No relevant resource is found in the selected language.
MENU
Support Documentation
Wireless Access Controller (AC and Fit AP) V200R019C10 Web-based Configuration Guide
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring an AP to Protect STAs From Obtaining Bogus IP Addresses

Example for Configuring an AP to Protect STAs From Obtaining Bogus IP Addresses

Service Requirements

An enterprise deploys WLAN area to provide WLAN services for users. The enterprise requires that STAs not obtain incorrect IP addresses or fail to communicate even if a bogus DHCP server is deployed on the user side to improve WLAN security.

Networking Requirements

  • AC networking mode: Layer 2 bypass mode
  • DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to APs and STAs.
  • Service data forwarding mode: tunnel forwarding
Figure 3-85 Networking for configuring an AP to protect STAs from obtaining bogus IP addresses

Data planning

Table 3-85 AC data planning
Item Data

Management VLAN for APs

VLAN 100

Service VLAN for STAs

VLAN 101

DHCP server

The AC functions as a DHCP server to assign IP addresses to STAs and APs.

IP address pool for APs

10.23.100.2-10.23.100.254/24

IP address pool for STAs

10.23.101.2-10.23.101.254/24

AC's source interface

VLANIF 100

AP group

  • Name: ap-group1

  • Country code: CHINA

  • Referenced profile: VAP profile wlan-net and AP system profile wlan-net

SSID profile

  • Name: wlan-net

  • SSID name: wlan-net

Security profile

  • Name: wlan-net

  • Security policy: WPA-WPA2+PSK+AES

  • Password: a1234567

VAP profile

  • Name: wlan-net

  • Forwarding mode: tunnel forwarding

  • Service VLAN: VLAN 101

  • Strict IP learning: IPv4

  • Dynamic blacklist of strict IP learning: ON

  • Referenced profile: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure WLAN services.

  2. Configure an AP to protect STAs from obtaining bogus IP addresses to improve network security.

Procedure

  1. Configure the switches and router.

    # Add GE0/0/1 and GE0/0/2 on the switch to VLAN 100 (default VLAN of GE0/0/1).

  2. Configure system parameters for the AC.
    1. Perform basic AC configurations.

      # Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is displayed.

      # Set Country/Region based on actual situations. For example, set Country/Region to China. Set System time to Manual and Date and time to PC.

      # Click Next. The Port Configuration page is displayed.

    2. Configure interfaces.

      # Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service VLAN).

      If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to management VLAN 100.



      # Click Apply. In the dialog box that is displayed, click OK.

      # Click Next. The Network Interconnection Configuration page is displayed.

    3. Configuring network interconnections.

      # Set DHCP status to ON.

      # Click Create under Interface Configuration. The Create Interface Configuration page is displayed.

      # Set the IP address of VLANIF 100 to 10.23.100.1/24.

      # Click Create under DHCPv4 Address Pool List, select Interface address pool and select VLANIF 100.

      # Click OK.

      # Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the interface address pool on VLANIF 101 in the same way. The IP address 10.23.101.2 cannot be assigned.

      Configure the DNS server address as required.

      # Under Static Route Table, click Create. The Create Static Route Table page is displayed.

      # Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to 10.23.101.2.

      # Click OK.

      # Click Next.

      # Click Next. The AC Source Address page is displayed.

    4. Configure the source address for AC.

      # Set AC source address to VLANIF. Click the browse button and select Vlanif100.



      # Click Next. The Confirm Settings page is displayed.

    5. Confirm the configuration.

      # Confirm the configuration and click Continue With AP Online.

  3. Configure APs to go online.
    1. Configure APs to go online.

      # Click Batch Import. The Batch Import page is displayed. Click to download an AP template file to your local computer.



      # Fill in the AP template file with AP information according to the following example. To add multiple APs, fill in the file with information of the APs.
      • AP MAC: 60de-4476-e360
      • AP SN: 210235419610CB002287
      • AP Name: area_1
      • AP Group: ap-group1
      • If you set AP authentication mode to MAC address authentication, the AP's MAC address is mandatory and the AP's SN is optional.
      • If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the AP's MAC address is optional.

      You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude as required.

      # Click next to Import AP File, select the AP template file, and click Import.

      # On the page that displays the template import result, click OK.

      # Click Next. The Group APs page is displayed.

      # AP group information has been added in the AP template file. Click Next. The Confirm Configurations page is displayed.

    2. Confirm the configuration.

      # Confirm the configuration and click Continue With Wireless Service Configuration.

  4. Configure WLAN services.

    # Click Create. The Basic Information page is displayed.

    # Configure the SSID name, forwarding mode, and service VLAN.



    # Click Next. The Security Authentication page is displayed.

    # Set Security settings to Key (applicable to personnel networks), select the AES mode, and set the key.



    # Click Next. The Access Control page is displayed.

    # Set Binding the AP group to ap-group1.

    # Click Finish.

  5. In a VAP profile, configure an AP to protect STAs from obtaining bogus IP addresses.

    # Choose Configuration > AP Config > Profile.

    # Choose Wireless Service > VAP Profile in Profile Management. The VAP Profile List page is displayed.

    # Click the VAP profile wlan-net. The VAP profile configuration page is displayed. Click Advanced Configuration. On IP Services, set IP learning to IPv4, Strict IP learning to ON, and Dynamic blacklist of static IPv4 addresses to ON.

    # Click Apply.

  6. Verify the configuration.

    If a bogus DHCP server is deployed on the user side, APs discard the DHCP OFFER, ACK, and NAK packets sent by the bogus server and report to the AC about the IP address of the bogus DHCP server.

Translation
简体中文
Download
Updated: 2020-09-07

Document ID: EDOC1100156625

Views: 5147

Downloads: 490

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Enterprise APP

Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :