LAN-Side Site Configuration

Domain name

Default domain name suffix for all switches and APs at the current site, for example, huawei.com.

The value specified for Device name during device addition and the value specified here constitute the fully qualified domain name (FQDN) of the device. The FQDN helps users identify devices in a network management system.

This parameter applies only to:

• Switches of V200R012C00 and later versions.
• APs of V200R009C00 and later versions.

Time zone

Default time zone for all devices at the current site. This setting is applicable to firewalls, switches, and APs only.

DST

Daylight saving time for devices at the current site. This setting is applicable to switches, APs, and ARs only.

NTP server IP address

NTP server IP address for the current site. This setting is applicable to firewalls, switches, and APs only.

Local user

User name

User name for logging in to a device. The user name is in the username or username@domainname format. The value is case-insensitive and cannot contain spaces or the following special characters: *, ?, ". If HWTACACS authentication bypass is enabled, an authentication account same as the local user account must be configured.

Password

Password of the user account. The password must meet the following requirements:

• Contains 8 to 128 characters.
• Contains at least three of the following: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (for example, !, @, #, $, %). Question marks or spaces are not supported.
• The same character is not repeated consecutively two or more times.
• The password cannot be the same as the user name or its characters in reverse order.

Role

Service type

BootROM password

BootROM password of a switch or an AP.

If you do not set this password, the administrator password and BootROM password that take effect are those set by tenant administrators when they log in to iMaster NCE-Campus for the first time, or those set in the Device Password Configuration area on the Device Management tab page under Design > Site Agile Deployment > Device Management.

Login timeout interval (min)

Period after which a user is disconnected from the user interface.

The value is 10 by default. The value 0 indicates that this function is disabled.

Screen length

Number of rows printed on a split screen.

The value is 24 by default. The value 0 indicates that this function is disabled.

Login restriction

Whether to restrict login to devices via SSH. You can bind SSH virtual type terminal (VTY) accounts of devices to specified advanced ACLs to restrict the accounts that are allowed to log in to devices via SSH.

Only APs and switches support this function. The available ACL numbers are in the range from 3032 to 3999.

HWTACACS Authentication

-

Whether to enable the HWTACACS authentication mode for the devices at the current site.

HWTACACS Server

Select a HWTACACS server from the drop-down list box. The server has been defined on the Policy Template page.

Command line authorization

You can set this parameter as needed. This function is optional when the controller functions as a HWTACACS authentication server. If the controller functions as a HWTACACS authorization server to authorize command lines to device users, you need to configure a command set and enable this function.

HWTACACS authentication bypass

• Switch to local authorization mode if the HWTACACS server is faulty.

  When a user logs in to a device using the corresponding user name and password, local authentication is triggered if the user fails to be authenticated by the HWTACACS server.

• Accounting bypass: If accounting bypass is disabled, the controller stops providing services for users as long as accounting fails, resulting in the users unable to log in to the device. If accounting bypass is enabled, users can still log in to the device when accounting fails due to a network fault.

RADIUS Authentication

RADIUS server

RADIUS server configured in the desired RADIUS server template. The RADIUS server template is defined on the policy template page.

Authentication protocol

RADIUS authentication protocol. PAP and CHAP are supported.

RADIUS authentication bypass

• When the RADIUS server fails, local authentication and authorization are performed.

  If a user attempts to access the Internet using a username and password and fails RADIUS authentication, the user will initiate local authentication.

• Accounting bypass

  If the accounting bypass function is disabled, the controller stops providing services to users when accounting fails and users cannot access the Internet. If the accounting bypass is enabled, when accounting fails due to a network fault, users can still access the Internet.

Protocol version

SNMP version. SNMPv3 is recommended, because it is more secure than SNMPv1 and SNMPv2c.

Configuration in the scenario where Version is set to V1 or V2C

Read community name

Group of NMSs and SNMP agents. A community name functions as the password for authentication when devices in the community communicate with each other. An NMS can access an SNMP agent only if the community name carried in the SNMP request sent by the NMS is the same as that configured on the SNMP agent. A community name consists of a read community name and a write community name. Currently, iMaster NCE-Campus can only interconnect with SNMP through the read community name.

The parameter value consists of 1 to 32 characters including digits, letters, or special characters.

Allowed IP addresses

IP address whitelist of NMS servers. The whitelist defines NMS servers' IP addresses, improving the system security. If the whitelist is left empty, an NMS server with any IP address can access devices.

Alarm Server

WIndicates whether to configure alarm servers for devices. Through this function, alarms generated on a device can be sent to the NMS server in a timely manner, implementing effective management on devices.

The IP addresses must be of Class A, B, or C. Multiple IP addresses need to be separated with line breaks, and up to 20 IP addresses can be entered.

• Class A IP addresses: 1.0.0.0-126.255.255.255
• Class B IP addresses: 128.0.0.0-191.255.255.255
• Class C IP addresses: 192.0.0.0-223.255.255.255

Alarm server list

Alarm server IP address.

The IP addresses must be of Class A, B, or C. Multiple IP addresses need to be separated with line breaks, and up to 20 IP addresses can be entered.

Configuration in the scenario where Version is set to V3

User List

Click Add and add the account information. To implement the bidirectional communication in the following scenarios, ensure that User name, Encryption Password, and Authentication Password are the same as those on the NMS server:

• When a device reports an alarm to the NMS server, the user account and password set here are used for authentication and verification on the NMS server. The device can successfully report the alarm only after successful verification.
• When the NMS server proactively accesses a device, the NMS server performs authentication and verification on the device. The NMS server can successfully access the device only after successful verification.

Allowed IP addresses

IP address whitelist of NMS servers. The whitelist defines NMS servers' IP addresses, improving the system security. If the whitelist is left empty, an NMS server with any IP address can access devices.

The IP addresses must be of Class A, B, or C. Multiple IP addresses need to be separated with line breaks, and up to 20 IP addresses can be entered.

Alarm Server

Whether to configure alarm servers for devices. Through this function, alarms generated on a device can be sent to the NMS server in a timely manner, implementing effective management on devices.

Alarm server list

Click Add, add an alarm server, and select corresponding accounts from the drop-down list box.

The alarm server IP addresses must be of Class A, B, or C, and up to 20 IP addresses can be added.

Information upload

Enable Information upload function.

Server IP or domain

IP address or domain name of the third-party server that receives packets. Only APs of V200R009C00 and later versions support the domain name.

Port number

Number of the port on which packets are received. This parameter is configurable only when Information upload is enabled. The default value is 10031.

Interval (ms)

Interval at which an AP reports the received information. The default value is 20,000 ms.

Threshold (dBm)

Scanned signal strength. If the signal strength is lower than the threshold, no action is performed. The default value is -75 dBm.

AP PSK

Whether to enable the function of configuring the PSK. Enabling this parameter indicates that a PSK is added, while disabling this parameter indicates that no PSK exists.

Update PSK Key

Whether to update the PSK value. If the PSK is not configured, the update button is unavailable.

Set AP installation location

WSpecify whether to enable the function of configuring AP installation location information. After this field is enabled, you can configure the AP installation location. Only APs of V200R009C00 and later versions support this parameter.

AP installation location

Set the AP installation location.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. This function is enabled by default.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

HTTP service

Whether to enable the HTTP service on cloud-managed devices. By default, this function is enabled. If the HTTP service is disabled, tenant administrators can log in to the web system of cloud-managed devices using HTTPS. If the HTTP service is enabled, when tenant administrators access the web system of cloud-managed devices using HTTP, they will be redirected to an HTTPS address for login.

Public key-free upon first authentication of SSH client

Whether to enable the first authentication function on an SSH client.

IPv6

Whether to enable IPv6 globally. The configuration takes effect only after the function is enabled in the AP's SSID configuration as well. After IPv6 is globally enabled, it takes effect only after it is enabled in the AP's SSID configuration as well.

Auto-negotiated Management VLAN

(For firewalls and switches only) When a downstream NE is connected to the current device, this VLAN is automatically used as the management VLAN of the NE through negotiation. The NE then can obtain an IP address from the DHCP server and register with iMaster NCE-Campus.

Management VLAN

(For switches and APs only) Management VLAN of the current device. The switch or AP creates a VLANIF interface based on the management VLAN. The IP address of the VLANIF interface is used as the management IP address of the device to initiate a registration request to iMaster NCE-Campus.

Auto permit on uplink interface

(For switches only) After this function is enabled:

• If the upstream port of the current device is a trunk port, the allowed VLAN is automatically used as the management VLAN.
• If the upstream port of the current device is an access port, the default VLAN is automatically used as the management VLAN.

Display the WLAN view.

system-view

wlan

Displays or delete a interface view.

system-view

interface interface-type interface-number

undo interface interface-type interface-number

Create or delete a VLANIF interface.

system-view

interface vlanif vlan-id

undo interface vlanif vlan-id

Add an RU in offline mode or enter the AP view.

wlan

ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn | ap-mac ap-mac ap-sn ap-sn } ]

undo ap ap-id

Add an RU in offline mode or enter the AP view.

wlan

ap-mac ap-mac [ type-idtype-id | ap-typeap-type ] [ ap-idap-id ] [ ap-snap-sn ]

Configure or restore an RU name

AP-view

ap-name ap-name

undo ap-name

Configure or restore the memory usage alarm threshold.

system-view

set memory-usage threshold threshold-value

undo set memory-usage threshold

Configure or restore physical interfaces on the SSH server to which clients can connect

system-view

ssh server permit interface { interface-type interface-number } &<1-5>

undo ssh server permit interface

Configure or restore the port number of the SSH server.

system-view

ssh server port port-number

undo ssh server port

Configure or restore an interval for updating the SSH server key pair.

system-view

ssh server rekey-interval hours

undo ssh server rekey-interval

Configure or restore a timeout interval for an SSH server connection.

system-view

ssh server timeout seconds

undo ssh server timeout

Enable or disable the SSH server function.

system-view

stelnet server enable

undo stelnet server enable

Enable or disable the SFTP function of the SSH server.

system-view

sftp server enable

undo sftp server enable

Creates or delete an attack defense.

system-view

cpu-defend policy policy-name

undo cpu-defend policy policy-name

Set or restore the rate limit for packets sent to the CPU.

attack defense policy view

packet-type packet-type rate-limit rate-value { wired | wireless }

undo packet-type packet-type rate-limit { wired | wireless }

Configure or restore the rate limit for upstream and downstream packets of all STAs or each STA on a VAP.

traffic profile view

rate-limit { client | vap } { up | down } rate-value

undo rate-limit { client | vap } { up | down }

Set or restore the rate limit for Secure Shell (SSH), Telecommunication Network Protocol (Telnet), or File Transfer Protocol (FTP) packets.

attack defense policy view

application-apperceive packet-type { ssh | telnet | ftp } rate-limit rate-value

undo application-apperceive packet-type { ssh | telnet | ftp }

Create or delete a QoS CAR profile.

system-view

interface

qos car car-name cir cir-value [ cbs cbs-value [ pbs pbs-value ] | pir pir-value [ cbs cbs-value pbs pbs-value ] ]

undo qos carcar-name

Create or delete a VAP profile.

wlan

vap-profile name profile-name

undo vap-profile { name profile-name | all }

Create or delete a SSID profile.

wlan

ssid-profile name profile-name

undo ssid-profile { name profile-name | all }

Create or delete a traffic profile.

wlan

traffic-profile name profile-name

undo traffic-profile { all | name profile-name }

Create or delete a Hotspot2.0 profile.

wlan

hotspot2-profile name profile-name

undo hotspot2-profile { name profile-name | all }

Create or delete a security profile.

wlan

security-profile profile-name

undo security-profile

Create or delete a 2G radio profile.

wlan

radio-2g-profile name profile-name

undo radio-2g-profile { name profile-name | all }

Create or delete a 5G radio profile.

wlan

radio-5g-profile name profile-name

undo radio-5g-profile { name profile-name | all }

Create or deletes an RRM profile

wlan

rrm-profile name profile-name

undo rrm-profile { name profile-name | all }

Create or delete an air scan profile.

wlan

air-scan-profile name profile-name

undo air-scan-profile { name profile-name | all }

Create or delete a location profile.

wlan

location-profile name profile-name

undo location-profile { name profile-name | all }

Create or delete an AP group

wlan

ap-group name group-name

undo ap-group { name group-name | all }

Configure broadcast flood attack detection.

vap-profile

anti-attack broadcast-flood

undo anti-attack broadcast-flood

Enable or disable the MU-MIMO optimization function.

ssid-profile

mu-mimo

undo mu-mimo

Enable or disable IGMP snooping.

system-view

traffic-profile

igmp-snooping enable

undo igmp-snooping enable

Set or restore the maximum transmission unit (MTU) of the AP's CAPWAP tunnel.

system-view

interface vlanif

mtu mtu

undo mtu

Specify or restore the noise floor threshold for triggering radio calibration.

rrm-profile

calibrate noise-floor-threshold threshold

undo calibrate noise-floor-threshold

Create or delete a radio calibration policy.

wlan

calibrate policy { rogue-ap | load | non-wifi | noise-floor }

undo calibrate policy { rogue-ap | load | non-wifi | noise-floor }

Enable or disable the DHCP function.

system-view

dhcp enable

undo dhcp enable

Set or restore the maximum number of ping packets to be sent.

system-view

dhcp server ping packet number

undo dhcp server ping packet

Set or restore the maximum response time of a ping packet.

system-view

dhcp server ping timeout milliseconds

undo dhcp server ping timeout

Enable or disable DHCP snooping.

system-view

interface

dhcp snooping enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

Set or restore the GI mode to short GI.

radio-2g-profile

radio-5g-profile

guard-interval-mode { short | normal }

undo guard-interval-mode short

Set or restore the start threshold for the number of STAs that preferentially access the 5 GHz radio during band steering.

rrm-profile

band-steer balance start-threshold start-threshold

undo band-steer balance start-threshold

Set or restore the RTS-CTS threshold in a radio profile.

radio-2g-profile

radio-5g-profile

rts-cts-threshold rts-cts-threshold

undo rts-cts-threshold

Enable user CAC based on terminal SNR.

rrm-profile

uac client-snr enable

undo uac client-snr enable

Configure or restore the user CAC threshold based on terminal SNR.

rrm-profile

uac client-snr threshold threshold

undo uac client-snr threshold

Enable the user CAC threshold based on channel usage.

rrm-profile

uac channel-utilization enable

undo uac channel-utilization enable

Configure or restore the user CAC threshold based on channel usage.

rrm-profile

uac channel-utilization threshold access access-threshold [ roam roam-threshold ]

undo uac channel-utilization threshold

Set or restore the maximum MSS value for a TCP connection.

system-view

tcp max-mss mss-value

undo tcp max-mss

Configure or disable the device to output information to a log host

system-view

info-center loghost domain domain-name [ channel { channel-number | channel-name } | facility local-number | language language-name | portport| transport { udp | tcpssl-policy policy-name } ] ^*

undo info-center loghost domain domain-name

Set or default the timestamp format of logs messages

system-view

info-center timestamp log { { date | short-date | format-date } [ precision-time { tenth-second | millisecond } ] | boot | none }

undo info-center timestamp log

Configure security profile.

wlan

vap-profile

security-profile

Disable/Enable smart roaming.

radio-2g-profile

radio-5g-profile

smart-roam disable

undo smart-roam disable

Enable or disable the HTTPS server function on the device.

system-view

http secure-server enable

undo http secure-server enable

Enable or disable the HTTP server.

system-view

http server enable

undo http server enable

Restore the default user CAC threshold based on the number of users.

rrm-profile

undo uac client-number threshold

Disable user CAC based on the number of users.

rrm-profile

undo uac client-number enable

Create or delete an IoT profile.

wlan

iot-profile nameprofile-name

undo iot-profile { name profile-name | all }

Configure a host computer or delete the host computer configuration.

iot-profile

management-server server-ip server-ip server-port server-port-num

undo management-server server-ip server-ip server-port server-port-num

Display the IoT card interface view.

wlan

ap-group

card card-number

Bind an IoT profile.

card

iot-profile profile-name config-agent udp port udp-port

Set the radio type in a radio profile.

radio-2g-profile

radio-5g-profile

radio-type { dot11b | dot11g | dot11n | dot11ax }

undo radio-type

radio-type { dot11a | dot11n | dot11ac | dot11ax }

undo radio-type

Enable an AP to sendARP/ND proxy packets for a STAbefore the STA is successfully associated.

wlan

sta arp-nd-proxy before-assoc

undo sta arp-nd-proxy before-assoc

Enable the DHCP-based terminal type awareness function.

system-view

device-sensor dhcp option

undo device-sensor dhcp option

Enable the User Agent function.

system-view

http parse user-agent enable

undo http parse user-agent enabled

Set the memory usage threshold.

system-view

set memory-usage threshold threshold-value

undo set memory-usage threshold

Set or restore the CPU usage alarm threshold and CPU usage alarm recovery threshold.

system-view

set cpu-usage threshold threshold-value [ restore restore-threshold-value ]

undo set cpu-usage threshold

Set or restore the lower temperature alarm threshold for APs.

wlan

low-temperature threshold threshold

undo low-temperature threshold

Set or restore the upper temperature alarm threshold for APs.

wlan

high-temperature threshold threshold

undo high-temperature threshold

Set the lower temperature alarm threshold for RUs.

AP system profile view

low-temperature threshold threshold

undo low-temperature threshold

Set the upper temperature alarm threshold for RUs.

AP system profile view

high-temperature threshold threshold

undo high-temperature threshold

Configure the source IP address for the device to communicate with a Portal server.

system-view

web-auth-server server-name

source-ip ip-address

undo web-auth-server server-name

undo source-ip

Configure the offline self-healing function.

system-view

offline self-healing-reset disable

undo offline self-healing-reset disable

Add or delete MAC addresses of neighboring APs that are allowed to connect to an AP to a Mesh whitelist profile.

mesh-whitelist-profile

peer-ap mac mac-address

undo peer-ap mac mac-address

Configure AP indicators to turn off or turn off during the specified time range/ restores the default settings.

system-view

led off [ time-range time-range-name ]

undo led off

Set or restore a time range.

system-view

time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

undo time-range time-name [ start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] ]

Create or delete an AP system profile

wlan

ap-system-profile name profile-name

undo ap-system-profile

Set or restore a Mesh ID for a Mesh profile

mesh-profile

mesh-id name

undo mesh-id

Create or delete a Mesh profile

wlan

mesh-profile name profile-name

undo mesh-profile { all | name profile-name }

Create or delete a Mesh whitelist profile or display the Mesh whitelist profile view.

wlan

mesh-whitelist-profile name whitelist-name

undo mesh-whitelist-profile { all | name whitelist-name }

Delete entries from all session tables.

system-view

reset session all

Create a VLAN and displays the VLAN view. If the VLAN exists, the VLAN view is displayed.

system-view

vlan vlan-id

vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo vlan vlan-id

undo vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>

Configure a VLAN as the default VLAN of an interface and add the interface to the VLAN.

vlan

port interface-type { interface-number1 [ to interface-number2 ] }&<1-10>

undo port interface-type { interface-number1 [ to interface-number2 ] }&<1-10>

Enable the port bridge function on an interface. The interface then can forward packets whose source and destination MAC addresses are both learned by this interface.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port bridge enable

undo port bridge enable

Configure the default VLAN of an interface and adds the interface to the VLAN.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port default vlanvlan-id

undo port default vla

Specify the default VLAN ID of a hybrid interface.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port hybrid pvid vlanvlan-id

undo port hybrid pvid vlan

Add a hybrid interface to the specified VLANs. Frames of the VLANs then pass through the hybrid interface in tagged mode.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

undo port hybrid vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

Add a hybrid interface to the specified VLANs. Frames of the VLANs then pass through the hybrid interface in untagged mode.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

undo port hybrid vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

Set the link type of an interface.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port link-type { access | hybrid | trunk }

undo port link-type

Add a trunk interface to the specified VLANs.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

undo port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }

Specify the default VLAN for a trunk interface.

GE interface

Eth-Trunk interface

XGE interface

MultiGE interface

port trunk pvid vlanvlan-id

undo port trunk pvid vlan

Set the AP channel mode to indoor mode or restore the AP channel mode to outdoor mode.

wlan

channel-load-mode indoor

undo channel-load-mode indoor

Configure or delete an IP address for an interface.

VLANIF interface view

loopback interface view

ip address ip-address { mask | mask-length }

undo ip address ip-address { mask | mask-length }

Enable or disable an interface to use the interface address pool.

VLANIF interface view

dhcp select interface

undo dhcp select interface

Configure or delete a unicast static route.

system-view

ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] } [ preference preference | tag tag ] ^* [ permanent | inherit-cost ] [ description text ]

undo ip route-static ip-address { mask | mask-length } [ nexthop-address | interface-type interface-number [ nexthop-address ] ] [ preference preference | tag tag ] ^* [ permanent ]

undo ip route-static all

Disable or enable intelligent flow control for unknown unicast packets.

system-view

unicast-suppression auto-detect disable

undo unicast-suppression auto-detect disable

Configure or delete an IP address pool for a sub-VLAN.

vlan

ip pool start-address [ to end-address ]

undo ip pool

Create or delete a RADIUS server template.

system-view

radius-server template template-name

undo radius-server template template-name

Modify or restore a RADIUS attribute.

RADIUS server template view

radius-attribute set service-type attribute-value [ auth-type mac | user-type ipsession ]

undo radius-attribute set service-type

Configure or delete the DNS server address for the DHCP client.

IP address pool view

DHCP Option template view

dns-list { ip-address &<1-8> | unnumbered interface interface-type interface-number }

undo dns-list { ip-address | unnumbered interface | all }

Enable or disable DNS proxy.

system-view

dns proxy enable

undo dns proxy enable

Enable or disable dynamic DNS resolution

system-view

dns resolve

undo dns resolve

Enabling/Disabling the USB ethernet port mode

system-view

usb enable [ 5w ]

undo usb enable

card connect-type { ethernet | serial }

undo card connect-type

iot-card reboot ap ap-id ap-id card { card-id | usb }

Displays or delete a interface view.

system-view

interface interface-type interface-number

undo interface interface-type interface-number

Create or delete a VLAN view

system-view

vlan vlan-id

undo vlan vlan-id

Enable the device to obtain packets matching specified rules.

system-view

capture-packet { interface interface-type interface-number | acl acl-number } * [ vlan vlan-id | cvlan cvlan-id ] * destination terminal [ car cir car-value | time-out time-out-value | packet-num number | packet-len length ] *

capture-packet cpu [ vlan vlan-id | acl acl-number ] * destination terminal [ time-out time-out-value | packet-num number | packet-len length ] *

Configure traditional local management parameters (SSH, HTTP, and HTTPS).

system-view

ssh [ ipv4 | ipv6 ] server port port-number

undo ssh [ ipv4 | ipv6 ]server port

ssh server rekey-interval hours

undo ssh server rekey-interval

ssh server timeout seconds

undo ssh server timeout

stelnet [ ipv4 | ipv6 ] server enable

undo stelnet [ ipv4 | ipv6 ] server enable

sftp server enable

undo sftp server enable

ssh server-source -i loopback interface-number

undo ssh server-source

http ipv6 server enable

undo http ipv6 server enable

http [ ipv6 ] server port port-number

undo http [ ipv6 ] server port

http timeout

undo http timeout

http [ ipv6 ] secure-server port port-number

undo http [ ipv6 ] secure-server port

http [ ipv6 ] secure-server enable

undo http [ ipv6 ] secure-server enable

http server-source -i loopback interface-number

undo http server-source

Specify the IP addresses of administrators allowed to log in to the switches.

system-view

ssh [ ipv6 ] server acl acl-number

undo ssh [ ipv6 ] server acl

telnet [ ipv6 ] server acl acl-number

undo telnet [ ipv6 ] server acl

http[ ipv6 ] acl

undo http[ ipv6 ] acl

Enable broadcast storm suppression.

vlan

broadcast-suppression threshold-value

undo broadcast-suppression

interface

broadcast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

undo broadcast-suppression

multicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

undo multicast-suppression

unicast-suppression { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }

undo unicast-suppression

Enable link aggregation.

interface

lacp preempt enable

undo lacp preempt enable

lacp timeout

undo lacp timeout

lacp force-forward

undo lacp force-forward

system-view

lacp priority

undo lacp priority

Enable DLDP.

system-view

dldp enable

undo dldp enable

dldp interval interval

undo dldp interval

dldp authentication-mode { md5 md5-password | simple simple-password | sha sha-password | none }

undo dldp authentication-mode [ md5 md5-password | simple simple-password | sha sha-password | none ]

dldp delaydown-timer time

undo dldp delaydown-timer [ time ]

Enable port mirroring.

interface

port-mirroring to observe-port observe-port-index { both | inbound | outbound }

undo port-mirroring [ to observe-port observe-port-index ] { both | inbound | outbound }

system-view

observe-port [ observe-port-index ] interface interface-type interface-number [ untag-packet ]

undo observe-port observe-port-index

Enable IGMP snooping.

system-view

igmp-snooping enable

VLAN

l2-multicast forwarding-mode

undo l2-multicast forwarding-mode

l2-multicast router-port-discard

undo l2-multicast router-port-discard

igmp-snooping enable

undo igmp-snooping enable

igmp-snooping version version

undo igmp-snooping version

Enable DHCP snooping.

system-view

VLAN

interface

dhcp snooping check dhcp-request enable

undo dhcp snooping check dhcp-request enable

dhcp snooping check dhcp-rate enable [ rate ]

undo dhcp snooping check dhcp-rate enable

Enable ND snooping.

VLAN

interface

nd snooping enable dhcpv6 only

undo nd snooping enable

nd snooping trusted interface interface-type interface-number

undo nd snooping trusted interface interface-type interface-number

nd snooping trusted dhcpv6 only

Enable MLD snooping.

system-view

VLAN

mld-snooping enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo mld-snooping enable [ vlan { all | { vlan-id1 [ to vlan-id2 ] } &<1-10> } ]

mld-snooping enable

undo mld-snooping enable

Enable IPv6 management. (IPv6 addresses are configured on the VLANIF interfaces, but iMaster NCE-Campus can still manage devices using IPv4 addresses.)

interface

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

undo ipv6 address [ ipv6-address prefix-length | ipv6-address/prefix-length ]

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

ipv6 address auto global [ default ]

ipv6 address auto link-local

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

ipv6 address ipv6-address link-local

undo ipv6 address dhcpv6-prefix

ipv6 enable

undo ipv6 enable

Port security

interface

port-security enable

undo port-security enable

port-security mac-address sticky [ mac-address vlan vlan-id ]

undo port-security mac-address sticky [ mac-address vlan vlan-id ]

port-security max-mac-num max-number

undo port-security max-mac-num

port-security aging-time

undo port-security aging-time

port-security protect-action

undo port-security protect-action

Enable QoS functions.

system-view

traffic classifier classifier-name [ operator { and | or } ]

undo traffic classifier classifier-name

traffic policy policy-name [ match-order { auto | config } ] [ atomic ]

undo traffic policy policy-name

drop-profile drop-profile-name

qos queue queue-index wred drop-profile-name

qos-profile name profile-name

undo qos-profile { all | name profile-name }

traffic behavior behavior-name

undo traffic behavior behavior-name

interface

traffic-policy policy-name { inbound | outbound }

undo traffic-policy [ policy-name ] { inbound | outbound }

trust { 8021p | dscp }

trust { 8021p { inner | outer } | dscp }

qos queue queue-index wred drop-profile-name

qos { pq | wrr | drr }

undo qos { pq | wrr | drr }

qos queue queue-index drr weight weight

undo qos queue queue-index drr

qos queue queue-index wrr weight weight

undo qos queue queue-index wrr

qos lr inbound cir cir-value [ cbs cbs-value ]

qos lr outbound cir cir-value [ cbs cbs-value ]

qos queue queue-index shaping cir cir-value pir pir-value [ cbs cbs-value pbs pbs-value ]

traffic classifier

if-match [ ipv6 ] acl { acl-number | acl-name }

undo if-match [ ipv6 ] acl { acl-number | acl-name }

if-match vlan-id start-vlan-id [ to end-vlan-id ] [ cvlan-id cvlan-id ]

undo if-match vlan-id start-vlan-id [ to end-vlan-id ] [ cvlan-id cvlan-id ]

traffic behavior

car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ share ] [ green { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ] [ yellow { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ] [ red { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ]

undo car

statistic enable

undo statistic enable

remark dscp { dscp-name | dscp-value }

undo remark dscp

traffic policy

classifier classifier-name behavior behavior-name

undo classifier classifier-name

drop profile

color { green | non-tcp | red | yellow } low-limit low-limit-percentage high-limit high-limit-percentage discard-percentage discard-percentage

undo color { green | non-tcp | red | yellow }

Enable ACL functions.

system-view

acl [ number ] acl-number [ match-order { auto | config } ]

undo acl { [ number ] acl-number | all }

advanced ACL

basic ACL

user ACL

user-defined ACL

layer 2 ACL

rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } { protocol-num ber | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

undo rule rule-id [ destination | destination-port | { { precedence | tos } * | dscp } | { fragment | first-fragment } | logging | icmp-type | source | source-port | tcp-flag | time-range | ttl-expired | vpn-instance ] *

Set the source IP address and source MAC address of offline detection packets in a VLAN.

system-view

access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

undo access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

Set the default source IP address of offline detection packets.

system-view

access-user arp-detect default ip-address ip-address

undo access-user arp-detect default ip-address ip-address

Configure a traffic suppression mode.

system-view

suppression mode { by-packets | by-bits }

undo suppression mode

Set the working mode of DLDP.

system-view

dldp work-mode { enhance | normal }

undo dldp work-mode [ enhance | normal ]

Enable MUX VLAN.

VLAN

mux-vlan

undo mux-vlan

subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>

subordinate separate vlan-id

undo subordinate separate

interface

port mux-vlan enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo port mux-vlan enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo port mux-vlan enable

Set the maximum MSS value for a TCP connection.

system-view

tcp max-mss mss-value

undo tcp max-mss

Priority Mapping Commands

interface

trust { 8021p { inner | outer } | dscp }

undo trust

Congestion Avoidance and Congestion Management Commands

system-view

drop-profile drop-profile-name

undo drop-profile drop-profile-name

Create a user group or displays the user group view.

system-view

user-group group-name

undo user-group group-name

Basic IPv6 Configuration Commands

interface

ipv6

ipv6 address

undo ipv6 address

ipv6 enable

undo ipv6 enable

DHCP Snooping Configuration Commands

system-view

undo dhcp enable

undo dhcp snooping enable

undo dhcp snooping trusted

Configure DHCP.

system-view

ip pool ip-pool-name

undo ip pool ip-pool-name

snmp-agent trap enable feature-name dhcp

undo snmp-agent trap source

ip pool

gateway-list ip-address &<1-8>

undo gateway-list { ip-address | all }

network ip-address [ mask { mask | mask-length } ]

undo network ip-address [ mask { mask | mask-length } ]

excluded-ip-address start-ip-address [ end-ip-address ]

undo excluded-ip-address start-ip-address [ end-ip-address ]

domain-name domain-name

undo domain-name

interface

dhcp select global

undo dhcp select global

Configure or delete the DNS server address for the DHCP client.

ip pool

dns-list { ip-address &<1-8> | unnumbered interface interface-type interface-number }

undo dns-list { ip-address | unnumbered interface | all }

Enable or disable dynamic DNS resolution

system-view

dns resolve

undo dns resolve

Enable or disable DNS proxy

system-view

dns proxy enable

undo dns proxy enable

Configure DNS.

system-view

dns domain domain-name [ vpn-instance vpn-instance-name ]

undo dns domain domain-name [ vpn-instance vpn-instance-name ]

dns server ip-address [ vpn-instance vpn-instance-name ]

undo dns server ip-address [ vpn-instance vpn-instance-name ]

Configure switch bridge.

system-view

stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root primary

undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root

stp [ instance instance-id ] root primary

undo stp [ instance instance-id ] root

Configure Cluster.

system-view

cluster enable

undo cluster enable

Configure Stack

system-view

stack timer mac-address switch-delay delay-time

undo stack timer mac-address switch-delay

stack reserved-vlan

mad restore

mad exclude interface

undo mad exclude interface

Change the working mode of Ethernet interfaces from Layer 2 mode to Layer 3 mode

interface

undo portswitch

Configure multi-active detection (MAD) on an interface.

system-view

mad detect [mode direct | mode relay]

undo mad detect [mode direct | mode relay]

Change the power supply standards of interfaces from 802.3at to 802.3af.

interface

poe af-inrush enable

undo poe af-inrush enable

Set the memory usage threshold.

system-view

set memory-usage threshold threshold-value [ slot slot-id ]

undo set memory-usage threshold [ threshold-value ] [ slot slot-id ]

Set the alarm threshold and alarm recovery threshold of CPU usage.

system-view

For fixed switches:

cpu-usage threshold threshold-value [ restore restore-threshold-value ] [ slot slot-id ]

undo cpu-usage threshold [ threshold-value [ restore [ restore-threshold-value ] ] ] [ slot slot-id ]

Sets the CPU usage alarm threshold and CPU usage alarm recovery threshold.

system-view

For modular switches:

set cpu-usage threshold threshold-value [ restore restore-threshold-value ] [ slot slot-id ]

undo set cpu-usage threshold [ threshold-value [ restore [ restore-threshold-value ] ] ] [ slot slot-id ]

Set the temperature alarm thresholds.

system-view

For fixed switches:

temperature threshold slot { slot-id | all } lower-limit min-temperature upper-limit max-temperature

undo temperature threshold slot { slot-id | all }

Set the temperature alarm thresholds.

system-view

For modular switches:

temperature threshold slot STRING<1-10> sensor INTEGER<0-127> upper-limit INTEGER<0-93>

Configure ACL-based packet filtering globally or in a VLAN.

system-view

traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] inboundacl { [ ipv6 ] { bas-acl | adv-acl | nameacl-name } | l2-acl | user-acl } [ rule rule-id ]

Set the MAC address of BPDUs.

system-view

bpdu mac-address

undo bpdu mac-address

Configure access control for service packets based on traffic classifiers.

traffic behavior

permit

undo permit

Set to advertise the MED TLVs or set the MED TLVs disabled on an interface.

interface

lldp tlv-enable med-tlv { all | capability | inventory | location-id { civic-address device-type country-code { ca-type ca-value } &<1-10> | elin-address Tel-Number } | network-policy [ voice-vlan { vlan vlan-id [ cos cvalue | dscp dvalue ]^* | 8021p [ cos cvalue | dscp dvalue ]^* | untagged } ] | power-over-ethernet }

undo lldp tlv-enable med-tlv { all | capability | inventory | location-id [ civic-address | elin-address ] | network-policy [ voice-vlan { vlan | cos | dscp | 8021p | untagged } ] | power-over-ethernet }

Disables an interface from automatically recovering from the Error-Down state to the Up state.

system-view

undo error-down auto-recovery cause { auto-defend | bpdu-protection | efm-remote-failure | efm-threshold-event | error-statistics | link-flap | mac-address-flapping | port-security | transceiver-power-low | storm-control | data-integrity-error }

OSPF Configuration Commands

system-view

ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] ^*

undo ospf process-id [ flush-waiting-timer time ]

preference [ ase ] { preference | route-policy route-policy-name } ^*

undo preference [ ase ]

silent-interface { all | interface-type interface-number }

undo silent-interface { all | interface-type [ interface-number ] }

bandwidth-reference value

undo bandwidth-reference

area area-id

undo area area-id

abr-summary ip-address mask [ cost { cost | inherit-minimum } | [ advertise [ generate-null0-route ] | not-advertise | generate-null0-route [ advertise ] ] ] ^*

undo abr-summary ip-address mask

network network-address wildcard-mask [ description text ]

undo network network-address wildcard-mask

stub [ no-summary | default-route-advertise backbone-peer-ignore ] ^*

undo stub

Enabling or Disabling NAC re-authentication

system-view

mac-authen reauthenticate mac-address mac-address

mac-access-profile name access-profile-name

undo mac-access-profile name access-profile-name

mac-authen reauthenticate

undo mac-authen reauthenticate

mac-authen timer reauthenticate-period reauthenticate-period-value

undo mac-authen timer reauthenticate-period

authentication-profilename authentication-profile-name

mac-access-profile access-profile-name

undo mac-access-profile

Create or delete an interface.

system-view

interface interface-type interface-number

undo interface interface-type interface-number

Create or delete a common interface group.

system-view

interface-group [ interface-group-id ] name interface-group-name

undo interface-group { interface-group-id | name interface-group-name }

Configure traditional local management parameters (SSH and Telnet).

system-view

ssh user user-name

undo ssh user user-name

ssh user user-name authentication-type password

undo ssh user user-name authentication-type

ssh user user-name service-type stelnet

undo ssh user user-name service-type

telnet server enable

undo telnet server enable

Configure policy-based routing.

policy-based-route

rule copy rule-name new-rule-name

rule move rule-name1 { { after | before } rule-name2 | up | down | top | bottom }

rule name rule-name

rule rename old-name new-name

Configure an ACL.

system-view

acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

undo acl { all | [ number ] acl-number }

Configure traditional local management parameters (HTTP and HTTPS).

system-view

web-manager enable [ port port-number ]

web-manager security enable [ port port-number ]

undo web-manager enable [ port port-number ]

undo web-manager security enable [ port port-number ]

Configure PPPoE.

interface

dialer enable-circular

undo dialer enable-circular

dialer number dial-number [ autodial ]

undo dialer number dial-number

system-view

dialer-rule

undo dialer-rule

interface

dialer-group group-number

undo dialer-group

dialer timer idle seconds

undo dialer timer idle

restart

Enable a 3G/4G card.

system-view

apn profile profile-name

undo apn profile profile-name

interface cellular interface-number

ip address negotiate

undo ip address negotiate

interface cellular

apn-profile

undo apn-profile

Enable intelligent outbound selection to load balance traffic among multiple links.

system-view

multi-interface

multi-interface

add interface { interface-name | interface-type interface-num } [ { { weight weight-value } | { priority priority-value } }* ]

add interface-group { group-name | isp isp-name} [ { { weight weight-value } | { priority priority-value } }* ]

mode { proportion-of-bandwidth | proportion-of-weight | priority-of-userdefine }

undo mode

priority-of-link-quality protocol { icmp | tcp-simple }

undo priority-of-link-quality protocol

priority-of-link-quality parameter { delay | jitter | loss }*

undo priority-of-link-quality parameter

priority-of-link-quality {interval INTEGER<1-10> | times INTEGER<2-10>}*

undo priority-of-link-quality {interval | times}*

priority-of-link-quality mask INTEGER<1-32>

undo priority-of-link-quality mask

load-balance flow hash { destination-ip | destination-port | source-ip | source-port }*

multi-interface priority-of-link-quality parameter { delay accuracy delay-accuracy | jitter accuracy jitter-accuracy }

undo multi-interface priority-of-link-quality parameter { delay accuracy | jitter accuracy }

standby-interface status down

undo standby-interface status

session persistence enable

undo session persistence enable

session persistence source-ip mask <src-mask-value>

session persistence destination-ip mask <dst-mask-value>

undo session persistence { source-ip | destination-ip }* mask

session persistence table aging-time <aging-time-value>

undo session persistence table aging-time

session persistence mode { source-ip | destination-ip }*

undo session persistence mode

diagnose

reset session persistence table

rule

action pbr egress-interface multi-interface

undo action pbr egress-interface multi-interface

Configure that server certificate validation is not required during the upload of log files to the FTPS server.

system-view

gawa-log non-certificate

undo gawa-log non-certificate

Set the maximum MSS value for a TCP connection.

system-view

tcp max-mss mss-value

undo tcp max-mss

Display the diagnose view.

system-view

diagnose

ISP Link Selection Configuration Commands

interface-group

add interface

undo add interface

multi-interface

add interface-group

undo add interface-group

Configure the country or region where the FW is deployed.

system-view

country country-code

undo country

Display the IPSec intelligent link selection profile view.

system-view

ipsec smart-link profile profile-name

undo ipsec smart-link profile profile-name

Add links for IPSec intelligent link selection.

system-view

link link-id interface interface-type interface-number [ local local-address ] [ nexthop nexthop-address ] remote remote-address

undo link link-id

Switch links for IPSec intelligent link selection.

system-view

auto-switch preempt enable

undo auto-switch preempt enable

Disable an interface in Error-Down state to go Up.

system-view

undo error-down auto-recovery cause { auto-defend | bpdu-protection | efm-remote-failure | efm-threshold-event | error-statistics | link-flap | mac-address-flapping | port-security | transceiver-power-low | storm-control | data-integrity-error }

Basic Settings

SSID Name

SSID when a STA connects to a wireless network.

Working status

The default value is ON. If the value is set to OFF, the SSID is unavailable.

Scheduled switch-on

Time range during which the SSID is enabled. The SSID is disabled beyond the time range. This improves the network security and saves energy.

If the preconfigured time policy cannot meet flexibility requirements, click . In the displayed window, create a user-defined time template.

Effective radio

Triple-frequency bands are used by default. The default value is recommended.

AP tags

The label specifies the AP where the SSID is configured.

If the value is empty, the SSID is configured on all APs in the site. Otherwise, you need to add a label for the AP as prompted.

Network connection mode

• If STAs connect to the AP used only for Layer 2 forwarding, select Layer 2 forwarding. You also need to configure the VLAN ID based on the label.
• If STAs connect to the AP used as the DHCP server, select NAT.

VLAN

This parameter is available only when the value of Network connection mode is Layer 2 forwarding. The VLAN ID of an AP is assigned to a STA that is associated with an SSID based on the label.

Advanced Configuration

SSID hiding

By default, this function is disabled. After this function is enabled, SSIDs are invisible.

MDNS Snooping

By default, this function is disabled. After this function is enabled, the access device can parse service information in mDNS packets sent by wireless terminals and identify the terminals.

Disable AP after AP disconnection

By default, this function is disabled. After this function is enabled, the SSID will be automatically disabled if the AP uplink is disconnected. This ensures that the device can automatically connect to other APs.

Band steering (5G-prioritized)

By default, this function is enabled. The band steering function enables an AP to steer STAs to the 5 GHz frequency band first, which reduces load and interference on the 2.4 GHz frequency band. User experience is therefore improved.

Transmit rate of 2.4G Beacon frames (Mbit/s)

Transmit rate of 2.4 GHz Beacon frames and 5 GHz Beacon frames, in Mbit/s. Only APs running V200R009C00 or a later version support these parameters.

Transmit rate of 5G Beacon frames (Mbit/s)

Limit access of traditional terminals

By default, this function is disabled. After this function is enabled, 802.11a, 802.11b, and 802.11g traditional terminals cannot be connected.

Maximum number of users

Maximum number of STAs connected to the SSID.

Access threshold policy

• New users are not allowed to access the network

  When the number of STAs connected to the RF reaches the threshold, new users are not allowed to access the network.

• New users are not allowed to access the network and the SSID is hidden

  When the number of STAs connected to a radio reaches the threshold, new STAs are not allowed to access the network, and all SSIDs of the radio are automatically hidden.

• VIP subscribers preferentially access the network

  When the number of terminals connected to the RF reaches the threshold, VIP users preferentially access the network and replace common users. You need to authorize VIP users on the Admission > Admission Policy > Authentication and Authorization Policy page.

User isolation

By default, this function is enabled. After this function is enabled, STAs connected to the SSID of a certain AP are isolated from each other.

Isolation mode

• All isolated
• Layer 2 user isolation

IGMP-Snooping

By default, this function is disabled. After IGMP snooping is enabled, multicast data can be forwarded and controlled at the data link layer.

Disable broadcast or multicast

By default, this function is disabled. After this function is enabled, WLAN sharing and broadcast or multicast discovery is disabled, and the Bonjour transparent transmission parameter becomes configurable.

Multicast-to-unicast conversion

By default, this function is disabled. After this function is enabled on an AP, the AP listens on Report and Leave messages to maintain multicast-to-unicast entries. When sending multicast packets to the client, the AP converts the multicast data packets to unicast data packets based on the multicast-to-unicast entries to improve multicast traffic transmission efficiency.

After adaptive multicast-to-unicast conversion is enabled, when the air interface performance encounters a bottleneck during multicast-to-unicast conversion, an AP automatically switches the multicast group containing the minimum number of STAs to the multicast mode. After the air interface performance is improved and keeps being improved for a period of time, the AP automatically switches the multicast group containing the maximum number of STAs to the unicast mode. In this way, the air interface performance is automatically adjusted without manual intervention, improving wireless user experience.

Bonjour transparent transmission

By default, this function is disabled. Bonjour is a Zeroconf solution proposed by Apple and applies to Layer 2 broadcast domains. It allows network devices in a Layer 2 broadcast domain to obtain IP addresses and discover services.

U-APSD

By default, this function is disabled. U-APSD is a new energy saving mode defined for WMM, which can improve the energy-saving capability of STAs. Some STAs may not well support U-APSD. In this case, you need to disable U-APSD.

WMM scenario

Set the WMM parameter based on the network requirements to enable high-priority data packets to occupy wireless channels, namely, adjusting the forwarding priority of video and voice service traffic. To make the WMM function take effect, you need to enable the WMM function switch among the radio parameters. The options of this parameter are as follows:

• Default: No priority is assigned.
• Voice: Priority is assigned to voice service traffic.
• Voice and Video: Priority is assigned to voice and video service traffic.
• Customize.

Terminal MAC address filtering

By default, this function is disabled. After this function is enabled, the system filters the MAC addresses of the devices connected to the network according to the blacklist or whitelist.

• Blacklist: Devices with the MAC address specified in the list are denied to access the network. Complete MAC addresses are matched against the list.
• Whitelist: Devices with the MAC address specified in this list are allowed to access the network. Either complete MAC addresses or OUIs can be matched against this list. The OUI is the first 24 bits of a MAC address of a device.

Audio quality analysis

By default, this function is disabled. If this function is enabled and the SIP port is configured, the system will enable the SIP protocol. In this case, devices can capture SIP packets and analyze the service type of the packets, such as the voice service.

If iMaster NCE-Campus allows devices to report performance data to the analyzer, the analyzer can obtain the performance data of the voice service and analyze the voice call quality.

802.11r Fast Roaming Enable

Whether to enable 802.11r fast roaming function. The options are as follows:

• Adaptive
• Enable: After this function is enabled, you need to set the reassociation timeout interval. The default value is 1 second.
• Disable
  NOTE:

  Security policies supported by 802.11r include open system, WPA2+PSK+AES, WPA2+PPSK+AES, and WPA2+802.1X+AES.

802.11r over the DS

802.11r fast roaming mode.

• If this parameter is enabled, 802.11r fast roaming in over-the-DS mode is configured.
• If this parameter is disabled, 802.11r fast roaming in over-the-Air mode is configured.

Reassociation timeout interval(s)

Timeout period for reassociation. The default value is 1 second.

Device-pipe synergy roaming

Whether to enable device-pipe collaborative roaming. This function is disabled by default.

Service assurance mode

• Performance first
• Reliability first

Mobile game acceleration

Whether to enable the mobile game acceleration function. The default value is enable.

This function is supported on the following mobile game applications: PlayerUnknown's Battlegrounds (PUBG), PUBG Mobile, Crossfire, Knives Out, Honor of Kings, DNF, Fantasy Westward Journey, League of Legends, Fortnite, and Identity V. After this function is enabled, the uplink and downlink rates will be accelerated for the mobile game applications that support this function.

Suppressing UE power saving

Whether to enable the function of preventing terminals from entering energy-saving mode. After the function is enabled, the terminals consume more power and extra bandwidth. If no terminal unexpectedly enters energy-saving state, you are advised to disable the function. This function is disabled by default.

MU-MIMO

Whether to enable MU-MIMO optimization. In an environment with less interference, the MU-MIMO optimization function meets user requirements for high downlink throughput of APs. This function is enabled by default.

Terminal aging time (minutes)

Time when weak-signal terminals are forced offline. To prevent user experience deterioration when a large number of weak-signal STAs access the network, you can reduce the aging time of these STAs.

SSID-based rate limiting

Limit the uplink or downlink bandwidth of a single SSID.

Static terminal rate limiting

Whether to configure static rate limiting for a single terminal to limit its uplink and downlink bandwidths separately.

If both static and dynamic terminal rate limiting functions are enabled, static terminal rate limiting takes effect.

Dynamic terminal rate limiting

Whether to enable dynamic rate limiting for a single terminal. If this function is enabled, the uplink and downlink bandwidths of each terminal are limited separately. If both static and dynamic terminal rate limiting functions are enabled, static terminal rate limiting takes effect.

Advanced Configuration

IPV6

Whether to enable IPv6 for the SSID.

ACL

Configure ACL-based packet filtering to permit or reject the packets matching ACL rules. You can select an ACL from the drop-down list box.

Application traffic statistics collection

After this function is enabled, APs parse packets from users to collect the network usage statistics about each user application.

APP filtering list

Configure blocking, CAR, and DSCP marking policies for network packets of certain applications.

If you want to learn supported applications in the AP signature database, visit https://support.huawei.com/enterprise/en/doc/EDOC1000183795.

URL filtering

By default, this function is disabled. After enabling this function, configure a URL filtering policy to limit network resources accessed by STAs.

• Blacklist filtering mode: rejects access to the websites in the URL list.
• Whitelist filtering mode: permits access to the websites in the URL list.

IPSEC ACL

Use ACLs to configure IPsec policies to implement priority-based processing of data packets meeting related conditions.

Country/Region

Region where the tenant network belongs. After Region is selected based on the region where the AP is deployed, the AP resets the working channel and power of the radio based on local laws and regulations and adjusts the configurable channel range and power.

Schedule for enabling radio

Time range during which the radio is enabled. The radio is disabled beyond the time range. This improves the network security and saves energy.

If the preconfigured time policy cannot meet flexibility requirements, click . In the displayed window, create a user-defined time template.

Calibration mode

Radio calibration mode. You are advised to use Timing mode and set the optimization time to off-peak hours (for example, 00:00-06:00 at the local time).

• Manual: An AP does not actively perform calibration. Default start time 03:00:00, interval 1440min.
• Automatic: An AP performs calibration based on the configured start time and period.
• Timing: An AP performs calibration at the specified time point.

Calibration policy

The calibration policy takes effect only in automatic radio calibration mode. You are advised to use scheduled optimization and set the optimization time to off-peak hours (for example, 00:00-06:00).

• Rogue AP policy: When rogue APs (out of control by a WAC) exist on a network, set the radio calibration policy to rogue-ap. The device then immediately takes actions to avoid interference. This policy may lead to frequency channel switchovers. You are advised to use this policy under the instruction of technical support personnel.

• Non Wi-Fi policy: When non-Wi-Fi interference occurs on a network, the device immediately takes actions to avoid interference.

• Noise: When the noise floor of APs is high due to special external interference, service experience may deteriorate. With this radio calibration policy, the device takes actions to avoid interference. When detecting that the noise floor of the current channel exceeds the threshold for three consecutive times, an AP notifies the AC of the high noise floor. The AC then allocates another channel to the AP and does not allocate the current channel to the AP in 30 minutes.

AI-powered calibration

This function is enabled by default and takes effect when the system connects to the CampusInsight. If the CampusInsight is not connected, the device automatically uses the original mode for optimization. After the AI optimization function takes effect, the device automatically optimizes the AI algorithm based on the historical data of the device within seven days. If the interference source around the device changes during the day and night, this function has good optimization effect.

RF mode

Radio mode of the AP.

2.4GHz

DCA channel set (20MHz)

Channel set used by an AP to transmit wireless signals at the 2.4 GHz frequency band. To reduce AP co-channel or adjacent-channel interference, the system selects a channel from the channel set based on the neighbor relationship between APs and allocates a channel to each AP based on Dynamic Channel Allocation (DCA).

• 1,6,11
• 1,5,9,13

GI mode

Set the guard interval (GI) mode. This parameter is valid for APs running V200R009C00 or a later version.

• Default: The default value is used.

• short: short GI (400 ns)
• normal: normal GI (800 ns)

TPC cap threshold calibration (dBm)

Transmit power range after radio calibration is completed, in dBm. The default value is 9 dBm to 127 dBm.

If the lower threshold is too low, the power may be low and cannot meet radio coverage requirements after radio calibration is performed. If the upper threshold is too high, the power may be high and interferences occur between APs after radio calibration is performed.

TPC floor threshold calibration (dBm)

Access user count limit

Set the maximum number of STAs that can access the AP on the 2.4 GHz frequency band. The default value is 64.

Access threshold policy:

• New users are not allowed to access the network.

  When the number of STAs connected to the RF reaches the threshold, new users are not allowed to access the network.

• New users are not allowed to access the network and the SSID is hidden.

  When the number of STAs connected to a radio reaches the threshold, new STAs are not allowed to access the network, and all SSIDs of the radio are automatically hidden.

• VIP users preferentially access the network.

  When the number of terminals connected to the RF reaches the threshold, VIP users preferentially access the network and replace common users. You need to authorize VIP users on the Admission > User Admission > Admission Policy > Authentication Rule page.

Upper threshold of access users

Access threshold policy

Radio coverage threshold

Transmit Power Control (TPC) threshold, in dBm. The default value is -60 dBm.

The threshold is adjusted based on the AP deployment height and distance to achieve optimal coverage after radio calibration is performed. A higher threshold indicates higher power adjusted by TPC.

Multicast transmit rate

The configured multicast transmit rate must be in the basic rate set or supported rate set, and supported by the STA. Otherwise, the STA cannot receive multicast data.

Base rate (Mbit/s)

2.4 GHz.

Support rate (Mbit/s)

2.4 GHz.

Kick off weak-signal terminals

Whether to kick off weak-signal terminals. After this function is enabled, APs kick off detected weak-signal terminals.

Scene

After Kick off weak-signal terminals is enabled, APs check connected terminals based on Signal-to-noise Ratio Threshold and Detection Cycle.

• If Scene is set to Normal or High Density, values are predefined for Signal-to-noise Ratio Threshold and Detection Cycle on iMaster NCE-Campus. Therefore, you do not need to configure them again. You can select a scene as required.
• If Scene is set to User-defined, you need to manually specify Signal-to-noise Ratio Threshold and Detection Cycle.
  NOTE:

  The SNR threshold for AirEngine series devices is affected by the device version.

  • In V200R019C00 and earlier versions, the value ranges from 5 to 25.
  • In versions later than V200R019C00, the value ranges from 5 to 45.

Signal-to-noise Ratio Threshold (dB)

Detection Cycle (ms)

Dual-band dynamic adjustment

Whether to enable dual-band dynamic adjustment. This function is disabled by default.

Interference rate environment deterioration threshold

The environment deteriorates if the interference rate exceeds the threshold.

Number of times that the threshold is exceeded

Number of times that the interference rate exceeds the threshold.

Redundant 2.4G radio adjustment mode

Processing mode of the redundant radio. This parameter is valid only when Dynamic switch frequency is set to On.

• Auto Switch to 5G: The redundant 2.4G radio is automatically switched to the 5G radio. If no channel is available on the 5G radio or the current radio cannot switch to the 5G radio, switch to the monitor mode.
• Auto 2.4G Shutdown: The redundant 2.4G radio is automatically shut down.

Ultimate power

If obstacles exist or signals are not covered, the signals with higher power are used to implement signal coverage.

• Auto
• Enable
• Disable

Bandwidth reservation ratio for VIPs

Ratio of the bandwidth reserved for VIP users. This parameter is configured to guarantee the bandwidth for VIP users. The air interface bandwidth reservation algorithm for VIP users is implemented based on RU allocation in downlink and uplink OFDMA transmission mode. This algorithm evaluates the spectrum resources required by users in real time and reserves or allocates spectrum resources for VIP users to meet their service requirements.

• When the option Normal is selected, there are four bandwidth guarantee modes available: Disable, Default mode (20%), Enhanced mode (50%), and Extreme mode (100%). You can select a mode as needed.
• When the option User-defined is selected, you need to manually configure the bandwidth reservation ratio for VIP users. The default value is 20%.

5GHz

Calibration bandwidth

DCA channel bandwidth used by an AP to transmit wireless signals at the 5 GHz frequency band. A higher-bandwidth channel indicates a higher transmission rate.

Channel set

Channel set used by an AP to transmit wireless signals at the 5 GHz frequency band. To achieve optimal calibration, use three or more than three optional channels.

Basic rate (Mbit/s)

5 GHz base rates.

Supported rate (Mbit/s)

5 GHz supported rates.

GI mode

Set the guard interval (GI) mode. This parameter is valid for APs running V200R009C00 or a later version.

• Default: The default value is used.

• short: short GI (400 ns)
• normal: normal GI (800 ns)

TPC cap threshold calibration (dBm)

Transmit power range after radio calibration is completed, in dBm. The default value is 12 dBm to 127 dBm.

If the lower threshold is too low, the power may be low and cannot meet radio coverage requirements after radio calibration is performed. If the upper threshold is too high, the power may be high and interferences occur between APs after radio calibration is performed.

TPC floor threshold calibration (dBm)

Access user count limit

Set the maximum number of STAs that can access the AP on the 5 GHz frequency band. The default value is 64.

Access threshold policy:

• New users are not allowed to access the network

  When the number of STAs connected to the RF reaches the threshold, new users are not allowed to access the network.

• New users are not allowed to access the network and the SSID is hidden

  When the number of STAs connected to a radio reaches the threshold, new STAs are not allowed to access the network, and all SSIDs of the radio are automatically hidden.

• VIP subscribers preferentially access the network

  When the number of terminals connected to the RF reaches the threshold, VIP users preferentially access the network and replace common users. You need to authorize VIP users on the Admission > User Admission > Admission Policy > Authentication Rule page.

Upper threshold of access users

Access threshold policy

Radio coverage threshold

Transmit Power Control (TPC) threshold, in dBm. The default value is -60 dBm.

The threshold is adjusted based on the AP deployment height and distance to achieve optimal coverage after radio calibration is performed. A higher threshold indicates higher power adjusted by TPC.

A-MSDU

Enable the MAC Protocol Data Unit (MPDU) aggregation function.

Maximum number of subframes

Maximum number of subframes that can be aggregated into an A-MSDU at one time.

Multicast transmit rate

Configure the maximum length of an A-MPDU.

Kick off weak-signal terminals

Whether to kick off weak-signal terminals. After this function is enabled, APs kick off detected weak-signal terminals.

Scene

After Kick off weak-signal terminals is enabled, APs check connected terminals based on Signal-to-noise Ratio Threshold and Detection Cycle.

• If Scene is set to Normal or High Density, values are predefined for Signal-to-noise Ratio Threshold and Detection Cycle on iMaster NCE-Campus. Therefore, you do not need to configure them again. You can select a scene as required.
• If Scene is set to User-defined, you need to manually specify Signal-to-noise Ratio Threshold and Detection Cycle.

Signal-to-noise Ratio Threshold (dB)

Detection Cycle (ms)

Interference rate environment deterioration threshold

The environment deteriorates if the interference rate exceeds the threshold.

Number of times that the threshold is exceeded

Number of times that the interference rate exceeds the threshold.

Ultimate power

If obstacles exist or signals are not covered, the signals with higher power are used to implement signal coverage.

• Auto
• Enable
• Disable

Bandwidth reservation ratio for VIPs

Ratio of the bandwidth reserved for VIP users. This parameter is configured to guarantee the bandwidth for VIP users. The air interface bandwidth reservation algorithm for VIP users is implemented based on RU allocation in downlink and uplink OFDMA transmission mode. This algorithm evaluates the spectrum resources required by users in real time and reserves or allocates spectrum resources for VIP users to meet their service requirements.

• When the option Normal is selected, there are four bandwidth guarantee modes available: Disable, Default mode (20%), Enhanced mode (50%), and Extreme mode (100%). You can select a mode as needed.
• When the option User-defined is selected, you need to manually configure the bandwidth reservation ratio for VIP users. The default value is 20%.

General parameters

Beacon interval (TUs)

Interval at which an AP sends Beacon frames. The default value of 100 ms is recommended.

An AP sends Beacon frames at intervals to notify STAs of an existing 802.11 network. After an STA receives a Beacon frame, it can modify parameters used to connect to the 802.11 network.

A long interval for sending Beacon frames lengthens the dormancy time of STAs, while a short interval for sending Beacon frames increases air interface costs.

RTS-CTS mode

Working mode of Request To Send/Clear To Send (RTS-CTS). RTS-CTS prevents data transmission failures caused by channel conflicts. The default value cts-to-self is recommended.

• cts-to-self: The sender notifies neighboring devices of stopping data sending before data transmission. This mode uses a small network cost to prevent data transmission conflicts. This mode applies to most application environments.
• rts-cts: The sender and receiver notify neighboring devices of stopping data sending before data transmission. This mode can better prevent conflicts, but the network cost is high. Excess advertisement frames may occupy the channel bandwidth.
• disable: Advertisement packets are not sent before data transmission. Data transmission may fail due to conflicts.

Airtime fair scheduling

Airtime fair scheduling preferentially schedules users who occupy the channel for a short time. In this way, each user is assigned equal time to occupy the channel, ensuring fairness in channel usage. By default, this function is enabled.

Packet-based power control

Packet-based power control technology detects the signal strength of STAs in real time to conserve energy. If an AP detects that the signal strength of a STA is strong (for example, the STA is close to the AP), the AP reduces its transmit power when sending packets. If an AP detects that the signal strength of a STA is weak (for example, the STA is far away from the AP), the AP uses the normal transmit power to send radio signals. By default, this function is enabled.

Beamforming

Beamforming can enhance signals at an angle (for target users), attenuate signals at another angle (for non-target users or obstacles), and control the signal transmission direction and coverage area. By default, this function is disabled.

Load balance

In scenarios where APs are close to each other and there is a high degree of overlap between APs' coverage ranges, you can configure load balancing to evenly distribute user traffic to different APs and ensure wireless network experience of each STA. When a STA attempts to connect to a WLAN, the AP that receives the access request of the AP evaluates the current load based on the number of online STAs and its maximum capability. If the load is much higher than the average load of a neighboring AP in the same AP group, the AP rejects the access request.

Smart roaming

Enables smart roaming.

When STAs connected to an AP have weak signals, their network access rates are low. In this situation, if many low-rate STAs connect to the AP, air interface occupation time of other STAs is reduced. As a result, the AP throughput decreases, degrading user experience. To prevent this situation, configure forced logout of weak-signal STAs. When detecting that the SNR or access rate of a STA is lower than the specified threshold, the AP sends a Disassociation packet to the STA to force the STA offline so that the STA can reconnect to the WLAN. After enabling smart roaming and configuring the smart roaming threshold, APs forcibly disconnect STAs with SNR or access rate lower than the threshold.

Scan duration (ms)

Duration during which an AP continuously scans the air interface. The AP continuously scans surrounding radio signals during the duration. After the scanning is complete, the AP sends collected information to iMaster NCE-Campus for radio calibration and spectrum analysis.

A longer scanning time indicates more collected data and more accurate data analysis result. However, scanning for a long time consumes too many system resources, which may affect normal services. Therefore, you are advised to use the default value of 60 ms.

Scan interval (ms)

Interval at which an AP scans the air interface. The default value of 10000 ms is recommended.

Channel to scan

Channel set where an AP scans the air interface. The default value is Channel in region.

• Channel in region: scans all channels supported by the selected country code in region.
• Calibration Channel: scans all channels in the calibration channel set.
• Working Channel: scans only the current working channel.

WMM

Whether to enable the Wi-Fi Multimedia (WMM) function.

Channel contention parameters

WMM classifies packets into four access categories (ACs): AC_VO (voice), AC_VI (video), AC_BE (best effort), and AC_BK (background). Each AC queue defines a set of EDCA parameters, which determine the capability of occupying channels. These parameters ensure that a higher-priority AC queue has a higher probability to preempt channels than a lower-priority AC queue.

EDCA parameters are as follows:

• Arbitration interframe spacing number (AIFSN): determines the channel idle time. A larger AIFSN value indicates a longer channel idle time and a lower priority.
• Exponent form of CWmin (ECWmin): A larger value indicates a lower priority. The value of ECWmin must be smaller than that of ECWmax.
• Exponent form of CWmax (ECWmax): A larger value indicates a lower priority.
• Transmission opportunity limit (TXOPLimit): determines the maximum duration in which a STA can occupy a channel. A larger value indicates a longer duration.

ACK policy:

• Normal ACK: The receiver must return an ACK frame each time it receives a unicast packet.
• No ACK: The receiver does not need to return ACK frames after receiving packets. This mode is applicable to environments with high communication quality and little interference.

Dynamic BE optimization

Dynamic optimization of the Best Effort (BE) service. After this function is enabled, the AP dynamically reduces the air interface resources consumed by terminals based on the number of access users by using algorithm. This saves more resources for the BE service, improving user experience. In the BE service, packets arriving first are forwarded first. However, the BE service does not ensure the delay, jitter, packet loss rate, or reliability of transmission.

BE optimization threshold (packets/second)

Threshold for BE optimization algorithm. You are advised to retain the default value.

Multimedia dynamic optimization

After this function is enabled, the AP dynamically reduces the air interface resources consumed by terminals based on the number of access users by using algorithm. This saves more resources for audio and video applications, improving user experience.

Audio optimization threshold (packets/second)

Optimization thresholds for audio and video applications. You are advised to retain the default value.

Video optimization threshold (packets/second)

Scene

This parameter is displayed when both Dynamic BE optimization and Multimedia dynamic optimization are disabled.

Set the WMM parameter based on the network requirements to enable high-priority data packets to occupy wireless channels, namely, adjusting the forwarding priority of video and voice service traffic. To make the WMM function take effect, you need to enable the WMM function switch among the radio parameters. The options of this parameter are as follows:

• Default: No priority is assigned.
• Voice: Priority is assigned to voice service traffic.
• Voice and Video: Priority is assigned to voice and video service traffic.

Radio status

Whether the radio status is enabled. By default, the radio is enabled.

Frequency bandwidth

Working bandwidth. The default value is 20mhz.

• Calibration Bandwidth
• 20mhz
• 40mhz-plus
• 40mhz-minus
• 80mhz (for 5GHz radio only)
• 80+80mhz (For 5 GHz radio only. For a three-radio AP, the second 5G radio is a low-frequency radio, and therefore does not support the bandwidth.)

Automatic channel selection

When Frequency bandwidth is set to Calibration Bandwidth, the channel is automatically selected.

Channel

Frequency band over which radio signals are transmitted. To prevent signal interference, ensure that adjacent APs work in non-overlapping channels. To avoid radio interference, it is recommended that non-overlapping channels (such as channels 1, 6, and 11) be planned for neighboring APs at 2.4 GHz frequency band.

Automatic bandwidth selection

(For 5G radio only) When Frequency bandwidth is set to Calibration Bandwidth, the radio bandwidth can be dynamically adjusted without being restricted by the existing calibration bandwidth.

Automatic power selection

Whether to enable automatic power selection. When this function is disabled, the transmit power can be manually adjusted.

Transmit power level

Transmit power of a radio. The transmit power must ensure that radio signals meet network requirements and the quality of radio signals is improved.

Antenna gain

The antenna gain is used to measure the antenna's capability to transmit and receive signals at a specified direction. A higher antenna gain indicates a longer signal transmission distance. The value is the actual gain of an antenna used by an AP.

Redundant radio adjustment

(For 2.4G radio only) Whether to enable the redundant radio adjustment function for the 2.4G radio of the current device. After setting this parameter to On, ensure that Dual-band dynamic adjustment in Advanced Settings is set to On. Otherwise, this function does not take effect on the target device.

Detection of brute force key cracking attacks

An AP checks whether the number of key negotiation failures occurring during WPA/WPA2-PSK, WAPI-PSK, or WEP-Share-Key authentication of a user exceeds the threshold (20). If so, the AP considers that the user is using the brute force method to crack the password.

Spoofing attack detection

An AP checks whether the source MAC address of a packet is its MAC address when receiving broadcast Disassociation packets or Deauthentication packets. If so, the AP considers that the WLAN is under the spoofing attack of Disassociation or Deauthentication packets.

Rogue device detection

An AP can detect information about wireless devices in its coverage range, and determines accordingly whether rogue devices exist on the WLAN.

Flood attack detection

An AP monitors the traffic volume of each STA to prevent flooding attacks. If the traffic volume of an STA exceeds the threshold (for example, the AP receives more than 100 packets from an STA within 1 second), the AP considers this STA to be flooding packets.

Weak IV detection

An AP checks whether a packet carries a weak IV (whose first byte value is in the range from 3 to 15 and second byte value is 255).

Defense using dynamic blacklist

If detecting a user flooding packets or using the brute force method to crack passwords, an AP adds the user to the dynamic blacklist and discards all packets of the user until the dynamic blacklist entry expires (after 10 minutes).

Manual containment

An AP takes countermeasures against rogue devices based on the device types (AP or STA).

Fake AP containment

An AP uses the MAC address of a fake AP to broadcast Deauthentication packets to take countermeasures against the fake AP, preventing STAs from connecting to the fake AP again.

Ad-hoc device containment

An AP uses the MAC address of an ad-hoc device to continuously send unicast Deauthentication packets, disconnecting rogue devices.

Open device containment

An AP uses the MAC address of a rogue AP using open authentication to broadcast Deauthentication packets to counter the rogue AP, preventing STAs from connecting to the rogue AP again.

STA protection

An AP uses the MAC address of a rogue AP connected to protected STAs to continuously send unicast Deauthentication packets, disconnecting the rogue AP.

MAC whitelist

If a rogue AP is detected but matches the authorized AP list, the AP is considered authorized and will not be contained. This parameter is valid when Rogue device detection is enabled.

OUI whitelist

SSID whitelist

MAC address list for manual device containment

MAC addresses of rogue devices that are specified manually for containment. This parameter is valid when Manual device containment is enabled.

Alternatively, you can choose AP > Security under Monitor > Health > Devices 360 menu, access the Risky Device Detection tab page, and click Add Manual Contain to add target devices to this list.

Spoofing SSID rule list

Specifies the regular expression for an SSID. If an SSID matches the regular expression, the SSID is considered a spoofing one. This parameter is valid when Rogue device detection is enabled.

MAC address list for terminal protection

MAC addresses of authorized STAs that need to be protected from getting connected to rogue APs. This parameter is valid when Terminal protection is enabled.

Abnormalities

An attacker sends malformed IP packets to the target system. Then the system may crash when processing such packets.

Packet fragments

An attacker sends a large number of fragmented packets to the target system to consume memory resources of the target system. As a result, the target system cannot respond to normal IP packets.

ICMP flood

An attacker sends a large number of ICMP packets to the attack target within a short period of time, exhausting sessions of network devices and leading to network breakdown. Attacks of oversized ICMP packets will also result in congestion of network links.

TCP SYN

An attacker sends a large number of packets with forged IP addresses to the target system, so the target system cannot reply packets to the correct destination addresses, exhausting host resources.

UDP flood

An attacker sends a large number of UDP packets to the target system in a short period of time and requests for responses. The target system then is overloaded and cannot process valid tasks.

MAC Address

Unique code of a terminal address.

VLAN ID

Code of a virtual local area network (VLAN).

Interface Name

AP interface. A combination of the same MAC address and Vlan ID can be bound to only one interface.

Binding type

(Optional) Use either of the following policies to control STA access to APs. Broadcast, multicast, or all-0 MAC addresses or OUIs are not supported. You can configure up to 2048 records.

• Not Bound
• Blacklist (Not allowed to pass)
• Whitelist (Allowed to pass)

ALL

Whether to enable rate limit for all broadcast packets and IGMP multicast packets on an AP.

ARP

Whether to enable rate limit for ARP broadcast packets on an AP.

ND

Whether to enable rate limit for ND broadcast packets on an AP.

IGMP

Whether to enable rate limit for IGMP multicast packets on an AP.

DHCP

Whether to enable rate limit for DHCP broadcast packets on an AP.

DHCPv6

Whether to enable rate limit for DHCPv6 broadcast packets on an AP.

mDNS

Whether to enable rate limit for mDNS multicast packets on an AP.

Other-broadcast

Whether to enable rate limit for broadcast packets other than ARP, ND, DHCP and DHCPv6 packets on an AP.

Other-multicast

Whether to enable rate limit for multicast packets other than IGMP and mDNS packets on an AP.

Port type

-

Type of the interface on an IoT card connecting to an IoT AP. For cards, the Serial Port and Ethernet Port options are supported; for USBs, only the Serial Port option is supported.

Serial Port

Communication protocol

Protocol and port for communication between an IoT card and the IoT server.

Communication port

Trusted host address

When an AP functions as a server to receive data, the AP communicates only with trusted clients. If this parameter is left empty, connection establishment and configuration delivery are allowed between the AP and any reachable client on the network.

The value is the combination of a unicast IP address and a mask, for example, 192.168.0.1/24.

Shared key

(Only involved in TCP) Key used for encrypting packets between an AP and the IoT server, which improves the data communication security. To ensure the security, you are advised to use a key containing at least two types of lower-case letters, upper-case letters, digits, and special characters.

IoT server

Address and port of the IoT server. If multiple IoT servers are configured, at least one of the address and port must be different between two servers.

Port

Ethernet Port

Administrative status

Whether to enable the IoT card function.

Default VLAN

Default VLAN on the network interface of an AP for communication between the AP and an IoT card. The IoT card automatically obtains an IP address from the DHCP address pool of the default VLAN for external communication.

Broadcast

Broadcast

Whether to enable the broadcast function of a Bluetooth module. If no independent BLE device is deployed on the network, you need to enable the broadcast function of the built-in Bluetooth module of an AP.

Transmit power (dBm)

Transmit power of the built-in Bluetooth module of an AP. Set the parameter according to the planning, and then fine-tune the parameter on site.

The options are -21, -18, -15, -12, -9, -6, -3, 0, 1, 2, 3, 4, and 5, in dBm. The default value is 0.

RSSI calibration value (dBm)

RSSI value of a Bluetooth Low Energy (BLE) device measured at a distance of 1 m. It is used to estimate the distance between the BLE device and Bluetooth-capable STAs. Set the parameter according to the planning, and then fine-tune the parameter on site.

The value is an integer that ranges from -97 to -50, in dBm. The default value is -65.

Broadcast interval (ms)

Interval for an AP's built-in Bluetooth module to send BLE advertising packets. Set the parameter according to the planning, and then fine-tune the parameter on site.

The value is an integer that ranges from 100 to 10240, in milliseconds. The default value is 400.

UUID in broadcast packets

Value of the UUID parameter (hexadecimal type) in a BLE broadcast frame, which is the unique identifier of a BLE device. Set this parameter based on UUIDs provided by third-party vendors. The vendors can identity their devices using the UUID. For example, a Bluetooth tracker vendor provides a UUID value, and an AP identifies Bluetooth STAs based on the UUID.

Major value in broadcast packets

Value of the Major parameter in a BLE broadcast frame, in hexadecimal notation. This field specifies a major group and is combined with the Minor field to define information about a BLE device, for example, location of a BLE device.

Set this parameter based on values provided by third-party vendors. For example, a Bluetooth tracker vendor that provides a large business volume will provide different UUIDs in different areas. If a separate UUID is set for Jiangsu in China, you need to set this parameter to China.

Minor value in broadcast packets

Value of the Minor parameter in a BLE broadcast frame, in hexadecimal notation. This field specifies a minor group and is combined with the Major field to define information about a BLE device, for example, location of a BLE device.

Set this parameter based on values provided by third-party vendors. For example, a Bluetooth tracker vendor that provides a large business volume will provide different UUIDs in different areas. If a separate UUID is set for Jiangsu in China, you need to set this parameter to Jiangsu.

Monitoring

Monitoring

Whether to enable the Bluetooth monitoring function of an AP's built-in Bluetooth module.

Monitoring mode

• iBeacon: Bluetooth Terminal location.
• Tag: Bluetooth tag location function.
• Transparent: Bluetooth data transparent transmission.

Data report

Whether to enable APs to report Bluetooth location packets.

• Enable the data reporting function when configuring Bluetooth tag location. After the data reporting function is enabled, the Bluetooth tag information and alarms indicating that Bluetooth tags go offline will be reported to the location server.
• Enable the data reporting function when configuring Bluetooth data transparent transmission. After the data reporting function is enabled, the Bluetooth client information will be reported to the location server.
• Enable the data reporting function when configuring Bluetooth terminal location. This function is required only when APs report device locations to the location server.

Data report mode

Mode for an AP to report Bluetooth location packets. If Bluetooth location packets are reported by APs upon receipt, the location accuracy is higher, but the AP performance is affected.

Data report interval (s)

Interval for an AP to report Bluetooth location packets when Data report mode is set to Periodic. The unit is second, and the default value is 10.

Server address

Destination and port number for an AP to send Bluetooth location packets.

Server port

Policy name

Name that uniquely identifies an IPsec policy. You are advised to set this parameter to the IP address or domain name of the peer device.

Peer IP or domains

IP address of the peer device. Only one IPsec policy can be created for an IP address. Otherwise, the IPsec tunnel fails to be established.

Local ID

Type and value of the local ID, used for identity authentication during IKE negotiation.

• IP: The IP address of the local IPsec tunnel interface is used as the local ID.
• FQDN: The fully qualified domain name (FQDN) is used as the local ID.

Encryption ACL

Click Add to create a local ACL rule, and click Submit to save the ACL rule.

• Encryption ACL: defines packets that need to be encrypted and transmitted through the IPsec tunnel.

  If Policy is set to Permit, packets are transmitted through the IPsec tunnel. Otherwise, packets do not enter the IPsec tunnel.

• Filtering ACL: filters packets again after packets are filtered based on the encryption ACL. Packets that do not match the filtering ACL are not transmitted through the IPsec tunnel.

Filtering ACL

IPSec template

-

Click +, set IKE Parameters and IPSec Parameters, and click Save to save the current template.

IKE Parameters

IKE version

IKE protocol version number used by an IKE peer. The value on the local device must be the same as that on the peer device. IKEv2 with higher security, better extensibility, and higher negotiation efficiency is recommended. If IKEv1 is used, Negotiation mode must be set to the same value on the local and peer devices.

Encryption algorithm

Algorithm used to encrypt and decrypt IP packets. A longer key indicates higher security but slower encryption speed.

The algorithms are listed as follows from the highest security level to the lowest security level: AES-256, AES-192, AES-128, 3DES, and DES. You are not advised to use the insecure algorithms DES and 3DES.

Negotiation mode

Negotiation mode in the IKEv1 phase (for IKEv1 only).

• Main: This mode provides identity protection. The peer ID must be an IP address.
• Aggressive: This mode has higher negotiation speed, but does not provide identity protection. The peer ID can be an IP address or a name.

Authentication algorithm

Authentication algorithm used in IKEv1 negotiation (for IKEv1 only).

The algorithms are listed as follows from the highest security level to the lowest security level: SHA2-512, SHA2-384, SHA2-256, SHA1, and MD5. You are not advised to use the insecure algorithms MD5 and SHA1.

Integrity algorithm

Integrity algorithm used in IKEv2 negotiation (for IKEv2 only).

The algorithms are listed as follows from the highest security level to the lowest security level: SHA2-512, SHA2-384, SHA2-256, AES-XCBC-96, SHA1, and MD5.

You are not advised to use the insecure algorithms MD5 and SHA1.

PRF

Pseudo-random function (PRF) algorithm used in IKEv2 negotiation (for IKEv2 only).

The algorithms are listed as follows from the highest security level to the lowest security level: SHA2-512, SHA2-384, SHA2-256, AES-XCBC-96, SHA1, and MD5.

You are not advised to use the insecure algorithms MD5 and SHA1.

DH group

Diffie-Hellman (DH) group used in IKE phase-1 key negotiation. The DH group is used to calculate the shared key, preventing packets from being cracked.

The DH groups are listed as follows from the highest security level to the lowest security level: group16, group15, group14, group5, group2, and group1. You are not advised to use the insecure group1, group2, and group5.

SA timeout interval (s)

IKE SA lifetime, for periodic IKE SA update to reduce risks of SA cracking and improve security. If an IKE SA times out, a new IKE SA needs to be negotiated. It is recommended that you set this parameter to a value greater than 600s.

IPSec Parameters

Encapsulation mode

Encapsulation mode in which fields related to AH or ESP are inserted into the original IP packets based on certain rules to authenticate and encrypt packets. Compared with the transport mode, the tunnel mode has higher security but occupies more bandwidth.

Security protocol

Protocol used to encapsulate and transmit data packets. AH and ESP have their own advantages and disadvantages. AH-ESP is recommended in scenarios with high security requirements.

• AH: authenticates packets only.

  The authentication algorithms are listed as follows from the highest security level to the lowest security level: SHA2-512, SHA2-384, SHA2-256, SHA1, and MD5. You are not advised to use the insecure algorithms MD5 and SHA1.

• ESP: encrypts or authenticates packets.

  The encryption algorithms are listed as follows from the highest security level to the lowest security level: AES-256, AES-192, AES-128, 3DES, and DES. You are not advised to use the insecure algorithms DES and 3DES.

  The authentication algorithms are listed as follows from the highest security level to the lowest security level: SHA2-512, SHA2-384, SHA2-256, SHA1, and MD5. You are not advised to use the insecure algorithms MD5 and SHA1.

• AH-ESP: uses both AH and ESP protocols to encapsulate packets. Packets are encapsulated using ESP and then AH.

PFS

Perfect forward secrecy (PFS) used when the local end initiates negotiation. An addition DH exchange is performed during negotiation of a child SA in IKEv1 phase 2 or IKEv2 to ensure security of the IPsec SAs and improve communication security. You are not advised to use the insecure group1, group2, and group5.

IPSec SA Aging

SA lifetime, for periodic SA update to reduce risks of SA cracking and improve security. The current SA becomes invalid if either of the following times out. IKE will negotiate a new SA for to the peer to protect IPsec communication.

• Time-based: indicates the SA lifetime.
• Flow-based: indicates the maximum traffic volume that an SA can process. It is recommended that the ratio of the value to bandwidth be larger than or equivalent to 3600s.

DPD

-

Whether dead peer detection (DPD) is enabled. After this function is enabled, an IKE peer detects whether the peer is alive through DPD messages.

Detection mode

• Send if necessary: If the local end does not receive any packet from the peer within the specified period, it sends a DPD packet to check whether the peer is available.
• Send periodically: If the local end does not receive any packet from the peer for a long time, it sends DPD packets periodically to check whether the peer is available.

Load sequence

• hash-notify
• notify-hash

Detection interval (s)

Interval for sending DPD packets. When there are a large number of IPsec tunnels, you need to set this parameter to a larger value to prevent performance deterioration caused by frequent exchange of DPD packets.

Retransmission interval (s)

Interval at which DPD packets are retransmitted.

Key

The authentication key on two ends of an IPsec tunnel must be the same. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the SA cannot be set up.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

Default VLAN

VLAN that the network interface joins by default.

Allowed VLAN

VLAN allowed by the network interface.

When you click Add to add VLAN IDs, you can specify different VLANs packets that can pass through the AP based on labels. If VLAN ID is empty, the APs specified by the corresponding AP label allow packets from all VLANs to pass. You need to configure the AP label as follows:

1. Choose AP > AP under Monitoring > Health > Devices 360 menu.
2. Select the device to be labeled and click Add Tag.
3. In the displayed window, add a new or existing label to the selected AP.

MAC limit

MAC address limiting on an AP limits the number of STAs connected to the AP. MAC address limiting can prevent network attacks. After the maximum number of MAC addresses is reached, the AP will reject access requests of subsequent STAs. In this case, services may be affected.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

Binding check

Whether to enable Dynamic ARP Inspection (DAI), IP Source Guard (IPSG), and DHCP snooping on the network interface. By default, these functions are not enabled.

• DAI: compares the source IP address, source MAC address, interface number, and VLAN ID in ARP packets against the binding table, and identifies and discards suspicious ARP packets to prevent network attacks.
• IPSG: compares the source IP address, source MAC address, interface number, and VLAN ID in IP packets against the binding table, and identifies and discards suspicious IP packets to prevent network attacks.
• DHCP snooping: ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Network connection mode

• Layer 2 forwarding: The AP functions as a Layer 2 forwarding device. The VLAN ID must be set to the VLAN ID of the network interface on the switch connected to the WAN interface.
• NAT: The AP functions as a Layer 3 gateway. STAs access the public network using NAT, and the AP assigns IP addresses to STAs dynamically. By default, STAs automatically obtain IP addresses in the range from 10.1.1.2 to 10.1.1.254 and belong to VLAN 3911. You can adjust the DHCP address pool and VLAN ID as needed. For details, see Configuring DHCP.

VLAN ID

This parameter is available only when the AP serves as a Layer 2 forwarding device. The value must be the same as the VLAN ID of a switch interface connected to the uplink network interface.

Terminal's rate limit (Mbps)

Rate limit for uplink STAs.

ACL

The ACL permits STAs to access or prevents STAs from accessing specified resources based on the destination IP address, protocol type, and interface number.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

POE

Whether to enable PoE power supply on the downlink network interface to perform power-on or power-off operations over the distributed AP that is directly connected to the network interface.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

Binding check

Whether to enable Dynamic ARP Inspection (DAI), IP Source Guard (IPSG), and DHCP snooping on the network interface. By default, these functions are not enabled.

• DAI compares the source IP address, source MAC address, interface number, and VLAN ID in ARP packets against the binding table, and identifies and discards suspicious ARP packets to prevent network attacks.
• IPSG compares the source IP address, source MAC address, interface number, and VLAN ID in IP packets against the binding table, and identifies and discards suspicious IP packets to prevent network attacks.
• DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Network connection mode

• Layer 2 forwarding: The AP functions as a Layer 2 forwarding device. The VLAN ID must be set to the VLAN ID of the network interface on the switch connected to the WAN interface.
• NAT: The AP functions as a Layer 3 gateway. STAs access the public network using NAT, and the AP assigns IP addresses to STAs dynamically. By default, STAs automatically obtain IP addresses in the range from 10.1.1.2 to 10.1.1.254 and belong to VLAN 3911. You can adjust the DHCP address pool and VLAN ID as needed. For details, see Configuring DHCP.

VLAN ID

This parameter is available only when the AP serves as a Layer 2 forwarding device. The value must be the same as the VLAN ID of a switch interface connected to the uplink network interface.

Terminal's rate limit (Mbit/s)

Rate limit for uplink STAs.

ACL

The ACL permits STAs to access or prevents STAs from accessing specified resources based on the destination IP address, protocol type, and interface number.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

VLAN ID

VLAN that the network interface joins by default.

Allowed VLAN

VLAN allowed by the network interface.

MAC limit

MAC address limiting on an AP limits the number of STAs connected to the AP. MAC address limiting can prevent network attacks. After the maximum number of MAC addresses is reached, the AP will reject access requests of subsequent STAs. In this case, services may be affected.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

VLAN ID

VLAN that the network interface joins by default.

Allowed VLAN

VLAN allowed by the network interface.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

Default VLAN

VLAN that the network interface joins by default.

Allowed VLAN

VLAN allowed by the network interface.

When you click Add to add VLAN IDs, you can specify different VLANs packets from which are allowed to pass based on the AP labels. If VLAN ID is empty, the APs specified by the corresponding AP label allow packets from all VLANs to pass. You need to configure the AP label as follows:

1. Choose AP > AP under Monitoring > Health > Devices 360 menu.
2. Select the device to be labeled and click Add Tag.
3. In the displayed window, add a new or existing label to the selected AP.

Administrative status

Whether to enable the network interface. If the value of this parameter is set to OFF, the network interface will be unavailable. Exercise caution when performing this operation.

LLDP

An LLDP-enabled device sends LLDP packets containing its own status information to neighbors that have LLDP enabled, and collects the status information about these neighbors. Enable this function when you need to know the Layer 2 connection status between devices and analyze the network topology through the NMS. The default value is ON.

Frequently enabling or disabling LLDP globally may cause service data delivery failures. The interval between two consecutive LLDP operations must be longer than 10s.

The configuration takes effect only when LLDP is also enabled in the Other area on the Site > Service Parameters page.

Binding check

Whether to enable Dynamic ARP Inspection (DAI), IP Source Guard (IPSG), and DHCP snooping on the network interface. By default, these functions are not enabled.

• DAI compares the source IP address, source MAC address, interface number, and VLAN ID in ARP packets against the binding table, and identifies and discards suspicious ARP packets to prevent network attacks.
• IPSG compares the source IP address, source MAC address, interface number, and VLAN ID in IP packets against the binding table, and identifies and discards suspicious IP packets to prevent network attacks.
• DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Network connection mode

• Layer 2 forwarding: The AP functions as a Layer 2 forwarding device. The VLAN ID must be set to the VLAN ID of the network interface on the switch connected to the WAN interface.
• The AP functions as a Layer 3 gateway. STAs access the public network using NAT, and the AP assigns IP addresses to STAs dynamically. By default, STAs automatically obtain IP addresses in the range from 10.1.1.2 to 10.1.1.254 and belong to VLAN 3911. You can adjust the DHCP address pool and VLAN ID as needed. For details, see Configuring DHCP.

VLAN ID

This parameter is available only when the AP serves as a Layer 2 forwarding device. The value must be the same as the VLAN ID of a switch interface connected to the uplink network interface.

DHCP enable

Enable DHCP and set DHCP parameters. This parameter is enabled by default.

IP

Default gateway and subnet mask of the DHCP client. The gateway IP address and subnet mask determine the IP address range (DHCP address pool) that DHCP clients may obtain.

Mask

Log records

This switch is turned off by default. When this switch is turned on, it takes effect when the system connects to the CampusInsight. This function is used to record DHCP Server configuration success or failure logs and report the logs to the CampusInsight for data analysis and display.

Third-party URL Filtering

URL filtering by third-party software. After this function is enabled, third-party software can be used to implement URL filtering.

Lease

Lease of an IP address that a DHCP client automatically obtains. After the IP address lease expires, an IP address is assigned again.

Master WINS

Primary and secondary WINS server addresses assigned to a DHCP client.

Slave WINS

Static address binding

Binding between IP addresses and MAC addresses. A fixed IP address is assigned to a DHCP client with a specified MAC address.

VLAN ID

Configuring a VLAN ID. A LAN-side VLAN cannot be a service VLAN in use, and NAT and IPsec users will go offline if this VLAN is modified. The LAN VLAN cannot be the same as the management VLAN. Otherwise, the configuration delivery may fail.

NAT Logs

Whether devices report NAT logs to the Syslog server.

Text log output interval

Interval for sending text logs to the Syslog server, in seconds.

Binary log output

Whether to send binary logs to the Syslog server. After the function is enabled, binary logs are sent to the Syslog server.

Log server address and port

IP address and port of the Syslog server.

Source address for sending logs and source port

IP address of the AP and the port for sending logs. The IP address can be automatically obtained. Therefore, only the port needs to be manually configured.

Name

Name of a Mesh network.

Effective Radio

Radio parameters for Mesh links.

• 2.4G (wlan-radio 0/0/0)
• 5G (wlan-radio 0/0/1)
• 5G (wlan-radio 0/0/2)

Use whitelist

A Mesh whitelist contains MAC addresses of neighboring APs allowed to set up Mesh links with an AP. After this function is enabled, only neighboring APs with MAC addresses in the whitelist can connect to the AP. A maximum of 512 MAC addresses can be configured in the whitelist, and the whitelisted MAC addresses must be unique.

This function is disabled by default. If no Mesh whitelist is configured, APs may establish Mesh links with neighboring APs randomly, wasting limited Mesh link resources. In addition, because there may be rogue neighboring APs, potential security risks exist if no Mesh whitelist is configured.

Scene

Two application scenarios Single MPP and Multiple MPPs can be configured based on the number of MPPs on the Mesh network.

• Single MPP: The Mesh network contains only one MPP.
• Multiple MPPs: The Mesh network contains one or more MPPs.

Members

Device Report Role

AP's role reported to iMaster NCE-Campus after the AP goes online.