Solution Design
Network Diagram
The following figure shows the wireless coverage network in the office of an enterprise.
Network Design Analysis
- Device Selection
In this example, two AC6805s are used. For details about AP selection in specific scenarios, see WLAN Network Construction Standard.
This solution meets the following requirements:
- Provide wireless access.
- Provide full and even wireless coverage.
- Deployment Solution
Based on the wired core network, indoor APs are deployed. The ACs are deployed in bypass mode at the core layer.
- Wireless Roaming
Configure the same SSID and security strategy for all APs to realize wireless roaming.
Use MAC address–prioritized Portal authentication to simplify authentication of STAs during roaming. If 802.1X authentication is used, enable the 802.11r roaming function.
- Reliability
Link-level reliability
Inter-chassis and inter-card connections using Eth-Trunk interfaces are deployed between aggregation switches and core switches. This ensures that services keep running if a card or a link fails.
Device-level reliability
To ensure reliability, CSS is established for core switches, and MAD is configured.
To ensure WLAN service reliability, two ACs are deployed and the Virtual Router Redundancy Protocol (VRRP) is configured on the ACs to implement AC hot standby (HSB). One AC functions as the master AC and the other functions as the backup AC. The master AC forwards services and the backup AC is inactive. The master AC periodically sends the backup AC the status information and other information that needs to be backed up. If the master AC becomes faulty, the backup AC takes over services from the master AC, which improves network reliability.
Wireless configuration synchronization
In VRRP HSB mode, WLAN service configurations must be consistent on the master and backup ACs. The wireless configuration synchronization function is enabled to reduce the configuration workload on the backup AC.
- Security
Port isolation is configured on the switch ports directly connected to APs to prevent broadcasting of Layer 2 packets from APs and avoid Layer 2 communication between STAs associated with different APs.
Multicast suppression is configured on the access switch to prevent a large number of multicast packets.
Layer 2 user isolation is configured in a WLAN traffic profile.
In actual deployment, VLAN 1 is not recommended as the service VLAN. Remove all ports from VLAN 1. Do not allow ports to transparently transmit packets of all VLANs; permit transparent transmission only for the VLANs that the actual services require.
It is recommended that the ports connected to terminals or APs be configured as edge ports.
The unused ports should be shut down.
Strict STA IP address learning through DHCP, dynamic ARP inspection, and IPSG are enabled so that IP packets from unauthorized users cannot reach the external network through APs, improving device security.
To ensure that DHCP clients obtain IP addresses only from valid DHCP servers, and to prevent bogus DHCP server attacks, DHCP server DoS attacks, and bogus DHCP packet attacks, you are advised to configure DHCP snooping. If both wired and wireless users exist on the network, do not enable DHCP snooping on the switch interfaces connecting to APs: doing so may cause the number of user binding entries on the switches to exceed the specification. Instead, configure DHCP snooping for wired users based on VLANs and configure DHCP snooping for wireless users in the wireless-side VAP profiles.
If multicast services are planned on the network, the multicast packet suppression function does not need to be configured.
Broadcast suppression is configured for the switch ports by default, and the default threshold is 10%. The value can be changed based on network conditions.
Other security functions are not required for the switch ports directly connected to APs, because they may affect the roaming function of STAs.
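As an added example (not part of this document and not Huawei's own tooling), the Python audit below checks a VRP-style access-switch configuration against the AP-port checklist above: port isolation, edge port, multicast suppression, VLAN 1 removed from the trunk, unused ports shut down, and the 10% broadcast suppression threshold. The sample configuration is constructed and abridged, and the VLAN 1 check assumes a trunk carries VLAN 1 unless it is explicitly removed.

```python
# Constructed, abridged VRP-style access-switch config (sample input, not a real dump).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 description AP-01
 undo port trunk allow-pass vlan 1
 port-isolate enable group 1
 stp edged-port enable
 broadcast-suppression 10
 multicast-suppression 10
#
interface GigabitEthernet0/0/2
 description AP-02
 broadcast-suppression 30
#
interface GigabitEthernet0/0/3
#
"""

def parse_interfaces(text):
    """Map interface name -> its config lines (blocks end at a lone '#')."""
    blocks = {}
    for block in filter(str.strip, text.split("#\n")):
        head, *body = [l.strip() for l in block.strip().splitlines()]
        if head.startswith("interface "):
            blocks[head[len("interface "):]] = body
    return blocks

REQUIRED = {  # config prefix required on an AP-facing port -> finding when absent
    "port-isolate enable": "port isolation missing",
    "stp edged-port enable": "not an edge port",
    "multicast-suppression": "multicast suppression missing",
    "undo port trunk allow-pass vlan 1": "VLAN 1 allowed on trunk",  # assumed VRP default
}

def audit(text, max_bcast=10):
    """Return {interface: [findings]} for AP-facing and unused ports."""
    findings = {}
    for name, lines in parse_interfaces(text).items():
        issues = []
        if not lines:  # no configuration at all: an unused port must be shut down
            issues.append("unused port not shut down")
        elif any(l.startswith("description AP") for l in lines):
            issues += [msg for prefix, msg in REQUIRED.items()
                       if not any(l.startswith(prefix) for l in lines)]
            bcast = [int(l.split()[1]) for l in lines if l.startswith("broadcast-suppression ")]
            if bcast and bcast[0] > max_bcast:
                issues.append(f"broadcast suppression {bcast[0]}% above {max_bcast}%")
        if issues:
            findings[name] = issues
    return findings
```

Ports are recognised as AP-facing by a description starting with "AP"; adapt that convention and the prefixes in REQUIRED to your own naming before running it against a real export.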
- Authentication and Accounting
802.1X authentication and MAC address–prioritized Portal authentication are used. For example, in enterprise scenarios, common guests use MAC address–prioritized Portal authentication to access enterprise home pages. Enterprise employees use employee accounts for network access through 802.1X authentication.
Involved NEs and Software Versions
The following table lists the applicable products and system versions of this solution.
Product | Software Version
---|---
AC6805 | V200R010C00
AP | V200R010C00
S12700 | V200R010C00
S7700 | V200R010C00
S5700 | V200R010C00