H3C SMB Solution Scenario Best Practices-5W102

  • Released At: 10-04-2024

H3C SMB Solution Scenario Best Practices

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This document provides generic technical information, some of which might not be applicable to your products.



Overview

Cloudnet is a public cloud service of U-Center unified operation and maintenance, designed to provide small and medium-sized enterprises with a low-cost, one-stop solution. Cloudnet services span the entire life cycle of a project, from initial setup and configuration management to later operations and maintenance.

As digital transformation advances, service development requires improved efficiency, making cloud-based management the preferred solution for industries such as chain branches. H3C has launched a series of products that rely on Cloudnet for management and maintenance. Administrators with Cloudnet accounts can access and manage the devices from any location that has Internet access.

Cloudnet provides the following benefits in management and maintenance:

·     Suitable for scenarios such as small and medium-sized enterprises, branches, and chain stores.

·     Provides a cloud-based graphical interface, which requires no technical expertise and reduces the learning cost.

·     Lowers the management and usage barriers for operation and maintenance personnel.

·     Supports configuration reservation to ensure the security of device settings.

·     Provides rich operation and maintenance data.

·     More advanced cloud features will be released and the administrators can be the first to experience new features.

Networking scenarios

Using a third-party gateway as the gateway

Scenario description

Using a third-party gateway as the gateway is suitable for small to medium-sized stores (such as supermarkets and malls) with an area of less than 1000 square meters and around 100 to 150 online clients. A PoE switch supplies power to multiple APs, and the third-party gateway acts as the gateway.

Network diagram

As shown in Figure 1, the APs operate in cloud mode and connect to the third-party gateway through the PoE switch. The APs connect to the Internet and automatically register on Cloudnet. The third-party gateway also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients.

Figure 1 Using a third-party gateway as the gateway

 

Device selection

Table 1 Device selection

| Role | Recommended device models |
|---|---|
| Third-party gateway | Select a third-party gateway that meets the network requirements. |
| PoE access switch | S5120V3-28P-HPWR-LI, S5120V3-28S-PWR-LI |
| AP | WA6120, WA6126 |

Using an MSR router as the gateway

Scenario description

Using an MSR router as the gateway is suitable for small to medium-sized stores (such as supermarkets and malls) with an area of less than 1000 square meters and around 100 to 150 online clients. A PoE switch supplies power to multiple APs, and the MSR router acts as the gateway.

Network diagram

As shown in Figure 2, the APs operate in cloud mode and connect to the gateway through the PoE switch. The APs connect to the Internet and automatically register on Cloudnet. The MSR router also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients.

Figure 2 Using an MSR router as the gateway

 

Device selection

Table 2 Device selection

| Role | Recommended device models |
|---|---|
| Gateway | MSR610 |
| PoE access switch | S5120V3-28P-HPWR-LI, S5120V3-28S-PWR-LI |
| AP | WA6120, WA6126 |

Using a firewall as the gateway

Scenario description

Using a firewall device as the gateway is suitable for small to medium-sized office spaces (such as conference rooms and work areas) with an area of about 300 to 500 square meters and around 60 to 100 online clients. A PoE switch supplies power to multiple APs and the firewall acts as the gateway to provide security protection.

Network diagram

As shown in Figure 3, the APs operate in cloud mode and connect to the firewall through the PoE switch. The APs connect to the Internet and automatically register on Cloudnet. The firewall also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients, and provides security protection for devices in the internal network.

Figure 3 Using a firewall as the gateway

 

Device selection

Table 3 Device selection

| Role | Recommended device models |
|---|---|
| Gateway | F100-C-A1 |
| PoE access switch | S5120V3-10P-PWR-LI |
| AP | WA6120, WA6126, and WA6120H |

Using an MSR router as the gateway in out-of-path AC deployment

Scenario description

This networking method is suitable for small and medium-sized hotels and inns with fewer than 80 rooms. The AC is attached to the aggregation switch through out-of-path deployment to centrally manage fit APs, and the MSR router acts as the gateway.

Network diagram

As shown in Figure 4, the APs operate in fit mode and connect to the gateway through the PoE access switch and the aggregation switch to provide wireless access services to wireless clients. The MSR router also acts as the DHCP server to allocate IP addresses to the switches, AC, APs, and wireless clients. The AC is attached to the aggregation switch through out-of-path deployment to centrally manage all the fit APs.

Figure 4 Using an MSR router as the gateway in out-of-path AC deployment

 

Device selection

Table 4 Device selection

| Role | Recommended device models |
|---|---|
| Gateway | MSR610 |
| Aggregation switch | S5120V3-28F-LI |
| Access switch | S5120V3-28P-HPWR-LI |
| AC | WSG1840X |
| AP | WA6120, WA6126, and WA6120H |

Deployment cases

Using a third-party gateway as the gateway

Network requirements

As shown in Figure 5, the APs operate in cloud mode and connect to the third-party gateway through the PoE switch. The APs connect to the Internet and automatically register on Cloudnet. The third-party gateway also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients.

The PoE switch and cloud-managed APs are registered on Cloudnet and are managed and maintained through Cloudnet in a unified manner. This simplifies O&M.

Figure 5 Using a third-party gateway as the gateway

 

Analysis

The following approach is used for network configuration in this example:

1.     Configure the third-party gateway as the gateway:

a.     Log in to the local Web interface of the third-party gateway.

b.     Configure the third-party gateway to connect to the service provider network. Make sure the third-party gateway can access the Internet.

c.     Configure the internal network IP addresses, create service VLANs, enable DHCP, and configure the DHCP server to assign IP addresses to the switch, cloud-managed APs, and wireless clients.

d.     Configure the internal interfaces to permit all the service VLANs to pass.

2.     Power on the PoE switch and cloud-managed APs and connect them to the network. Make sure they can automatically obtain IP addresses and access the Internet.

3.     Add the PoE switch and cloud-managed APs to Cloudnet.

4.     Configure basic settings for the PoE switch on Cloudnet.

5.     Configure wireless service parameters on Cloudnet for wireless clients to access the WLAN.

Network planning

Restrictions and guidelines

·     The configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every setting on your network.

·     In this example, the software versions of the PoE switch and APs are R6343P05 and R2592P02, respectively.

Network information planning

Table 5 Network information planning

Item

Plan

Wireless network

·     Network segment: 192.168.20.0/24. The third-party gateway acts as the DHCP server to assign IP addresses to clients.

·     Gateway location: Third-party gateway.

·     IP address of gateway interface VLAN-interface 20: 192.168.20.1/24.

·     Service VLAN: VLAN 20.

·     Encryption method: PSK.

Management IP network segment for the third-party gateway, PoE switch, and APs

·     Network segment: 192.168.1.0/24.

·     IP address of management interface VLAN-interface 1 on the third-party gateway: 192.168.1.1/24.

·     IP address of management interface VLAN-interface 1 on the switch: Automatically obtained from the third-party gateway.

·     IP address of management interface VLAN-interface 1 on the APs: Automatically obtained from the third-party gateway.

Third-party gateway interfaces

·     External network connection supported by WAN interface: DHCP, PPPoE, and static address. Select a method according to the service provider network.

·     Connect LAN interface GE1 to the switch, set the link type to trunk, and assign the interface to VLAN 1 and VLAN 20.

Switch interfaces

·     Connect GE1/0/1 to the third-party gateway, set the link type to trunk, and assign the port to VLAN 1 and VLAN 20.

·     Specify GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20.

APs

·     Operating mode: Cloud.

·     Forwarding method: Bridge mode.

 

Procedure

Configuring the third-party gateway as the gateway

# Configure the third-party gateway according to the gateway model, configuration analysis, and network information planning. (Details not shown.)

Configuring the PoE switch

# Power on the PoE switch, and use a network cable to connect upstream Ethernet interface GE1/0/1 to the third-party gateway. The PoE switch will dynamically obtain an IP address through DHCP (the default address assignment method) from the third-party gateway. Make sure the PoE switch can access the public network by using the IP address obtained through DHCP.

Configuring the cloud-managed APs

# Power on the APs, and use network cables to connect the upstream Ethernet interfaces of these APs to the PoE switch. The APs will dynamically obtain IP addresses through DHCP (the default address assignment method) from the third-party gateway. Make sure the APs can access the public network by using the IP addresses obtained through DHCP.

Adding devices to Cloudnet

After the PoE switch and cloud-managed APs are connected to the public network, you must add them to Cloudnet for them to register on Cloudnet. For more information, see "Adding devices to Cloudnet."

Configuring the PoE switch on Cloudnet

After the PoE switch registers on Cloudnet, configure basic settings for the switch to meet wireless service requirements.

To configure the PoE switch on Cloudnet:

1.     Create service VLAN 20:

a.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Switches > Basic Settings.

b.     In the upper left corner of the work pane, select the branch, site, and device model of the PoE switch.

c.     On the VLAN tab, click Add.

d.     Specify VLAN ID 20.

e.     Click OK.

Figure 6 Creating a service VLAN

 

2.     Specify GE1/0/1 that connects to the third-party gateway and GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20:

a.     Select the target interfaces on the device panel area.

b.     Click the Interface Management tab.

c.     Specify the link type as trunk, and specify VLANs 1 and 20 as permitted VLANs.

d.     Retain the default settings in the other fields, and then click Submit.

Figure 7 Configuring GE interfaces
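
The trunk settings from step 2 can be audited offline against the VLAN plan in Table 5 once the switch configuration is exported as text. The following Python check is an added example, not H3C code; it assumes the export uses Comware interface commands, the sample configuration is constructed, and the function names are hypothetical.

```python
import re

PLANNED_VLANS = {1, 20}  # management VLAN 1 and service VLAN 20 from Table 5

# Constructed sample in Comware configuration syntax (not from a real device).
SAMPLE_CONFIG = """\
#
vlan 20
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 20
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1 10 to 12 20
#
interface GigabitEthernet1/0/5
 port access vlan 20
#
"""


def parse_interfaces(config_text):
    """Map each interface name to the list of commands in its stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line and not line.startswith(" "):
            current = None  # '#' or any other top-level command closes the stanza
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def permitted_vlans(commands):
    """Return the VLAN IDs named in explicit permit commands, or "all".

    Assumption: only explicit 'port trunk permit vlan' lines are evaluated;
    implicit platform defaults are not modelled.
    """
    vlans = set()
    for cmd in commands:
        match = re.fullmatch(r"port trunk permit vlan (.+)", cmd)
        if not match:
            continue
        tokens = match.group(1).split()
        if tokens == ["all"]:
            return "all"
        i = 0
        while i < len(tokens):
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                # "10 to 12" names an inclusive range of VLAN IDs.
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans


def audit_trunks(config_text, trunk_ports, planned=frozenset(PLANNED_VLANS)):
    """Return (port, code, vlan_list) findings for ports that should be trunks."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for port in trunk_ports:
        commands = interfaces.get(port)
        if commands is None:
            findings.append((port, "NOT_FOUND", []))
        elif "port link-type trunk" not in commands:
            findings.append((port, "NOT_TRUNK", []))
        else:
            vlans = permitted_vlans(commands)
            if vlans == "all":
                # Every VLAN, including ones created later, would cross this link.
                findings.append((port, "PERMIT_ALL", []))
                continue
            if planned - vlans:
                findings.append((port, "MISSING", sorted(planned - vlans)))
            if vlans - planned:
                findings.append((port, "EXTRA", sorted(vlans - planned)))
    return findings


if __name__ == "__main__":
    ports = ["GigabitEthernet1/0/%d" % n for n in range(1, 7)]
    for finding in audit_trunks(SAMPLE_CONFIG, ports):
        print(finding)
```

A `MISSING` finding for VLAN 20 on an AP-facing port means bridged client traffic tagged with the service VLAN cannot reach the gateway's DHCP server over that link.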

 

Configuring Wi-Fi settings on Cloudnet

After cloud-managed APs register on Cloudnet, you can configure and maintain wireless services for the APs from Cloudnet in a unified manner.

To configure Wi-Fi settings on Cloudnet:

1.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Cloud APs > WLAN Settings. Then, select the target branch and site from the upper left corner of the work pane.

2.     On the Region Code tab, select a region code, and then click OK.

3.     Click the Wi-Fi Settings tab, click the icon to expand the Wireless Service Config section, and then click Show All Services or Show Enabled Services to display all or only the enabled wireless services.

4.     To enable wireless services, select the target services, and then click Enable Service. To hide or show SSIDs, click Show SSID or Hide SSID.

Figure 8 Enabling wireless services

 

5.     To edit a single wireless service, click the SSID link, and then configure the parameters as needed.

¡     Basic configuration:

-     Modify the SSID and description.

-     Enable the service.

¡     Advanced configuration:

-     Specify the forwarding mode as Bridge, where the APs will only be used for Layer 2 forwarding of client packets. Specify the upper-layer gateway as the DHCP server.

-     Specify the service VLAN ID as 20.

-     Select PSK as the encryption method, select WPA / WPA2-Compliant as the security mode, and enter the password.

-     Retain the default settings in the other fields, and then click OK to save the configuration.

Figure 9 Editing the Wi-Fi configuration

 

Verifying the configuration

1.     Make a client access the WLAN. On the top navigation bar, click Network. From the left navigation pane, select Monitor > Cloud APs > AP List. Select the target branch and site at the upper left corner of the work pane, and view the AP statistics, including the AP online state, MAC address, and IP address information.

Figure 10 Viewing the AP list

 

2.     Click the AP name link. On the Client tab, view the online client trend and online client information.

Figure 11 Viewing online clients

 

Using an MSR router as the gateway

Network requirements

As shown in Figure 12, the APs operate in cloud mode and are connected to the gateway (MSR router) through the PoE switch. The APs access the Internet and then register on Cloudnet automatically. The MSR router also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients.

The gateway (MSR router), PoE switch, and cloud-managed APs are registered on Cloudnet and are managed and maintained through Cloudnet in a unified way. This simplifies O&M.

Figure 12 Using an MSR router as the gateway

 

Analysis

The following approach is used for network configuration in this example:

1.     Configure the MSR router as the gateway:

a.     Log in to the local Web interface of the MSR router.

b.     Configure the MSR router to connect to the service provider network. Make sure the router can access the Internet.

c.     Configure the internal network IP addresses, create service VLANs, enable DHCP, and configure the DHCP server to assign IP addresses to the switch, cloud-managed APs, and wireless clients.

d.     Configure the internal interfaces to permit all the service VLANs to pass.

e.     Configure cloud services. Make sure the MSR router can register on Cloudnet.

2.     Power on the PoE switch and cloud-managed APs and connect them to the network. Make sure they can obtain IP addresses automatically and access the Internet.

3.     Add the MSR router, PoE switch, and cloud-managed APs to Cloudnet.

4.     Configure basic settings for the PoE switch on Cloudnet.

5.     Configure wireless service parameters on Cloudnet for wireless clients to access the WLAN.

Network planning

Restrictions and guidelines

·     The configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every setting on your network.

·     In this example, the software versions of the MSR router, PoE switch, and APs are R6728P25, R6343P05, and R2592P02, respectively.

Network information planning

Table 6 Network information planning

Item

Plan

Wireless network

·     Network segment: 192.168.20.0/24. The MSR router acts as the DHCP server to assign IP addresses to clients.

·     Gateway location: Router.

·     IP address of gateway interface VLAN-interface 20: 192.168.20.1/24.

·     Service VLAN: VLAN 20.

·     Encryption method: PSK.

Management IP network segment for the router, switch, and APs

·     Network segment: 192.168.1.0/24.

·     IP address of management interface VLAN-interface 1 on the MSR router: 192.168.1.1/24.

·     IP address of management interface VLAN-interface 1 on the switch: Automatically obtained from the gateway (MSR router).

·     IP addresses of management interface VLAN-interface 1 on the APs: Automatically obtained from the gateway (MSR router).

MSR router interfaces

·     External network connection supported by WAN interface: DHCP, PPPoE, and static address. Select a method according to the service provider network.

·     Connect LAN interface GE1 to the switch, set the link type to trunk, and assign the interface to VLAN 1 and VLAN 20.

Switch interfaces

·     Connect GE1/0/1 to the MSR router, set the link type to trunk, and assign the port to VLAN 1 and VLAN 20.

·     Specify GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20.

APs

·     Operating mode: Cloud.

·     Forwarding method: Bridge mode.

 

Procedure

Configuring the MSR router as the gateway

1.     Connect a PC to the MSR router.

# Use an Ethernet cable to connect the PC and LAN interface GE2 on the MSR router. By default, all LAN ports belong to VLAN 1.

2.     Click the  icon at the lower right corner of the PC, and then click Open Network and Sharing Center.

3.     In the Network and Sharing Center, click Local Area Connection.

Figure 13 Network and Sharing Center

 

4.     Click Properties.

Figure 14 Local area connection

 

5.     In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click OK.

Figure 15 Local area connection properties

 

6.     In the Internet Protocol Version 4 (TCP/IPv4) dialog box, configure an IP address for the PC. Make sure the PC and the MSR can reach each other. Use either of the following methods:

¡     Select Obtain an IP address automatically and select Obtain DNS server address automatically. The PC will use the addresses assigned by the MSR router.

Figure 16 Configuring automatic address obtaining

 

¡     Manually change the IP address of the PC to any address in the 192.168.0.0/23 segment except 192.168.0.1, for example, 192.168.0.31. If you modify the default login address of the MSR device later, use an IP address in the modified network segment to log in to the MSR device again.

Figure 17 Manually configuring IP address settings

 

7.     Log in to the MSR router.

a.     Enter https://192.168.0.1 in the address bar on the PC, and then press Enter to log in to the Web interface of the MSR router.

b.     Enter the default username admin and default password admin, and then click Login. Change the password as prompted.

Figure 18 Logging in to the MSR router

 

8.     Configure WAN settings.

a.     From the left navigation pane, select Fast Configuration.

b.     Select Single WAN as the scene and then click Next.

Figure 19 Scene selection

 

c.     Select WAN0(GE0) as line 1.

d.     Select the link mode according to the service provider:

-     If you select PPPoE, enter the PPPoE account and password provided by the service provider.

-     If you select DHCP, the system automatically obtains a public IP address from the DHCP server.

-     If you select static address, enter the IP address, subnet mask, gateway address, and DNS address of the WAN.

e.     Select Enabled for NAT and then click Next.

Figure 20 Configuring WAN settings

 

9.     Configure LAN settings.

a.     On the LAN Config page, change the local IP address to 192.168.1.1, and set the subnet mask to 255.255.255.0.

b.     Set both the gateway address and DNS address to 192.168.1.1, and set the IP distribution range to 192.168.1.2 to 192.168.1.254 for allocating IP addresses to the switch and cloud-managed APs.

c.     Retain the default settings in the other fields, and then click Next.

Figure 21 Configuring LAN settings

 

10.     Click Finish.

Figure 22 Completing fast configuration

 

CAUTION:

·     Because you have modified the local network IP address of the MSR router, use the modified IP address to log in to the Web management interface of the MSR router again.

·     Change the IP address of the PC to any IP address in subnet 192.168.1.0/24, for example, 192.168.1.100/24. Make sure the IP address is not the same as any IP address obtained by a device.

 

11.     Create a wireless client service VLAN.

a.     From the left navigation pane, select Network > LAN Settings.

b.     Click Add. Configure service VLAN 20.

c.     Specify the VLAN ID as 20.

d.     Specify the interface address as 192.168.20.1.

e.     Specify the subnet mask as 255.255.255.0.

f.     Enable DHCP. Specify the address allocation range for wireless clients as 192.168.20.2 to 192.168.20.254.

g.     Retain the default settings in the other fields and then click Apply.

Figure 23 Creating a wireless client service VLAN

 

12.     Configure interface GE1.

GE1 must permit both VLAN 1 and VLAN 20 to pass.

a.     From the left navigation pane, select Network > LAN Settings.

b.     On the VLAN tab, click the edit icon  for GE1.

c.     Add VLAN 20 as a permitted VLAN.

d.     Click Apply.

Figure 24 Configuring interface GE1

 

13.     Connect the MSR router to Cloudnet.

Connect the MSR router to Cloudnet for Cloudnet to manage and maintain devices in a unified way.

a.     From the left navigation pane, select System Tool > Remote Login.

b.     Click the Cloud Service tab.

c.     Select Open in the Cloud Service field.

d.     Specify the server domain name as cloudnet.h3c.com.

e.     Enter the sysname.

f.     Click Apply.

Figure 25 Configuring cloud services
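
The addressing choices in steps 9 through 11 and the CAUTION after step 10 can be checked for consistency before they are entered in the Web interface. The following Python check is an added example, not H3C code; the `VlanPlan` class, the `check_plan` function, and the host name are hypothetical, and the plan values come from Table 6.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VlanPlan:
    vlan_id: int
    interface_ip: str   # gateway interface address with prefix, e.g. 192.168.1.1/24
    pool_start: str     # first address the DHCP server hands out
    pool_end: str       # last address the DHCP server hands out


# Values from Table 6 and steps 9 and 11 of this procedure.
MSR_PLAN = [
    VlanPlan(1, "192.168.1.1/24", "192.168.1.2", "192.168.1.254"),
    VlanPlan(20, "192.168.20.1/24", "192.168.20.2", "192.168.20.254"),
]


def check_plan(vlans, static_hosts=None):
    """Return (code, message) findings; an empty list means the plan is consistent."""
    findings = []
    checked = []  # (vlan_id, network, gateway, pool_start, pool_end) per valid VLAN
    for v in vlans:
        iface = ipaddress.ip_interface(v.interface_ip)
        net = iface.network
        start = ipaddress.ip_address(v.pool_start)
        end = ipaddress.ip_address(v.pool_end)
        if start > end:
            findings.append(("POOL_ORDER", f"VLAN {v.vlan_id}: pool start is after pool end"))
            continue
        if start not in net or end not in net:
            findings.append(("POOL_OFF_SUBNET", f"VLAN {v.vlan_id}: pool leaves {net}"))
            continue
        if start == net.network_address or end == net.broadcast_address:
            findings.append(("POOL_RESERVED", f"VLAN {v.vlan_id}: pool includes the "
                             "network or broadcast address"))
        if start <= iface.ip <= end:
            findings.append(("GATEWAY_IN_POOL", f"VLAN {v.vlan_id}: gateway {iface.ip} "
                             "lies inside its own DHCP pool"))
        for other_id, other_net, *_ in checked:
            if net.overlaps(other_net):
                findings.append(("SUBNET_OVERLAP", f"VLAN {v.vlan_id} overlaps VLAN {other_id}"))
        checked.append((v.vlan_id, net, iface.ip, start, end))

    # Manually addressed hosts, such as the PC used to reach the Web interface.
    for name, ip in (static_hosts or {}).items():
        addr = ipaddress.ip_address(ip)
        home = [c for c in checked if addr in c[1]]
        if not home:
            findings.append(("STATIC_OFF_SUBNET", f"{name} ({addr}) is in no planned subnet "
                             "and cannot reach the gateway interface"))
            continue
        vlan_id, _, gateway, start, end = home[0]
        if addr == gateway:
            findings.append(("STATIC_IS_GATEWAY", f"{name} duplicates the VLAN {vlan_id} gateway"))
        elif start <= addr <= end:
            findings.append(("STATIC_IN_POOL", f"{name} ({addr}) is inside the VLAN {vlan_id} "
                             "DHCP pool, so the server can lease the same address to a device"))
    return findings


def codes(findings):
    """Return only the finding codes, in order."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    # The PC address suggested in the CAUTION, checked against the planned pools.
    for code, message in check_plan(MSR_PLAN, {"admin-pc": "192.168.1.100"}):
        print(code, "-", message)
```

With the ranges from steps 9 and 11, the PC address from the CAUTION falls inside the management DHCP pool, which is why the CAUTION asks you to confirm that no device has obtained the same address.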

 

Configuring the PoE switch

# Power on the PoE switch, and use a network cable to connect upstream Ethernet interface GE1/0/1 to the MSR router. The PoE switch will dynamically obtain an IP address through DHCP (the default address assignment method) from the gateway (MSR router). Make sure the PoE switch can access the public network by using the IP address obtained through DHCP.

Configuring the cloud-managed APs

Power on the cloud-managed APs, and use network cables to connect the upstream Ethernet interfaces to the PoE switch. The cloud-managed APs will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (MSR router). Make sure the APs can access the public network by using the IP addresses obtained through DHCP.

Adding devices to Cloudnet

After the gateway, PoE switch, and cloud-managed APs are connected to the public network, you must add these devices to Cloudnet for them to register on Cloudnet. For more information, see "Adding devices to Cloudnet."

To verify the configuration:

1.     View device online status.

After you add a cloud-managed AP to Cloudnet, verify that the status of the AP is changed to online. Due to network issues, it might take a few minutes for a device to come online. Please wait and refresh the page to view the status.

Figure 26 Viewing device online status

 

2.     View the network topology.

On the top navigation bar, click Network. From the left navigation pane, select Network > Sites. Then, select the target branch and site from the upper left corner of the work pane, and view the network topology on the Site Summary tab.

Figure 27 Viewing the network topology

 

Configuring the PoE switch on Cloudnet

After the PoE switch registers on Cloudnet, configure basic settings for the switch to meet wireless service requirements.

To configure the PoE switch on Cloudnet:

1.     Create service VLAN 20:

a.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Switches > Basic Settings.

b.     In the upper left corner of the work pane, select the branch, site, and device model of the PoE switch.

c.     On the VLAN tab, click Add.

d.     Specify VLAN ID 20.

e.     Click OK.

Figure 28 Creating a service VLAN

 

2.     Specify GE1/0/1 that connects to the MSR router and GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20:

a.     Select the target interfaces on the device panel area.

b.     Click the Interface Management tab.

c.     Specify the link type as trunk, and specify VLANs 1 and 20 as permitted VLANs.

d.     Retain the default settings in the other fields, and then click Submit.

Figure 29 Configuring GE interfaces

 

Configuring Wi-Fi settings

After cloud-managed APs register on Cloudnet, you can configure and maintain wireless services for the APs from Cloudnet in a unified way.

1.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Cloud APs > WLAN Settings. Then, select the target branch and site from the upper left corner of the work pane.

2.     On the Region Code tab, select a region code, and then click OK.

3.     Click the Wi-Fi Settings tab, click the icon to expand the Wireless Service Config section, and then click Show All Services or Show Enabled Services to display all or only the enabled wireless services.

4.     To enable wireless services, select the target services, and then click Enable Service. To hide or show SSIDs, click Show SSID or Hide SSID.

Figure 30 Enabling wireless services

 

5.     To edit a single wireless service, click the SSID link, and then configure the parameters as needed.

¡     Basic configuration:

-     Modify the SSID and description.

-     Enable the service.

¡     Advanced configuration:

-     Specify the forwarding mode as Bridge, where the APs will only be used for Layer 2 forwarding of client packets. Specify the upper-layer gateway as the DHCP server.

-     Specify the service VLAN ID as 20.

-     Select PSK as the encryption method, select WPA / WPA2-Compliant as the security mode, and enter the password.

-     Retain the default settings in the other fields and click OK to save the configuration.

Figure 31 Editing the Wi-Fi configuration

 

Verifying the configuration

1.     Make a client access the WLAN. On the top navigation bar, click Network. From the left navigation pane, select Monitor > Cloud APs > AP List. Select the target branch and site at the upper left corner of the work pane, and view the AP statistics, including the AP online state, MAC address, and IP address information.

Figure 32 Viewing the AP list

 

2.     Click the AP name link. On the Client tab, view the online client trend and online client information.

Figure 33 Viewing online clients

 

Using a firewall as the gateway

Network requirements

This example configures wireless coverage and uses a firewall as the gateway to ensure the security of the internal network.

As shown in Figure 34, the APs operate in cloud mode and connect to the firewall through the PoE switch. The APs connect to the Internet and automatically register on Cloudnet. The firewall also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients, and provides security protection for devices in the internal network.

The gateway (firewall), PoE switch, and cloud-managed APs are all registered on Cloudnet and are managed and maintained through Cloudnet in a unified way. This simplifies O&M.

Figure 34 Using a firewall as the gateway

 

Analysis

The following approach is used for network configuration in this example:

1.     Configure the gateway.

a.     Log in to the local Web interface of the firewall.

b.     Connect the firewall to the service provider’s network and make sure the firewall can access the Internet.

c.     Configure internal network interfaces. Create management and service subinterfaces, assign IP addresses to the subinterfaces, and set the VLAN termination type.

d.     Configure DHCP address pools for the management VLAN and service VLAN.

e.     Configure a security policy.

f.     Configure NAT. Make sure internal network users can access the Internet.

g.     Configure the cloud domain name and port number. Make sure the firewall can register on Cloudnet.

2.     Power on the PoE switch and cloud-managed APs and connect them to the network. Make sure they can obtain IP addresses automatically and access the Internet.

3.     Add the firewall, PoE switch, and cloud-managed APs to Cloudnet.

4.     Configure basic settings for the PoE switch on Cloudnet.

5.     Configure wireless service parameters on Cloudnet for wireless clients to access the WLAN.

Network planning

Restrictions and guidelines

·     The configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every setting on your network.

·     In this example, the software versions of the firewall, PoE switch, and APs are F8590P06, R6343P05, and R2592P02, respectively.

·     By default, the firewall automatically obtains an IP address through DHCP for VLAN-interface 1. If automatic IP address acquisition through DHCP fails, the firewall uses the default IP address 192.168.0.1/24 as the IP address of VLAN-interface 1.

Network information planning

Table 7 Network information planning

Item

Plan

Wireless network

·     Network segment: 192.168.20.0/24. The firewall acts as the DHCP server to allocate IP addresses to clients.

·     Gateway location: Firewall.

·     IP address of gateway interface GE1/0/2.2: 192.168.20.1/24.

·     Service VLAN: VLAN 20.

·     Encryption method: PSK.

Management IP network segment for the firewall, switch, and APs

·     Network segment: 192.168.1.0/24.

·     IP address of management interface GE1/0/2.1 on the firewall: 192.168.1.1/24.

·     IP address of management interface VLAN-interface 1 on the switch: Automatically obtained from the gateway (firewall).

·     IP address of management interface VLAN-interface 1 on the APs: Automatically obtained from the gateway (firewall).

Firewall interfaces

·     GE1/0/1 operates at Layer 3 and is added to security zone Untrust. External network connection supported by GE1/0/1: DHCP, PPPoE, and static IP address. Select a method according to the service provider network.

·     GE1/0/2 that connects to the switch operates at Layer 3 and is added to security zone Trust. Create subinterfaces GE1/0/2.1 and GE1/0/2.2 for the management VLAN and service VLAN, respectively.

Switch interfaces

·     Connect GE1/0/1 to the firewall, set the link type to trunk, and assign the interface to VLAN 1 and VLAN 20.

·     Specify GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20.

APs

·     Operating mode: Cloud.

·     Forwarding method: Bridge mode.

 

Procedure

Configuring the gateway

1.     Connect a PC to the firewall.

Use an Ethernet cable to connect the PC to interface GE1/0/0 on the firewall.

2.     Click the  icon at the lower right corner of the PC, and then click Open Network and Sharing Center.

3.     In the Network and Sharing Center, click Local Area Connection.

Figure 35 Network and Sharing Center

 

4.     Click Properties.

Figure 36 Local area connection

 

5.     In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click OK.

Figure 37 Local area connection properties

 

6.     In the Internet Protocol Version 4 (TCP/IPv4) dialog box, configure an IP address for the PC. Make sure the PC and the firewall can reach each other. Use either of the following methods:

¡     Select Obtain an IP address automatically and select Obtain DNS server address automatically. The PC will use the addresses assigned by the firewall.

Figure 38 Configuring automatic address obtaining

 

¡     Manually change the IP address of the PC to any address (except 192.168.0.1) in the 192.168.0.0/24 segment, for example, 192.168.0.31. If you modify the default login address of the firewall later, use an IP address in the modified network segment to log in to the firewall again.

Figure 39 Manually configuring IP address settings

 

7.     Log in to the firewall:

a.     Enter https://192.168.0.1 in the address bar on the PC, and then press Enter to log in to the Web interface of the firewall.

b.     Enter the default username admin and default password admin, and then click Log in. Change the password as prompted.

Figure 40 Logging in to the firewall

 

8.     Configure the external network interface:

# On the top navigation bar, click Network. From the left navigation pane, select Interface Configuration > Interfaces.

# Click the edit icon  to edit interface GE1/0/1 that connects to the external network.

¡     Configure the interface to operate at Layer 3.

¡     Add the interface to security zone Untrust.

¡     Select the IPv4 address configuration method according to the service provider:

-     If you select PPPoE, enter the PPPoE account and password provided by the service provider.

-     If you select DHCP, the system automatically obtains a public IP address from the DHCP server.

-     If you select manual assignment, enter the IP address, subnet mask, and gateway address of the WAN.

¡     Click OK.

Figure 41 Editing interface GE1/0/1

 

Figure 42 Configuring interface settings

 

9.     Configure the internal network interface:

a.     Click the edit icon  to edit interface GE1/0/2 that connects to the internal network.

-     Configure GE1/0/2 to operate at Layer 3.

-     Add the interface to security zone Trust.

-     Click OK.

Figure 43 Configuring interface settings

 

b.     Click Create interface. Create subinterface GE1/0/2.1 for management VLAN-interface 1:

-     Add GE1/0/2.1 to security zone Trust.

-     Specify the interface IP address as 192.168.1.1/24.

-     Specify the VLAN termination type as Untagged termination.

-     Click OK.

Figure 44 Creating subinterface GE1/0/2.1

 

Figure 45 Specifying an IP address for GE1/0/2.1

 

Figure 46 Configuring VLAN termination for GE1/0/2.1

 

c.     Click Create interface. Create subinterface GE1/0/2.2 for service VLAN-interface 1:

-     Add GE1/0/2.2 to security zone Trust.

-     Specify the interface IP address as 192.168.20.1/24.

-     Specify the VLAN termination type as Dot1q unambiguous termination, and specify the ID of the termination VLAN as 20.

-     Click OK.

Figure 47 Creating subinterface GE1/0/2.2

 

Figure 48 Specifying an IP address for GE1/0/2.2

 

Figure 49 Configuring VLAN termination for GE1/0/2.2

 

10.     Configure DHCP address pools:

a.     On the top navigation bar, click Network. From the left navigation pane, select DHCP > DHCP Address Pools. Click Create address pool. Create address pool vlan1pool.

-     Specify the subnet for address allocation as 192.168.1.0/24 and exclude address 192.168.1.1.

-     On the Address Pool Options tab, click Create in the corresponding sections to specify both the gateway and DNS server address as 192.168.1.1.

-     Click OK.

Figure 50 Creating DHCP address pool vlan1pool

 

Figure 51 Specifying the subnet for address allocation

 

Figure 52 Configuring the gateway and DNS server address

 

b.     Click Create address pool. Create address pool vlan20pool.

-     Specify the address range as 192.168.20.0/24 and exclude address 192.168.20.1.

-     On the Address Pool Options tab, click Create in the corresponding sections to specify both the gateway and DNS server address as 192.168.20.1.

-     Click OK.

Figure 53 Creating DHCP address pool vlan20pool

 

Figure 54 Specifying the subnet for address allocation

 

Figure 55 Configuring the gateway and DNS server address

 

11.     Configure a security policy:

a.     On the top navigation bar, click Policies. From the left navigation pane, select Security Policies. Click Create > Create a policy.

Figure 56 Creating a policy

 

b.     Create a security policy.

-     Specify the security policy name as trust-untrust.

-     Select Trust as the source zone and Untrust and Local as the destination zones.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 57 Creating a security policy (1)

 

Figure 58 Creating a security policy (2)

 

c.     Create a security policy.

-     Specify the security policy name as untrust-trust.

-     Select Untrust as the source zone, create IPv4 address object group cloudnet, and set the host name to cloudnet.h3c.com.

-     Select Trust and Local as the destination zones.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 59 Creating a security policy (1)

 

Figure 60 Creating a security policy (2)

 

Figure 61 Creating a security policy (3)

 

Figure 62 Creating a security policy (4)

 

Figure 63 Creating a security policy (5)

 

12.     Configure NAT:

# On the top navigation bar, click Policies. From the left navigation pane, select Policy-based NAT. Click Create.

¡     Specify the rule name as PolicyRule_2.

¡     Select NAT44 from the rule type field.

¡     Select Source address translation as the translation mode.

¡     Select Trust as the source zone.

¡     Select Untrust as the destination zone.

¡     Select Dynamic IP+port as the translation mode.

¡     Select the Easy IP address type.

¡     Enable the rule.

¡     Click OK.

Figure 64 Creating a NAT policy (1)

 

Figure 65 Creating a NAT policy (2)

 

13.     Connect the firewall to Cloudnet:

# On the top navigation bar, click Dashboard. Click Set in the System Info section to set the domain name and port.

¡     Set the cloud domain name to cloudnet.h3c.com.

¡     Set the cloud port to 17443.

Figure 66 Editing the cloud domain name

 

Figure 67 Editing the cloud port
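The addressing plan in Table 7 can be checked against the subinterface, DHCP pool, and trunk settings entered in steps 9 and 10 before any client connects. The following is an added example, not H3C code: the function names and data layout are assumptions, the values are transcribed from this page, and the second pool definition is the vlan20pool step of the example that runs firewall version E8460P27, which lists no excluded address.

```python
import ipaddress


def check_segment(pool_name, planned_subnet, gateway_if, pool_subnet,
                  excluded, pool_gateway):
    """Compare one DHCP pool with its planned segment.

    Returns (findings, leasable), where leasable is the number of host
    addresses left in the pool after the exclusions.
    """
    findings = []
    net = ipaddress.ip_network(planned_subnet)
    gw = ipaddress.ip_interface(gateway_if)
    pool_net = ipaddress.ip_network(pool_subnet)
    excluded_ips = {ipaddress.ip_address(a) for a in excluded}

    if gw.network != net:
        findings.append(f"{pool_name}: gateway interface {gw} is outside {net}")
    if pool_net != net:
        findings.append(f"{pool_name}: pool subnet {pool_net} differs from plan {net}")
    if ipaddress.ip_address(pool_gateway) != gw.ip:
        findings.append(f"{pool_name}: pool gateway option {pool_gateway} is not {gw.ip}")
    for addr in sorted(excluded_ips):
        if addr not in pool_net:
            findings.append(f"{pool_name}: excluded address {addr} is outside the pool")
    if gw.ip not in excluded_ips:
        findings.append(f"{pool_name}: gateway {gw.ip} is not in the excluded list")

    leasable = len(set(pool_net.hosts()) - excluded_ips)
    return findings, leasable


def check_vlans(subinterfaces, trunk_permitted, trunk_pvid=1):
    """Check that every subinterface VLAN is carried by the switch trunk.

    subinterfaces maps a name to its termination VLAN ID, or None for
    untagged termination. Assumption: untagged frames on the trunk belong
    to the port's PVID, taken here as VLAN 1.
    """
    findings = []
    for name, vlan in subinterfaces.items():
        effective = trunk_pvid if vlan is None else vlan
        if effective not in trunk_permitted:
            findings.append(f"{name}: VLAN {effective} is not permitted on the switch trunk")
    return findings


# Pools as entered in step 10 of this example (values from the page).
POOLS_THIS_EXAMPLE = [
    ("vlan1pool", "192.168.1.0/24", "192.168.1.1/24",
     "192.168.1.0/24", ["192.168.1.1"], "192.168.1.1"),
    ("vlan20pool", "192.168.20.0/24", "192.168.20.1/24",
     "192.168.20.0/24", ["192.168.20.1"], "192.168.20.1"),
]
# vlan20pool as entered in the E8460P27 example: no excluded address listed.
POOL_E8460P27_VLAN20 = ("vlan20pool", "192.168.20.0/24", "192.168.20.1/24",
                        "192.168.20.0/24", [], "192.168.20.1")
# Subinterfaces from step 9 and trunk VLANs from the switch plan.
SUBINTERFACES = {"GE1/0/2.1": None, "GE1/0/2.2": 20}
TRUNK_PERMITTED = {1, 20}


def audit(pools):
    """Run check_segment over a list of pool tuples and collect all findings."""
    findings = []
    for pool in pools:
        findings.extend(check_segment(*pool)[0])
    return findings


if __name__ == "__main__":
    print(audit(POOLS_THIS_EXAMPLE))
    print(check_segment(*POOL_E8460P27_VLAN20))
    print(check_vlans(SUBINTERFACES, TRUNK_PERMITTED))
```
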

 

Configuring the PoE switch

# Power on the PoE switch, and use a network cable to connect upstream Ethernet interface GE1/0/1 to the firewall. The PoE switch will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (firewall). Make sure the IP addresses obtained through DHCP are reachable from the public network.

Configuring the cloud-managed APs

Power on the cloud-managed APs, and use network cables to connect the upstream Ethernet interfaces to the PoE switch. The cloud-managed APs will dynamically obtain an IP address through DHCP (the default address assignment method) from the gateway (firewall). Make sure the IP address obtained through DHCP is reachable from the public network.

Adding devices to Cloudnet

After the firewall, PoE switch, and cloud-managed APs are connected to the public network, you must add these devices to Cloudnet for them to register on Cloudnet. For more information, see "Adding devices to Cloudnet."

Configuring the PoE switch on Cloudnet

After the PoE switch registers on Cloudnet, configure basic settings for the switch to meet wireless service requirements.

To configure the PoE switch on Cloudnet:

1.     Create service VLAN 20:

a.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Switches > Basic Settings.

b.     In the upper left corner of the work pane, select the branch, site, and device model of the PoE switch.

c.     On the VLAN tab, click Add.

d.     Specify VLAN ID 20.

e.     Click OK.

Figure 68 Creating a service VLAN

 

2.     Specify GE1/0/1 that connects to the firewall and GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20:

a.     Select the target interfaces on the device panel area.

b.     Click the Interface Management tab.

c.     Specify the link type as trunk, and specify VLANs 1 and 20 as permitted VLANs.

d.     Retain the default settings in the other fields, and then click Submit.

Figure 69 Configuring GE interfaces

 

Configuring Wi-Fi settings on Cloudnet

After cloud-managed APs register on Cloudnet, you can configure and maintain wireless services for the APs from Cloudnet in a unified way.

To configure Wi-Fi settings on Cloudnet:

1.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Cloud APs > WLAN Settings. Then, select the target branch and site from the upper left corner of the work pane.

2.     On the Region Code tab, select a region code, and then click OK.

3.     Click the Wi-Fi Settings tab, click the  icon to expand the Wireless Service Config section, and then click Show All Services or Show Enabled Services to display all or only the enabled wireless services.

4.     To enable wireless services, select the target services, and then click Enable Service. To hide or show SSIDs, click Show SSID or Hide SSID.

Figure 70 Enabling wireless services

 

5.     To edit a single wireless service, click the SSID link, and then configure the parameters as needed.

¡     Basic configuration:

-     Modify the SSID and description.

-     Enable the service.

¡     Advanced configuration:

-     Specify the forwarding mode as Bridge, where the APs will only be used for Layer 2 forwarding of client packets. Specify the upper-layer gateway as the DHCP server.

-     Specify the service VLAN ID as 20.

-     Select PSK as the encryption method, select WPA / WPA2-Compliant as the security mode, and enter the password.

-     Retain the default settings in the other fields and click OK to save the configuration.

Figure 71 Editing the Wi-Fi configuration

 

Verifying the configuration

1.     Connect a client to the WLAN. On the top navigation bar, click Network. From the left navigation pane, select Monitor > Cloud APs > AP List. Select the target branch and site at the upper left corner of the work pane, and view the AP statistics, including the AP online state, MAC address, and IP address information.

Figure 72 Viewing the AP list

 

2.     Click the AP name link. On the Client tab, view the online client trend and online client information.

Figure 73 Viewing online clients

 

 

Using a firewall as the gateway (E8460P27)

Network requirements

This example configures wireless coverage and uses a firewall as the gateway to ensure the security of the internal network.

As shown in Figure 74, the APs operate in cloud mode and connect to the firewall through the PoE switch. The APs connect to the Internet and automatically register on Cloudnet. The firewall also acts as the DHCP server to allocate IP addresses to the switch, cloud-managed APs, and wireless clients, and provides security protection for devices in the internal network.

The gateway (firewall), PoE switch, and cloud-managed APs are all registered on Cloudnet and are managed and maintained through Cloudnet in a unified way. This simplifies O&M.

Figure 74 Using a firewall as the gateway

 

Analysis

The following approach is used for network configuration in this example:

1.     Configure the gateway.

a.     Log in to the local Web interface of the firewall.

b.     Connect the firewall to the service provider’s network and make sure the firewall can access the Internet.

c.     Configure internal network interfaces. Create management and service subinterfaces, assign IP addresses to the subinterfaces, and set the VLAN termination type.

d.     Configure DHCP address pools for the management VLAN and service VLAN.

e.     Configure a security policy.

f.     Configure NAT. Make sure internal network users can access the Internet.

g.     Configure the cloud domain name and port number. Make sure the firewall can register on Cloudnet.

2.     Power on the PoE switch and cloud-managed APs and connect them to the network. Make sure they can obtain IP addresses automatically and access the Internet.

3.     Add the firewall, PoE switch, and cloud-managed APs to Cloudnet.

4.     Configure basic settings for the PoE switch on Cloudnet.

5.     Configure wireless service parameters on Cloudnet for wireless clients to access the WLAN.

Network planning

Restrictions and guidelines

·     The configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every setting on your network.

·     In this example, the software versions of the firewall, PoE switch, and APs are E8460P27, R6343P05, and R2592P02, respectively.

Network information planning

Table 8 Network information planning

Item

Plan

Wireless network

·     Network segment: 192.168.20.0/24. The firewall acts as the DHCP server to allocate IP addresses to clients.

·     Gateway location: Firewall.

·     IP address of gateway interface GE1/0/2.2: 192.168.20.1/24.

·     Service VLAN: VLAN 20.

·     Encryption method: PSK.

Management IP network segment for the firewall, switch, and APs

·     Network segment: 192.168.1.0/24.

·     IP address of the interface GE1/0/2.1 on the firewall: 192.168.1.1/24.

·     IP address of the interface VLAN-interface 1 on the switch: Automatically obtained from the gateway (firewall).

·     IP address of the interface VLAN-interface 1 on the APs: Automatically obtained from the gateway (firewall).

Firewall interfaces

·     GE1/0/1 operates at Layer 3 and is added to security zone Untrust. External network connection methods supported by GE1/0/1: DHCP, PPPoE, and static IP address. Select a method according to the service provider network.

·     GE1/0/2 that connects to the switch operates at Layer 3 and is added to security zone Trust. Create subinterfaces GE1/0/2.1 and GE1/0/2.2 for the management VLAN and service VLAN, respectively.

Switch interfaces

·     Connect GE1/0/1 to the firewall, set the link type to trunk, and assign the interface to VLAN 1 and VLAN 20.

·     Specify GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20.

APs

·     Operating mode: Cloud.

·     Forwarding method: Bridge mode.

 

Procedure

Configure the gateway

1.     Connect a PC to the firewall.

Use an Ethernet cable to connect the PC to interface GE1/0/0 on the firewall.

2.     Click the  icon at the lower right corner of the PC, and then click Open Network and Sharing Center.

3.     In the Network and Sharing Center, click Local Area Connection.

Figure 75 Network and Sharing Center

 

4.     Click Properties.

Figure 76 Local area connection

 

5.     In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click OK.

Figure 77 Local area connection properties

 

6.     In the Internet Protocol Version 4 (TCP/IPv4) dialog box, configure an IP address for the PC. Make sure the PC and the firewall can reach each other. Use either of the following methods:

¡     Select Obtain an IP address automatically and select Obtain DNS server address automatically. The PC will use the addresses assigned by the firewall.

Figure 78 Configuring automatic address obtaining

 

¡     Manually change the IP address of the PC to any address (except 192.168.0.1) in the 192.168.0.0/24 segment, for example, 192.168.0.31. If you modify the default login address of the firewall later, use an IP address in the modified network segment to log in to the firewall again.

Figure 79 Manually configuring IP address settings

 

7.     Log in to the firewall:

a.     Enter https://192.168.0.1 in the address bar on the PC, and then press Enter to log in to the Web interface of the firewall.

b.     Enter the default username admin and default password admin, and then click Log in. Change the password as prompted.

Figure 80 Logging in to the firewall

 

8.     Configure the external network interface:

# On the top navigation bar, click Network. From the left navigation pane, select Interface Configuration > Interfaces.

# Click the edit icon  to edit interface GE1/0/1 that connects to the external network.

¡     Add the interface to security zone Untrust.

¡     Select the IPv4 address configuration method according to the service provider:

-     If you select PPPoE, enter the PPPoE account and password provided by the service provider.

-     If you select DHCP, the system automatically obtains a public IP address from the DHCP server.

-     If you select manual assignment, enter the IP address, subnet mask, and gateway address of the WAN.

¡     Click OK.

Figure 81 Editing interface GE1/0/1

 

Figure 82 Configuring interface settings

 

9.     Configure the internal network interface:

a.     Click the edit icon  to edit interface GE1/0/2 that connects to the internal network.

-     Add the interface to security zone Trust.

-     Click OK.

Figure 83 Configuring interface settings

 

b.     Click Create interface. Create subinterface GE1/0/2.1 for management VLAN-interface 1:

-     Add GE1/0/2.1 to security zone Trust.

-     Specify the interface IP address as 192.168.1.1/24.

-     Specify the VLAN termination type as Untagged termination.

-     Click OK.

Figure 84 Creating subinterface GE1/0/2.1

 

Figure 85 Specifying an IP address for GE1/0/2.1

 

Figure 86 Configuring VLAN termination for GE1/0/2.1

 

c.     Click Create interface. Create subinterface GE1/0/2.2 for service VLAN-interface 1:

-     Add GE1/0/2.2 to security zone Trust.

-     Specify the interface IP address as 192.168.20.1/24.

-     Specify the VLAN termination type as Dot1q unambiguous termination, and specify the ID of the termination VLAN as 20.

-     Click OK.

Figure 87 Creating subinterface GE1/0/2.2

 

 

Figure 88 Specifying an IP address for GE1/0/2.2

 

 

Figure 89 Configuring VLAN termination for GE1/0/2.2

 

 

10.     Configure DHCP address pools:

a.     On the top navigation bar, click Network. From the left navigation pane, select DHCP > DHCP Address Pools. Click Create address pool. Create address pool vlan1pool.

-     Specify the subnet for address allocation as 192.168.1.0/24 and exclude address 192.168.1.1.

-     On the Address Pool Options tab, click Create in the corresponding sections to specify both the gateway and DNS server address as 192.168.1.1.

-     Click OK.

Figure 90 Enabling the DHCP service

 

Figure 91 Creating DHCP address pool vlan1pool

 

Figure 92 Specifying the subnet for address allocation

 

Figure 93 Configuring the gateway and DNS server address

 

b.     Click Create address pool. Create address pool vlan20pool.

-     Specify the address range as 192.168.20.0/24.

-     On the Address Pool Options tab, click Create in the corresponding sections to specify both the gateway and DNS server address as 192.168.20.1.

-     Click OK.

Figure 94 Creating DHCP address pool vlan20pool

 

Figure 95 Specifying the subnet for address allocation

 

Figure 96 Configuring the gateway and DNS server address

 

11.     Configure a security policy:

a.     On the top navigation bar, click Policies. From the left navigation pane, select Security Policies. Click Create > Create a policy.

Figure 97 Creating a policy

 

b.     Create a security policy.

-     Specify the security policy name as trust-untrust.

-     Select Trust as the source zone and Untrust and Local as the destination zones.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 98 Creating a security policy (1)

 

Figure 99 Creating a security policy (2)

 

c.     Create a security policy.

-     Specify the security policy name as untrust-trust.

-     Select Untrust as the source zone, create IPv4 address object group cloudnet, and set the host name to cloudnet.h3c.com.

-     Select Trust as the destination zone.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 100 Creating a security policy (1)

 

Figure 101 Creating a security policy (2)

 

Figure 102 Creating a security policy (3)

 

Figure 103 Creating a security policy (4)

 

Figure 104 Creating a security policy (5)

 

d.     Create a security policy.

-     Specify the security policy name as local-trust.

-     Select Local as the source zone.

-     Select Trust as the destination zone.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 105 Creating a security policy (1)

 

Figure 106 Creating a security policy (2)

 

e.     Create a security policy.

-     Specify the security policy name as local-untrust.

-     Select Local as the source zone.

-     Select Untrust as the destination zone.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 107 Creating a security policy (1)

 

Figure 108 Creating a security policy (2)

 

f.     Create a security policy.

-     Specify the security policy name as untrust-local.

-     Select Untrust as the source zone.

-     Select Local as the destination zone.

-     Specify the action as Permit.

-     Retain the default settings in the other fields and then click OK.

Figure 109 Creating a security policy (1)

 

Figure 110 Creating a security policy (2)

 

12.     Configure NAT:

# On the top navigation bar, click Policies. From the left navigation pane, select Policy-based NAT. Click Create.

¡     Specify the rule name as PolicyRule_2.

¡     Select NAT44 from the rule type field.

¡     Select Source address translation as the translation mode.

¡     Select Trust as the source zone.

¡     Select Untrust as the destination zone.

¡     Select Dynamic IP+port as the translation mode.

¡     Select the Easy IP address type.

¡     Enable the rule.

¡     Click OK.

Figure 111 Creating a NAT policy (1)

 

Figure 112 Creating a NAT policy (2)

 

13.     Connect the firewall to Cloudnet:

# On the top navigation bar, click Dashboard. Click Set in the System Info section to set the domain name and port.

¡     Set the cloud domain name to cloudnet.h3c.com.

¡     Set the cloud port to 17443.

Editing the cloud domain name

 

Editing the cloud port
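The security policies created in step 11 differ between the two firewall examples on this page in how traffic from zone Untrust is scoped, and the difference is easiest to see when both rule sets are evaluated side by side. The following is an added example, not H3C code: the rule model, the function names, and the treatment of a default source address field as "any" are assumptions, and the rule sets are transcribed from step 11 of each example.

```python
from dataclasses import dataclass

ANY = "any"  # assumption: a source address field left at its default matches every source


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: tuple
    dst_zones: tuple
    src_addr: str = ANY      # address object group name, or ANY
    action: str = "permit"


# Step 11 of the first firewall example (Table 7 plan).
FIRST_EXAMPLE = [
    Rule("trust-untrust", ("Trust",), ("Untrust", "Local")),
    Rule("untrust-trust", ("Untrust",), ("Trust", "Local"), src_addr="cloudnet"),
]
# Step 11 of the example that runs firewall version E8460P27 (Table 8 plan).
E8460P27_EXAMPLE = [
    Rule("trust-untrust", ("Trust",), ("Untrust", "Local")),
    Rule("untrust-trust", ("Untrust",), ("Trust",), src_addr="cloudnet"),
    Rule("local-trust", ("Local",), ("Trust",)),
    Rule("local-untrust", ("Local",), ("Untrust",)),
    Rule("untrust-local", ("Untrust",), ("Local",)),
]


def first_match(rules, src_zone, dst_zone, src_group):
    """Return the first rule that matches the flow, or None.

    Assumption of this model: rules are evaluated top-down and a flow
    that matches no rule is dropped.
    """
    for rule in rules:
        if (src_zone in rule.src_zones and dst_zone in rule.dst_zones
                and rule.src_addr in (ANY, src_group)):
            return rule
    return None


def unrestricted_from_untrust(rules):
    """List (rule name, destination zones) for permits open to any Untrust source."""
    return [
        (rule.name, rule.dst_zones)
        for rule in rules
        if rule.action == "permit"
        and "Untrust" in rule.src_zones
        and rule.src_addr == ANY
    ]


def exposure_report(rules):
    """Map each destination zone to the rule that admits an arbitrary Internet host."""
    report = {}
    for dst in ("Local", "Trust"):
        # "unlisted-host" stands for a source that belongs to no address object group.
        hit = first_match(rules, "Untrust", dst, src_group="unlisted-host")
        report[dst] = hit.name if hit and hit.action == "permit" else None
    return report


if __name__ == "__main__":
    for label, rules in (("first example", FIRST_EXAMPLE),
                         ("E8460P27 example", E8460P27_EXAMPLE)):
        print(label)
        print("  open to any Untrust source:", unrestricted_from_untrust(rules))
        print("  arbitrary Internet host admitted by:", exposure_report(rules))
```

Only the E8460P27 rule set contains a permit from Untrust to Local with no source address object group (untrust-local). If the firewall does not need to be reached from arbitrary Internet hosts, that is the rule to scope the way untrust-trust is scoped to the cloudnet group.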

 

Configuring the PoE switch

# Power on the PoE switch, and use a network cable to connect upstream Ethernet interface GE1/0/1 to the firewall. The PoE switch will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (firewall). Make sure the IP addresses obtained through DHCP are reachable from the public network.

Configuring the cloud-managed APs

Power on the cloud-managed APs, and use network cables to connect the upstream Ethernet interfaces to the PoE switch. The cloud-managed APs will dynamically obtain an IP address through DHCP (the default address assignment method) from the gateway (firewall). Make sure the IP address obtained through DHCP is reachable from the public network.

Adding devices to Cloudnet

After the firewall, PoE switch, and cloud-managed APs are connected to the public network, you must add these devices to Cloudnet for them to register on Cloudnet. For more information, see "Adding devices to Cloudnet."

Configuring the PoE switch on Cloudnet

After the PoE switch registers on Cloudnet, configure basic settings for the switch to meet wireless service requirements.

To configure the PoE switch on Cloudnet:

1.     Create service VLAN 20:

a.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Switches > Basic Settings.

b.     In the upper left corner of the work pane, select the branch, site, and device model of the PoE switch.

c.     On the VLAN tab, click Add.

d.     Specify VLAN ID 20.

e.     Click OK.

Figure 113 Creating a service VLAN

 

2.     Specify GE1/0/1 that connects to the firewall and GE interfaces that connect to APs as trunk ports, and assign the ports to VLAN 1 and VLAN 20:

a.     Select the target interfaces on the device panel area.

b.     Click the Interface Management tab.

c.     Specify the link type as trunk, and specify VLANs 1 and 20 as permitted VLANs.

d.     Retain the default settings in the other fields, and then click Submit.

Figure 114 Configuring GE interfaces

 

Configuring Wi-Fi settings on Cloudnet

After cloud-managed APs register on Cloudnet, you can configure and maintain wireless services for the APs from Cloudnet in a unified way.

To configure Wi-Fi settings on Cloudnet:

1.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Cloud APs > WLAN Settings. Then, select the target branch and site from the upper left corner of the work pane.

2.     On the Region Code tab, select a region code, and then click OK.

3.     Click the Wi-Fi Settings tab, click the  icon to expand the Wireless Service Config section, and then click Show All Services or Show Enabled Services to display all or only the enabled wireless services.

4.     To enable wireless services, select the target services, and then click Enable Service. To hide or show SSIDs, click Show SSID or Hide SSID.

Figure 115 Enabling wireless services

 

5.     To edit a single wireless service, click the SSID link, and then configure the parameters as needed.

¡     Basic configuration:

-     Modify the SSID and description.

-     Enable the service.

¡     Advanced configuration:

-     Specify the forwarding mode as Bridge, where the APs will only be used for Layer 2 forwarding of client packets. Specify the upper-layer gateway as the DHCP server.

-     Specify the service VLAN ID as 20.

-     Select PSK as the encryption method, select WPA / WPA2-Compliant as the security mode, and enter the password.

-     Retain the default settings in the other fields and click OK to save the configuration.

Figure 116 Editing the Wi-Fi configuration

 

Verifying the configuration

1.     Connect a client to the WLAN. On the top navigation bar, click Network. From the left navigation pane, select Monitor > Cloud APs > AP List. Select the target branch and site at the upper left corner of the work pane, and view the AP statistics, including the AP online state, MAC address, and IP address information.

Figure 117 Viewing the AP list

 

2.     Click the AP name link. On the Client tab, view the online client trend and online client information.

Figure 118 Viewing online clients

 

Using an MSR router as the gateway in out-of-path AC deployment

Network requirements

As shown in Figure 74, the APs operate in fit mode and connect to the gateway (MSR router) through the access switch and the aggregation switch to provide wireless access services to clients. The MSR router also acts as the DHCP server to allocate IP addresses to the aggregation switch, PoE access switch, AC, APs, and wireless clients. The AC is attached to the aggregation switch through out-of-path deployment to centrally manage all the fit APs.

The gateway (MSR router), aggregation switch, PoE access switch, and APs are registered on Cloudnet and are managed and maintained through Cloudnet in a unified way. This simplifies O&M.

Figure 119 Using an MSR router as the gateway in out-of-path AC deployment

 

Analysis

The following approach is used for network configuration in this example:

1.     Configure the MSR router as the gateway:

a.     Log in to the local Web interface of the MSR router.

b.     Configure the MSR router to connect to the service provider network. Make sure the router can access the Internet.

c.     Configure the internal network IP addresses, create service VLANs, enable DHCP, and configure the DHCP server to assign IP addresses to the aggregation switch, PoE access switch, AC, fit APs, and wireless clients.

d.     Configure the internal interfaces to permit all the service VLANs to pass.

e.     Configure cloud services. Make sure the MSR router can register on Cloudnet.

2.     Power on the aggregation switch, PoE switch, and APs and connect them to the network. Make sure they can automatically obtain IP addresses from the MSR router.

3.     Bulk enable fit mode for the APs on Cloudnet.

4.     Power on the AC and connect it to the network. Make sure the AC can automatically obtain IP addresses from the MSR router. The power-on sequence prevents the switches and fit APs from automatically obtaining IP addresses from the default address pool on the AC and causing a network interruption.

5.     Add the MSR router, aggregation switch, PoE access switch, and AC to Cloudnet.

6.     Configure basic settings for the aggregation switch and AC.

7.     Configure wireless service parameters on Cloudnet for wireless clients to access the WLAN.

Network planning

Restrictions and guidelines

·     The configuration example was created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every setting on your network.

·     In this example, the software versions of the MSR router, aggregation switch, PoE switch, and AC are R6728P25, R6343P05, R6343P05, and E5620, respectively.

·     If no AP license is installed on the AC, fit APs cannot register on the AC. Install sufficient AP licenses on the AC first.

·     Strictly follow the power-on sequence in the configuration analysis to connect the devices to prevent the devices from automatically obtaining IP addresses that are inconsistent with the planned network segments. Inconsistent IP addresses will result in network interruptions.

·     By default, the AC automatically obtains an IP address through DHCP for VLAN-interface 1. If automatic IP address acquisition through DHCP fails, the AC uses the default IP address 192.168.0.100/24 as the IP address of VLAN-interface 1.

Network information planning

Table 9 Network information planning

Item

Plan

Wireless network

·     Network segment: 192.168.20.0/24. The MSR router acts as the DHCP server to assign IP addresses to clients.

·     Gateway location: Router.

·     IP address of gateway interface VLAN-interface 20: 192.168.20.1/24.

·     Service VLAN: VLAN 20.

·     Encryption method: PSK.

Management IP network segment for the router, switches, AC, and APs

·     Network segment: 192.168.1.0/24.

·     IP address of management interface VLAN-interface 1 on the MSR router: 192.168.1.1/24.

·     IP address of management interface VLAN-interface 1 on the AC: Automatically obtained from the gateway (MSR router).

·     IP address of management interface VLAN-interface 1 on the aggregation switch: Automatically obtained from the gateway (MSR router).

·     IP address of management interface VLAN-interface 1 on the PoE switch: Automatically obtained from the gateway (MSR router).

·     IP address of management interface VLAN-interface 1 on the APs: Automatically obtained from the gateway (MSR router).

MSR router interfaces

·     External network connection supported by WAN interface: DHCP, PPPoE, and static address. Select a method according to the service provider network.

·     Connect LAN interface GE1 to the aggregation switch, set the link type to trunk, and assign the interface to VLAN 1 and VLAN 20.

AC interfaces

Connect GE1/0/1 to the aggregation switch, set the link type to trunk, and assign the interface to VLAN 1 and VLAN 20.

Aggregation switch interfaces

·     Connect GE1/0/1 to the MSR router, set the link type to trunk, and assign the port to VLAN 1 and VLAN 20.

·     Connect GE1/0/2 to the AC, set the link type to trunk, and assign the port to VLAN 1 and VLAN 20.

·     Retain the default settings for the other GE interfaces that connect to the PoE access switch.

PoE access switch interfaces

·     Retain the default settings for GE1/0/1 that connects to the aggregation switch.

·     Retain the default settings for the other GE interfaces that connect to fit APs.

APs

Operating mode: Fit.
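The plan in Table 9 and the default-address behavior described before it can be checked mechanically. The following Python sketch is an added example, not H3C code: it validates the planned segments and DHCP ranges used on this page and classifies a constructed device inventory, flagging a device that is still on the 192.168.0.0/24 default segment or a manually addressed host that sits inside a DHCP range. The function names and the sample inventory are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Plan values taken from Table 9 and the LAN/VLAN steps on this page.
PLAN = {
    "mgmt":     {"gateway": "192.168.1.1/24",  "pool": ("192.168.1.2", "192.168.1.254")},
    "wireless": {"gateway": "192.168.20.1/24", "pool": ("192.168.20.2", "192.168.20.254")},
}
# Default segment of the MSR (192.168.0.1) and of the AC fallback (192.168.0.100/24).
DEFAULT_NET = ip_network("192.168.0.0/24")

def _segment(seg):
    """Parse one plan entry into (network, gateway IP, pool start, pool end)."""
    gw = ip_interface(seg["gateway"])
    lo, hi = (ip_address(a) for a in seg["pool"])
    return gw.network, gw.ip, lo, hi

def check_plan(plan):
    """Return a list of inconsistencies inside the plan itself."""
    problems, seen = [], []
    for name, seg in plan.items():
        net, gw, lo, hi = _segment(seg)
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"{name}: DHCP pool not inside {net}")
        if lo <= gw <= hi:
            problems.append(f"{name}: gateway {gw} is inside the DHCP pool")
        for other, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        seen.append((name, net))
    return problems

def classify(addr, plan, static=False):
    """Classify one address; static=True marks a manually configured host."""
    ip = ip_address(addr)
    if ip in DEFAULT_NET:
        return "default-segment"  # DHCP failed or device not yet re-addressed
    for name, seg in plan.items():
        net, gw, lo, hi = _segment(seg)
        if ip not in net:
            continue
        if ip == gw:
            return f"{name}:gateway-conflict"
        if static and lo <= ip <= hi:
            return f"{name}:static-in-dhcp-pool"  # may collide with a lease
        return f"{name}:ok"
    return "unplanned"

# Constructed sample inventory: (device, address, manually configured?)
OBSERVED = [("AC", "192.168.0.100", False), ("aggregation-switch", "192.168.1.2", False),
            ("admin-PC", "192.168.1.100", True), ("wireless-client", "192.168.20.37", False)]

def audit(observed, plan):
    """Map each device in the inventory to its classification."""
    return {dev: classify(addr, plan, static) for dev, addr, static in observed}

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
    print(audit(OBSERVED, PLAN))
```

The admin PC result reflects that 192.168.1.100 lies inside the management DHCP range 192.168.1.2 to 192.168.1.254, so a statically addressed PC there can collide with an address leased to a device.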

 

Procedure

Configuring the MSR router as the gateway

1.     Connect a PC to the MSR router.

Use an Ethernet cable to connect the PC and LAN interface GE2 on the MSR router. By default, all LAN ports belong to VLAN 1.

2.     Click the  icon at the lower right corner of the PC, and then click Open Network and Sharing Center.

3.     In the Network and Sharing Center, click Local Area Connection.

Figure 120 Network and Sharing Center

 

4.     Click Properties.

Figure 121 Local area connection

 

5.     In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click OK.

Figure 122 Local area connection properties

 

6.     In the Internet Protocol Version 4 (TCP/IPv4) dialog box, configure an IP address for the PC. Make sure the PC and the MSR can reach each other. Use either of the following methods:

¡     Select Obtain an IP address automatically and select Obtain DNS server address automatically. The PC will use the addresses assigned by the MSR router.

Figure 123 Configuring automatic address obtaining

 

¡     Manually change the IP address of the PC to any address in the 192.168.0.0/24 segment except 192.168.0.1, for example, 192.168.0.31. If you modify the default login address of the MSR device later, use an IP address in the modified network segment to log in to the MSR device again.

Figure 124 Manually configuring IP address settings

 

7.     Log in to the MSR router:

a.     Enter https://192.168.0.1 in the address bar on the PC, and then press Enter to log in to the Web interface of the MSR router.

b.     Enter the default username admin and default password admin, and then click Login. Change the password as prompted.

Figure 125 Logging in to the MSR router

 

8.     Configure WAN settings:

a.     From the left navigation pane, select Fast Configuration.

b.     Select Single WAN as the scene and then click Next.

Figure 126 Scene selection

 

c.     Select WAN0(GE0) as line 1.

d.     Select the link mode according to the service provider:

-     If you select PPPoE, enter the PPPoE account and password provided by the service provider.

-     If you select DHCP, the system automatically obtains a public IP address from the DHCP server.

-     If you select static address, enter the IP address, subnet mask, gateway address, and DNS address of the WAN.

e.     Select Enabled for NAT and then click Next.

Figure 127 Configuring WAN settings

 

9.     Configure LAN settings:

a.     On the LAN Config page, change the local IP address to 192.168.1.1, and set the subnet mask to 255.255.255.0.

b.     Set both the gateway address and DNS address to 192.168.1.1, and set the IP distribution range to 192.168.1.2 to 192.168.1.254 for allocating IP addresses to the switches, AC, and APs.

c.     Retain the default settings in the other fields and then click Next.

Figure 128 Configuring LAN settings

 

10.     Click Finish.

Figure 129 Completing fast configuration

 

CAUTION:

·     As you have modified the local network IP address of the MSR router, use the modified IP address to log in to the Web management interface of the MSR router again.

·     Modify the IP address of the PC to any IP address in subnet 192.168.1.0/24, for example, 192.168.1.100/24. Make sure the IP address is not the same as any IP address obtained by a device.

 

11.     Create a wireless client service VLAN:

a.     From the left navigation pane, select Network > LAN Settings.

b.     Click Add. Configure service VLAN 20.

c.     Specify the VLAN ID as 20.

d.     Specify the interface address as 192.168.20.1.

e.     Specify the subnet mask as 255.255.255.0.

f.     Enable DHCP. Specify the address allocation range for wireless clients as 192.168.20.2 to 192.168.20.254.

g.     Retain the default settings in the other fields and then click Apply.

Figure 130 Creating a wireless client service VLAN

 

12.     Configure interface GE1:

GE1 must permit both VLAN 1 and VLAN 20 to pass.

a.     From the left navigation pane, select Network > LAN Settings.

b.     On the VLAN tab, click the edit icon for GE1.

c.     Add VLAN 20 as a permitted VLAN.

d.     Click Apply.

Figure 131 Configuring interface GE1

 

13.     Connect the MSR router to Cloudnet:

Connect the MSR router to Cloudnet so that Cloudnet can manage and maintain devices in a unified way.

a.     From the left navigation pane, select System Tool > Remote Login.

b.     Click the Cloud Service tab.

c.     Select Open in the Cloud Service field.

d.     Specify the server domain name as cloudnet.h3c.com.

e.     Enter the sysname.

f.     Click Apply.

Figure 132 Configuring cloud services

 

Configuring the aggregation switch

# Power on the aggregation switch, and connect upstream Ethernet interface GE1/0/1 to the MSR router. The aggregation switch will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (MSR router). Make sure the IP addresses obtained through DHCP are reachable from the public network.

Configuring the PoE switch

# Power on the PoE switch, and use a network cable to connect upstream Ethernet interface GE1/0/1 to the aggregation switch. The PoE switch will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (MSR router). Make sure the IP addresses obtained through DHCP are reachable from the public network.

Configuring the fit APs

IMPORTANT:

By default, an AP operates in cloud mode. You can bulk enable fit mode for cloud-managed APs on Cloudnet.

 

1.     Power on the cloud-managed APs and use network cables to connect the upstream Ethernet interfaces of the APs to the PoE switch. The APs will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (MSR router).

2.     After the cloud-managed APs are connected to the public network, add the APs to Cloudnet for them to register on Cloudnet. For more information, see "Adding devices to Cloudnet."

3.     Log in to the Web interface of Cloudnet. On the top navigation bar, click Network. From the left navigation pane, select Settings > Cloud APs > CLI.

Figure 133 CLI

 

4.     Click Please add. In the dialog box that opens, select the target AP model for mode conversion, and then click OK.

Figure 134 Selecting the target AP model

 

5.     In the Edit box, edit commands including the ap-mode fit command for converting the AP operating mode to fit mode, and then click OK.

Figure 135 Editing commands for converting the AP operating mode to fit mode

 

6.     Delete the cloud-managed APs from Cloudnet promptly after the AP operating mode is converted to fit mode. If the APs fail to find an AC when they access Cloudnet for the first time after mode conversion, they automatically convert the operating mode to cloud mode. To delete the cloud-managed APs:

a.     From the left navigation pane, select Network > Devices.

b.     In the upper left corner of the work pane, select the target branch and site.

c.     On the Cloud AP tab, select all cloud-managed APs whose operating mode has been converted to fit mode, and then click Delete.

Figure 136 Deleting cloud-managed APs

 

Configuring the AC

 

NOTE:

If no AP license is installed on the AC, fit APs cannot register on the AC. Install sufficient AP licenses on the AC first.

 

# Power on the AC, and use a network cable to connect upstream Ethernet interface GE1/0/1 to the aggregation switch. The AC will dynamically obtain IP addresses through DHCP (the default address assignment method) from the gateway (MSR router). Make sure the IP addresses obtained through DHCP are reachable from the public network.

Adding devices to Cloudnet

After the gateway, aggregation switch, PoE access switch, and AC are connected to the public network, you must add these devices to Cloudnet for them to register on Cloudnet. For the convergence switch information, see "Adding devices to Cloudnet."

To verify the configuration:

1.     View device online status.

After you add a cloud-managed AP to Cloudnet, verify that the status of the AP changes to online. Due to network issues, it might take a few minutes for a device to come online. Wait and refresh the page to view the status.

Figure 137 Viewing device online status

 

2.     View the network topology.

On the top navigation bar, click Network. From the left navigation pane, select Network > Sites. Then, select the target branch and site from the upper left corner of the work pane, and view the network topology on the Site Summary tab.

Figure 138 Viewing the network topology

 

Configuring the aggregation switch on Cloudnet

After the aggregation switch registers on Cloudnet, configure basic settings for the switch to meet wireless service requirements.

To configure the aggregation switch on Cloudnet:

1.     Create service VLAN 20:

a.     On the top navigation bar, click Network. From the left navigation pane, select Settings > Switches > Basic Settings.

b.     In the upper left corner of the work pane, select the branch, site, and device model of the aggregation switch.

c.     On the VLAN tab, click Add.

d.     Specify VLAN ID 20.

e.     Click OK.

Figure 139 Creating a service VLAN

 

2.     Specify GE1/0/1 that connects to the MSR router and GE1/0/2 that connects to the AC as trunk ports, and assign the ports to VLAN 1 and VLAN 20:

a.     Select the target interfaces on the device panel area.

b.     Click the Interface Management tab.

c.     Specify the link type as trunk, and specify VLANs 1 and 20 as permitted VLANs.

d.     Retain the default settings in the other fields, and then click Submit.

Figure 140 Configuring GE interfaces

 

Configuring the AC on Cloudnet

After the AC registers on Cloudnet, configure basic settings for the AC to meet wireless service requirements.

In this example, the AC is enabled with auto AP and APs can come online from the AC automatically. If auto AP is not enabled on your AC, log in to Cloudnet, access the Network > Settings > ACs > AP Settings page, select the target branch, site, and device at the upper left corner of the work pane, and add or import the APs manually. This ensures that the APs can come online from the AC.

To configure the AC on Cloudnet:

1.     Create service VLAN 20:

a.     On the top navigation bar, click Network. From the left navigation pane, select Settings > ACs > Basic Settings.

b.     In the upper left corner of the work pane, select the branch, site, and device model of the AC.

c.     On the VLAN tab, click Add.

d.     In the dialog box that opens, specify VLAN ID 20, turn off VLAN interface IP, and then click OK.

Figure 141 Creating a service VLAN

 

2.     Specify GE1/0/1 that connects to the aggregation switch as a trunk port, and assign the port to VLAN 1 and VLAN 20:

a.     Click Sync to synchronize the basic settings at the device side to Cloudnet.

b.     On the Ports tab, click the Edit icon in the Actions column for GE1/0/1.

c.     Specify the link type as trunk, and specify VLANs 1 and 20 as permitted VLANs.

d.     Retain the default settings in the other fields, and then click OK.

Figure 142 Configuring GE1/0/1

 

Configuring wireless services on Cloudnet

After the AC is registered on Cloudnet, you can configure and maintain wireless services for the APs from Cloudnet in a unified way.

To configure wireless services on Cloudnet:

1.     Log in to Cloudnet. On the top navigation bar, click Network. From the left navigation pane, select Settings > ACs > Wireless Services. Then, select the target branch, site, and device from the upper left corner of the work pane.

2.     Click Add.

¡     Configure the wireless service name and SSID.

¡     Specify the service VLAN ID as 20.

¡     Retain the default settings in the other fields and then click Next.

Figure 143 Creating a wireless service

 

3.     On the Security Configuration page, configure wireless parameters:

¡     Select PSK as the encryption service.

¡     Enter a password. The password is a string of 8 to 63 characters. The string can contain digits, letters, and special characters.

¡     Retain the default settings in the other fields and then click Next.

Figure 144 Configuring security settings

 

4.     On the Bind AP page, bind the wireless service to APs.

¡     Select the target APs, and then click the  icon.

¡     Click Submit.

Figure 145 Binding the wireless service to APs

 

Verifying the configuration

After a client accesses the wireless network, click Network on the top navigation pane. From the left navigation pane, select Monitor > ACs > Summary. Select the target branch, site, and device at the upper left corner of the work pane, and view the AC statistics.

1.     On the AP List tab, view information about APs associated with the AC.

Figure 146 Viewing AP information

 

2.     On the Client List tab, view information about clients associated with the AC.

Figure 147 Viewing client information

 

Adding devices to Cloudnet

Logging in to Cloudnet

After connecting devices to the public network, you can log in to Cloudnet to add sites and devices to remotely manage the devices and view device information.

Enter cloudnet.h3c.com in the address bar and press Enter. Enter the username and password, and then click Sign In.

Managing branches

On the top navigation bar, click Network. From the left navigation pane, select Network > Organization. You can add, edit, and delete branches as needed.

1.     Add a branch.

Click the root node or a branch node and click Add. Enter the branch name and then click OK. You can repeat the step to add more branches.

Figure 148 Adding a branch

 

2.     Rename a branch.

To rename the root node or a branch node, click the node, and then click Edit. You can repeat the step to edit the names of other branches.

Figure 149 Renaming a branch

 

 

NOTE:

·     To delete a branch, click the target branch node, and then click Delete.

·     You cannot delete the root node.

·     If a branch to be deleted contains sub-layer branches or sites, you must first delete the sub-layer branches or sites.

 

Adding a site

1.     Add a site.

On the top navigation bar, click Network.

¡     From the left navigation pane, select Network > Dashboard. Select a branch at the upper left corner of the work pane. On the Sites tab, click Add. If the branch has existing sites, click Tile at the upper right corner and then click Add.

¡     From the left navigation pane, select Network > Organization. Select a branch and then click Add.

The following figures show how to add sites on the Network > Dashboard page.

Figure 150 Adding a site for the first time

 

Figure 151 Adding a site (not the first time) (Tile view)

 

2.     Specify the scenario type.

Select the General scenario type and then click Next. To filter device models supported in the scenario, click the search icon.

Figure 152 Specifying the scenario type

 

3.     Configure the site name.

Configure the site name, select the branch in which the site resides, select the industry information, and then click Next.

Figure 153 Configuring the site name

 

4.     Specify the address.

Specify the site address and then click OK.

Figure 154 Specifying the address

 

Adding devices

After adding a site, click OK at the prompt to add devices immediately. To add devices to the site later, click Cancel. To add devices to an existing site:

1.     On the top navigation bar, click Network. From the left navigation pane, select Network > Devices. Select the target branch and site at the upper left corner of the work pane, and then click Add. Specify the site, device name, and device serial number.

Figure 155 Adding a device

 

 

 

2.     After the device is added, verify that the device is online. Due to network connectivity, it might take a few minutes for the device to come online. Please wait and refresh the page later.

Figure 156 Viewing device online status

 

 
