VAP Profile
Overview
After parameters in a VAP profile are configured, and the VAP profile is bound to an AP group or AP, virtual access points (VAPs) are created on APs. VAPs provide wireless access services for STAs. You can configure parameters in the VAP profile to enable APs to provide different wireless services.
- SSID profile: used to configure SSIDs of WLANs. In the profile, you can also disable access of non-HT STAs and set the association aging time of STAs and delivery traffic indication message (DTIM) interval. For details, see Configuring an SSID Profile in the Configuration - User Access and Authentication Configuration Guide.
- Security profile: used to configure security policies of WLANs, including policies for authentication and encryption of STAs. Security policies include open system authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and WAPI-certificate. For details, see Security Policy Configuration in the Configuration - WLAN Security Configuration Guide.
- Traffic profile: used to configure priority mapping and traffic policing functions of WLANs. After the WMM function is enabled on the STA and AP, the priority mapping function allows you to configure methods for mapping upstream priorities of packets, upstream tunnel priorities, and downstream priorities. The traffic policing function limits packet sending rates of wireless STAs. For details, see Configuring Priority Mapping and Configuring Traffic Policing in the Configuration - QoS Configuration Guide.
- Attack defense profile: used to configure various security functions such as URL filtering, antivirus, and intrusion prevention. For details, see Configuring URL Filtering Profile, Configuring Intrusion Prevention, and Configuring Antivirus in the Configuration - WLAN Security Configuration Guide.
- User profile: used to reference a QoS CAR profile. You can bind the user profile that has QoS CAR profile referenced to a VAP profile to limit the rate of a STA using the VAP profile. For details, see Configuring Traffic Policing in the Configuration - QoS Configuration Guide.
- Authentication profile: used to manage network admission control (NAC) configurations. You can bind access profiles (including the 802.1X access profile, MAC access profile, and Portal access profile) to authentication profiles to determine configurations of the access protocols. After the authentication profile configuration is complete, bind it to an interface or VAP profile to authenticate and control access users. For details, see Configuring NAC in the Configuration - User Access and Authentication Configuration Guide.
- Hotspot2.0 profile: used to configure parameters of Hotspot2.0 networks, such as location, operator, and roaming consortium information, so that STAs can identify networks and access proper networks. For details, see Hotspot 2.0 Configuration Guide in the Configuration.
- SAC profile: used to identify and classify application protocols. The SAC feature can use the service awareness technology to detect and identify packets and protocols so that the system can classify applications intelligently and identify key services to provide sufficient bandwidths for them and limit traffic rates of non-critical services, thereby providing refined QoS policy control. For details, see Configuring SAC in the Configuration - QoS Configuration Guide.
- UCC profile: used to configure priorities for Skype4B voice, video, desktop sharing, and file transfer packets. For details, see Configuring Skype4B Traffic Optimization in the Configuration - QoS Configuration Guide.
CLI-based Procedure
For details on how to configure a VAP profile, see "Configuring a VAP" in the Configuration - WLAN Service Configuration Guide.
Web-based Procedure
- Log in to the web platform, and choose or . Click the AP group name or AP ID to access the AP group or AP configuration page.
- Select Display all profiles. Click VAP Configuration, and select an existing profile or create one.
- Access the profile page. For more configurations, click Advanced Configuration. Table 3-2 describes the parameters on this page.
Figure 3-18 VAP Profile
Item | Description |
---|---|
Status | Whether to enable or disable the service mode of a VAP. |
Forwarding mode | |
Direct forwarding for specified packets | Direct forwarding takes effect for service packets that match specified ACL rules. If the packets match no ACL rule, tunnel forwarding still prevails. If no ACL rule is configured, tunnel forwarding works for service packets. |
Direct forwarding for IPv4 packets (ACL) | Select an existing ACL or create an ACL. The ACL number ranges from 3000 to 3031. |
Service VLAN | |
Service VLAN ID | ID of the service VLAN. The value ranges from 1 to 4094. The default value is 1. |
VLAN Pool | VLAN pool used for service VLANs. |
SoftGRE profile | Name of the soft GRE profile bound to the VAP profile. This parameter can be configured only when Forwarding mode is set to SoftGRE. |
VAP type | |
Policy for service holding upon link disconnection | By default, the policy in an AP system profile is inherited. This parameter is applicable only to the direct data forwarding scenario. |
Monitor RADIUS server | Name of a RADIUS server template. This parameter can be configured only when VAP type is set to Service backup. |
AC ID | ID of the Navi AC specified on the local AC. |
WLAN ID | WLAN ID of the Navi AC specified on the local AC. |
mDNS local termination | mDNS packets are terminated on the local AC. |
Disconnect STAs without traffic | If an online STA does not send DHCP Request messages within 5 seconds, the STA IP address matches no device entry, and only uplink traffic exists, this function can forcibly disconnect the STA. By default, this function is enabled. |
Automatically disable VAP | Whether to enable the scheduled VAP auto-off function. By default, this function is disabled. |
Automatic disabling time | Scheduled time during which a VAP is disabled. |
Allowed VLAN | Whether to enable the authorization VLAN verification function. If this function is enabled, you can specify VLANs from which packets are allowed to pass through. The value range is 1 to 4094, in the format of 1,3-5,7. |
Service experience analysis | When the SIP (eSpace) service runs on the WLAN, you can enable this function so that the device reports performance statistics about SIP traffic (such as IP addresses and port numbers of calling and called parties, and call quality data) to CampusInsight. In this manner, CampusInsight can analyze network performance and locate faults. By default, this function is disabled. |
SIP packet port number | - |
Radio | - |
Band steering | Whether to enable the band steering function. This function enables an AP to preferentially steer STAs to the 5 GHz band. This reduces load and interference on the 2.4 GHz band and therefore improves user experience. By default, this function is enabled. |
Roaming | - |
Home agent | Home agent of roaming users. |
Roaming domain ID | ID of the roaming domain. The value ranges from 1 to 4094, and the default value is 1. |
Layer 3 roaming | Whether to enable Layer 3 roaming. By default, this function is enabled. |
SFN | Whether to enable the SFN roaming function. This function can be enabled in scenarios that require high stability but do not pose high throughput requirement, for example, healthcare scenarios. This function enables STAs to freely move within the coverage range of the SFN without service interruption. By default, this function is disabled. |
IP Services | - |
Appending Option 82 | You can configure a device to insert the Option 82 field in a DHCP message to notify the DHCP server of the DHCP client location. |
RID format | Format of the remote-ID in the Option 82 field inserted in DHCP packets sent from a STA. The sum of all Option 82 field lengths cannot exceed 255 bytes. Otherwise, some Option 82 information may be lost. |
CID format | Format of the circuit-ID in the Option 82 field inserted in DHCP packets sent from a STA. The sum of all Option 82 field lengths cannot exceed 255 bytes. Otherwise, some Option 82 information may be lost. |
MAC address format | Format of the AP's MAC address in the Option 82 field. |
Delimiter | Format of the AP's MAC address and SSID in the Option 82 field. |
User-defined | User-defined format in the Option 82 field. The value is a string of 1 to 255 characters. |
Sending mDNS packets over tunnels | By default, this function is disabled. This parameter can be configured only when Forwarding mode is set to Direct. |
Sending DHCP packets over tunnels | By default, this function is disabled. This parameter can be configured only when Forwarding mode is set to Direct. |
ARP probe | Whether to enable the dynamic ARP inspection (DAI) function. This function prevents ARP packets of unauthorized users from accessing the external network through APs, protecting authorized users against interference or spoofing attacks. Additionally, the DAI function protects an AP's CPU from ARP attacks, which, if not prevented, will interrupt some functions on the AP or even crash the AP. By default, this function is disabled. |
IP binding check | Whether to enable the IP binding check function, which prevents source address spoofing attacks. This function checks received IP packets against a binding table to prevent unauthorized packets from passing through an AP, improving network security. By default, this function is disabled. |
IP learning | If a STA associates with an AP that has STA address learning enabled and obtains an IP address, the AP proactively reports the STA IP address to the AC to maintain the STA's IP address and MAC address binding entry. By default, this function is enabled. |
IP address check | Whether to enable the IPv4 address conflict check function. This function does not take effect when tunnel forwarding is configured. |
Strict IP learning | If a STA dynamically obtains an IP address through DHCP, the AP automatically reports the STA IP address to the AC so that the IP and MAC address binding of the STA is correctly maintained. If a STA uses a static IP address, configure the blacklist function to add the STA to the blacklist. By default, this function is disabled. |
Dynamic blacklist of static IPv4 addresses | By default, this function is disabled. |
IP address check through DHCPv6 | Whether to enable the IPv6 address conflict check function. This function does not take effect when tunnel forwarding is configured. By default, this function is disabled. |
Strict IP learning through DHCPv6 | If the STA obtains an IPv6 address through DHCPv6, the AP will automatically report the STA's IP address to the AC to maintain the STA's IP address and MAC address binding entry. If a STA uses a static IP address, configure the blacklist function to add the STA to the blacklist. By default, this function is disabled. |
Dynamic blacklist of static IPv6 addresses | By default, this function is disabled. |
ND trusted port | If a bogus ND server exists at the user side, STAs may be unable to communicate due to obtaining incorrect IPv6 addresses or incorrect network parameters. After the ND trusted port is disabled on an AP, the AP considers the sender of ND OFFER, ACK, and NAK packets as a bogus ND server. The AP discards these packets and reports the server's IPv6 address to the connected AC. By default, this function is disabled. |
Flood Attack Detection | - |
Protocol type | Whether to enable flood attack detection for packets of a specified type. By default, this function is enabled. |
Traffic threshold (pps) | The value range is 1 to 5000. The default value varies depending on the protocol type. |
Adding attackers to the blacklist | By default, this function is disabled. |
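
The 255-byte limit in the RID format and CID format rows follows from the one-byte length field of DHCP Option 82 (RFC 3046). The Python below is an added example, not code from this guide or from the device: it encodes a circuit-ID and a remote-ID as sub-options 1 and 2, counts each sub-option's 2-byte header towards the limit, and parses the result back as a DHCP server or log pipeline would. The function names and the "AP MAC + delimiter + SSID" layout are assumptions.

```python
OPTION_82 = 82          # Relay Agent Information option code (RFC 3046)
SUB_CIRCUIT_ID = 1      # Agent Circuit ID sub-option (CID)
SUB_REMOTE_ID = 2       # Agent Remote ID sub-option (RID)
MAX_OPTION_LEN = 255    # largest value the one-byte option length can hold


def format_ap_mac_ssid(ap_mac: str, ssid: str, delimiter: str = ":") -> str:
    """Hypothetical 'AP MAC + delimiter + SSID' layout; the device's own format may differ."""
    mac = ap_mac.replace("-", "").replace(":", "").lower()
    if len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac):
        raise ValueError(f"not a MAC address: {ap_mac!r}")
    return f"{mac}{delimiter}{ssid}"


def encode_suboption(code: int, value: str) -> bytes:
    """One sub-option: code byte, length byte, then the value."""
    data = value.encode("utf-8")
    if not 1 <= len(data) <= 255:
        raise ValueError("sub-option value must be 1 to 255 bytes")
    return bytes([code, len(data)]) + data


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Encode CID and RID together, refusing a payload that cannot fit in one option."""
    payload = encode_suboption(SUB_CIRCUIT_ID, circuit_id) + encode_suboption(SUB_REMOTE_ID, remote_id)
    if len(payload) > MAX_OPTION_LEN:
        raise ValueError(f"Option 82 payload is {len(payload)} bytes, limit is {MAX_OPTION_LEN}")
    return bytes([OPTION_82, len(payload)]) + payload


def parse_option82(option: bytes) -> dict:
    """Split an encoded option back into {sub-option code: value}."""
    if len(option) < 2 or option[0] != OPTION_82 or option[1] != len(option) - 2:
        raise ValueError("malformed Option 82")
    body, fields, i = option[2:], {}, 0
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated sub-option")
        code, length = body[i], body[i + 1]
        fields[code] = body[i + 2 : i + 2 + length].decode("utf-8")
        i += 2 + length
    return fields
```

Two user-defined strings that are each within the 1 to 255 character range can still be rejected together, which is the case the table warns about.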
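
The IP learning, Strict IP learning, Dynamic blacklist of static IPv4 addresses and IP binding check rows all act on one IP/MAC binding table. The Python below is an added example, a simplified model rather than the device's implementation: it shows which frames pass the binding check once strict learning and the dynamic blacklist are enabled. The class, its method names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class BindingModel:
    strict_learning: bool = False     # models the "Strict IP learning" row
    dynamic_blacklist: bool = False   # models "Dynamic blacklist of static IPv4 addresses"
    bindings: dict = field(default_factory=dict)   # STA MAC -> learned IP
    blacklist: set = field(default_factory=set)    # STA MACs refused service

    def learn(self, sta_mac: str, ip: str, via_dhcp: bool) -> bool:
        """Record a STA address; returns True if a binding entry now exists."""
        mac = sta_mac.lower()
        if self.strict_learning and not via_dhcp:
            # Statically addressed STA: no entry is created under strict learning.
            if self.dynamic_blacklist:
                self.blacklist.add(mac)
            return False
        self.bindings[mac] = ip
        return True

    def check_packet(self, src_mac: str, src_ip: str) -> str:
        """IP binding check: forward only if (MAC, IP) matches a learned entry."""
        mac = src_mac.lower()
        if mac in self.blacklist:
            return "drop: blacklisted STA"
        if self.bindings.get(mac) != src_ip:
            return "drop: no matching binding"
        return "forward"


def run_constructed_scenario() -> list:
    """Constructed traffic: a DHCP STA, a forged source address, and a static STA."""
    ap = BindingModel(strict_learning=True, dynamic_blacklist=True)
    ap.learn("AA:AA:AA:00:00:01", "10.0.0.10", via_dhcp=True)
    ap.learn("AA:AA:AA:00:00:02", "10.0.0.50", via_dhcp=False)
    return [
        ap.check_packet("aa:aa:aa:00:00:01", "10.0.0.10"),  # address matches its binding
        ap.check_packet("aa:aa:aa:00:00:01", "10.0.0.1"),   # source IP differs from binding
        ap.check_packet("aa:aa:aa:00:00:02", "10.0.0.50"),  # static STA, strict learning on
    ]
```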