabitethernet 0/0/2
[AC_1-XGigabitEthernet0/0/2] eth-trunk 1
[AC_1-XGigabitEthernet0/0/2] quit

<ACU2> system-view
[ACU2] sysname AC_2
[AC_2] vlan batch 730 800
[AC_2] interface vlanif 800
[AC_2-Vlanif800] ip address 10.128.1.3 24
[AC_2-Vlanif800] quit
[AC_2] interface eth-trunk 1
[AC_2-Eth-Trunk1] description Connect to S12700_B_Eth-Trunk
[AC_2-Eth-Trunk1] port link-type trunk
[AC_2-Eth-Trunk1] port trunk allow-pass vlan 800
[AC_2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AC_2-Eth-Trunk1] quit
[AC_2] interface xgigabitethernet 0/0/1
[AC_2-XGigabitEthernet0/0/1] eth-trunk 1
[AC_2-XGigabitEthernet0/0/1] quit
[AC_2] interface xgigabitethernet 0/0/2
[AC_2-XGigabitEthernet0/0/2] eth-trunk 1
[AC_2-XGigabitEthernet0/0/2] quit
- Configure a VLAN pool for service VLANs.
# Create VLAN pool sta-pool and add VLAN 730 to this VLAN pool. Add multiple VLANs to the VLAN pool as required.
[AC_1] vlan pool sta-pool
[AC_1-vlan-pool-sta-pool] vlan 730
[AC_1-vlan-pool-sta-pool] quit
- Configure VRRP HSB.
- Configure HSB connectivity between AC_1 and AC_2.
# Add Eth-Trunk1 on AC_1 connected to AC_2 to VLAN 810.
[AC_1] vlan batch 810
[AC_1] interface vlanif 810
[AC_1-Vlanif810] ip address 10.1.1.253 30
[AC_1-Vlanif810] quit
[AC_1] interface eth-trunk 1
[AC_1-Eth-Trunk1] port trunk allow-pass vlan 810
[AC_1-Eth-Trunk1] quit
# Add Eth-Trunk1 on AC_2 connected to AC_1 to VLAN 810.
[AC_2] vlan batch 810
[AC_2] interface vlanif 810
[AC_2-Vlanif810] ip address 10.1.1.254 30
[AC_2-Vlanif810] quit
[AC_2] interface eth-trunk 1
[AC_2-Eth-Trunk1] port trunk allow-pass vlan 810
[AC_2-Eth-Trunk1] quit
- Configure VRRP HSB on AC_1.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC_1] vrrp recover-delay 60
# Create management VRRP group 1 on AC_1. Set the priority of AC_1 in the VRRP management group to 120 and the preemption time to 1200 seconds.
[AC_1] interface vlanif 800
[AC_1-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_1-Vlanif800] vrrp vrid 1 priority 120
[AC_1-Vlanif800] vrrp vrid 1 preempt-mode timer delay 1200
[AC_1-Vlanif800] admin-vrrp vrid 1 //Configure VRRP group 1 as the management VRRP group.
[AC_1-Vlanif800] quit
# Create HSB service 0 on AC_1, and configure IP addresses and port numbers for the active and standby channels.
[AC_1] hsb-service 0
[AC_1-hsb-service-0] service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
[AC_1-hsb-service-0] quit
# Create HSB group 0 on AC_1, and bind HSB service 0 and management VRRP group 1 to HSB group 0.
[AC_1] hsb-group 0
[AC_1-hsb-group-0] bind-service 0
[AC_1-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_1-hsb-group-0] quit
# Bind WLAN services on AC_1 to HSB group 0.
[AC_1] hsb-service-type access-user hsb-group 0 //Bind the NAC service to HSB group 0.
[AC_1] hsb-service-type ap hsb-group 0 //Specify HSB group 0 for WLAN service backup.
[AC_1] hsb-service-type dhcp hsb-group 0 //Bind the DHCP server to HSB group 0.
[AC_1] hsb-group 0
[AC_1-hsb-group-0] hsb enable
[AC_1-hsb-group-0] quit
- Configure VRRP HSB on AC_2.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC_2] vrrp recover-delay 60
# Create management VRRP group 1 on AC_2.
[AC_2] interface vlanif 800
[AC_2-Vlanif800] vrrp vrid 1 virtual-ip 10.128.1.1
[AC_2-Vlanif800] admin-vrrp vrid 1 //Configure VRRP group 1 as the management VRRP group.
[AC_2-Vlanif800] quit
# Create HSB service 0 on AC_2, and configure IP addresses and port numbers for the active and standby channels.
[AC_2] hsb-service 0
[AC_2-hsb-service-0] service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
[AC_2-hsb-service-0] quit
# Create HSB group 0 on AC_2, and bind HSB service 0 and management VRRP group 1 to HSB group 0.
[AC_2] hsb-group 0
[AC_2-hsb-group-0] bind-service 0
[AC_2-hsb-group-0] track vrrp vrid 1 interface vlanif 800
[AC_2-hsb-group-0] quit
# Bind WLAN services on AC_2 to HSB group 0.
[AC_2] hsb-service-type access-user hsb-group 0 //Bind the NAC service to HSB group 0.
[AC_2] hsb-service-type ap hsb-group 0 //Specify HSB group 0 for WLAN service backup.
[AC_2] hsb-service-type dhcp hsb-group 0 //Bind the DHCP server to HSB group 0.
[AC_2] hsb-group 0
[AC_2-hsb-group-0] hsb enable
[AC_2-hsb-group-0] quit
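An added example, not part of the original procedure: a Python check that the VRRP/HSB settings entered on AC_1 and AC_2 above mirror each other (local/peer addresses, data ports, VRID and virtual IP), because the NAC, AP and DHCP state bound to HSB group 0 is only backed up when both ends agree. The input strings are constructed from the values on this page; the prompt-free layout and all function names are assumptions.

```python
import ipaddress
import re

# Constructed input: the VRRP/HSB commands from the steps above, per AC,
# written without CLI prompts (this layout is an assumption).
AC_1 = """
interface vlanif 800
 ip address 10.128.1.2 24
 vrrp vrid 1 virtual-ip 10.128.1.1
 vrrp vrid 1 priority 120
 admin-vrrp vrid 1
interface vlanif 810
 ip address 10.1.1.253 30
hsb-service 0
 service-ip-port local-ip 10.1.1.253 peer-ip 10.1.1.254 local-data-port 10241 peer-data-port 10241
hsb-group 0
 bind-service 0
 track vrrp vrid 1 interface vlanif 800
 hsb enable
"""
AC_2 = """
interface vlanif 800
 ip address 10.128.1.3 24
 vrrp vrid 1 virtual-ip 10.128.1.1
 admin-vrrp vrid 1
interface vlanif 810
 ip address 10.1.1.254 30
hsb-service 0
 service-ip-port local-ip 10.1.1.254 peer-ip 10.1.1.253 local-data-port 10241 peer-data-port 10241
hsb-group 0
 bind-service 0
 track vrrp vrid 1 interface vlanif 800
 hsb enable
"""

ADDR = re.compile(r"ip address (\S+) (\S+)")
VRRP = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+)")
HSB = re.compile(r"service-ip-port local-ip (\S+) peer-ip (\S+) "
                 r"local-data-port (\d+) peer-data-port (\d+)")
TRACK = re.compile(r"track vrrp vrid (\d+) interface .+")


def parse(cfg):
    """Collect the interface addresses and VRRP/HSB settings of one AC."""
    facts = {"ifaces": [], "vrrp": {}, "hsb": None, "track": None, "enabled": False}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := ADDR.fullmatch(line):
            facts["ifaces"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
        elif m := VRRP.fullmatch(line):
            facts["vrrp"][int(m[1])] = ipaddress.ip_address(m[2])
        elif m := HSB.fullmatch(line):
            facts["hsb"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
                            int(m[3]), int(m[4]))
        elif m := TRACK.fullmatch(line):
            facts["track"] = int(m[1])
        elif line == "hsb enable":
            facts["enabled"] = True
    return facts


def check_device(name, f):
    """Checks that only need one AC's own configuration."""
    if f["hsb"] is None:
        return [f"{name}: no service-ip-port line in hsb-service"]
    out = []
    local, peer, _, _ = f["hsb"]
    home = next((i for i in f["ifaces"] if i.ip == local), None)
    if home is None:
        out.append(f"{name}: HSB local-ip {local} is not configured on any interface")
    elif peer not in home.network:
        out.append(f"{name}: HSB peer-ip {peer} is outside {home.network}")
    if f["track"] not in f["vrrp"]:
        out.append(f"{name}: hsb-group tracks a VRRP group that is not configured")
    if not f["enabled"]:
        out.append(f"{name}: hsb enable is missing")
    return out


def check_pair(a, b):
    """Per-device checks plus the cross-device mirror checks."""
    out = check_device("AC_1", a) + check_device("AC_2", b)
    if a["hsb"] and b["hsb"]:
        la, pa, lpa, ppa = a["hsb"]
        lb, pb, lpb, ppb = b["hsb"]
        if (la, pa) != (pb, lb):
            out.append("HSB local-ip/peer-ip are not mirrored between the two ACs")
        if (lpa, ppa) != (ppb, lpb):
            out.append("HSB data ports are not mirrored between the two ACs")
    if a["vrrp"] != b["vrrp"]:
        out.append("VRRP VRID/virtual-ip differ between the two ACs")
    return out


if __name__ == "__main__":
    for finding in check_pair(parse(AC_1), parse(AC_2)) or ["no findings"]:
        print(finding)
```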
- Configure a RADIUS server template on the ACs, and configure authentication, accounting, and authorization servers in the template, so that the ACs can communicate with the RADIUS server.
- Create and configure a RADIUS server template and an AAA scheme.
# Create and configure RADIUS server template radius_huawei.
[AC_1] radius-server template radius_huawei
[AC_1-radius-radius_huawei] radius-server authentication 172.16.1.254 1812 weight 100 //Configure the primary RADIUS authentication server.
[AC_1-radius-radius_huawei] radius-server authentication 172.16.1.253 1812 weight 80 //Configure the secondary RADIUS authentication server.
[AC_1-radius-radius_huawei] radius-server accounting 172.16.1.254 1813 weight 100 //Configure the primary RADIUS accounting server.
[AC_1-radius-radius_huawei] radius-server accounting 172.16.1.253 1813 weight 80 //Configure the secondary RADIUS accounting server.
[AC_1-radius-radius_huawei] radius-server shared-key cipher huawei@123
[AC_1-radius-radius_huawei] quit
# Create a RADIUS authorization server.
[AC_1] radius-server authorization 172.16.1.254 shared-key cipher huawei@123 //Configure the primary RADIUS authorization server. In V200R021C00 and later versions, you must run the radius-server authorization server-source command to configure an IPv4 address for receiving and responding to request packets of a RADIUS authorization server so that the function of the RADIUS authorization server can take effect.
[AC_1] radius-server authorization 172.16.1.253 shared-key cipher huawei@123 //Configure the secondary RADIUS authorization server. In V200R021C00 and later versions, you must run the radius-server authorization server-source command to configure an IPv4 address for receiving and responding to request packets of a RADIUS authorization server so that the function of the RADIUS authorization server can take effect.
# Configure a global source IP address on AC_1 and AC_2 for communicating with the RADIUS server.
[AC_1] radius-server source ip-address 10.128.1.1
[AC_2] radius-server source ip-address 10.128.1.1
# Create AAA scheme radius_huawei and set the authentication mode to RADIUS.
[AC_1] aaa
[AC_1-aaa] authentication-scheme radius_huawei
[AC_1-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to RADIUS.
[AC_1-aaa-authen-radius_huawei] quit
[AC_1-aaa] accounting-scheme radius_huawei
[AC_1-aaa-accounting-radius_huawei] accounting-mode radius //Set the accounting mode to RADIUS.
[AC_1-aaa-accounting-radius_huawei] accounting realtime 15 //Enable real-time accounting and set the interval for real-time accounting to 15 minutes. The accounting function is not actually used to charge fees, but to record RADIUS logs of users when the AC is interconnected with the Agile Controller-Campus.
[AC_1-aaa-accounting-radius_huawei] quit
[AC_1-aaa] quit
A shorter real-time accounting interval requires higher performance of network devices and the RADIUS server. Set a real-time accounting interval based on the user quantity. Table 4-142 lists the recommended real-time accounting intervals for different user quantities.
- Configure a URL template and set the redirection URL for the Portal server. Specify parameters in the URL, which include the SSID with which users associate and the original URL that users access.
[AC_1] url-template name huawei1 //Configure a URL template for the primary Portal server.
[AC_1-url-template-huawei1] url http://172.16.1.254:8080/portal //The URL's format is related to the authentication server connected to the AC and is not fixed.
[AC_1-url-template-huawei1] url-parameter ssid ssid redirect-url url
[AC_1-url-template-huawei1] quit
[AC_1] url-template name huawei2 //Configure a URL template for the secondary Portal server.
[AC_1-url-template-huawei2] url http://172.16.1.253:8080/portal //The URL's format is related to the authentication server connected to the AC and is not fixed.
[AC_1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC_1-url-template-huawei2] quit
- Configure a Portal server template.
[AC_1] web-auth-server huawei1
[AC_1-web-auth-server-huawei1] server-ip 172.16.1.254 //Configure an IP address for the primary Portal server.
[AC_1-web-auth-server-huawei1] shared-key cipher huawei@123 //Configure a shared key.
[AC_1-web-auth-server-huawei1] port 50200 //Configure a port number for the Portal server.
[AC_1-web-auth-server-huawei1] url-template huawei1
[AC_1-web-auth-server-huawei1] server-detect interval 100 max-times 5 action log //Enable the Portal server detection function.
[AC_1-web-auth-server-huawei1] quit
[AC_1] web-auth-server huawei2
[AC_1-web-auth-server-huawei2] server-ip 172.16.1.253 //Configure an IP address for the secondary Portal server.
[AC_1-web-auth-server-huawei2] shared-key cipher huawei@123 //Configure a shared key.
[AC_1-web-auth-server-huawei2] port 50200 //Configure a port number for the Portal server.
[AC_1-web-auth-server-huawei2] url-template huawei2
[AC_1-web-auth-server-huawei2] server-detect interval 100 max-times 5 action log //Enable the Portal server detection function.
[AC_1-web-auth-server-huawei2] quit
- Configure a global source IP address on AC_1 and AC_2 for communicating with the Portal server.
[AC_1] web-auth-server source-ip 10.128.1.1
[AC_2] web-auth-server source-ip 10.128.1.1
- Configure routes from AC_1 and AC_2 to the Portal server with VLANIF 800 on the S12700 as the next hop.
[AC_1] ip route-static 0.0.0.0 0.0.0.0 10.128.1.254
[AC_2] ip route-static 0.0.0.0 0.0.0.0 10.128.1.254
- Configure WLAN services on the ACs to meet the indoor wireless access requirements of transportation hubs.
- Create VLAN description on AC_1 and AC_2.
[AC_1] vlan 730
[AC_1-vlan730] description wireless_city_transport_indoor
[AC_1-vlan730] quit
[AC_1] vlan 800
[AC_1-vlan800] description AP-management-vlan
[AC_1-vlan800] quit

[AC_2] vlan 730
[AC_2-vlan730] description wireless_city_transport_indoor
[AC_2-vlan730] quit
[AC_2] vlan 800
[AC_2-vlan800] description AP-management-vlan
[AC_2-vlan800] quit
- Configure WLAN services on AC_1.
# Configure the CAPWAP source IP address.
[AC_1] capwap source ip-address 10.128.1.1 //Set the virtual IP address of the VRRP group to the CAPWAP source IP address.
# Create an AP group on AC_1 and add APs with the same configuration to it. The following example describes how to add AP_1, AP_2, and AP_3 to an AP group.
[AC_1] wlan
[AC_1-wlan-view] ap-group name transport_indoor
[AC_1-wlan-ap-group-transport_indoor] quit
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 1 ap-mac 845b-1275-5ee0
[AC_1-wlan-ap-1] ap-group transport_indoor
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-1] ap-name AP_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-1] quit
[AC_1-wlan-view] ap-id 2 ap-mac d0d0-4b22-df00
[AC_1-wlan-ap-2] ap-group transport_indoor
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-2] ap-name AP_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-2] quit
[AC_1-wlan-view] ap-id 3 ap-mac 9404-9cd8-ca00
[AC_1-wlan-ap-3] ap-group transport_indoor
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-3] ap-name AP_3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-3] quit
[AC_1-wlan-view] quit
# Create other AP groups as required.
# Create MAC access profile wireless_city.
[AC_1] mac-access-profile name wireless_city
[AC_1-mac-access-profile-wireless_city] quit
# Create Portal access profile wireless_city.
[AC_1] portal-access-profile name wireless_city
[AC_1-portal-access-profile-wireless_city] web-auth-server huawei1 huawei2 direct
[AC_1-portal-access-profile-wireless_city] quit
# Create an authentication-free rule template.
[AC_1] free-rule-template name wireless_city
[AC_1-free-rule-wireless_city] free-rule 1 destination ip 172.16.1.250 mask 32 //Set the IP address of the DNS server to 172.16.1.250.
[AC_1-free-rule-wireless_city] quit
# Create authentication profile authen-pro_wireless_city.
[AC_1] authentication-profile name authen-pro_wireless_city
[AC_1-authentication-profile-authen-pro_wireless_city] mac-access-profile wireless_city
[AC_1-authentication-profile-authen-pro_wireless_city] portal-access-profile wireless_city
[AC_1-authentication-profile-authen-pro_wireless_city] free-rule-template wireless_city
[AC_1-authentication-profile-authen-pro_wireless_city] authentication-scheme radius_huawei
[AC_1-authentication-profile-authen-pro_wireless_city] accounting-scheme radius_huawei
[AC_1-authentication-profile-authen-pro_wireless_city] radius-server radius_huawei
[AC_1-authentication-profile-authen-pro_wireless_city] quit
# Create a security profile and configure a security policy. Set the security policy to open system authentication.
[AC_1] wlan
[AC_1-wlan-view] security-profile name wireless_city
[AC_1-wlan-sec-prof-wireless_city] security open
[AC_1-wlan-sec-prof-wireless_city] quit
# Create an SSID profile and configure an SSID in it.
[AC_1-wlan-view] ssid-profile name wireless_city
[AC_1-wlan-ssid-prof-wireless_city] ssid wireless_city
[AC_1-wlan-ssid-prof-wireless_city] association-timeout 1 //Set the STA association timeout period to 1 minute.
[AC_1-wlan-ssid-prof-wireless_city] quit
# Create traffic profile transport_indoor. Configure user isolation and set the STA rate limit to 2 Mbit/s (2048 kbit/s) in the profile.
[AC_1-wlan-view] traffic-profile name transport_indoor
[AC_1-wlan-traffic-prof-transport_indoor] user-isolate all
[AC_1-wlan-traffic-prof-transport_indoor] rate-limit client up 2048
[AC_1-wlan-traffic-prof-transport_indoor] rate-limit client down 2048
[AC_1-wlan-traffic-prof-transport_indoor] quit
# Enable automatic radio calibration. Set the calibration policies to load, noise-floor, non-wifi, and rogue-ap, and set the radio calibration sensitivity to high.
[AC_1-wlan-view] calibrate enable auto interval 1440 start-time 03:00:00 //Set the radio calibration mode to auto.
[AC_1-wlan-view] calibrate policy load //Set the radio calibration policy to load.
[AC_1-wlan-view] calibrate policy noise-floor //Set the radio calibration policy to noise floor.
[AC_1-wlan-view] calibrate policy non-wifi //Set the radio calibration policy to non-Wi-Fi.
[AC_1-wlan-view] calibrate policy rogue-ap //Set the radio calibration policy to rogue AP.
[AC_1-wlan-view] calibrate sensitivity high //Set the radio calibration sensitivity to high.
# Create an RRM profile on AC_1. In indoor scenarios, the configuration is as follows:
[AC_1-wlan-view] rrm-profile name transport_indoor
[AC_1-wlan-rrm-prof-transport_indoor] undo smart-roam disable //Enable smart roaming.
[AC_1-wlan-rrm-prof-transport_indoor] smart-roam roam-threshold snr 25 //Set the SNR-based threshold for smart roaming.
[AC_1-wlan-rrm-prof-transport_indoor] quit
# In outdoor scenarios, the function of disconnecting STAs is generally configured in an RRM profile.
[AC_1-wlan-view] rrm-profile name transport_indoor
[AC_1-wlan-rrm-prof-transport_indoor] undo smart-roam quick-kickoff-threshold disable //Enable the function of quickly disconnecting STAs.
[AC_1-wlan-rrm-prof-transport_indoor] smart-roam quick-kickoff-threshold snr 20 //Set the SNR-based threshold for quickly disconnecting STAs.
[AC_1-wlan-rrm-prof-transport_indoor] quit
# Create a VAP profile. Configure the data forwarding mode and service VLANs in the profile. Bind the security profile, SSID profile, traffic profile, and authentication profile to the VAP profile.
[AC_1-wlan-view] vap-profile name transport_indoor
[AC_1-wlan-vap-prof-transport_indoor] forward-mode direct-forward
[AC_1-wlan-vap-prof-transport_indoor] service-vlan vlan-pool sta-pool
[AC_1-wlan-vap-prof-transport_indoor] security-profile wireless_city
[AC_1-wlan-vap-prof-transport_indoor] ssid-profile wireless_city
[AC_1-wlan-vap-prof-transport_indoor] traffic-profile transport_indoor
[AC_1-wlan-vap-prof-transport_indoor] authentication-profile authen-pro_wireless_city
[AC_1-wlan-vap-prof-transport_indoor] quit
# Create radio profiles.
[AC_1-wlan-view] radio-2g-profile name 2G_transport_indoor
[AC_1-wlan-radio-2g-prof-2G_transport_indoor] rrm-profile transport_indoor
[AC_1-wlan-radio-2g-prof-2G_transport_indoor] quit
[AC_1-wlan-view] radio-5g-profile name 5G_transport_indoor
[AC_1-wlan-radio-5g-prof-5G_transport_indoor] rrm-profile transport_indoor
[AC_1-wlan-radio-5g-prof-5G_transport_indoor] quit
# Bind a VAP profile to an AP group and apply the VAP profile configuration to radios 0 and 1 of the AP.
[AC_1-wlan-view] ap-group name transport_indoor
[AC_1-wlan-ap-group-transport_indoor] vap-profile transport_indoor wlan 1 radio all
[AC_1-wlan-ap-group-transport_indoor] radio 0
[AC_1-wlan-group-radio-transport_indoor/0] radio-2g-profile 2G_transport_indoor
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-transport_indoor/0] quit
[AC_1-wlan-ap-group-transport_indoor] radio 1
[AC_1-wlan-group-radio-transport_indoor/1] radio-5g-profile 5G_transport_indoor
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC_1-wlan-group-radio-transport_indoor/1] quit
[AC_1-wlan-ap-group-transport_indoor] quit
[AC_1-wlan-view] quit
- Configure private WLAN service parameters on AC_2.
# Configure the source address of AC_2.
[AC_2] capwap source ip-address 10.128.1.1
- Configure the wireless configuration synchronization function in VRRP HSB scenarios.
# Configure the wireless configuration synchronization function on AC_1.
[AC_1] wlan
[AC_1-wlan-view] master controller
[AC_1-master-controller] master-redundancy peer-ip ip-address 10.128.1.3 local-ip ip-address 10.128.1.2 psk huawei@123
[AC_1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 800
[AC_1-master-controller] quit
[AC_1-wlan-view] quit
# Configure the wireless configuration synchronization function on AC_2.
[AC_2] wlan
[AC_2-wlan-view] master controller
[AC_2-master-controller] master-redundancy peer-ip ip-address 10.128.1.2 local-ip ip-address 10.128.1.3 psk huawei@123
[AC_2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 800
[AC_2-master-controller] quit
[AC_2-wlan-view] quit
- Trigger wireless configuration synchronization manually.
# When two ACs set up a configuration synchronization channel for the first time, run the display sync-configuration status command to check the status of wireless configuration synchronization. If Status displays cfg-mismatch, enable the master AC to synchronize configurations to the backup master AC. The backup master AC automatically restarts when configuration synchronization is complete. After the first successful synchronization, the master AC will automatically synchronize different configurations to the backup master AC.
[AC_1] display sync-configuration status
Controller role:Master/Backup/Local
-------------------------------------------------------------------------------------------------
Controller IP    Role    Device Type    Version        Status                             Last synced
-------------------------------------------------------------------------------------------------
10.128.1.3       Backup  ACU2           V200R010C00    cfg-mismatch(config check fail)    -
-------------------------------------------------------------------------------------------------
Total: 1
[AC_1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y
- Add a test user account on the Agile Controller-Campus.
- Choose Resource > User > User Management, and click Add to add a test user account.
- Configure account information and click OK.
- Add an AC to the Service Manager of the Agile Controller-Campus, and configure parameters to ensure that the Agile Controller-Campus can communicate with the AC.
- Choose Resource > Device > Device Management and click Add to add an AC.
| Parameter | Description |
| --- | --- |
| IP address | Enter the virtual IP address of VLANIF 800, that is, 10.128.1.1. |
| Authentication/Accounting key | Enter the same key as that configured using the radius-server shared-key cipher huawei@123 command in the RADIUS server template. |
| Authorization key | Enter the same key as that configured using the radius-server authorization 172.16.1.254 shared-key cipher huawei@123 command in the RADIUS authorization server template. |
| Real-time accounting interval | Enter the same interval as that configured using the accounting realtime 15 command. |
| Port | Enter the listening port number of the Portal server (default: 2000). |
| Portal key | Enter the same key as that configured using the shared-key cipher huawei@123 command in the Portal server template. |
| Access terminal IP list | Enter the IP address pool for STAs. |
| Enable heartbeat between access device and Portal server | An access device is automatically connected to the secondary Portal server when detecting that the primary Portal server is unavailable. The Portal server can send heartbeat packets and synchronize user information to the access device, and the access device can periodically detect heartbeat packets sent by the Portal server to determine the Portal server's state and synchronize user information to the Portal server only when the following conditions are met: 1. Enable heartbeat between access device and Portal server is selected. 2. The Portal server's IP address is entered in the Portal server IP list text box. |
| Portal server IP list | |
- Enable MAC address-prioritized Portal authentication on the Agile Controller-Campus.
# Choose System > Terminal Configuration > Global Parameters.
# On the Configure MAC Address-Prioritized Portal Authentication tab page, set MAC address-prioritized Portal Authentication to Enable, set Validity period of MAC address to 120, and click OK.
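An added example, not part of the original procedure: a Python pre-deployment audit of the key-bearing commands in this section (RADIUS template, RADIUS authorization servers, Portal server template, master-redundancy PSK), reporting a key copied from documentation, one key shared across roles, and an HTTP Portal URL combined with `security open`. Both command scripts are constructed; the role names, function names, placeholder keys and the HTTPS URL in the second script are assumptions.

```python
import re

# Keys that appear in published documentation; "huawei@123" is the one on this page.
SAMPLE_KEYS = {"huawei@123"}

# Constructed input: key-bearing commands as entered on this page, without CLI prompts.
AS_DOCUMENTED = """
radius-server template radius_huawei
 radius-server shared-key cipher huawei@123
radius-server authorization 172.16.1.254 shared-key cipher huawei@123
radius-server authorization 172.16.1.253 shared-key cipher huawei@123
url-template name huawei1
 url http://172.16.1.254:8080/portal
web-auth-server huawei1
 shared-key cipher huawei@123
wlan
 security-profile name wireless_city
  security open
 master controller
  master-redundancy peer-ip ip-address 10.128.1.3 local-ip ip-address 10.128.1.2 psk huawei@123
"""

# Constructed counterpart: one placeholder key per role and an HTTPS Portal URL
# (assumes the Portal server offers an HTTPS listener; host and port are made up).
PER_ROLE_KEYS = """
radius-server template radius_huawei
 radius-server shared-key cipher <radius-key>
radius-server authorization 172.16.1.254 shared-key cipher <authorization-key>
radius-server authorization 172.16.1.253 shared-key cipher <authorization-key>
url-template name huawei1
 url https://172.16.1.254:8443/portal
web-auth-server huawei1
 shared-key cipher <portal-key>
wlan
 security-profile name wireless_city
  security open
 master controller
  master-redundancy peer-ip ip-address 10.128.1.3 local-ip ip-address 10.128.1.2 psk <sync-psk>
"""

KEY_RE = re.compile(r"(?:shared-key cipher|psk) (\S+)")


def extract_keys(script):
    """Return (role, key) pairs; the role comes from the command or its parent view."""
    keys, section = [], ""
    for raw in script.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = raw.split()[0]          # top-level command opens a new view
        line = raw.strip()
        m = KEY_RE.search(line)
        if not m:
            continue
        if line.startswith("radius-server authorization"):
            role = "radius-authorization"
        elif line.startswith("master-redundancy"):
            role = "ac-sync-psk"
        elif section == "web-auth-server":
            role = "portal"
        elif section == "radius-server":
            role = "radius-auth-acct"
        else:
            role = "unknown"
        keys.append((role, m[1]))
    return keys


def audit(script):
    """Return (finding, detail) tuples; key values are never echoed into findings."""
    findings, roles_by_key = [], {}
    for role, key in extract_keys(script):
        roles_by_key.setdefault(key, set()).add(role)
    for key, roles in roles_by_key.items():
        if key in SAMPLE_KEYS:
            findings.append(("sample-key", sorted(roles)))
        if len(roles) > 1:
            findings.append(("key-reuse", sorted(roles)))
    lines = [l.strip() for l in script.splitlines()]
    http_urls = [l.split()[1] for l in lines if l.startswith("url http://")]
    if "security open" in lines and http_urls:
        # Open SSID plus HTTP portal: the login page travels unencrypted end to end.
        findings.append(("cleartext-portal", http_urls))
    return findings


if __name__ == "__main__":
    for name, script in (("as documented", AS_DOCUMENTED), ("per-role keys", PER_ROLE_KEYS)):
        print(name, audit(script) or "no findings")
```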
Configuring the S12700 Core Switches
- Configure a CSS for core switches to ensure their reliability.
For details on CSS setup, search for Switch Stack & SVF Assistant at https://e.huawei.com.
- Add S12700 interfaces connected to aggregation switches to VLAN 800 and VLAN 730, and interfaces connected to AC_1 and AC_2 to VLAN 800 and VLAN 810.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] vlan batch 730 800 810 820
[CSS] interface eth-trunk 1
[CSS-Eth-Trunk1] description Connect to S5700_Eth-Trunk1
[CSS-Eth-Trunk1] port link-type trunk
[CSS-Eth-Trunk1] port trunk allow-pass vlan 730 800
[CSS-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk1] quit
[CSS] interface gigabitethernet 1/1/0/13
[CSS-GigabitEthernet1/1/0/13] eth-trunk 1
[CSS-GigabitEthernet1/1/0/13] quit
[CSS] interface gigabitethernet 2/1/0/14
[CSS-GigabitEthernet2/1/0/14] eth-trunk 1
[CSS-GigabitEthernet2/1/0/14] quit
[CSS] interface eth-trunk 2
[CSS-Eth-Trunk2] description Connect to AC_1_Eth-Trunk
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] port trunk allow-pass vlan 800 810
[CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk2] quit
[CSS] interface xgigabitethernet 1/1/0/1
[CSS-XGigabitEthernet1/1/0/1] eth-trunk 2
[CSS-XGigabitEthernet1/1/0/1] quit
[CSS] interface xgigabitethernet 1/1/0/2
[CSS-XGigabitEthernet1/1/0/2] eth-trunk 2
[CSS-XGigabitEthernet1/1/0/2] quit
[CSS] interface eth-trunk 3
[CSS-Eth-Trunk3] description Connect to AC_2_Eth-Trunk
[CSS-Eth-Trunk3] port link-type trunk
[CSS-Eth-Trunk3] port trunk allow-pass vlan 800 810
[CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk3] quit
[CSS] interface xgigabitethernet 2/1/0/1
[CSS-XGigabitEthernet2/1/0/1] eth-trunk 3
[CSS-XGigabitEthernet2/1/0/1] quit
[CSS] interface xgigabitethernet 2/1/0/2
[CSS-XGigabitEthernet2/1/0/2] eth-trunk 3
[CSS-XGigabitEthernet2/1/0/2] quit
- Configure the S12700 as a DHCP server to assign IP addresses to APs and configure an external DHCP server to assign IP addresses to STAs.
# Configure the S12700 as a DHCP server to assign IP addresses to APs.
[CSS] dhcp enable
[CSS] interface vlanif 800
[CSS-Vlanif800] ip address 10.128.1.254 255.255.255.0
[CSS-Vlanif800] dhcp select global //Enable the interface to use a global address pool.
[CSS-Vlanif800] quit
[CSS] ip pool AP //Create a global address pool.
[CSS-ip-pool-AP] network 172.19.1.0 mask 24 //Configure an assignable network segment for the global address pool.
[CSS-ip-pool-AP] gateway-list 172.19.1.1 //Configure the aggregation switch S5700 as the egress gateway for DHCP clients.
[CSS-ip-pool-AP] option 43 sub-option 3 ascii 10.128.1.1 //Specify the AC IP address for APs.
[CSS-ip-pool-AP] quit
# Configure the S12700 as a DHCP relay agent.
[CSS] interface vlanif 730
[CSS-Vlanif730] ip address 10.173.1.1 255.255.252.0
[CSS-Vlanif730] dhcp select relay
[CSS-Vlanif730] dhcp relay server-ip 172.16.1.252 //Set the IP address of the external DHCP server to 172.16.1.252.
[CSS-Vlanif730] quit
# Configure a static route from the S12700 to an AP with the S5700's VLANIF 800 as the next hop.
[CSS] ip route-static 172.19.1.0 24 10.128.1.253
- Create VLANIF 820 on the S12700 for communicating with the Agile Controller-Campus server, and configure an IP address for it. Add GE2/1/0/20 and GE2/1/0/21 on the S12700 connected to the Agile Controller-Campus server to VLAN 820.
[CSS] interface vlanif 820
[CSS-Vlanif820] ip address 172.16.1.1 255.255.255.0
[CSS-Vlanif820] quit
[CSS] interface gigabitethernet 2/1/0/20
[CSS-GigabitEthernet2/1/0/20] description Connect to Server
[CSS-GigabitEthernet2/1/0/20] port link-type trunk
[CSS-GigabitEthernet2/1/0/20] port trunk allow-pass vlan 820
[CSS-GigabitEthernet2/1/0/20] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/20] quit
[CSS] interface gigabitethernet 2/1/0/21
[CSS-GigabitEthernet2/1/0/21] description Connect to Backup_Server
[CSS-GigabitEthernet2/1/0/21] port link-type trunk
[CSS-GigabitEthernet2/1/0/21] port trunk allow-pass vlan 820
[CSS-GigabitEthernet2/1/0/21] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/21] quit
Configuring the S5700 Aggregation Switches
- Add GE0/0/1 on the S5700 connected to the PON to VLAN 900 and VLAN 730, and GE0/0/23 connected to S12700_A and GE0/0/24 connected to S12700_B to VLAN 800 and VLAN 730.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 730 800 900
[S5700] interface eth-trunk 1
[S5700-Eth-Trunk1] description Connect to S12700_Eth-Trunk1
[S5700-Eth-Trunk1] port link-type trunk
[S5700-Eth-Trunk1] port trunk allow-pass vlan 730 800
[S5700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5700-Eth-Trunk1] quit
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] description Connect to PON
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 730 900
[S5700-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/23
[S5700-GigabitEthernet0/0/23] eth-trunk 1
[S5700-GigabitEthernet0/0/23] quit
[S5700] interface gigabitethernet 0/0/24
[S5700-GigabitEthernet0/0/24] eth-trunk 1
[S5700-GigabitEthernet0/0/24] quit
[S5700] interface vlanif 800
[S5700-Vlanif800] ip address 10.128.1.253 255.255.255.0
[S5700-Vlanif800] quit
- Configure the S5700 as a DHCP relay.
[S5700] dhcp enable
[S5700] interface vlanif 900
[S5700-Vlanif900] ip address 172.19.1.1 255.255.255.0
[S5700-Vlanif900] dhcp select relay
[S5700-Vlanif900] dhcp relay server-ip 10.128.1.254 //Configure a DHCP server IP address on the interface enabled with DHCP relay.
[S5700-Vlanif900] quit
Configuring the S5700 PoE Switches
- Configure S5700_A so that the APs can communicate with the ACs.
<HUAWEI> system-view
[HUAWEI] sysname S5700_A
[S5700_A] vlan batch 730 900
[S5700_A] interface gigabitethernet 0/0/1
[S5700_A-GigabitEthernet0/0/1] description Connect to AP_1
[S5700_A-GigabitEthernet0/0/1] port link-type trunk
[S5700_A-GigabitEthernet0/0/1] port trunk pvid vlan 900
[S5700_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 730 900
[S5700_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/1] port-isolate enable
[S5700_A-GigabitEthernet0/0/1] quit
[S5700_A] interface gigabitethernet 0/0/2
[S5700_A-GigabitEthernet0/0/2] description Connect to AP_2
[S5700_A-GigabitEthernet0/0/2] port link-type trunk
[S5700_A-GigabitEthernet0/0/2] port trunk pvid vlan 900
[S5700_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 730 900
[S5700_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/2] port-isolate enable
[S5700_A-GigabitEthernet0/0/2] quit
[S5700_A] interface gigabitethernet 0/0/3
[S5700_A-GigabitEthernet0/0/3] description Connect to AP_3
[S5700_A-GigabitEthernet0/0/3] port link-type trunk
[S5700_A-GigabitEthernet0/0/3] port trunk pvid vlan 900
[S5700_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 730 900
[S5700_A-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/3] port-isolate enable
[S5700_A-GigabitEthernet0/0/3] quit
[S5700_A] interface gigabitethernet 0/0/24
[S5700_A-GigabitEthernet0/0/24] description Connect to PON
[S5700_A-GigabitEthernet0/0/24] port link-type trunk
[S5700_A-GigabitEthernet0/0/24] port trunk allow-pass vlan 730 900
[S5700_A-GigabitEthernet0/0/24] undo port trunk allow-pass vlan 1
[S5700_A-GigabitEthernet0/0/24] quit
- Configure multicast packet suppression. Configure a traffic policy on the interfaces of access switches connected to APs to control the transmission rate of multicast packets.
# Create traffic classifier wireless_city and define a matching rule for traffic classification.
[S5700_A] traffic classifier wireless_city
[S5700_A-classifier-wireless_city] if-match destination-mac 0100-5e00-0000 ffff-ff00-0000 //Define a matching rule in the traffic classifier based on the destination MAC address of multicast packets.
[S5700_A-classifier-wireless_city] quit
# Create traffic behavior wireless_city, enable statistics collection, and configure the traffic rate limit.
[S5700_A] traffic behavior wireless_city
[S5700_A-behavior-wireless_city] statistic enable
[S5700_A-behavior-wireless_city] car cir 100 //Set the traffic rate limit to 100 kbit/s. If multicast services are transmitted, it is recommended that the traffic rate be limited based on the actual service traffic.
[S5700_A-behavior-wireless_city] quit
# Create traffic policy wireless_city, and bind the traffic classifier and traffic behavior to the traffic policy.
[S5700_A] traffic policy wireless_city
[S5700_A-trafficpolicy-wireless_city] classifier wireless_city behavior wireless_city
[S5700_A-trafficpolicy-wireless_city] quit
# Apply the traffic policy to the inbound and outbound interfaces.
[S5700_A] interface gigabitethernet 0/0/1
[S5700_A-GigabitEthernet0/0/1] traffic-policy wireless_city inbound
[S5700_A-GigabitEthernet0/0/1] traffic-policy wireless_city outbound
[S5700_A-GigabitEthernet0/0/1] quit
[S5700_A] interface gigabitethernet 0/0/2
[S5700_A-GigabitEthernet0/0/2] traffic-policy wireless_city inbound
[S5700_A-GigabitEthernet0/0/2] traffic-policy wireless_city outbound
[S5700_A-GigabitEthernet0/0/2] quit
[S5700_A] interface gigabitethernet 0/0/3
[S5700_A-GigabitEthernet0/0/3] traffic-policy wireless_city inbound
[S5700_A-GigabitEthernet0/0/3] traffic-policy wireless_city outbound
[S5700_A-GigabitEthernet0/0/3] quit
Configuring the OLT and ONU
- Add Gpon0/2/1 on the OLT connected to the S5700 to VLAN 900 and VLAN 730.
huawei(config)#service-port vlan 900 gpon 0/2/1 ont 1 gemport 12 multi-service user-vlan 900
huawei(config)#service-port vlan 730 gpon 0/2/1 ont 1 gemport 12 multi-service user-vlan 730
- Add Eth0/3/1 on the ONU connected to S5700_A to VLAN 900 and VLAN 730.
huawei(config)#service-port vlan 900 eth 0/3/1 multi-service user-vlan untagged
huawei(config)#service-port vlan 730 eth 0/3/1 multi-service user-vlan 730