Wireless Access Controller (AC and Fit AP) V200R019C00 CLI-based Configuration Guide

VRRP HSB Configuration

Understanding VRRP HSB
Configuring a VRRP Group
Configuring an HSB Service
Configuring an HSB Group
Enabling an HSB Group
Configuring Wireless Configuration Synchronization
Verifying the Wireless Configuration Synchronization Configuration
Example for Configuring VRRP HSB (Tunnel Forwarding)
Example for Configuring VRRP HSB (Direct Forwarding)
Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
Example for Configuring VRRP HSB (CAPWAP Dual-Stack)

Understanding VRRP HSB

Purpose

VRRP hot standby (HSB) ensures high reliability by preventing STA network access from being affected by failures of an AC or CAPWAP links.

Definition

VRRP HSB is implemented through VRRP and HSB. The master and backup ACs are determined through VRRP negotiation. The master AC manages APs and provides services for them. The backup AC receives information synchronized from the master AC and monitors the working status of the master AC. The AC in working state backs up entries to the AC in backup state in real time through HSB. If the working AC fails, the AC in backup state quickly takes over services from the master AC.

Implementation

VRRP HSB is implemented through master/backup negotiation, data backup, active/standby switchover, and active/standby switchback.

Master/backup negotiation

An HSB group is bound to a VRRP group, and the ACs determine the master and backup roles through VRRP negotiation. As shown in Figure 23-4, AC1 and AC2 are added to a VRRP group, and they send VRRP packets carrying priority information through the HSB channel for negotiation. AC1 is the master and AC2 is the backup. That is, AC1 is in working state and AC2 is in backup state.

The master AC sends gratuitous ARP packets to notify devices or hosts that are connected to it of the virtual MAC address, and then starts forwarding packets. In addition, the master AC periodically sends VRRP Advertisement packets to the backup AC to advertise its configuration (such as the priority) and working status. An AP sets up a CAPWAP link with the VRRP virtual IP address. In this case, the AP is managed by the master AC.

VRRP HSB supports only the active/standby networking but not the load balancing networking.

Figure 23-4 Master/backup negotiation

Data backup

An HSB group instructs the service modules of the master AC to synchronize and back up STA entries, CAPWAP link entries, and AP entries to the backup AC through the HSB channel. Synchronization modes include batch, real-time, and periodic backup. For details, see HSB.

Figure 23-5 Data backup

Active/standby switchover

As shown in Figure 23-6, AC1 processes services of all APs and sends session information to AC2 through an HSB channel. AC2 only backs up data but does not process services.

If AC1 or its uplink/downlink is faulty, AC2 switches its working state from backup to working, and AC1 switches from working to backup. AC2 processes all AP services. Because session information has been backed up on AC2, new sessions can be set up and the current session is not interrupted. This improves network reliability.

Figure 23-6 Data flows before and after the switchover

As shown in Figure 23-6, (1) indicates that the downlink of the master AC fails, (2) indicates that the uplink of the master AC fails, and (3) indicates that the master AC fails. The active/standby switchover process varies according to the failure point. The following describes the active/standby switchover processes with different failure points.

Active/standby switchover process after the downlink of the master AC fails:

The VLANIF interface (for example, the VLANIF interface corresponding to the management VLAN) bound to the HSB group is added to the downlink. When the downlink of AC1 fails, the HSB group on AC1 detects that the VLANIF interface is Down and notifies AC2 of the fault through the HSB channel.
After AC2 receives the notification, it instructs its service module to change the AP status to Normal.
The VRRP mechanism will detect a VRRP heartbeat timeout upon a downlink disconnection, and AC2 then becomes the master. In addition, the HSB group also detects the change. After the offset time elapses, AC2 sends a gratuitous ARP packet carrying the virtual MAC address and virtual IP address to update the MAC address entries on the connected hosts or devices. In this way, service traffic is diverted to the new master (AC2), and AC2 changes from backup to working to manage APs.

Active/standby switchover process after the uplink of the master AC fails:

The VRRP association function monitors the status of the uplink or interface. When the uplink of AC1 fails, the VRRP group reduces the priority of AC1 and notifies AC2 of such action.
Upon receiving the notification, AC2 finds that the priority of AC1 is lower than its own priority and then switches to the working state. AC1 knows that AC2 has a higher priority and switches to the backup state. Service traffic is switched to AC2. Note that AC1 and AC2 must both work in preemption mode.

Active/standby switchover process after the master AC fails:

When the master AC fails, the HSB channel is disconnected and the HSB module cannot notify AC2 of the failure. AC2 waits until the HSB channel heartbeat or the VRRP Master_Down_Interval timer times out.
By default, the VRRP timer first expires, when AC2 becomes the master AC. AC2 checks its HSB group status. Because the HSB channel heartbeat does not time out at this time, the HSB group is still in backup state on AC2.
When the HSB channel heartbeat times out, the HSB group of AC2 changes to the independent running state and instructs its service module to change the AP status to Normal. AC2 changes from the backup state to the working state. The active/standby switchover is completed.

If the heartbeat timeout period of the HSB channel is changed to smaller than the VRRP timer timeout period, the HSB group status changes before the VRRP status changes. In this case, the HSB group requests service modules to change the AP status immediately after the VRRP timer expires. The active/standby switchover is completed. Because the heartbeat timeout period of the HSB channel is short, backup data may be lost when a large amount of data needs to be backed up.

Active/standby switchback

When the link of the original master AC (AC1) recovers, an active/standby switchback is triggered after the preemption delay expires. AC1 switches to the working state, and AC2 switches to the backup state. The switchback process is as follows:

After AC1 recovers, the VRRP status of AC1 changes from Initialize to Backup and AC1 listens to VRRP packets. When receiving a VRRP packet from AC2, AC1 starts the preemption delay.
When the VRRP status of AC1 changes from Initialize to Backup, the HSB group detects the status change, and triggers batch data backup to ensure consistent data on AC1 and AC2. The corresponding AP status changes to Standby. Because AC1 is in backup state and AC2 is in working state now, entry information is synchronized only from AC2 to AC1.
After the preemption delay expires, the VRRP status of AC1 changes to master, and AC1 sends a notification to activate its own link. After receiving the VRRP packet, AC2 compares the VRRP priority with its own priority, and changes its own VRRP status to backup.
When detecting that the VRRP status has changed to master, the HSB group on AC1 immediately negotiates with the HSB group on AC2. As a result, AC1 switches back to the working state, and the status of APs on AC1 changes to Normal. AC2 switches back to the backup state, and the status of APs on AC2 changes to Standby. The active/standby switchback is completed.

Application Scenario

VRRP HSB applies to scenarios where high network reliability is required and the master and backup ACs are deployed at the same location. VRRP is a Layer 2 protocol. Therefore, VRRP HSB can be deployed only when the master and backup ACs can communicate with each other at Layer 2.

An enterprise requires high reliability to ensure normal service running, and allows two ACs to be deployed in the same equipment room. VRRP HSB networking is recommended. As shown in Figure 23-7, AC1 and AC2 form a VRRP group, SwitchB and SwitchC form a CSS, and an Eth-Trunk is configured between SwitchB and SwitchA to improve link reliability between the AP and ACs. In addition to VRRP HSB, wireless configuration synchronization is recommended. This function automatically synchronizes public configurations from the master AC to the backup AC, ensuring public configuration consistency on the two ACs and reducing manual configuration workload.

Figure 23-7 VRRP HSB application scenario

Configuring a VRRP Group

Context

A VRRP group can virtualize multiple devices into one gateway and set the next hop address of the default route on the host to the IP address of the virtual gateway to implement gateway backup without changing the networking. After a VRRP group is configured, traffic is forwarded through the master. If the master fails, a new master is selected from the backups to forward traffic. This implements gateway backup.

You can perform the following steps to implement basic configurations of a VRRP group. For other configurations and precautions of a VRRP group, see VRRP Configuration.

When multiple VRRP groups are configured on a device, you are advised to set the same parameters for the VRRP groups to ensure that the VRRP groups have the same status. If the VRRP groups are in different states, services on the VRRP groups that are not bound to HSB will be affected after a master/backup switchover is performed on the VRRP groups that are bound to HSB.

Procedure

Configure an IPv4 VRRP group.
1. Run system-view
  The system view is displayed.
2. Run interface vlanif vlan-id
  The VLANIF interface view is displayed.
3. Run vrrp vrid virtual-router-id virtual-ip virtual-address
  The IPv4 VRRP group is created, and a virtual IP address is configured.
  
  By default, no IPv4 VRRP group is created.
4. Run vrrp vrid virtual-router-id priority priority-value
  The priority of a device in the IPv4 VRRP group is configured.
  
  By default, the priority of a device in the IPv4 VRRP group is 100.
Configure an IPv6 VRRP group.
1. Run system-view
  The system view is displayed.
2. Run ipv6
  The IPv6 function is enabled globally.
3. Run interface vlanif vlan-id
  The VLANIF interface view is displayed.
4. Run ipv6 enable
  The IPv6 service is enabled on the interface.
5. Run vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address [ link-local ]
  An IPv6 VRRP group is created, and a virtual IPv6 address is configured.
  
  By default, no IPv6 VRRP group is configured on a device.
6. Run vrrp6 vrid virtual-router-id priority priority-value
  The priority of a device in an IPv6 VRRP group is configured.
  
  By default, the priority of a device in an IPv6 VRRP group is 100.

Configuring an HSB Service

Context

An HSB service establishes an HSB channel for transmitting packets of other services and maintains the link status by notifying the HSB group of the faulty link.

An HSB service provides the following functions:

Establishing an HSB channel: A TCP channel is established for sending HSB packets by setting the IP addresses and port numbers of the local and peer devices. The HSB service provides packet sending and receiving for other services and notifies link status changes.
Maintaining the link status of the HSB channel: HSB packets are sent and retransmitted to prevent long TCP interruption that is not detected by the protocol stack. If a device does not receive an HSB packet from the peer device within the period (retransmission interval x retransmission times), the local device receives a message indicating the exception and then re-establishes a channel to the peer.

Parameters for the HSB channel must be configured on the local and remote ends at the same time. The source IP address, destination IP address, source port, and destination port of the local end are the destination IP address, source IP address, destination port, and source port of the remote end, respectively. In addition, the IP address protocol stacks of the local and remote ends must be the same and must be IPv4 or IPv6 at the same time.
Parameters of HSB service packets, including the interval and packet retransmission times, must be the same on both ends.
Pay attention to the following points when configuring a shared key:
- Configuring a shared key for HSB service is not recommended in a secure network environment because this configuration will degrade the HSB performance. If the shared key is required, ensure that the same shared key is configured at both ends of the HSB service. Inconsistent keys on both ends will cause frequent interruption of the HSB channel.
- The key command must be configured before the service-ip-port command; otherwise, the key command will fail to be configured.

Procedure

Run system-view
The system view is displayed.
Run hsb-service service-index
An HSB service is created and the HSB service view is displayed.

By default, no HSB service is created.
(Optional) Run key cipher key-string
The key used by the HSB devices is configured.

By default, the key used by HSB devices is not configured.
Run service-ip-port local-ip { local-ipv4-address | local-ipv6-address } peer-ip { peer-ipv4-address | peer-ipv6-address } local-data-port local-port peer-data-port peer-port
The IP address and port number of an HSB channel is configured.

By default, the IP address and port number of an HSB channel are not configured.
(Optional) Run service-keep-alive detect retransmit retransmit-times interval interval-value
The retransmission times and interval of HSB packets are set.

The default number of retransmission times is 5, and the default retransmission interval is 3 seconds.

Configuring an HSB Group

Context

An HSB group instructs service modules to perform batch backup, real-time backup, and status synchronization. Service backup depends on the status negotiation and event notification mechanisms provided by an HSB group to synchronize services between the active and standby devices.

An HSB group synchronizes backup information and responds to link status changes through the HSB channel established by an HSB service. The HSB service needs to be bound to the HSB group so that the HSB group can work properly. In addition, the HSB group must be bound to a VRRP group to negotiate the service status based on the VRRP status. By monitoring the changes in the bound channel status and VRRP status, the HSB group instructs service modules to perform batch backup, real-time backup, and status synchronization.

During the configuration of VRRP HSB, two ACs form a virtual AC, and all the APs connected to the ACs communicate with the virtual AC. Therefore, the source IP address of the ACs must be the virtual IP address of the VRRP group bound to the HSB group. To configure the source IP address of the ACs, run the capwap source command.
If both IPv4 VRRP and IPv6 VRRP groups are configured on the device, an HSB group can have only one of them bound to it.
When multiple VRRP groups are configured on a device, you are advised to set the same parameters for the VRRP groups to ensure that the VRRP groups have the same status. If the VRRP groups are in different states, services on the VRRP groups that are not bound to HSB will be affected after a master/backup switchover is performed on the VRRP groups that are bound to HSB.

Procedure

Run system-view
The system view is displayed.
Run hsb-group group-index
An HSB group is created and the HSB group view is displayed.

By default, no HSB group is created.
Run bind-service service-index
An HSB service is bound to the HSB group.

By default, no HSB service is bound to an HSB group.
Bind an IPv4 VRRP or IPv6 VRRP group to the HSB group.
HSB implements traffic switchover using VRRP or link backup. The following describes how HSB implements traffic switchover using VRRP. To configure the HSB group to work in load balancing mode, you need to configure the HSB group to switch traffic through link backup.
- Run track vrrp vrid virtual-router-id interface interface-type interface-number
  An IPv4 VRRP group is bound to the HSB group.
- Run track vrrp6 vrid virtual-router-id interface interface-type interface-number
  An IPv6 VRRP group is bound to the HSB group.
By default, no VRRP group is bound to an HSB group.
Run quit
The system view is displayed.
(Optional) Bind services to the HSB group.
The HSB group can be bound to different services to provide the backup function, improving service reliability.

Services can be bound to an HSB group only before the HSB group is enabled.
- Bind NAC services to the HSB group.
  
  Run hsb-service-type access-user hsb-group group-index
  
  NAC services are bound to the HSB group.
- Bind DHCP services to the HSB group.
  
  Run hsb-service-type dhcp hsb-group group-index
  
  DHCP services are bound to the HSB group.
- Bind WLAN services to the HSB group.
  
  Run hsb-service-type ap hsb-group group-index
  
  WLAN services are bound to the HSB group.

Enabling an HSB Group

Context

An HSB group takes effect and notifies the service modules of status changes only after the HSB group is enabled.

Procedure

Run system-view
The system view is displayed.
Run hsb-group group-index
The HSB group view is displayed.
Run hsb enable
The HSB group is enabled.

Before APs go online on active and standby ACs, you need to add the APs offline on the two ACs. If you add APs offline on the standby AC but the APs have gone online on the active AC, the status of these APs displays as fault. You need to run the undo hsb enable command in the HSB group view of the standby AC to disable the HSB function and then run the hsb enable command to enable the HSB function so that information on the active AC is backed up to the standby AC. The status of the APs on the standby AC displays as standby.

Configuring Wireless Configuration Synchronization

Context

During wireless configuration synchronization in VRRP HSB scenarios, two ACs are bound to the same VRRP group. VRRP selects the master AC and backup master AC through negotiation, and establishes an inter-AC CAPWAP tunnel using the local and peer IP addresses configured on the ACs. The master AC then synchronizes wireless configurations and data to the backup master AC via the CAPWAP tunnel.

It is recommended that wireless configuration synchronization and VRRP HSB use the same VRRP group. In this way, the active AC becomes the master AC, and public configurations configured on the master AC are automatically synchronized to the backup master AC.

After the master AC and backup master AC are configured, manually trigger wireless configuration synchronization to ensure consistent public configurations on the two ACs. Any subsequent public configurations on the master AC will be automatically synchronized to the backup master AC.

Procedure

Configure wireless configuration synchronization on the master AC and backup master AC to synchronize the IP addresses of the local and peer ACs.
```
system-view
wlan
master controller
master-redundancy peer-ip { ip-address ipv4-address1 | ipv6-address ipv6-address1 } local-ip { ip-address ipv4-address2 | ipv6-address ipv6-address2 } psk psk
```
The parameter psk must be configured the same on the master AC and backup master AC, and the local and peer AC IP addresses configured on the master AC and backup master AC must be opposite.
Enable VRRP to track the status of an interface to negotiate the master AC and backup master AC roles.
```
master-redundancy track-vrrp vrid vrid interface interface-type interface-number
Or master-redundancy track-vrrp6 vrid vrid interface interface-type interface-number
```
Ensure that this configuration is consistent on the master AC and backup master AC. Otherwise, the wireless configuration synchronization function cannot take effect.

Configure scheduled wireless configuration synchronization on the master AC.

undo synchronize-configuration auto disable
synchronize-configuration auto interval interval-value start-time start-time

Manually trigger wireless configuration synchronization on the master AC.
```
synchronize-configuration
```

Verifying the Wireless Configuration Synchronization Configuration

Context

Perform the following operations on the active and standby ACs.

Procedure

Run the display hsb-group group-index command to check HSB group information.
Run the display hsb-service service-index command to check HSB service information.
Run the display vrrp command to check the status and parameters of the VRRP group.
Run the display sync-configuration master-redundancy command to check the wireless configuration synchronization configuration of the AC in VRRP HSB scenarios.
Run the display sync-configuration status command to check the status of the peer AC in wireless configuration synchronization scenarios.
Run the display current-configuration sync command to check the currently effective public configuration parameters.
Run the display sync-configuration fail-record command to check the records of public configuration synchronization failures.
Run the display sync-configuration compare command to check whether the public configurations on the two ACs are the same. You need to run this command only on the master AC.

Example for Configuring VRRP HSB (Tunnel Forwarding)

Service Requirements

An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires that VRRP HSB be used to improve data transmission reliability.

Networking Requirements

AC networking mode: Layer 2 networking in bypass mode
DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs and STAs.
Service data forwarding mode: tunnel forwarding
Switch cluster: A cluster is set up using CSS cards, containing SwitchB and SwitchC at the core layer. SwitchB is the master switch, and SwitchC is the standby switch.

Figure 23-8 Networking diagram for configuring VRRP HSB (tunnel forwarding)

Data Planning

Table 23-9 AC data planning

Item	Data
AC1's source interface	VLANIF 100: 10.23.100.3/24
AC2's source interface	VLANIF 100: 10.23.100.3/24
Virtual IP address of the management VRRP group	10.23.100.3/24
Virtual IP address of the service VRRP group	10.23.101.3/24
VAP profile	Name: wlan-net Forwarding mode: tunnel forwarding Service VLAN: VLAN 101 Referenced profiles: security profile wlan-net and SSID profile wlan-net
AP group	Name: ap-group1 Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile	Name: default Country code: CN
SSID profile	Name: wlan-net SSID name: wlan-net
Security profile	Name: wlan-net Security policy: WPA-WPA2+PSK+AES Password: a1234567
DHCP server	The AC functions as a DHCP server to assign IP addresses to APs and STAs.
Gateway for APs	VLANIF 100: 10.23.100.3/24
IP address pool for APs	10.23.100.4-10.23.100.254/24
Gateway for STAs	VLANIF 101: 10.23.101.3/24
IP address pool for STAs	10.23.101.4-10.23.101.254/24
IP address and port number of the HSB channel for AC1	IP address: 10.23.102.1/24 of VLANIF 102 Port number: 10241
IP address and port number of the HSB channel for AC2	IP address: 10.23.102.2/24 of VLANIF 102 Port number: 10241

Configuration Roadmap

The configuration roadmap is as follows:

Configure a cluster between SwitchB and SwitchC through cluster cards to improve the core layer reliability and configure SwitchB as the master switch.
Configure network connectivity between the AC, APs, and other network devices.
Configure basic WLAN services to ensure that users can connect to the Internet through the WLAN.
Configure a VRRP group on AC1 and AC2. Configure a high priority for AC1 as the active device to forward traffic, and a low priority for AC2 as the standby device.
Configure the hot standby (HSB) function on the ACs so that service information on AC1 is backed up to AC2 in real time or in a batch, ensuring seamless service switchover from the active AC to the standby AC.

During the configuration, check whether loops occur on the wired network. If so, configure MSTP on corresponding NEs.

Configuration Notes

No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
In the VRRP HSB networking, the configurations of the DHCP address pools on the master and backup ACs must be consistent. For example, the ranges of IP addresses that cannot be automatically assigned to clients in the DHCP address pools must be consistent.

Procedure

Establish a cluster using CSS card.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection for SwitchB.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection for SwitchC.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            1            Off          CSS card    100         Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            2            Off          CSS card    10          Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is established successfully.

<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
5     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
7     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU2  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
Chassis 2 (Standby Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
3     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
4     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU1  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
<SwitchB> display css status
CSS Enable switch On                                                            
                                                                                
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
------------------------------------------------------------------------------  
1            On           Master          CSS card    100         Off           
2            On           Standby         CSS card    10          Off

The command output shows the card status and CSS status of both member switches, indicating that the CSS is established successfully.

# Check whether the cluster links are normal.

<SwitchB> display css channel
               Chassis 1               ||             Chassis 2                 
--------------------------------------------------------------------------------
Num      [Port]         [Speed]        ||        [Speed]         [Port]
 1       1/1/0/1        10G                      10G             2/1/0/1      
 2       1/1/0/2        10G                      10G             2/1/0/2      
 3       1/1/0/3        10G                      10G             2/1/0/3      
 4       1/1/0/4        10G                      10G             2/1/0/4      
 5       1/1/0/5        10G                      10G             2/1/0/5      
 6       1/1/0/6        10G                      10G             2/1/0/6      
 7       1/1/0/7        10G                      10G             2/1/0/7      
 8       1/1/0/8        10G                      10G             2/1/0/8      
 9       1/12/0/1       10G                      10G             2/12/0/1      
10       1/12/0/2       10G                      10G             2/12/0/2      
11       1/12/0/3       10G                      10G             2/12/0/3      
12       1/12/0/4       10G                      10G             2/12/0/4      
13       1/12/0/5       10G                      10G             2/12/0/5      
14       1/12/0/6       10G                      10G             2/12/0/6      
15       1/12/0/7       10G                      10G             2/12/0/7      
16       1/12/0/8       10G                      10G             2/12/0/8      
17       1/13/0/1       10G                      10G             2/13/0/1      
18       1/13/0/2       10G                      10G             2/13/0/2      
19       1/13/0/3       10G                      10G             2/13/0/3      
20       1/13/0/4       10G                      10G             2/13/0/4      
21       1/13/0/5       10G                      10G             2/13/0/5      
22       1/13/0/6       10G                      10G             2/13/0/6      
23       1/13/0/7       10G                      10G             2/13/0/7      
24       1/13/0/8       10G                      10G             2/13/0/8      
25       1/14/0/1       10G                      10G             2/14/0/1      
26       1/14/0/2       10G                      10G             2/14/0/2      
27       1/14/0/3       10G                      10G             2/14/0/3      
28       1/14/0/4       10G                      10G             2/14/0/4      
29       1/14/0/5       10G                      10G             2/14/0/5      
30       1/14/0/6       10G                      10G             2/14/0/6      
31       1/14/0/7       10G                      10G             2/14/0/7      
32       1/14/0/8       10G                      10G             2/14/0/8      
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS has been established successfully.

Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 to ensure that APs and ACs can exchange CAPWAP packets.

# On SwitchA, set the PVID of GE0/0/1 connected to the AP to management VLAN 100, add GE0/0/1 to VLAN 100, and add GE0/0/2 connected to SwitchB and GE0/0/3 connected to SwitchC to Eth-Trunk 10.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC both to VLANs 100 and 101.

[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 on AC1 connected to SwitchB to VLANs 100 and 101, and configure IP addresses for VLANIF 100 and VLANIF 101.

<HUAWEI> system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 on AC2 connected to SwitchC to VLANs 100 and 101, and configure IP addresses for VLANIF 100 and VLANIF 101.

<HUAWEI> system-view
[HUAWEI] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Configure the communication between AC1 and AC2.

# Add GE0/0/2 on AC1 connected to AC2 to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 connected to AC1 to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Configure AC1 as a DHCP server to assign IP addresses to APs and STAs. The configurations on AC2 are similar to those on AC1. Exclude the following IP addresses from the interface address pools on the active and standby ACs: 10.23.100.1 and 10.23.101.1 of the active AC; 10.23.100.2 and 10.23.101.2 of the standby AC; and 10.23.100.3 and 10.23.101.3 of the VRRP group.
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
```
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.1 10.23.101.3
[AC1-Vlanif101] quit
```

Configure VRRP HSB on AC1.

# Set the recovery delay of the VRRP group to 30 seconds.

[AC1] vrrp recover-delay 30

# Create a management VRRP group on AC1. Set the VRRP priority of AC1 to 120 and the preemption delay to 1800 seconds.

[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800 seconds.

[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Configure VRRP HSB on AC2.

# Set the recovery delay of the VRRP group to 30 seconds.

[AC2] vrrp recover-delay 30

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0

Configure WLAN services on AC1. The configurations on AC2 are similar to those on AC1. The difference is that when an AP is in normal state on AC1, it is in standby state on AC2.

Configure system parameters for AC1.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information: P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP              Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254   AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Configure WLAN service parameters on AC1.

# Create security profile wlan-net and configure a security policy in the profile.

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual situations, configure the security policy according to service requirements.

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.

[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of APs in the AP group.

[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Enable HSB on AC2.

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Verify the configuration.

# After the configurations are complete, run the display vrrp command on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.

[AC1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1800 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 01:25:55 UTC+08:00
    Last change time : 2005-07-31 02:48:22 UTC+08:00
                                                                                
  Vlanif101 | Virtual Router 2
    State : Master
    Virtual IP : 10.23.101.3
    Master IP : 10.23.101.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 1800 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : member-vrrp
    Backup-forward : disabled
    Create time : 2005-07-30 23:45:50 UTC+08:00
    Last change time : 2005-07-31 02:48:22 UTC+08:00

[AC2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 02:11:07 UTC+08:00
    Last change time : 2005-07-31 03:40:45 UTC+08:00

  Vlanif101 | Virtual Router 2
    State : Backup
    Virtual IP : 10.23.101.3
    Master IP : 0.0.0.0
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : member-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 00:32:33 UTC+08:00
    Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status. The following command output shows that the Service State field displays Connected, indicating that the HSB channel has been established.

[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.1
  Peer IP Address        : 10.23.102.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 2
  Keep Alive Interval    : 1
  Service State          : Connected
  Service Batch Modules  : 
  Shared-key             : -
----------------------------------------------------------

[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.2
  Peer IP Address        : 10.23.102.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 2
  Keep Alive Interval    : 1
  Service State          : Connected
  Service Batch Modules  : 
  Shared-key             : -
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the running status of the HSB group.

[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC2
  Peer Group Software Version : V200R019C00
  Group Backup Modules        : Access-user
                                DHCP
                                AP
----------------------------------------------------------

[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC1
  Peer Group Software Version : V200R019C00
  Group Backup Modules        : Access-user
                                DHCP
                                AP
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs can connect to the WLAN and go online normally.

# Simulate a master AC fault by restarting the master AC to verify the backup configuration. Restart AC1. When an AP detects a fault on the link connected to AC1, AC2 takes the active role, ensuring service stability.

Before restarting the AC, run the save command to save the configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. The AP goes online on AC2. Run the display ap all command on AC2. The command output shows that the AP status changes from standby to normal.

# After AC1 recovers from the restart, an active/standby switchback is triggered. The AP automatically goes online on AC1.

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return

CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#  
interface GigabitEthernet1/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
 eth-trunk 10
#
interface GigabitEthernet2/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
 eth-trunk 10
#
return

AC1 and AC2 have similar configuration files, which are listed in the following table. (Configurations highlighted in bold are the dual-link backup configurations on AC1 and AC2.)

Table 23-10 Configuration files of AC1 and AC2

AC1	AC2
# sysname AC1 # vrrp recover-delay 30 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # interface Vlanif100 ip address 10.23.100.1 255.255.255.0 vrrp vrid 1 virtual-ip 10.23.100.3 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1800 dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif101 ip address 10.23.101.1 255.255.255.0 vrrp vrid 2 virtual-ip 10.23.101.3 vrrp vrid 2 preempt-mode timer delay 1800 vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown dhcp select interface dhcp server excluded-ip-address 10.23.101.1 10.23.101.3 # interface Vlanif102 ip address 10.23.102.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 to 101 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap source ip-address 10.23.100.3 # hsb-service 0 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyroM)KMgcsR}!GUWLa"%G_E.^B%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net forward-mode tunnel service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return	# sysname AC2 # vrrp recover-delay 30 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # interface Vlanif100 ip address 10.23.100.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.23.100.3 admin-vrrp vrid 1 dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif101 ip address 10.23.101.2 255.255.255.0 vrrp vrid 2 virtual-ip 10.23.101.3 vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.101.3 # interface Vlanif102 ip address 10.23.102.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 to 101 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap source ip-address 10.23.100.3 # hsb-service 0 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyroM)KMgcsR}!GUWLa"%G_E.^B%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net forward-mode tunnel service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return

AC1

AC2

#
 sysname AC1
#
vrrp recover-delay 30
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1800
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.23.101.3
 vrrp vrid 2 preempt-mode timer delay 1800
 vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.1 10.23.101.3
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

#
 sysname AC2
#
vrrp recover-delay 30
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.23.101.3
 vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.101.3
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

Example for Configuring VRRP HSB (Direct Forwarding)

Service Requirements

An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires that VRRP HSB be used to improve data transmission reliability.

Networking Requirements

AC networking mode: Layer 2 networking in bypass mode
DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs, and a CSS functions as a DHCP server to assign IP addresses to STAs.
Service data forwarding mode: direct forwarding
Switch cluster: A cluster is set up using CSS cards, containing SwitchB and SwitchC at the core layer. SwitchB is the master switch, and SwitchC is the standby switch.

Figure 23-9 Networking diagram for configuring VRRP HSB (direct forwarding)

Data Planning

Table 23-11 AC data planning

Item	Data
AC1's source interface	VLANIF 100: 10.23.100.3/24
AC2's source interface	VLANIF 100: 10.23.100.3/24
Virtual IP address of the management VRRP group	10.23.100.3/24
VAP profile	Name: wlan-net Forwarding mode: direct forwarding Service VLAN: VLAN 101 Referenced profiles: security profile wlan-net and SSID profile wlan-net
AP group	Name: ap-group1 Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile	Name: default Country code: CN
SSID profile	Name: wlan-net SSID name: wlan-net
Security profile	Name: wlan-net Security policy: WPA-WPA2+PSK+AES Password: a1234567
DHCP server	The AC functions as a DHCP server to assign IP addresses to APs, and a CSS functions as a DHCP server to assign IP addresses to STAs.
Gateway for APs	VLANIF 100: 10.23.100.3/24
IP address pool for APs	10.23.100.4-10.23.100.254/24
Gateway for STAs	VLANIF 101: 10.23.101.1/24
IP address pool for STAs	10.23.101.2-10.23.101.254/24
IP address and port number of the HSB channel for AC1	IP address: 10.23.102.1/24 of VLANIF 102 Port number: 10241
IP address and port number of the HSB channel for AC2	IP address: 10.23.102.2/24 of VLANIF 102 Port number: 10241

Configuration Roadmap

The configuration roadmap is as follows:

Configure a cluster between SwitchB and SwitchC through cluster cards to improve the core layer reliability and configure SwitchB as the master switch.
Configure network connectivity between the AC, APs, and other network devices.
Configure basic WLAN services to ensure that users can connect to the Internet through the WLAN.
Configure a VRRP group on AC1 and AC2. Configure a high priority for AC1 as the active device to forward traffic, and a low priority for AC2 as the standby device.
Configure the hot standby (HSB) function so that service information on AC1 is backed up to AC2 in real time or in a batch, ensuring seamless service switchover from the active AC to the standby AC.

During the configuration, check whether loops occur on the wired network. If so, configure MSTP on corresponding NEs.

Configuration Notes

No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
In the VRRP HSB networking, the configurations of the DHCP address pools on the master and backup ACs must be consistent. For example, the ranges of IP addresses that cannot be automatically assigned to clients in the DHCP address pools must be consistent.

Procedure

Establish a cluster using CSS card.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection for SwitchB.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection for SwitchC.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            1            Off          CSS card    100         Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            2            Off          CSS card    10          Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is established successfully.

<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
5     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
7     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU2  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
Chassis 2 (Standby Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
3     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
4     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU1  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
<SwitchB> display css status
CSS Enable switch On                                                            
                                                                                
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
------------------------------------------------------------------------------  
1            On           Master          CSS card    100         Off           
2            On           Standby         CSS card    10          Off

The command output shows the card status and CSS status of both member switches, indicating that the CSS is established successfully.

# Check whether the cluster links are normal.

<SwitchB> display css channel
               Chassis 1               ||             Chassis 2                 
--------------------------------------------------------------------------------
Num      [Port]         [Speed]        ||        [Speed]         [Port]
 1       1/1/0/1        10G                      10G             2/1/0/1      
 2       1/1/0/2        10G                      10G             2/1/0/2      
 3       1/1/0/3        10G                      10G             2/1/0/3      
 4       1/1/0/4        10G                      10G             2/1/0/4      
 5       1/1/0/5        10G                      10G             2/1/0/5      
 6       1/1/0/6        10G                      10G             2/1/0/6      
 7       1/1/0/7        10G                      10G             2/1/0/7      
 8       1/1/0/8        10G                      10G             2/1/0/8      
 9       1/12/0/1       10G                      10G             2/12/0/1      
10       1/12/0/2       10G                      10G             2/12/0/2      
11       1/12/0/3       10G                      10G             2/12/0/3      
12       1/12/0/4       10G                      10G             2/12/0/4      
13       1/12/0/5       10G                      10G             2/12/0/5      
14       1/12/0/6       10G                      10G             2/12/0/6      
15       1/12/0/7       10G                      10G             2/12/0/7      
16       1/12/0/8       10G                      10G             2/12/0/8      
17       1/13/0/1       10G                      10G             2/13/0/1      
18       1/13/0/2       10G                      10G             2/13/0/2      
19       1/13/0/3       10G                      10G             2/13/0/3      
20       1/13/0/4       10G                      10G             2/13/0/4      
21       1/13/0/5       10G                      10G             2/13/0/5      
22       1/13/0/6       10G                      10G             2/13/0/6      
23       1/13/0/7       10G                      10G             2/13/0/7      
24       1/13/0/8       10G                      10G             2/13/0/8      
25       1/14/0/1       10G                      10G             2/14/0/1      
26       1/14/0/2       10G                      10G             2/14/0/2      
27       1/14/0/3       10G                      10G             2/14/0/3      
28       1/14/0/4       10G                      10G             2/14/0/4      
29       1/14/0/5       10G                      10G             2/14/0/5      
30       1/14/0/6       10G                      10G             2/14/0/6      
31       1/14/0/7       10G                      10G             2/14/0/7      
32       1/14/0/8       10G                      10G             2/14/0/8      
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS has been established successfully.

Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 to ensure that APs and ACs can exchange CAPWAP packets.

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA connected to the AP. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.

# On SwitchA, set the PVID of GE0/0/1 connected to the AP to management VLAN 100, add GE0/0/1 to VLAN 100 amd VLAN 101 (service VLAN), and add GE0/0/2 connected to SwitchB and GE0/0/3 connected to SwitchC to Eth-Trunk 10.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC both to VLAN 100.

[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 on AC1 connected to SwitchB to VLAN 100, and configure an IP address for VLANIF 100.

<HUAWEI> system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit

# Add GE0/0/1 on AC2 connected to SwitchC to VLAN 100, and configure an IP address for VLANIF 100.

<HUAWEI> system-view
[HUAWEI] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit

Configure the communication between AC1 and AC2.

# Add GE0/0/2 on AC1 connected to AC2 to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 connected to AC1 to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Configure a DHCP server.
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
# Configure AC1 as a DHCP server to assign IP addresses to APs and STAs. Exclude the following IP addresses from the interface address pools on the active and standby ACs: 10.23.100.1 of the active AC; 10.23.100.2 of the standby AC; and 10.23.100.3 of the VRRP group.
```
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
```
# The configurations on AC2 are the same as those on AC1.
# Configure the CSS as a DHCP server to assign IP addresses to STAs.
```
[CSS] dhcp enable
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.23.101.1 24
[CSS-Vlanif101] dhcp select interface
[CSS-Vlanif101] quit
```

Configure VRRP HSB on AC1.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1. Set the VRRP priority of AC1 to 120 and the preemption delay to 1800 seconds.

[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Configure VRRP HSB on AC2.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0

Configure WLAN services on AC1. The configurations on AC2 are similar to those on AC1. The difference is that when an AP is in normal state on AC1, it is in standby state on AC2.

Configure system parameters for AC1.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information: P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP              Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254   AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Configure WLAN service parameters on AC1.

# Create security profile wlan-net and configure a security policy.

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual situations, configure the security policy according to service requirements.

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.

[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of APs in the AP group.

[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Enable HSB on AC2.

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Verify the configuration.

# After the configurations are complete, run the display vrrp command on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.

[AC1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1800 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 01:25:55 UTC+08:00
    Last change time : 2005-07-31 02:48:22 UTC+08:00

[AC2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2005-07-31 02:11:07 UTC+08:00
    Last change time : 2005-07-31 03:40:45 UTC+08:00

[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.1
  Peer IP Address        : 10.23.102.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 2
  Keep Alive Interval    : 1
  Service State          : Connected
  Service Batch Modules  : 
  Shared-key             : -
----------------------------------------------------------

[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.2
  Peer IP Address        : 10.23.102.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 2
  Keep Alive Interval    : 1
  Service State          : Connected
  Service Batch Modules  : 
  Shared-key             : -
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the running status of the HSB group.

[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC2
  Peer Group Software Version : V200R019C00
  Group Backup Modules        : Access-user
                                DHCP
                                AP
----------------------------------------------------------

[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC1
  Peer Group Software Version : V200R019C00
  Group Backup Modules        : Access-user
                                DHCP
                                AP
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs can connect to the WLAN and go online normally.

Before restarting the AC, run the save command to save the configuration file on the AC to prevent configuration loss after the restart.

# After AC1 recovers from the restart, an active/standby switchback is triggered. The AP automatically goes online on AC1.

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return

CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#  
interface GigabitEthernet1/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/1/0/2
 eth-trunk 10
#
interface GigabitEthernet2/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/1/0/2
 eth-trunk 10
#
return

AC1 and AC2 have similar configuration files, which are listed in the following table. (Configurations highlighted in bold are the dual-link backup configurations on AC1 and AC2.)

Table 23-12 Configuration files of AC1 and AC2

AC1	AC2
# sysname AC1 # vrrp recover-delay 60 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # interface Vlanif100 ip address 10.23.100.1 255.255.255.0 vrrp vrid 1 virtual-ip 10.23.100.3 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1800 dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif102 ip address 10.23.102.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap source ip-address 10.23.100.3 # hsb-service 0 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyroM)KMgcsR}!GUWLa"%G_E.^B%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return	# sysname AC2 # vrrp recover-delay 60 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # interface Vlanif100 ip address 10.23.100.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.23.100.3 admin-vrrp vrid 1 dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif102 ip address 10.23.102.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap source ip-address 10.23.100.3 # hsb-service 0 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyroM)KMgcsR}!GUWLa"%G_E.^B%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042 ap-name area_1 ap-group ap-group1 # return

AC1

AC2

#
 sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1800
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

#
 sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios

Service Requirements

To ensure that services are running normally, an enterprise wants to improve network reliability while reducing the configuration maintenance workload. Wireless configuration synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the master and backup ACs are often deployed in the same location, and the service switchover is fast and has higher reliability than dual-link HSB.

Networking Requirements

AC networking mode: Layer 2 networking in bypass mode
DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs, and a CSS functions as a DHCP server to assign IP addresses to STAs.
Service data forwarding mode: direct forwarding
Switch cluster: A cluster is set up using CSS cards, containing SwitchB and SwitchC at the core layer. SwitchB is the master switch, and SwitchC is the standby switch.

Figure 23-10 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)

Data Planning

Table 23-13 AC data planning

Item	Data
AC1's source interface	Virtual IP address: 10.23.100.3/24
AC2's source interface	Virtual IP address: 10.23.100.3/24
Virtual IP address of the management VRRP group	10.23.100.3/24
VAP profile	Name: wlan-net Forwarding mode: direct forwarding Service VLAN: VLAN 101 Referenced profiles: security profile wlan-net and SSID profile wlan-net
AP group	Name: ap-group1 Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile	Name: default Country code: CN
SSID profile	Name: wlan-net SSID name: wlan-net
Security profile	Name: wlan-net Security policy: WPA-WPA2+PSK+AES Password: a1234567
DHCP server	The AC functions as the DHCP server to assign IP addresses to APs, and a CSS functions as the DHCP server to assign IP addresses to STAs.
Gateway for APs	VLANIF 100: 10.23.100.3/24
IP address pool for APs	10.23.100.4-10.23.100.254/24
Gateway for STAs	VLANIF 101: 10.23.101.1/24
IP address pool for STAs	10.23.101.2-10.23.101.254/24
IP address and port number of the HSB channel for AC1	IP address: 10.23.102.1/24 of VLANIF 102 Port number: 10241
IP address and port number of the HSB channel for AC2	IP address: 10.23.102.2/24 of VLANIF 102 Port number: 10241
Scheduled wireless configuration synchronization	Start time of scheduled synchronization: 01:00 Interval for scheduled synchronization: 1440 minutes

Configuration Roadmap

Configure a cluster between SwitchB and SwitchC through cluster cards to improve the core layer reliability and configure SwitchB as the master switch.
Configure network connectivity between the AC, APs, and other network devices.
Configure a VRRP group on AC1 and AC2. Configure a high priority for AC1 as the active device to forward traffic, and a low priority for AC2 as the standby device.
Configure basic WLAN services to ensure that users can connect to the Internet through the WLAN.
Configure the hot standby (HSB) function on the ACs so that service information on AC1 is backed up to AC2 in real time or in batches, ensuring seamless service switchover from the active device to the standby device.
Configure wireless configuration synchronization in VRRP HSB scenarios.

Configuration Notes

No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
During the configuration, check whether loops occur on the wired network. If so, configure MSTP on corresponding NEs.
In the VRRP HSB networking, the configurations of the DHCP address pools on the master and backup ACs must be consistent. For example, the ranges of IP addresses that cannot be automatically assigned to clients in the DHCP address pools must be consistent.

Procedure

Establish a cluster using CSS card.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection for SwitchB.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection for SwitchC.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            1            Off          CSS card    100         Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            2            Off          CSS card    10          Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is established successfully.

<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
5     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
7     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU2  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
Chassis 2 (Standby Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
3     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
4     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU1  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
<SwitchB> display css status
CSS Enable switch On                                                            
                                                                                
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
------------------------------------------------------------------------------  
1            On           Master          CSS card    100         Off           
2            On           Standby         CSS card    10          Off

The command output shows the card status and CSS status of both member switches, indicating that the CSS is established successfully.

# Check whether the cluster links are normal.

<SwitchB> display css channel
               Chassis 1               ||             Chassis 2                 
--------------------------------------------------------------------------------
Num      [Port]         [Speed]        ||        [Speed]         [Port]
 1       1/1/0/1        10G                      10G             2/1/0/1      
 2       1/1/0/2        10G                      10G             2/1/0/2      
 3       1/1/0/3        10G                      10G             2/1/0/3      
 4       1/1/0/4        10G                      10G             2/1/0/4      
 5       1/1/0/5        10G                      10G             2/1/0/5      
 6       1/1/0/6        10G                      10G             2/1/0/6      
 7       1/1/0/7        10G                      10G             2/1/0/7      
 8       1/1/0/8        10G                      10G             2/1/0/8      
 9       1/12/0/1       10G                      10G             2/12/0/1      
10       1/12/0/2       10G                      10G             2/12/0/2      
11       1/12/0/3       10G                      10G             2/12/0/3      
12       1/12/0/4       10G                      10G             2/12/0/4      
13       1/12/0/5       10G                      10G             2/12/0/5      
14       1/12/0/6       10G                      10G             2/12/0/6      
15       1/12/0/7       10G                      10G             2/12/0/7      
16       1/12/0/8       10G                      10G             2/12/0/8      
17       1/13/0/1       10G                      10G             2/13/0/1      
18       1/13/0/2       10G                      10G             2/13/0/2      
19       1/13/0/3       10G                      10G             2/13/0/3      
20       1/13/0/4       10G                      10G             2/13/0/4      
21       1/13/0/5       10G                      10G             2/13/0/5      
22       1/13/0/6       10G                      10G             2/13/0/6      
23       1/13/0/7       10G                      10G             2/13/0/7      
24       1/13/0/8       10G                      10G             2/13/0/8      
25       1/14/0/1       10G                      10G             2/14/0/1      
26       1/14/0/2       10G                      10G             2/14/0/2      
27       1/14/0/3       10G                      10G             2/14/0/3      
28       1/14/0/4       10G                      10G             2/14/0/4      
29       1/14/0/5       10G                      10G             2/14/0/5      
30       1/14/0/6       10G                      10G             2/14/0/6      
31       1/14/0/7       10G                      10G             2/14/0/7      
32       1/14/0/8       10G                      10G             2/14/0/8      
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS has been established successfully.

Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 to ensure that APs and ACs can exchange CAPWAP packets.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface eth-trunk 10
[SwitchA-Eth-Trunk10] port link-type trunk
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101
[SwitchA-Eth-Trunk10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port link-type
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port link-type
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC both to VLAN 100.

[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] undo port link-type
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] undo port link-type
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 on AC1 connected to SwitchB to VLAN 100, and configure an IP address for VLANIF 100.

<HUAWEI> system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit

# Add GE0/0/1 on AC2 connected to SwitchC to VLAN 100, and configure an IP address for VLANIF 100.

<HUAWEI> system-view
[HUAWEI] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit

Configure the communication between AC1 and AC2.

# Add GE0/0/2 on AC1 connected to AC2 to VLAN 102.

[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 connected to AC1 to VLAN 102.

[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Configure a DHCP server.
Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
# Configure AC1 as a DHCP server to assign IP addresses to APs and STAs. Exclude the following IP addresses from the interface address pools on the active and standby ACs: 10.23.100.1 of the active AC; 10.23.100.2 of the standby AC; and 10.23.100.3 of the VRRP group.
```
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
[AC1-Vlanif100] quit
```
# The configurations on AC2 are the same as those on AC1.
# Configure the CSS as a DHCP server to assign IP addresses to STAs.
```
[CSS] dhcp enable
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.23.101.1 24
[CSS-Vlanif101] dhcp select interface
[CSS-Vlanif101] quit
```

Configure VRRP HSB on AC1.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1. Set the VRRP priority of AC1 to 120 and the preemption delay to 1800 seconds.

[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Configure VRRP HSB on AC2.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0

Configure WLAN services on AC1.

Configure system parameters for AC1.

[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

Import an AP offline on AC1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information: P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP              Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    00e0-fc76-e360 area_1 ap-group1 10.23.100.254   AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Configure WLAN service parameters on AC1.

# Create security profile wlan-net and configure a security policy.

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual situations, configure the security policy according to service requirements.

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.

[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of APs in the AP group.

[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Configure private WLAN parameters on AC2.
# Configure the source address for AC2.
```
[AC2] capwap source ip-address 10.23.100.3
```

Configure DTLS encryption for an inter-AC control tunnel.

# Configure DTLS encryption for an inter-AC control tunnel on AC1.

[AC1] capwap dtls inter-controller psk a1234567
[AC1] capwap dtls inter-controller control-link encrypt 
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y 
[AC1] wlan

# Configure DTLS encryption for an inter-AC control tunnel on AC2.

[AC2] capwap dtls inter-controller psk a1234567
[AC2] capwap dtls inter-controller control-link encrypt 
Warning: This operation may cause devices using CAPWAP connections to reset or go offline. Continue? [Y/N]:y 
[AC2] wlan

Configure wireless configuration synchronization in VRRP HSB scenarios.

# Configure wireless configuration synchronization on AC1.

[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit

# Configure wireless configuration synchronization on AC2.

[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk H@123456
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC2-master-controller] quit
[AC2-wlan-view] quit

# Configure scheduled wireless configuration synchronization on AC1.

[AC1-wlan-view] synchronize-configuration auto interval 1440 start-time 01:00:00

Trigger wireless configuration synchronization manually.

# Run the display sync-configuration status command to check the wireless configuration synchronization status. The Status field is displayed as cfg-mismatch. Manually trigger wireless configuration synchronization from the master AC to the backup master AC. Wait until the backup master AC automatically restarts.

[AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version        Status                           Last synced
----------------------------------------------------------------------------------------------------
10.23.102.2   Backup  AC6805          V200R019C00    cfg-mismatch(config check fail)  -
----------------------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to conti
nue? [Y/N]:y

Enable HSB on AC2.

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Verify the configuration.

Check VRRP.

# After the configurations are complete, run the display vrrp command on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.

[AC1] display vrrp
  Vlanif100 | Virtual Router 1
    State : Master
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 1800 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2016-11-17 16:58:22
    Last change time : 2016-11-17 16:58:25

[AC2] display vrrp
  Vlanif100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.23.100.3
    Master IP : 10.23.100.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 2 s
    TimerConfig : 2 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : admin-vrrp
    Backup-forward : disabled
    Create time : 2016-11-17 02:31:42 UTC-07:00
    Last change time : 2016-11-17 02:32:21 UTC-07:00

[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.1
  Peer IP Address        : 10.23.102.2
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------

[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
  Local IP Address       : 10.23.102.2
  Peer IP Address        : 10.23.102.1
  Source Port            : 10241
  Destination Port       : 10241
  Keep Alive Times       : 3
  Keep Alive Interval    : 6
  Service State          : Connected
  Service Batch Modules  :
  Shared-key             : -
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the running status of the HSB group.

[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Master
  Group Status                : Active
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R019C00
  Group Backup Modules        : Access-user
                                AP
                                DHCP
----------------------------------------------------------

[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
  HSB-group ID                : 0
  Vrrp Group ID               : 1
  Vrrp Interface              : Vlanif100
  Service Index               : 0
  Group Vrrp Status           : Backup
  Group Status                : Inactive
  Group Backup Process        : Realtime
  Peer Group Device Name      : AC6805
  Peer Group Software Version : V200R019C00
  Group Backup Modules        : Access-user
                                AP
                                DHCP
---------------------------------------------------------

Verify wireless configuration synchronization.

# Run the display sync-configuration status command on the master AC and backup master AC to view the wireless configuration synchronization status. If the status is up, the wireless configuration synchronization function is normal.

[AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version              Status        Last synced
-----------------------------------------------------------------------------------------
10.23.102.2   Backup  AC6805          V200R019C00          up       2017-09-01/11:18:15
-----------------------------------------------------------------------------------------
Total: 1

[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------
Controller IP Role    Device Type     Version              Status        Last synced
-----------------------------------------------------------------------------------------
10.23.102.1   Master  AC6805          V200R019C00          up       2017-09-01/11:18:25
-----------------------------------------------------------------------------------------
Total: 1

The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs can connect to the WLAN and go online normally.

# Simulate a master AC fault by restarting the master AC to verify the backup configuration. Restart AC1. When an AP detects a fault on the link connected to AC1, AC2 takes the active role, ensuring service stability.

Before restarting the AC, run the save command to save the configuration file on the AC to prevent configuration loss after the restart.

# During the restart of AC1, services on the STAs are not interrupted. The AP goes online on AC2. Run the display ap all command on AC2. The command output shows that the AP status changes from standby to normal.

# After AC1 recovers from the restart, an active/standby switchback is triggered. The AP automatically goes online on AC1.

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 100 to 101
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 eth-trunk 10
#
interface GigabitEthernet0/0/3
 eth-trunk 10
#
return

CSS configuration file

#
sysname CSS
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk10
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#  
interface GigabitEthernet1/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/1/0/2
 eth-trunk 10
#
interface GigabitEthernet2/1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet2/1/0/2
 eth-trunk 10
#
return

Comparison between AC1 and AC2 configuration files (The information in bold is settings about the HSB and wireless configuration synchronization functions. The information in italic is public configurations automatically synchronized from AC1 to AC2.)

Table 23-14 Configuration files of AC1 and AC2

AC1	AC2
# sysname AC1 # vrrp recover-delay 60 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # interface Vlanif100 ip address 10.23.100.1 255.255.255.0 vrrp vrid 1 virtual-ip 10.23.100.3 admin-vrrp vrid 1 vrrp vrid 1 priority 120 vrrp vrid 1 preempt-mode timer delay 1800 dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif102 ip address 10.23.102.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap source ip-address 10.23.100.3 capwap dtls inter-controller control-link encrypt on capwap dtls inter-controller psk %^%#w\Z<afXL3.gRk5g\|%CD62YcG!x.)Ks:m6(}V:PD%^% # hsb-service 0* service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default synchronize-configuration auto interval 1440 start-time 01:00:00 ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 46 ap-mac 00e0-fc76-e360 ap-sn 21500826402SF6902787 ap-name area_1 ap-group ap-group1 master controller master-redundancy track-vrrp vrid 1 interface Vlanif100 *master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#`P0}pN+2P=Qf%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#** # return	# sysname AC2 # vrrp recover-delay 60 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # interface Vlanif100 ip address 10.23.100.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.23.100.3 admin-vrrp vrid 1 dhcp select interface dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif102 ip address 10.23.102.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap source ip-address 10.23.100.3 capwap dtls inter-controller control-link encrypt on capwap dtls inter-controller psk %^%#w\Z<afXL3.gRk5g\|%CD62YcG!x.)Ks:m6(}V:PD%^% # hsb-service 0* service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 hsb-group 0 track vrrp vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default synchronize-configuration auto interval 1440 start-time 01:00:00 ap-group name ap-group1 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 46 ap-mac 00e0-fc76-e360 ap-sn 21500826402SF6902787 ap-name area_1 ap-group ap-group1 master controller master-redundancy track-vrrp vrid 1 interface Vlanif100 master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#7KXNDf(-X/No\4)i&z\|./NQ@)WDlUT'`K33Mef47%^%# # return

AC1

AC2

#
 sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 1800
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
capwap dtls inter-controller control-link encrypt on
capwap dtls inter-controller psk %^%#*w\Z<afXL3.gRk5g|%CD62YcG!x.)Ks:m6(}V:PD%^%
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 synchronize-configuration auto interval 1440 start-time 01:00:00
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 46 ap-mac 00e0-fc76-e360 ap-sn 21500826402SF6902787
  ap-name area_1
  ap-group ap-group1
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#`P0}*pN+2P=Qf%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#
#
return

#
 sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable 
dhcp server database recover 
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1 
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
capwap dtls inter-controller control-link encrypt on
capwap dtls inter-controller psk %^%#*w\Z<afXL3.gRk5g|%CD62YcG!x.)Ks:m6(}V:PD%^%
#
hsb-service 0 
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6  
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 synchronize-configuration auto interval 1440 start-time 01:00:00
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 46 ap-mac 00e0-fc76-e360 ap-sn 21500826402SF6902787
  ap-name area_1
  ap-group ap-group1
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#7KXNDf(-X/No\4)i&z|./NQ@)WDlUT'`K33Mef47%^%#
#
return

Example for Configuring VRRP HSB (CAPWAP Dual-Stack)

Service Requirements

An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires that VRRP HSB be used to improve data transmission reliability in the CAPWAP dual-stack networking.

Networking Requirements

AC networking mode: Layer 2 networking in bypass mode
DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs, and a CSS functions as a DHCP server to assign IP addresses to STAs.
Service data forwarding mode: direct forwarding
Switch cluster: A cluster is set up using CSS cards, containing SwitchB and SwitchC at the core layer. SwitchB is the master switch, and SwitchC is the standby switch.

Figure 23-11 Networking diagram for configuring VRRP HSB (CAPWAP dual-stack + direct forwarding)

Data Planning

Table 23-15 AC data planning

Item	Data
AC1's source interface	VLANIF 100: IPv4: 10.23.100.3/24 IPv6: FC01::3/64
AC2's source interface	VLANIF 100: IPv4: 10.23.100.3/24 IPv6: FC01::3/64
Virtual IP address of the management VRRP group	IPv4: 10.23.100.3/24 IPv6: FC01::3/64
VAP profile	Name: wlan-net Forwarding mode: direct forwarding Service VLAN: VLAN 101 Referenced profiles: security profile wlan-net and SSID profile wlan-net
AP group	Name: ap-group_ipv4 and ap-group_ipv6 Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile	Name: default Country code: CN
SSID profile	Name: wlan-net SSID name: wlan-net
Security profile	Name: wlan-net Security policy: WPA-WPA2+PSK+AES Password: a1234567
DHCP server	The AC functions as a DHCP server to assign IP addresses to APs, and a CSS functions as a DHCP server to assign IP addresses to STAs.
Gateway for APs	VLANIF 100: IPv4: 10.23.100.3/24 IPv6: FC01::3/64
IP address pool for APs	IPv4: 10.23.100.4-10.23.100.254/24 IPv6: FC01::4/64-FC01::FFFF:FFFF:FFFF:FFFF/64
Gateway for STAs	VLANIF 101: IPv4: 10.23.101.1/24 IPv6: FC02::1/64
IP address pool for STAs	IPv4: 10.23.101.2-10.23.101.254/24 IPv6: FC02::2/64-FC02::FFFF:FFFF:FFFF:FFFF/64

Configuration Roadmap

The configuration roadmap is as follows:

Configure a cluster between SwitchB and SwitchC through cluster cards to improve the core layer reliability and configure SwitchB as the master switch.
Configure network connectivity between the AC, APs, and other network devices.
Configure basic WLAN services on AC1 so that STAs can connect to the Internet through the WLAN.
Configure a VRRP group and a VRRP6 group on AC1 and AC2. Configure a high priority for AC1 as the active device to forward traffic, and a low priority for AC2 as the standby device.
Configure the hot standby (HSB) function so that service information on AC1 is backed up to AC2 in real time or in a batch, ensuring seamless service switchover from the active AC to the standby AC.
Configure the wireless configuration synchronization function.

During the configuration, check whether loops occur on the wired network. If so, configure MSTP on corresponding NEs.

Configuration Notes

No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
- In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
- In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.
Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
In the VRRP HSB networking, the configurations of the DHCP address pools on the master and backup ACs must be consistent. For example, the ranges of IP addresses that cannot be automatically assigned to clients in the DHCP address pools must be consistent.
In this example, if a service VRRP group and a service VRRP6 group exist on the AC, run the vrrp vrid virtual-router-id1 track admin-vrrp6 interface interface-type interface-number vrid virtual-router-id2 unflowdown and vrrp6 vrid virtual-router-id1 track admin-vrrp6 interface interface-type interface-number vrid virtual-router-id2 unflowdown commands to bind both the service VRRP group and service VRRP6 groups to the mVRRP6 group rather than the mVRRP group. The following shows a configuration example.
```
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp6 interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] vrrp6 vrid 2 track admin-vrrp6 interface vlanif 100 vrid 1 unflowdown
```

Procedure

Establish a cluster using CSS card.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection for SwitchB.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection for SwitchC.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            1            Off          CSS card    100         Off

# Check the CSS configuration on SwitchC.

[SwitchC] display css status saved
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master force     
------------------------------------------------------------------------------  
1            2            Off          CSS card    10          Off

# Enable the CSS function on SwitchB and restart SwitchB.

[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.

[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is established successfully.

<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
5     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
7     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU2  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
Chassis 2 (Standby Switch)
S12708's Device status:
Slot  Sub Type         Online    Power      Register       Status     Role  
-------------------------------------------------------------------------------
1     -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
3     -   ET1D2G48SEC0 Present   PowerOn    Registered     Normal     NA    
4     -   ET1D2X16SSC0 Present   PowerOn    Registered     Normal     NA    
9     -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Slave 
10    -   ET1D2MPUA000 Present   PowerOn    Registered     Normal     Master
12    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
13    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
14    -   ET1D2SFUD000 Present   PowerOn    Registered     Normal     NA    
      1   EH1D2VS08000 Present   PowerOn    Registered     Normal     NA    
PWR1  -   -            Present   PowerOn    Registered     Normal     NA    
PWR2  -   -            Present   PowerOn    Registered     Normal     NA    
CMU1  -   EH1D200CMU00 Present   PowerOn    Registered     Normal     Master
FAN1  -   -            Present   PowerOn    Registered     Normal     NA    
FAN2  -   -            Present   PowerOn    Registered     Normal     NA    
FAN3  -   -            Present   PowerOn    Registered     Normal     NA    
FAN4  -   -            Present   PowerOn    Registered     Normal     NA    
<SwitchB> display css status
CSS Enable switch On                                                            
                                                                                
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
------------------------------------------------------------------------------  
1            On           Master          CSS card    100         Off           
2            On           Standby         CSS card    10          Off

The command output shows the card status and CSS status of both member switches, indicating that the CSS is established successfully.

# Check whether the cluster links are normal.

<SwitchB> display css channel
               Chassis 1               ||             Chassis 2                 
--------------------------------------------------------------------------------
Num      [Port]         [Speed]        ||        [Speed]         [Port]
 1       1/1/0/1        10G                      10G             2/1/0/1      
 2       1/1/0/2        10G                      10G             2/1/0/2      
 3       1/1/0/3        10G                      10G             2/1/0/3      
 4       1/1/0/4        10G                      10G             2/1/0/4      
 5       1/1/0/5        10G                      10G             2/1/0/5      
 6       1/1/0/6        10G                      10G             2/1/0/6      
 7       1/1/0/7        10G                      10G             2/1/0/7      
 8       1/1/0/8        10G                      10G             2/1/0/8      
 9       1/12/0/1       10G                      10G             2/12/0/1      
10       1/12/0/2       10G                      10G             2/12/0/2      
11       1/12/0/3       10G                      10G             2/12/0/3      
12       1/12/0/4       10G                      10G             2/12/0/4      
13       1/12/0/5       10G                      10G             2/12/0/5      
14       1/12/0/6       10G                      10G             2/12/0/6      
15       1/12/0/7       10G                      10G             2/12/0/7      
16       1/12/0/8       10G                      10G             2/12/0/8      
17       1/13/0/1       10G                      10G             2/13/0/1      
18       1/13/0/2       10G                      10G             2/13/0/2      
19       1/13/0/3       10G                      10G             2/13/0/3      
20       1/13/0/4       10G                      10G             2/13/0/4      
21       1/13/0/5       10G                      10G             2/13/0/5      
22       1/13/0/6       10G                      10G             2/13/0/6      
23       1/13/0/7       10G                      10G             2/13/0/7      
24       1/13/0/8       10G                      10G             2/13/0/8      
25       1/14/0/1       10G                      10G             2/14/0/1      
26       1/14/0/2       10G                      10G             2/14/0/2      
27       1/14/0/3       10G                      10G             2/14/0/3      
28       1/14/0/4       10G                      10G             2/14/0/4      
29       1/14/0/5       10G                      10G             2/14/0/5      
30       1/14/0/6       10G                      10G             2/14/0/6      
31       1/14/0/7       10G                      10G             2/14/0/7      
32       1/14/0/8       10G                      10G             2/14/0/8      
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS has been established successfully.

Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 to ensure that APs and ACs can exchange CAPWAP packets.

<HUAWEI> system-view 
[HUAWEI] sysname SwitchA 
[SwitchA] vlan batch 100 101 
[SwitchA] interface gigabitethernet 0/0/1 
[SwitchA-GigabitEthernet0/0/1] port link-type trunk 
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100 
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1 
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 
[SwitchA-GigabitEthernet0/0/1] port-isolate enable 
[SwitchA-GigabitEthernet0/0/1] quit 
[SwitchA] interface gigabitethernet 0/0/4 
[SwitchA-GigabitEthernet0/0/4] port link-type trunk 
[SwitchA-GigabitEthernet0/0/4] port trunk pvid vlan 100 
[SwitchA-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1 
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 
[SwitchA-GigabitEthernet0/0/4] port-isolate enable 
[SwitchA-GigabitEthernet0/0/4] quit 
[SwitchA] interface eth-trunk 10 
[SwitchA-Eth-Trunk10] port link-type trunk 
[SwitchA-Eth-Trunk10] undo port trunk allow-pass vlan 1 
[SwitchA-Eth-Trunk10] port trunk allow-pass vlan 100 101 
[SwitchA-Eth-Trunk10] quit 
[SwitchA] interface gigabitethernet 0/0/2 
[SwitchA-GigabitEthernet0/0/2] eth-trunk 10 
[SwitchA-GigabitEthernet0/0/2] quit 
[SwitchA] interface gigabitethernet 0/0/3 
[SwitchA-GigabitEthernet0/0/3] eth-trunk 10 
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 on SwitchB and GE2/1/0/2 on SwitchC to Eth-Trunk 10, and add E1/1/0/1 on SwitchB and GE2/1/0/1 on SwitchC both to VLAN 100.

[SwitchB] sysname CSS 
[CSS] vlan batch 100 101 
[CSS] interface gigabitethernet 1/1/0/1 
[CSS-GigabitEthernet1/1/0/1] port link-type trunk 
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1 
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 
[CSS-GigabitEthernet1/1/0/1] quit 
[CSS] interface gigabitethernet 2/1/0/1 
[CSS-GigabitEthernet2/1/0/1] port link-type trunk 
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1 
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100
[CSS-GigabitEthernet2/1/0/1] quit 
[CSS] interface eth-trunk 10 
[CSS-Eth-Trunk10] port link-type trunk 
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1 
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 101 
[CSS-Eth-Trunk10] quit 
[CSS] interface gigabitethernet 1/1/0/2 
[CSS-GigabitEthernet1/1/0/2] eth-trunk 10 
[CSS-GigabitEthernet1/1/0/2] quit 
[CSS] interface gigabitethernet 2/1/0/2 
[CSS-GigabitEthernet2/1/0/2] eth-trunk 10 
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 on AC1 connected to SwitchB to VLAN 100.

<HUAWEI> system-view 
[HUAWEI] sysname AC1 
[AC1] vlan batch 100 101 
[AC1] interface gigabitethernet 0/0/1 
[AC1-GigabitEthernet0/0/1] port link-type trunk 
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1 
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 on AC2 connected to SwitchC to VLAN 100.

<HUAWEI> system-view 
[HUAWEI] sysname AC2 
[AC2] vlan batch 100 101 
[AC2] interface gigabitethernet 0/0/1 
[AC2-GigabitEthernet0/0/1] port link-type trunk 
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1 
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 
[AC2-GigabitEthernet0/0/1] quit

Configure the communication between AC1 and AC2.

# Add GE0/0/2 on AC1 connected to AC2 to VLAN 102.

[AC1] vlan batch 102 
[AC1] interface gigabitethernet 0/0/2 
[AC1-GigabitEthernet0/0/2] port link-type trunk 
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1 
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102 
[AC1-GigabitEthernet0/0/2] quit 
[AC1] interface vlanif 102 
[AC1-Vlanif102] ip address 10.23.102.1 24 
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 connected to AC1 to VLAN 102.

[AC2] vlan batch 102 
[AC2] interface gigabitethernet 0/0/2 
[AC2-GigabitEthernet0/0/2] port link-type trunk 
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1 
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102 
[AC2-GigabitEthernet0/0/2] quit 
[AC2] interface vlanif 102 
[AC2-Vlanif102] ip address 10.23.102.2 24 
[AC2-Vlanif102] quit

Configure a DHCP server.

Configure the DNS server as required. The common methods are as follows:

In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.

# Configure AC1 as a DHCP server to assign IP addresses to APs and STAs. Exclude the following IP addresses from the interface address pools on the active and standby ACs: 10.23.100.1 and fc01::1 of the active AC; 10.23.100.2 and fc01::2 of the standby AC; and 10.23.100.3 and fc01::3 of the VRRP group.

[AC1] dhcp enable 
[AC1] dhcp server database enable 
[AC1] dhcp server database recover 
[AC1] ipv6 
[AC1] dhcpv6 pool ap_pool 
[AC1-dhcpv6-pool-ap_pool] address prefix fc01::/64 
[AC1-dhcpv6-pool-ap_pool] excluded-address fc01::1 to fc01::3 
[AC1-dhcpv6-pool-ap_pool] quit 
[AC1] interface vlanif 100 
[AC1-Vlanif100] ip address 10.23.100.1 24 
[AC1-Vlanif100] dhcp select interface 
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 
[AC1-Vlanif100] ipv6 enable 
[AC1-Vlanif100] ipv6 address fc01::1/64 
[AC1-Vlanif100] undo ipv6 nd ra halt 
[AC1-Vlanif100] ipv6 nd autoconfig managed-address-flag 
[AC1-Vlanif100] ipv6 nd autoconfig other-flag 
[AC1-Vlanif100] dhcpv6 server ap_pool 
[AC1-Vlanif100] quit

# Configure AC2 as a DHCP server to assign IP addresses to APs and STAs. Exclude the following IP addresses from the interface address pools on the active and standby ACs: 10.23.100.1 and fc01::1 of the active AC; 10.23.100.2 and fc01::2 of the standby AC; and 10.23.100.3 and fc01::3 of the VRRP group.

[AC2] dhcp enable 
[AC2] dhcp server database enable 
[AC2] dhcp server database recover 
[AC2] ipv6 
[AC2] dhcpv6 pool ap_pool 
[AC2-dhcpv6-pool-ap_pool] address prefix fc01::/64 
[AC2-dhcpv6-pool-ap_pool] excluded-address fc01::1 to fc01::3 
[AC2-dhcpv6-pool-ap_pool] quit 
[AC2] interface vlanif 100 
[AC2-Vlanif100] ip address 10.23.100.2 24 
[AC2-Vlanif100] dhcp select interface 
[AC2-Vlanif100] dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 
[AC2-Vlanif100] ipv6 enable 
[AC2-Vlanif100] ipv6 address fc01::2/64 
[AC2-Vlanif100] undo ipv6 nd ra halt 
[AC2-Vlanif100] ipv6 nd autoconfig managed-address-flag 
[AC2-Vlanif100] ipv6 nd autoconfig other-flag 
[AC2-Vlanif100] dhcpv6 server ap_pool 
[AC2-Vlanif100] quit

# Configure the CSS as a DHCP server to assign IP addresses to STAs.

[CSS] dhcp enable 
[CSS] ipv6 
[CSS] dhcpv6 pool sta_pool 
[CSS-dhcpv6-pool-sta_pool] address prefix fc02::/64 
[CSS-dhcpv6-pool-sta_pool] quit 
[CSS] interface vlanif 101 
[CSS-Vlanif101] ip address 10.23.101.1 24 
[CSS-Vlanif101] dhcp select interface 
[CSS-Vlanif101] ipv6 enable 
[CSS-Vlanif101] ipv6 address fc02::1/64 
[CSS-Vlanif101] undo ipv6 nd ra halt 
[CSS-Vlanif101] ipv6 nd autoconfig managed-address-flag 
[CSS-Vlanif101] ipv6 nd autoconfig other-flag 
[CSS-Vlanif101] dhcpv6 server sta_pool 
[CSS-Vlanif101] quit

Configure VRRP HSB on AC1.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1. Set the VRRP priority of AC1 to 120 and the preemption delay to 1800 seconds.

[AC1] interface vlanif 100 
[AC1-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::3 link-local 
[AC1-Vlanif100] vrrp6 vrid 1 virtual-ip FC01::3 
[AC1-Vlanif100] vrrp6 vrid 1 priority 120 
[AC1-Vlanif100] vrrp6 vrid 1 preempt-mode timer delay 1800 
[AC1-Vlanif100] admin-vrrp6 vrid 1 
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3 
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800 
[AC1-Vlanif100] vrrp vrid 1 track admin-vrrp6 interface Vlanif100 vrid 1 unflowdown 
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC1] hsb-service 0 
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241 
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6 
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC1] hsb-group 0 
[AC1-hsb-group-0] bind-service 0 
[AC1-hsb-group-0] track vrrp6 vrid 1 interface vlanif 100 
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.

[AC1] hsb-group 0 
[AC1-hsb-group-0] hsb enable 
[AC1-hsb-group-0] quit

Configure VRRP HSB on AC2.

# Set the recovery delay of the VRRP group to 60 seconds.

[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.

[AC2] interface vlanif 100 
[AC2-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::3 link-local 
[AC2-Vlanif100] vrrp6 vrid 1 virtual-ip FC01::3 
[AC2-Vlanif100] admin-vrrp6 vrid 1 
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3 
[AC2-Vlanif100] vrrp vrid 1 track admin-vrrp6 interface Vlanif100 vrid 1 unflowdown 
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for establishing an HSB channel. Set the retransmission time and interval of HSB packets.

[AC2] hsb-service 0 
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241 
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6 
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind HSB service 0 and the management VRRP group to the HSB group.

[AC2] hsb-group 0 
[AC2-hsb-group-0] bind-service 0 
[AC2-hsb-group-0] track vrrp6 vrid 1 interface vlanif 100 
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.

[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.

[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.

[AC2] hsb-service-type dhcp hsb-group 0

Configure WLAN services on AC1.

Configure system parameters for AC1, divide AP groups by area, add APs in the same area to the same AP group, and specify the IP address version for APs to go online.

[AC1] wlan 
[AC1-wlan-view] regulatory-domain-profile name default 
[AC1-wlan-regulate-domain-default] country-code cn 
[AC1-wlan-regulate-domain-default] quit 
[AC1-wlan-view] ap-group name ap-group_ipv4 
[AC1-wlan-ap-group-ap-group_ipv4] ap ip version ipv4 
Warning: This operation may cause AP offline, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-group-ap-group_ipv4] regulatory-domain-profile default 
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC1-wlan-ap-group-ap-group_ipv4] quit 
[AC1-wlan-view] ap-group name ap-group_ipv6 
[AC1-wlan-ap-group-ap-group_ipv6] ap ip version ipv6 
Warning: This operation may cause AP offline, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-group-ap-group_ipv6] regulatory-domain-profile default 
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC1-wlan-ap-group-ap-group_ipv6] quit 
[AC1-wlan-view] quit 
[AC1] capwap double-stack enable 
[AC1] capwap source ip-address 10.23.100.3 
[AC1] capwap source ipv6-address fc01::3

Import an AP offline on AC1.

[AC1] wlan 
[AC1-wlan-view] ap auth-mode mac-auth 
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360 
[AC1-wlan-ap-0] ap-name area_1 
Warning: This operation may cause AP reset. Continue? [Y/N]:y  
[AC1-wlan-ap-0] ap-group ap-group_ipv4 
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-0] quit 
[AC1-wlan-view] ap-id 1 ap-mac 00e0-fc76-e380 
[AC1-wlan-ap-1] ap-name area_2 
Warning: This operation may cause AP reset. Continue? [Y/N]:y  
[AC1-wlan-ap-1] ap-group ap-group_ipv6 
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC1-wlan-ap-1] quit 
[AC1-wlan-view] display ap all 
Total AP information: 
nor   : normal          [2] 
ExtraInfo : Extra information 
P     : insufficient power supply 
-------------------------------------------------------------------------------------------------------- 
ID    MAC            Name   Group         IP           Type     State  STA Uptime     ExtraInfo 
-------------------------------------------------------------------------------------------------------- 
0     00e0-fc76-e360 area_1 ap-group_ipv4 10.23.100.67 AP4050DN nor    1   2H:38M:4S  - 
1     00e0-fc76-e380 area_2 ap-group_ipv6 FC01::13     AP4050DN nor    0   2H:38M:13S - 
-------------------------------------------------------------------------------------------------------- 
Total: 2

Configure WLAN service parameters on AC1.
# Create security profile wlan-net and configure a security policy.

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual situations, configure the security policy according to service requirements.

[AC1-wlan-view] security-profile name wlan-net 
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes 
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC1-wlan-view] ssid-profile name wlan-net 
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net 
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.

[AC1-wlan-view] vap-profile name wlan-net 
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward 
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101 
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net 
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net 
[AC1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply configurations in VAP profile wlan-net to radio 0 and radio 1 of the APs in the AP group.

[AC1-wlan-view] ap-group name ap-group_ipv4 
[AC1-wlan-ap-group-ap-group_ipv4] vap-profile wlan-net wlan 1 radio 0 
[AC1-wlan-ap-group-ap-group_ipv4] vap-profile wlan-net wlan 1 radio 1 
[AC1-wlan-ap-group-ap-group_ipv4] quit 
[AC1-wlan-view] ap-group name ap-group_ipv6 
[AC1-wlan-ap-group-ap-group_ipv6] vap-profile wlan-net wlan 1 radio 0 
[AC1-wlan-ap-group-ap-group_ipv6] vap-profile wlan-net wlan 1 radio 1 
[AC1-wlan-ap-group-ap-group_ipv6] quit 
[AC1-wlan-view] quit

# Configure the source address of AC2.

[AC2] capwap double-stack enable 
[AC2] capwap source ip-address 10.23.100.3 
[AC2] capwap source ipv6-address fc01::3

Configure wireless configuration synchronization in VRRP HSB scenarios.

# Configure wireless configuration synchronization on AC1.

[AC1] wlan 
[AC1-wlan-view] master controller 
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk H@123456 
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100 
[AC1-master-controller] quit 
[AC1-wlan-view] quit

# Configure wireless configuration synchronization on AC2.

[AC2] wlan 
[AC2-wlan-view] master controller 
[AC2-master-controller] master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk H@123456 
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100 
[AC2-master-controller] quit 
[AC2-wlan-view] quit

Manually trigger wireless configuration synchronization.

[AC1] display sync-configuration status 
Controller role:Master/Backup/Local  
---------------------------------------------------------------------------------------------------- 
Controller IP Role    Device Type          Version               Status Last      synced 
---------------------------------------------------------------------------------------------------- 
10.23.102.2   Backup  ACxxxx               V200R019C00           cfg-mismatch     2019-06-27/11:39:41 
---------------------------------------------------------------------------------------------------- 
Total: 1 
[AC1] synchronize-configuration 
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to conti 
nue? [Y/N]:y

Enable HSB on AC2.

# Enable the HSB function.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Verify the configuration.

# After the configurations are complete, run the display vrrp6 and display vrrp commands on AC1 and AC2. The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.

[AC1] display vrrp6 
  Vlanif100 | Virtual Router 1 
    State : Master 
    Virtual IP : FE80::3 
                 FC01::3 
    Master IP : FE80::769D:8FFF:FE2E:9010 
    PriorityRun : 120 
    PriorityConfig : 120 
    MasterPriority : 120 
    Preempt : YES   Delay Time : 1800 s 
    TimerRun : 200 cs 
    TimerConfig : 200 cs 
    Virtual MAC : 0000-5e00-0201 
    Check hop limit : YES 
    Config type : admin-vrrp 
    Backup-forward : disabled 
    Create time : 2019-06-27 11:14:36 
    Last change time : 2019-06-27 14:47:39 
  
[AC1] display vrrp 
  Vlanif100 | Virtual Router 1 
    State : Master 
    Virtual IP : 10.23.100.3 
    Master IP : 10.23.100.1 
    PriorityRun : 100 
    PriorityConfig : 100 
    MasterPriority : 100 
    Preempt : YES   Delay Time : 1800 s 
    TimerRun : 2 s 
    TimerConfig : 2 s 
    Auth type : NONE 
    Virtual MAC : 0000-5e00-0101 
    Check TTL : YES 
    Config type : member-vrrp 
    Backup-forward : disabled 
    Create time : 2019-06-27 11:07:28 
    Last change time : 2019-06-27 14:47:39

[AC2] display vrrp6 
  Vlanif100 | Virtual Router 1 
    State : Backup 
    Virtual IP : FE80::3 
                 FC01::3 
    Master IP : FE80::769D:8FFF:FE2E:9010 
    PriorityRun : 100 
    PriorityConfig : 100 
    MasterPriority : 120 
    Preempt : YES   Delay Time : 0 s 
    TimerRun : 200 cs 
    TimerConfig : 200 cs 
    Virtual MAC : 0000-5e00-0201 
    Check hop limit : YES 
    Config type : admin-vrrp 
    Backup-forward : disabled 
    Create time : 2019-06-27 11:37:44 
    Last change time : 2019-06-27 14:47:24 
  
[AC2] display vrrp 
  Vlanif100 | Virtual Router 1 
    State : Backup 
    Virtual IP : 10.23.100.3 
    Master IP : 10.23.100.2 
    PriorityRun : 100 
    PriorityConfig : 100 
    MasterPriority : 100 
    Preempt : YES   Delay Time : 0 s 
    TimerRun : 2 s 
    TimerConfig : 2 s 
    Auth type : NONE 
    Virtual MAC : 0000-5e00-0101 
    Check TTL : YES 
    Config type : member-vrrp 
    Backup-forward : disabled 
    Create time : 2019-06-27 11:37:44 
    Last change time : 2019-06-27 14:46:28

[AC1] display hsb-service 0 
Hot Standby Service Information: 
---------------------------------------------------------- 
  Local IP Address       : 10.23.102.1 
  Peer IP Address        : 10.23.102.2 
  Source Port            : 10241 
  Destination Port       : 10241 
  Keep Alive Times       : 3 
  Keep Alive Interval    : 6 
  Service State          : Connected 
  Service Batch Modules  : 
  Shared-key             : - 
----------------------------------------------------------
[AC2] display hsb-service 0 
Hot Standby Service Information: 
---------------------------------------------------------- 
  Local IP Address       : 10.23.102.2 
  Peer IP Address        : 10.23.102.1 
  Source Port            : 10241 
  Destination Port       : 10241 
  Keep Alive Times       : 3 
  Keep Alive Interval    : 6 
  Service State          : Connected 
  Service Batch Modules  : 
  Shared-key             : - 
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the running status of the HSB group.

[AC1] display hsb-group 0 
Hot Standby Group Information: 
---------------------------------------------------------- 
  HSB-group ID                : 0 
  Vrrp Group ID               : 1 
  Vrrp Interface              : Vlanif100 
  Service Index               : 0 
  Group Vrrp Status           : Master 
  Group Status                : Active 
  Group Backup Process        : Realtime 
  Peer Group Device Name      : AC2 
  Peer Group Software Version : V200R019C00 
  Group Backup Modules        : Access-user 
                                AP 
                                DHCP 
----------------------------------------------------------
[AC2] display hsb-group 0 
Hot Standby Group Information: 
---------------------------------------------------------- 
  HSB-group ID                : 0 
  Vrrp Group ID               : 1 
  Vrrp Interface              : Vlanif100 
  Service Index               : 0 
  Group Vrrp Status           : Backup 
  Group Status                : Inactive 
  Group Backup Process        : Realtime 
  Peer Group Device Name      : AC1 
  Peer Group Software Version : V200R019C00 
  Group Backup Modules        : Access-user 
                                DHCP 
                                AP 
----------------------------------------------------------

# The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs can connect to the WLAN and go online normally.

Before restarting the AC, run the save command to save the configuration file on the AC to prevent configuration loss after the restart.

# After AC1 recovers from the restart, an active/standby switchback is triggered. The AP automatically goes online on AC1.

Configuration Files

SwitchA configuration file

# 
sysname SwitchA 
# 
vlan batch 100 to 101 
# 
interface Eth-Trunk10 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 to 101 
# 
interface GigabitEthernet0/0/1 
 port link-type trunk 
 port trunk pvid vlan 100 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 to 101 
 port-isolate enable group 1 
# 
interface GigabitEthernet0/0/2 
 eth-trunk 10 
# 
interface GigabitEthernet0/0/3 
 eth-trunk 10 
# 
return

CSS configuration file

# 
sysname CSS 
# 
ipv6 
# 
vlan batch 100 to 101 
# 
dhcp enable 
# 
dhcpv6 pool sta_pool 
 address prefix FC02::/64 
# 
interface Vlanif101 
 ipv6 enable 
 ip address 10.23.101.1 255.255.255.0 
 ipv6 address FC02::1/64 
 undo ipv6 nd ra halt 
 ipv6 nd autoconfig managed-address-flag 
 ipv6 nd autoconfig other-flag 
 dhcp select interface 
 dhcpv6 server sta_pool 
# 
interface Eth-Trunk10 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 to 101 
#   
interface GigabitEthernet1/1/0/1 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet1/1/0/2 
 eth-trunk 10 
# 
interface GigabitEthernet2/1/0/1 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet2/1/0/2 
 eth-trunk 10 
# 
return

AC1 and AC2 have similar configuration files, which are listed in the following table. (Configurations highlighted in bold are the dual-link backup and wireless configuration synchronization configurations on AC1 and AC2, and those in italic are public configurations automatically synchronized from AC1 to AC2.)

Table 23-16 Configuration files of AC1 and AC2

AC1	AC2
# sysname AC1 # ipv6 # vrrp recover-delay 60 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # dhcpv6 pool ap_pool address prefix FC01::/64 excluded-address FC01::1 to FC01::3 # interface Vlanif100 ipv6 enable ip address 10.23.100.1 255.255.255.0 ipv6 address FC01::1/64 undo ipv6 nd ra halt ipv6 nd autoconfig managed-address-flag ipv6 nd autoconfig other-flag vrrp6 vrid 1 virtual-ip FE80::3 link-local vrrp6 vrid 1 virtual-ip FC01::3 admin-vrrp6 vrid 1 vrrp6 vrid 1 priority 120 vrrp6 vrid 1 preempt-mode timer delay 1800 vrrp vrid 1 virtual-ip 10.23.100.3 vrrp vrid 1 preempt-mode timer delay 1800 vrrp vrid 1 track admin-vrrp6 interface Vlanif100 vrid 1 unflowdown dhcp select interface dhcpv6 server ap_pool dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif102 ip address 10.23.102.1 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap double-stack enable capwap source ip-address 10.23.100.3 capwap source ipv6-address FC01::3 # hsb-service 0 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp6 vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan security-profile name wlan-net security wpa-wpa2 psk pass-phrase %^%#=H/j=-Os`@Fka52lg)lVE['PcVx"R(EmC/%^%# aes ssid-profile name wlan-net ssid wlan-net vap-profile name wlan-net service-vlan vlan-id 101 ssid-profile wlan-net security-profile wlan-net regulatory-domain-profile name default ap-group name ap-group_ipv4 ap ip version ipv4 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-group name ap-group_ipv6 ap ip version ipv6 radio 0 vap-profile wlan-net wlan 1 radio 1 vap-profile wlan-net wlan 1 ap-id 0 type-id 75 ap-mac 00e0-fc76-e360 ap-sn 21500831023GHB001790 ap-name area_1 ap-group ap-group_ipv4 ap-id 1 type-id 75 ap-mac 00e0-fc76-e380 ap-sn 21500831023GH9001248 ap-name area_2 ap-group ap-group_ipv6 provision-ap master controller master-redundancy track-vrrp vrid 1 interface Vlanif100 *master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#P)3N8C5Nn;!Q]4U5dQGTAQpjETn8<HUn883eGLF%^%#** # return	# sysname AC2 # ipv6 # vrrp recover-delay 60 # vlan batch 100 to 102 # dhcp enable # dhcp server database enable dhcp server database recover # dhcpv6 pool ap_pool address prefix FC01::/64 excluded-address FC01::1 to FC01::3 # interface Vlanif100 ipv6 enable ip address 10.23.100.2 255.255.255.0 ipv6 address FC01::2/64 undo ipv6 nd ra halt ipv6 nd autoconfig managed-address-flag ipv6 nd autoconfig other-flag vrrp6 vrid 1 virtual-ip FE80::3 link-local vrrp6 vrid 1 virtual-ip FC01::3 admin-vrrp6 vrid 1 vrrp vrid 1 virtual-ip 10.23.100.3 vrrp vrid 1 track admin-vrrp6 interface Vlanif100 vrid 1 unflowdown dhcp select interface dhcpv6 server ap_pool dhcp server excluded-ip-address 10.23.100.1 10.23.100.3 # interface Vlanif102 ip address 10.23.102.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 100 # interface GigabitEthernet0/0/2 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 102 # capwap double-stack enable capwap source ip-address 10.23.100.3 capwap source ipv6-address FC01::3 # hsb-service 0 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241 service-keep-alive detect retransmit 3 interval 6 # hsb-group 0 track vrrp6 vrid 1 interface Vlanif100 bind-service 0 hsb enable # hsb-service-type access-user hsb-group 0 # hsb-service-type dhcp hsb-group 0 # hsb-service-type ap hsb-group 0 # wlan master controller master-redundancy track-vrrp vrid 1 interface Vlanif100 master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#Z3s)13t{t8;\|mh9Y/0bWCl9)G@ZBj%}N~-VRqDv3%^%# # return

AC1

AC2

# 
 sysname AC1 
# 
ipv6 
# 
vrrp recover-delay 60 
# 
vlan batch 100 to 102 
# 
dhcp enable 
# 
dhcp server database enable  
dhcp server database recover  
# 
dhcpv6 pool ap_pool 
 address prefix FC01::/64 
 excluded-address FC01::1 to FC01::3 
# 
interface Vlanif100 
 ipv6 enable 
 ip address 10.23.100.1 255.255.255.0 
 ipv6 address FC01::1/64 
 undo ipv6 nd ra halt 
 ipv6 nd autoconfig managed-address-flag 
 ipv6 nd autoconfig other-flag 
 vrrp6 vrid 1 virtual-ip FE80::3 link-local 
 vrrp6 vrid 1 virtual-ip FC01::3 
 admin-vrrp6 vrid 1 
 vrrp6 vrid 1 priority 120 
 vrrp6 vrid 1 preempt-mode timer delay 1800 
 vrrp vrid 1 virtual-ip 10.23.100.3 
 vrrp vrid 1 preempt-mode timer delay 1800 
 vrrp vrid 1 track admin-vrrp6 interface Vlanif100 vrid 1 unflowdown 
 dhcp select interface 
 dhcpv6 server ap_pool 
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3  
# 
interface Vlanif102 
 ip address 10.23.102.1 255.255.255.0 
# 
interface GigabitEthernet0/0/1 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet0/0/2 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 102 
# 
capwap double-stack enable 
capwap source ip-address 10.23.100.3 
capwap source ipv6-address FC01::3 
# 
hsb-service 0 
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241 
 service-keep-alive detect retransmit 3 interval 6 
# 
hsb-group 0 
 track vrrp6 vrid 1 interface Vlanif100 
 bind-service 0 
 hsb enable 
# 
hsb-service-type access-user hsb-group 0 
# 
hsb-service-type dhcp hsb-group 0 
# 
hsb-service-type ap hsb-group 0 
# 
wlan 
 security-profile name wlan-net 
  security wpa-wpa2 psk pass-phrase %^%#=H/j=-Os`@Fka52lg)lVE['PcVx"R(EmC/%^%# aes 
 ssid-profile name wlan-net 
  ssid wlan-net 
 vap-profile name wlan-net 
  service-vlan vlan-id 101 
  ssid-profile wlan-net 
  security-profile wlan-net 
 regulatory-domain-profile name default 
 ap-group name ap-group_ipv4 
  ap ip version ipv4 
  radio 0 
   vap-profile wlan-net wlan 1 
  radio 1 
   vap-profile wlan-net wlan 1 
 ap-group name ap-group_ipv6 
  ap ip version ipv6 
  radio 0 
   vap-profile wlan-net wlan 1 
  radio 1 
   vap-profile wlan-net wlan 1 
 ap-id 0 type-id 75 ap-mac 00e0-fc76-e360 ap-sn 21500831023GHB001790 
  ap-name area_1 
  ap-group ap-group_ipv4 
 ap-id 1 type-id 75 ap-mac 00e0-fc76-e380 ap-sn 21500831023GH9001248 
  ap-name area_2 
  ap-group ap-group_ipv6 
 provision-ap 
 master controller 
  master-redundancy track-vrrp vrid 1 interface Vlanif100 
  master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#P)3N8C5Nn;!Q]4U5dQGTAQpjETn8<*HUn883eGLF%^%# 
# 
return

# 
 sysname AC2 
# 
ipv6 
# 
vrrp recover-delay 60 
# 
vlan batch 100 to 102 
# 
dhcp enable 
# 
dhcp server database enable  
dhcp server database recover  
# 
dhcpv6 pool ap_pool 
 address prefix FC01::/64 
 excluded-address FC01::1 to FC01::3 
# 
interface Vlanif100 
 ipv6 enable 
 ip address 10.23.100.2 255.255.255.0 
 ipv6 address FC01::2/64 
 undo ipv6 nd ra halt 
 ipv6 nd autoconfig managed-address-flag 
 ipv6 nd autoconfig other-flag 
 vrrp6 vrid 1 virtual-ip FE80::3 link-local 
 vrrp6 vrid 1 virtual-ip FC01::3 
 admin-vrrp6 vrid 1 
 vrrp vrid 1 virtual-ip 10.23.100.3 
 vrrp vrid 1 track admin-vrrp6 interface Vlanif100 vrid 1 unflowdown 
 dhcp select interface 
 dhcpv6 server ap_pool 
 dhcp server excluded-ip-address 10.23.100.1 10.23.100.3  
# 
interface Vlanif102 
 ip address 10.23.102.2 255.255.255.0 
# 
interface GigabitEthernet0/0/1 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
# 
interface GigabitEthernet0/0/2 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 102 
# 
capwap double-stack enable 
capwap source ip-address 10.23.100.3 
capwap source ipv6-address FC01::3 
# 
hsb-service 0 
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241 
 service-keep-alive detect retransmit 3 interval 6 
# 
hsb-group 0 
 track vrrp6 vrid 1 interface Vlanif100 
 bind-service 0 
 hsb enable 
# 
hsb-service-type access-user hsb-group 0 
# 
hsb-service-type dhcp hsb-group 0 
# 
hsb-service-type ap hsb-group 0 
# 
wlan 
 master controller 
  master-redundancy track-vrrp vrid 1 interface Vlanif100 
  master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#Z3s)13t{t8;|mh9Y/0bWCl9)G@ZBj%}N~-VRqDv3%^%# 
# 
return

Understanding VRRP HSB
Configuring a VRRP Group
Configuring an HSB Service
Configuring an HSB Group
Enabling an HSB Group
Configuring Wireless Configuration Synchronization
Verifying the Wireless Configuration Synchronization Configuration
Example for Configuring VRRP HSB (Tunnel Forwarding)
Example for Configuring VRRP HSB (Direct Forwarding)
Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
Example for Configuring VRRP HSB (CAPWAP Dual-Stack)

Translation

Favorite

Download

Update Date：2021-11-19

Document ID：EDOC1100096325

Downloads：3722

Average rating：5.0Points

Digital Signature File

digtal sigature tool

Wireless Access Controller (AC and Fit AP) V200R019C00 CLI-based Configuration Guide

VRRP HSB Configuration

Understanding VRRP HSB

Purpose

Definition

Implementation

Application Scenario

Configuring a VRRP Group

Context

Procedure

Configuring an HSB Service

Context

Procedure

Configuring an HSB Group

Context

Procedure

Enabling an HSB Group

Context

Procedure

Configuring Wireless Configuration Synchronization

Context

Procedure

Verifying the Wireless Configuration Synchronization Configuration

Context

Procedure

Example for Configuring VRRP HSB (Tunnel Forwarding)

Service Requirements

Networking Requirements

Data Planning

Configuration Roadmap

Configuration Notes

Procedure

Configuration Files

Example for Configuring VRRP HSB (Direct Forwarding)

Service Requirements

Networking Requirements

Data Planning

Configuration Roadmap

Configuration Notes

Procedure

Configuration Files

Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios

Service Requirements

Networking Requirements

Data Planning

Configuration Roadmap

Configuration Notes

Procedure

Configuration Files

Example for Configuring VRRP HSB (CAPWAP Dual-Stack)

Service Requirements

Networking Requirements

Data Planning

Configuration Roadmap

Configuration Notes

Procedure

Configuration Files

Related Documents

Digital Signature File

Share