Feature and hardware compatibility
Restrictions and guidelines: AP management configuration
AP management tasks at a glance
Configuring CAPWAP tunnel establishment
Prerequisites for configuring CAPWAP tunnel establishment
Setting the discovery-response timeout timer
Setting the AP connection priority for the AC
Enabling the AC to respond only to unicast discovery requests
Configuring the mapping between a software version and a hardware version of an AP model
Specifying the preferred location for the AC to obtain an AP image file
Configuring basic VLAN settings
Assigning an access port to a VLAN
Assigning a trunk port to VLANs
Assigning a hybrid port to VLANs
Assigning VLAN settings to APs
Configuring CAPWAP tunnel encryption
Configuring CAPWAP tunnel latency detection
Setting the echo interval for an AP
Setting the maximum fragment size for CAPWAP packets
Setting the TCP MSS for CAPWAP tunnels
Configuring AC request retransmission
Setting the statistics report interval
Managing the file system of an AP
Configuring preprovisioned settings for an AP
Configuring network settings for an AP group
Assigning preprovisioned settings to APs
Configuring auto loading of preprovisioned settings
Configuring advanced features for AP management
Configuring the default input power level
Enabling or disabling USB interfaces for APs
Enabling service anomaly detection
Display and maintenance commands for AP management
AP management configuration examples
Example: Establishing a CAPWAP tunnel through DHCP
Example: Establishing a CAPWAP tunnel through DHCPv6
Example: Establishing a CAPWAP tunnel through DNS
Example: Configuring the auto AP feature
Example: Configuring AP groups
Feature and hardware compatibility
Restrictions and guidelines: Radio management configuration
Radio management tasks at a glance
Enabling or disabling all radios
Enabling or disabling a radio in radio view
Enabling or disabling a radio in AP group radio view
Configuring basic radio functions
Configuring the channel selection blacklist or whitelist
Setting the maximum transmit power
Specifying a collision avoidance mode
Setting the fragmentation threshold
Setting the hardware retransmission limits
Setting the maximum number of clients that can associate with an AP
Configuring access services for 802.11b clients
Configuring 802.11g protection
Setting the maximum transmission distance
Enabling the continuous mode for a radio
Performing on-demand channel usage measurement
Specifying the A-MPDU aggregation method
Specifying the A-MSDU aggregation method
Configuring the client dot11n-only feature
Setting the 802.11n bandwidth mode
Configuring 802.11n protection
Configuring 802.11ac functions
Configuring the client dot11ac-only feature
Setting the 802.11ac bandwidth mode
Configuring the smart antenna feature
Display and maintenance commands for radio management
Radio management configuration examples
Example: Configuring basic radio function
Whitelist- and blacklist-based access control
Feature and hardware compatibility
Configuration restrictions and guidelines
Configuring a service template
Configuring a description for a service template
Setting the maximum number of associated clients for a service template
Binding a service template to a radio
Configuring an AP to not inherit the specified service template from the AP group
Configuring wireless client functions
Setting the client idle timeout
Setting the VLAN allocation method for clients
Configuring clients to prefer the authorization VLAN after roaming
Setting the aging time for the cache of clients
Enabling client association at the AC or APs
Specifying the client traffic forwarder
Enabling client traffic forwarding
Setting the encapsulation format for client data frames
Setting the idle period before client reauthentication
Enabling immediate client association upon successful local authentication
Specifying the method for APs to process traffic from unknown clients
Performing a wireless link quality test
Specifying the Web server to which client information is reported
Enabling the device to generate client logs in the specified format
Configuring client statistics reporting
Configuring client access control
Specifying a permitted AP group for client association
Specifying a permitted SSID for client association
Adding a client to the whitelist
Adding a client to the static blacklist
Configuring the dynamic blacklist
Configuring ACL-based access control
Disabling an AP from responding to broadcast probe requests
Configuring policy-based forwarding
Restrictions and guidelines for policy-based forwarding
Prerequisites for policy-based forwarding
Configuring a forwarding policy
Applying a forwarding policy to a service template
Applying a forwarding policy to a user profile
Deploying a configuration file to an AP
Enabling SNMP notifications for WLAN access
Display and maintenance commands for WLAN access
WLAN access configuration examples
Example: Configuring WLAN access
Example: Configuring the whitelist
Example: Configuring the static blacklist
Example: Configuring ACL-based access control
802.11w management frame protection
About 802.11w management frame protection
Feature and hardware compatibility
WLAN security tasks at a glance
Setting the security information element
Setting the TKIP MIC failure hold time
Configuring 802.11w management frame protection
Enabling the dynamic WEP mechanism
Enabling SNMP notifications for WLAN security
Display and maintenance commands for WLAN security
WLAN security configuration examples
Example: Configuring shared key authentication
Example: Configuring PSK authentication and bypass authentication
Example: Configuring PSK authentication and MAC authentication
Example: Configuring 802.1X AKM
Example: Configuring management frame protection
Example: Configuring dynamic WEP
Example: Configuring private PSK authentication and MAC authentication
Configuring WLAN authentication
Feature and hardware compatibility
WLAN authentication tasks at a glance
Prerequisites for WLAN authentication
Configuring global WLAN authentication parameters
Setting OUIs for OUI authentication
Enabling EAP relay or EAP termination for 802.1X authentication
Specifying 802.1X-supported domain name delimiters
Setting the maximum number of 802.1X authentication request attempts
Setting the 802.1X authentication timers
Configuring the MAC authentication user account format
Specifying a global MAC authentication domain
Setting the MAC authentication server timeout timer
Configuring service-specific WLAN authentication parameters
Setting the authentication mode
Specifying the authenticator for WLAN clients
Specifying an EAP mode for 802.1X authentication
Ignoring 802.1X or MAC authentication failures
Enabling URL redirection for WLAN MAC authentication clients
Configuring a WLAN Auth-Fail VLAN
Configuring a WLAN critical VLAN
Ignoring authorization information from the server
Enabling the authorization-fail-offline feature
Configuring intrusion protection
Configuring the online user handshake feature
Configuring the online user handshake security feature
Specifying an 802.1X authentication domain
Setting the maximum number of concurrent 802.1X clients
Enabling the periodic online user reauthentication feature
Setting the maximum number of concurrent MAC authentication clients
Specifying a service-specific MAC authentication domain
Configuring the accounting-start trigger feature
Configuring the accounting-update trigger feature
Display and maintenance commands for WLAN authentication settings
WLAN authentication configuration examples
Example: Configuring 802.1X CHAP local authentication
Example: Configuring 802.1X EAP-PEAP RADIUS authentication
Example: Configuring RADIUS-based MAC authentication
Broadcast disassociation/deauthentication attack detection
Detection on clients with the 40 MHz bandwidth mode disabled
AP impersonation attack detection
Association/reassociation DoS attack detection
Signature-based attack detection
Feature and hardware compatibility
Configuring an attack detection policy
Applying an attack detection policy
Configuring signature-based attack detection
Configuring a signature policy
Configuring device classification
Configuring a classification policy
Configuring an automatic device classification policy
Configuring a manual AP classification policy
Applying a classification policy
Configuring a countermeasure policy
Applying a countermeasure policy
Detecting clients with NAT configured
Configuring the alarm-ignoring feature
Configuring APs to perform WIPS scanning while providing access services
Display and maintenance commands for WIPS
Example: Configuring device classification and countermeasures
Example: Configuring malformed packet and flood attack detection
Example: Configuring signature-based attack detection
Feature and hardware compatibility
Restrictions and guidelines: WLAN QoS configuration
Setting EDCA parameters of AC-BE or AC-BK queues for clients
Setting EDCA parameters of AC-VI or AC-VO queues for clients
Configuring a port to trust packet priority for priority mapping
Configuring bandwidth guaranteeing
Configuring client rate limiting
Display and maintenance commands for WMM
WLAN QoS configuration examples
Example: Configuring basic WMM
Example: Configuring SVP mapping
Example: Configuring traffic differentiation
Example: Configuring bandwidth guaranteeing
Example: Configuring client rate limiting
Feature and hardware compatibility
Restrictions and guidelines: WLAN roaming configuration
Enabling SNMP notifications for WLAN roaming
Display and maintenance commands for WLAN roaming
WLAN roaming configuration examples
Example: Configuring intra-AC roaming
Configuring WLAN radio resource measurement
About WLAN radio resource measurement
Feature and hardware compatibility
Restrictions and guidelines: Radio resource measurement configuration
WLAN radio resource measurement tasks at a glance
Enabling radio resource management
Setting the measurement duration and interval
Setting the match mode for client radio resource measurement capabilities
Display and maintenance commands for WLAN radio resource measurement
Radio resource measurement configuration examples
Example: Configuring radio resource measurement
Feature and hardware compatibility
Restrictions and guidelines: Channel scanning configuration
Channel scanning tasks at a glance
Setting the maximum service period
Setting the service idle timeout timer
Configuring the channel scanning blacklist or whitelist
Configuring all-channel scanning
Channel scanning configuration examples
Example: Configuring relative forwarding preferred channel scanning
Example: Configuring absolute forwarding preferred channel scanning
Feature and hardware compatibility
Restrictions and guidelines: Band navigation configuration
Band navigation tasks at a glance
Prerequisites for band navigation
Enabling band navigation globally
Enabling AP-based band navigation
Configuring load balancing for band navigation
Configuring band navigation parameters
Band navigation configuration examples
Example: Configuring band navigation
Configuring WLAN multicast optimization
About WLAN multicast optimization
WLAN multicast optimization mechanism
WLAN multicast optimization entries
Feature and hardware compatibility
WLAN multicast optimization tasks at a glance
Enabling WLAN multicast optimization
Configuring a multicast optimization policy
Setting rate limits for IGMP/MLD packets from clients
Setting the limit for multicast optimization entries
Setting the limit for multicast optimization entries per client
Setting the aging time for multicast optimization entries
Display and maintenance commands for WLAN multicast optimization
WLAN multicast optimization configuration examples
Example: Configuring basic WLAN multicast optimization
Cloud connection establishment
Feature and hardware compatibility
Configuring a cloud connection
Configuring the H3C Oasis server
Display and maintenance commands for cloud connections
Cloud connection configuration examples
Example: Configuring a cloud connection
Feature and hardware compatibility
Restrictions and guidelines: WLAN RRM
Setting the DFS sensitivity mode
Configuring DFS trigger parameters
Configuring scheduled auto-DFS
Configuring an RRM holddown group
Configuring TPC trigger parameters
Setting the minimum transmit power
Configuring an RRM holddown group
Configuring spectrum management
Setting the power constraint mode
Setting the channel switch mode
Setting the transmit power capability match mode
Setting the channel capability match mode
Enabling SNMP notifications for WLAN RRM
Display and maintenance commands for WLAN RRM
WLAN RRM configuration examples
Example: Configuring periodic auto-DFS
Example: Configuring scheduled auto-DFS
Example: Configuring periodic auto-TPC
Example: Configuring spectrum management
Feature and hardware compatibility
WLAN IP snooping tasks at a glance
Disabling snooping ARP packets
Disabling snooping DHCPv4 packets
Enabling snooping DHCPv6 packets
Disabling SNMP from getting client IPv6 addresses learned from ND packets
Enabling snooping HTTP requests redirected to the portal server
WLAN IP snooping configuration examples
Example: Configuring WLAN IP snooping
Configuring WLAN load balancing
Feature and hardware compatibility
Restrictions and guidelines: WLAN load balancing configuration
WLAN load balancing tasks at a glance
Prerequisites for WLAN load balancing
Configuring a load balancing group
Configuring load balancing parameters
Enabling SNMP notifications for WLAN load balancing
Display and maintenance commands for WLAN load balancing
WLAN load balancing configuration examples (on radios)
Example: Configuring session-mode load balancing
Example: Configuring traffic-mode load balancing
Example: Configuring bandwidth-mode load balancing
WLAN load balancing configuration examples (on a load balancing group)
Example: Configuring session-mode load balancing
Example: Configuring traffic-mode load balancing
Example: Configuring bandwidth-mode load balancing
Feature and hardware compatibility
Specifying a server to receive wireless device information
Configuring sensors to report wireless device information to the AC
Enabling real-time reporting of wireless device information to the UDP server
Setting the coordinates and timezone offset for a sensor
Reporting wireless device information to the Oasis platform
Configuring wireless device filtering
Display and maintenance commands for WLAN probe
WLAN probe configuration examples
Managing APs
The term "AC" in this document refers to MSR routers that can function as ACs.
About AP management
Managing a large number of APs individually is time-consuming and costly. The fit AP + AC network architecture lets an AC manage and maintain all of its APs centrally.
CAPWAP tunnel
Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between the AP and the AC. CAPWAP runs over UDP (the control channel uses port 5246 and the data channel uses port 5247 by default) and supports both IPv4 and IPv6.
As shown in Figure 1, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward control packets.
AC discovery
After starting up with no configuration, an AP automatically creates VLAN-interface 1 and enables the DHCP client, DHCPv6 client, and DNS features on the interface. It obtains its own IP address from the DHCP server and then discovers ACs by using the following methods:
· Static IP address.
If AC IP addresses have been manually configured on the AP, the AP sends a unicast discovery request to each configured AC IP address.
· DHCP options.
The AP obtains AC IPv4 addresses from Option 138 and Option 43, and AC IPv6 addresses from Option 52, in the replies it receives from the DHCP server. It tries the addresses in that order of preference: Option 138 first, then Option 43, then Option 52.
For more information about DHCP options, see Layer 3—IP Services Configuration Guide.
· DNS.
a. The AP obtains the domain name suffix from the DHCP server.
b. The AP appends the suffix to the AC host name to form the fully qualified domain name of the AC.
c. The DNS server resolves the domain name into the AC IP addresses.
For more information about DNS, see Layer 3—IP Services Configuration Guide.
· Broadcast.
The AP broadcasts discovery requests to IP address 255.255.255.255.
· IPv4 multicast.
The AP sends multicast discovery requests to IPv4 address 224.0.1.140.
· IPv6 multicast.
The AP sends multicast discovery requests to IPv6 address FF0E::18C.
The AP tries these methods in descending order of preference: static IP address, DHCPv4 options, broadcast and IPv4 multicast, IPv4 DNS, IPv6 multicast, DHCPv6 option, and IPv6 DNS.
The AP does not stop AC discovery until it establishes a CAPWAP tunnel with one of the discovered ACs.
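The following Python example, added here and not part of the H3C document, encodes and parses the two CAPWAP AC address options named above, DHCPv4 Option 138 and DHCPv6 Option 52, with the layout given in RFC 5417, and merges their contents into a candidate list in the order in which the AP consults them. Option 43 is vendor-specific, so its payload is not decoded. The function names and the sample addresses are this example's own.

```python
"""Added example (not from the H3C document): encode and parse the DHCP options
that carry CAPWAP AC addresses during AC discovery, DHCPv4 Option 138 (AC IPv4
addresses) and DHCPv6 Option 52 (AC IPv6 addresses), both defined in RFC 5417.
Option 43 is vendor-specific and is not modelled. All sample data is constructed."""
import ipaddress
import struct

OPTION_CAPWAP_AC_V4 = 138  # DHCPv4 option code, payload = n * 4 bytes
OPTION_CAPWAP_AC_V6 = 52   # DHCPv6 option code, payload = n * 16 bytes


def encode_option138(addrs):
    """Build the complete DHCPv4 option: code, one-byte length, packed addresses."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    if not payload or len(payload) > 255:
        raise ValueError("Option 138 carries 1 to 63 IPv4 addresses")
    return bytes([OPTION_CAPWAP_AC_V4, len(payload)]) + payload


def parse_option138(option):
    """Return the AC IPv4 addresses in an Option 138, rejecting malformed input."""
    if len(option) < 2 or option[0] != OPTION_CAPWAP_AC_V4:
        raise ValueError("not a CAPWAP AC IPv4 option")
    length = option[1]
    payload = option[2:2 + length]
    # A truncated option, or a length that is not a multiple of 4, is malformed;
    # the AP must not try to contact a partial address.
    if length == 0 or length % 4 or len(payload) != length:
        raise ValueError("malformed Option 138 length")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


def encode_option52(addrs):
    """Build the complete DHCPv6 option: 2-byte code, 2-byte length, addresses."""
    payload = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    if not payload:
        raise ValueError("Option 52 needs at least one IPv6 address")
    return struct.pack("!HH", OPTION_CAPWAP_AC_V6, len(payload)) + payload


def parse_option52(option):
    """Return the AC IPv6 addresses in a DHCPv6 Option 52, rejecting malformed input."""
    if len(option) < 4:
        raise ValueError("truncated DHCPv6 option header")
    code, length = struct.unpack("!HH", option[:4])
    payload = option[4:4 + length]
    if code != OPTION_CAPWAP_AC_V6 or length == 0 or length % 16 or len(payload) != length:
        raise ValueError("malformed Option 52")
    return [str(ipaddress.IPv6Address(payload[i:i + 16]))
            for i in range(0, length, 16)]


def parse_or_none(parser, option):
    """What an AP's DHCP client should do with a bad option: yield no candidates."""
    try:
        return parser(option)
    except ValueError:
        return None


def ac_candidates(v4_option=None, v6_option=None):
    """Merge candidates in the order the document gives: DHCPv4 option addresses
    before the DHCPv6 option addresses. Malformed options are skipped, not partially used."""
    candidates = []
    for parser, option in ((parse_option138, v4_option), (parse_option52, v6_option)):
        if option is not None:
            candidates.extend(parse_or_none(parser, option) or [])
    return candidates


if __name__ == "__main__":
    # Constructed sample: two ACs reachable over IPv4, one over IPv6.
    v4 = encode_option138(["10.1.1.1", "10.1.1.2"])
    v6 = encode_option52(["2001:db8::1"])
    print(v4.hex(), v6.hex())
    print(ac_candidates(v4, v6))
```

The length checks matter on the AP side: an option whose length field exceeds the bytes actually present, or is not a whole number of addresses, is dropped as a unit rather than yielding a half-parsed AC address to which the AP would then send a discovery request.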
CAPWAP tunnel establishment
Figure 2 Establishing a CAPWAP tunnel
As shown in Figure 2, an AP and an AC establish a CAPWAP tunnel by using the following procedure:
1. The AP sends a discovery request to each candidate AC.
2. Upon receiving a discovery request, the AC determines whether to send a discovery response by performing the following steps:
a. Identifies whether the discovery request is a unicast packet.
- Unicast packet: The AC proceeds to step b.
- Broadcast or multicast packet: If the feature of responding only to unicast discovery requests is disabled, the AC proceeds to step b. If the feature is enabled, the AC does not send a discovery response.
b. Identifies whether manual AP configuration exists for the AP.
- If manual AP configuration exists, the AC sends a discovery response. The response indicates that the AC has manual configuration for the AP and carries the AP connection priority and the AC's load status.
- If no manual AP configuration exists, the AC proceeds to step c.
c. Identifies whether the auto AP feature is enabled.
- If auto AP is enabled, the AC sends a discovery response. The response carries the enabling status of auto AP, the AP connection priority, and the AC's load status.
- If auto AP is disabled, the AC does not send a discovery response.
3. When its discovery-response timeout timer expires, the AP selects the optimal AC from the responses it has received by comparing the following criteria in descending order:
- AC that has manual configuration for the AP.
- AC on which the auto AP feature is enabled.
- AC with the higher AP connection priority.
- AC with the lighter load.
- AC that responded earliest.
4. The AP sends a join request to the selected AC.
5. Upon receiving the join request, the AC examines the information in the request, determines whether to provide access services to the AP, and sends a join response.
6. Upon receiving the join response, the AP examines its result code:
- If the result code represents failure, the AP does not establish a CAPWAP tunnel with the AC.
- If the result code represents success, the AP establishes a CAPWAP tunnel with the AC.
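The following Python example, added here and not part of the H3C document, models both sides of the exchange described above: the AC's three-step decision whether to answer a discovery request, and the AP's ranking of the responses it has collected when its discovery-response timer expires. The Ac and DiscoveryResponse types, the function names and the sample topology are this example's own; the AC attributes correspond to the respond-only-to-unicast, auto AP, manual AP, AP connection priority and load settings described in this chapter.

```python
"""Added example (not from the H3C document): a model of the CAPWAP discovery
phase. ac_respond() applies the AC-side decision (steps a to c) and select_ac()
applies the AP-side ranking (step 3). Names, data model and topology are
constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ac:
    name: str
    unicast_only: bool = False            # wlan capwap discovery-policy unicast
    auto_ap: bool = False                 # wlan auto-ap enable
    manual_aps: frozenset = frozenset()   # serial IDs that have manual AP configuration
    priority: int = 4                     # AP connection priority, default 4, larger is higher
    load: int = 0                         # AC load indication, lower is lighter


@dataclass(frozen=True)
class DiscoveryResponse:
    ac: str
    has_manual_config: bool
    auto_ap_enabled: bool
    priority: int
    load: int
    arrival: int                          # order in which the AP received the response


def ac_respond(ac: Ac, ap_serial: str, unicast: bool, arrival: int) -> Optional[DiscoveryResponse]:
    """AC side: return a discovery response, or None when the AC stays silent."""
    # Step a: a broadcast/multicast request is dropped when the AC answers unicast only.
    if not unicast and ac.unicast_only:
        return None
    # Step b: an AC that holds manual configuration for this AP always answers.
    if ap_serial in ac.manual_aps:
        return DiscoveryResponse(ac.name, True, ac.auto_ap, ac.priority, ac.load, arrival)
    # Step c: otherwise only an AC with the auto AP feature enabled answers.
    if ac.auto_ap:
        return DiscoveryResponse(ac.name, False, True, ac.priority, ac.load, arrival)
    return None


def select_ac(responses) -> Optional[str]:
    """AP side: rank responses in the document's order of criteria: manual
    configuration, auto AP enabled, higher priority, lighter load, earliest arrival."""
    if not responses:
        return None
    best = max(responses, key=lambda r: (r.has_manual_config, r.auto_ap_enabled,
                                         r.priority, -r.load, -r.arrival))
    return best.ac


def discover(acs, ap_serial: str, unicast: bool) -> Optional[str]:
    """Run one discovery round: every AC sees the request, the AP collects the
    responses until its discovery-response timer expires, then picks one AC."""
    responses = []
    for arrival, ac in enumerate(acs):
        response = ac_respond(ac, ap_serial, unicast, arrival)
        if response is not None:
            responses.append(response)
    return select_ac(responses)


if __name__ == "__main__":
    # Constructed topology: AC1 accepts any AP, AC2 holds manual config for SN-1 only,
    # AC3 accepts any AP but ignores broadcast discovery requests.
    acs = [Ac("AC1", auto_ap=True, priority=7),
           Ac("AC2", manual_aps=frozenset({"SN-1"}), priority=1, load=50),
           Ac("AC3", unicast_only=True, auto_ap=True, priority=7)]
    print(discover(acs, "SN-1", unicast=False))   # AC2: manual config outranks priority
    print(discover(acs, "SN-9", unicast=False))   # AC1: AC3 never answers a broadcast
```

Two consequences are visible in the model: an AC configured with wlan capwap discovery-policy unicast is invisible to an AP that only broadcasts, so such APs need its address from static configuration, DHCP options, or DNS; and an AC that holds manual configuration for an AP wins regardless of priority or load, which is why converting auto APs to manual APs ties them to a particular AC.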
APDB
The Access Point Information Database (APDB) on an AC stores the following AP information:
· AP models.
· Hardware version and software version mappings.
· Information about radios supported by AP models:
- Number of radios.
- Radio type.
- Valid region code.
- Valid antenna type.
- Maximum transmission power.
The AC can establish a CAPWAP tunnel with an AP only when the APDB contains the corresponding AP model information.
You can use the system script and user scripts to manage data in the APDB. The system script is released with the AC software version, and it is automatically loaded each time the AC starts. If you need to add new AP models, upgrade the AC software version (see Fundamentals Configuration Guide) or create a user script and load it on the AC (see "Loading an APDB user script").
Protocols and standards
· RFC 5415, Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification
Feature and hardware compatibility
Only the following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC/3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: AP management configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.
AP management tasks at a glance
Tasks at a glance:
· (Required.) Configuring CAPWAP tunnel establishment
· (Optional.) Upgrading APs' software
· (Optional.) Configuring an AP group
· (Optional.) Configuring VLANs for APs
· (Optional.) Configuring a CAPWAP tunnel
· (Optional.) Configuring AC request retransmission
· (Optional.) Setting the statistics report interval
· (Optional.) Maintaining APs
· (Optional.) Preprovisioning APs
· (Optional.) Enabling SNMP notifications
· (Optional.) Configuring advanced features for AP management
· (Optional.) Enabling service anomaly detection
Configuring CAPWAP tunnel establishment
Prerequisites for configuring CAPWAP tunnel establishment
Before you manage APs, complete the following tasks:
· Create a DHCP address pool on the DHCP server to assign IP addresses to APs.
· If DHCP options are used for AC discovery, configure Option 138, Option 43, or Option 52 in the specified DHCP address pool on the DHCP server.
· If DNS is used for AC discovery, configure the IP address of the DNS server and the AC domain name suffix in the specified DHCP address pool on the DHCP server. Then configure the mapping between the domain name and the AC IP address on the DNS server.
· Make sure the APs and the AC can reach each other.
For more information about DHCP and DNS, see Layer 3—IP Services Configuration Guide.
Creating a manual AP
About manual APs
You can create a manual AP on the AC based on the AP model and the serial ID or MAC address of the AP you are using. An AP prefers to establish a CAPWAP tunnel with an AC that has manual configuration for it.
Procedure
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Create a manual AP and enter its view. | wlan ap ap-name | By default, no manual APs exist. You must specify the model name when you create an AP.
3. Specify the serial ID or the MAC address for the AP. | Specify the serial ID for the AP, or specify the MAC address for the AP. | Use either command.
4. (Optional.) Configure a description for the AP. | description text | By default, an AP does not have a description.
Managing auto APs
About the auto AP feature
The auto AP feature enables APs to connect to an AC without manual AP configuration. This feature simplifies configuration when you deploy a large number of APs in a WLAN.
For security purposes, you can use the following methods to authenticate auto APs:
· Local authentication.
The AC authenticates an auto AP by serial ID or MAC address. When an auto AP initiates a connection request, the AC matches the auto AP against the ACL specified by the wlan ap-authentication acl command. Assume that the AC authenticates the auto AP by serial ID:
- If the serial ID matches a permit rule, the auto AP passes authentication and associates with the AC.
- If the serial ID matches a deny rule, the auto AP fails authentication and cannot associate with the AC.
- If the serial ID matches no rule, the AC treats the auto AP as an unauthenticated auto AP. By default, an unauthenticated auto AP can associate with the AC but cannot provide wireless services.
· Remote authentication.
Remote authentication applies to unauthenticated auto APs. The AC uses the serial ID or MAC address of the unauthenticated auto AP as both the username and the password and sends them to the authentication server. If authentication succeeds, the AC accepts the AP; otherwise, the AC rejects the AP. Because the credential is an identifier that is printed on the AP's label and visible to anyone on the AP's network segment, remote authentication only verifies that the AP is enrolled on the server; it does not prove that the device presenting the identifier is genuine.
· Manual authentication.
Manual authentication applies to unauthenticated auto APs. The AC accepts or rejects an unauthenticated auto AP according to the manual authentication configuration.
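The following Python example, added here and not part of the H3C document, evaluates a WLAN AP ACL the way the local authentication description above outlines and produces the three outcomes: authenticated, rejected, and unauthenticated. It assumes first-match rule evaluation and that a 1 bit in mac-mask means the corresponding address bit is compared; the Rule type, the function names and the sample rules are constructed for this example.

```python
"""Added example (not from the H3C document): the three outcomes of auto AP local
authentication, evaluated against a WLAN AP ACL whose rules follow the
rule { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ] syntax.
First-match evaluation and "1 bits in the mask are compared" are assumptions of
this example; the rules and identifiers below are constructed data."""
from dataclasses import dataclass
from typing import Optional, Tuple

EXACT_MASK = "ffff-ffff-ffff"


def mac_to_int(mac: str) -> int:
    """Accept H3C style (0010-1234-abcd) or colon/hyphen-separated MAC notation."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    mac: Optional[str] = None          # mac mac-address ...
    mac_mask: str = EXACT_MASK         # ... mac-mask (assumed: 1 bits are compared)
    serial_id: Optional[str] = None    # serial-id serial-id

    def matches(self, method: str, ident: str) -> bool:
        """Compare only the attribute selected by wlan ap-authentication method."""
        if method == "mac-address":
            if self.mac is None:
                return False
            mask = mac_to_int(self.mac_mask)
            return (mac_to_int(ident) & mask) == (mac_to_int(self.mac) & mask)
        if method == "serial-id":
            return self.serial_id is not None and self.serial_id == ident
        raise ValueError(f"unknown authentication method {method!r}")


def authenticate(rules, method: str, ident: str) -> str:
    """Return 'authenticated' (permit), 'rejected' (deny) or 'unauthenticated' (no match)."""
    for rule in rules:                 # first matching rule decides (assumption)
        if rule.matches(method, ident):
            return "authenticated" if rule.action == "permit" else "rejected"
    return "unauthenticated"


def admit(rules, method: str, ident: str,
          permit_unauthenticated: bool = True) -> Tuple[str, bool, bool]:
    """Map the outcome to AC behaviour: (state, may associate, may serve clients).
    permit_unauthenticated mirrors wlan ap-authentication permit-unauthenticated,
    which is enabled by default."""
    state = authenticate(rules, method, ident)
    if state == "authenticated":
        return state, True, True
    if state == "rejected":
        return state, False, False
    return state, permit_unauthenticated, False


# Constructed ACL: block one specific AP, allow the rest of its OUI, allow one serial ID.
RULES = (
    Rule("deny", mac="0010-1234-ffff"),
    Rule("permit", mac="0010-1234-0000", mac_mask="ffff-ffff-0000"),
    Rule("permit", serial_id="SN-CONSTRUCTED-0001"),
)

if __name__ == "__main__":
    for ident in ("0010-1234-ffff", "0010-1234-abcd", "00e0-fc00-0001"):
        print(ident, admit(RULES, "mac-address", ident))
    print("SN-OTHER", admit(RULES, "serial-id", "SN-OTHER", permit_unauthenticated=False))
```

Rule order matters under first-match evaluation: the deny rule for 0010-1234-ffff has to precede the permit rule for the 0010-1234 prefix, or it is never reached. The admit() function also shows the effect of undo wlan ap-authentication permit-unauthenticated: an AP that matches no rule is then refused association instead of being parked on the AC without wireless service.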
Restrictions and guidelines
To prevent unauthorized APs from associating with the AC, disable the auto AP feature after all required APs have associated with the AC.
Convert auto APs to manual APs after they come online, for the following reasons:
· Only manual APs can re-associate with the AC after an AC reboot or CAPWAP tunnel termination; an auto AP that has not been converted must be accepted again.
· Only manual APs can be configured individually in AP view.
Prerequisites
Before you configure remote authentication for auto APs, specify an authentication domain and AAA scheme on the AC and create user accounts on the RADIUS server. For information about authentication domain and AAA scheme configuration, see AAA in Security Configuration Guide.
Tasks at a glance
1. Enabling the auto AP feature
2. (Optional.) Converting auto APs to manual APs
3. (Optional.) Configuring auto AP authentication
- Configuring auto AP local authentication
- Configuring auto AP remote authentication
- Manually authenticating unauthenticated auto APs
4. (Optional.) Disabling unauthenticated auto APs from associating with the AC
5. (Optional.) Restarting unauthenticated auto APs
Enabling the auto AP feature
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enable the auto AP feature. | wlan auto-ap enable | By default, the auto AP feature is disabled.
Converting auto APs to manual APs
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Convert auto APs to manual APs. | Convert online auto APs to manual APs; or enable automatic conversion of auto APs to manual APs after they come online: wlan auto-persistent enable | Use either command. By default, auto APs are not converted to manual APs. The wlan auto-persistent enable command does not take effect on auto APs that are already online; convert those with the first command.
Configuring auto AP local authentication
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Specify an authentication method. | wlan ap-authentication method { mac-address \| serial-id } | By default, the AC authenticates auto APs by MAC address.
3. Create a WLAN AP ACL and enter its view. | acl wlan ap { acl-number \| name acl-name } | By default, no WLAN AP ACLs exist. For more information about this command, see ACL and QoS Command Reference.
4. Return to system view. | quit | N/A
5. Specify the ACL for authenticating auto APs. | wlan ap-authentication acl acl-number | By default, no ACL is specified for authenticating auto APs.
6. Create rules for the WLAN AP ACL. | (Method 1) Create a rule manually: a. acl wlan ap { acl-number \| name acl-name } b. rule [ rule-id ] { deny \| permit } [ mac mac-address mac-mask ] [ serial-id serial-id ] c. quit (Method 2) Import an auto AP authentication file to generate ACL rules. | By default, no WLAN AP ACL rules exist. Use either method or both, as the network requires. An AP whose serial ID or MAC address matches no rule becomes an unauthenticated auto AP rather than a rejected one; add an explicit deny rule for APs that must be kept out.
7. Enable auto AP authentication. | wlan ap-authentication enable | By default, auto AP authentication is disabled.
Configuring auto AP remote authentication
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Specify an authentication domain for unauthenticated auto APs. | wlan ap-authentication domain domain-name | By default, no authentication domain is specified for unauthenticated auto APs.
Manually authenticating unauthenticated auto APs
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Manually authenticate unauthenticated auto APs. | wlan ap-authentication { accept \| reject } ap-unauthenticated { all \| name ap-name } | By default, manual authentication is not configured for unauthenticated auto APs.
Disabling unauthenticated auto APs from associating with the AC
By default, an unauthenticated auto AP can associate with the AC, although it provides no wireless services, and so consumes AC resources before it has been accepted. Disabling this association makes the AC refuse such APs instead of holding them, which is the stricter setting.
To disable unauthenticated auto APs from associating with the AC:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Disable unauthenticated auto APs from associating with the AC. | undo wlan ap-authentication permit-unauthenticated | By default, unauthenticated auto APs can associate with the AC but cannot provide wireless services.
Restarting unauthenticated auto APs
Perform the following task in user view:
Task | Command | Remarks
---|---|---
Restart unauthenticated auto APs. | reset wlan ap unauthenticated | The auto APs are reauthenticated after they restart.
Setting the discovery-response timeout timer
About the discovery-response timeout timer
The discovery-response timeout timer specifies how long an AP waits for further discovery responses. Each time the AP receives a discovery response, the timer is started or refreshed. When the timer expires, the AP stops collecting responses, selects the optimal AC among those it has received, and sends a join request to that AC.
Restrictions and guidelines
If the network condition is poor, set a larger discovery-response timeout timer.
Procedure
To set the discovery-response timeout timer in AP view:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter AP view. | wlan ap ap-name | N/A
3. Set the discovery-response timeout timer. | discovery-response wait-time seconds | By default, an AP uses the configuration in AP group view.
To set the discovery-response timeout timer in AP group view:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter AP group view. | wlan ap-group group-name | N/A
3. Set the discovery-response timeout timer. | discovery-response wait-time seconds | The default setting is 2 seconds.
Setting the AP connection priority for the AC
To set the AP connection priority in AP view:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter AP view. | wlan ap ap-name | N/A
3. Set the AP connection priority for the AC. | priority priority | By default, an AP uses the configuration in AP group view. A larger number represents a higher priority.
To set the AP connection priority in AP group view:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter AP group view. | wlan ap-group group-name | N/A
3. Set the AP connection priority for the AC. | priority priority | The default setting is 4. A larger number represents a higher priority.
Enabling the AC to respond only to unicast discovery requests
About responding only to unicast discovery requests
An AP can send unicast, multicast, and broadcast discovery requests to discover ACs. This feature makes the AC answer only unicast discovery requests, that is, requests from APs that already learned the AC's address through static configuration, DHCP options, or DNS. Broadcast and multicast probes from any AP that merely shares a network segment with the AC are ignored.
Procedure
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enable the AC to respond only to unicast discovery requests. | wlan capwap discovery-policy unicast | By default, the AC responds to unicast, multicast, and broadcast discovery requests.
Configuring AC rediscovery
About AC rediscovery
An AC with AC rediscovery enabled adds the CAPWAP Control IP Address message element to the discovery responses it sends to APs. Upon receiving such a discovery response, an AP proceeds as follows:
1. Checks whether it has already sent a discovery request to each IP address listed in the CAPWAP Control IP Address message element.
2. Performs one of the following operations:
- If discovery requests have already been sent to those addresses, sends a join request to the listed address that represents the optimal AC.
- If not, sends a discovery request to each listed address to start a new AC discovery process.
An AC with AC rediscovery disabled does not add the CAPWAP Control IP Address message element to its discovery responses. An AP that receives such a response sends its join request to the source IP address of the response and establishes the CAPWAP tunnel with that AC.
Because an AP redirects its join attempt to whatever addresses the element lists, specify only addresses of ACs that you operate.
Procedure
To configure AC rediscovery in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Configure AC rediscovery. | control-address { disable \| enable } | By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view. |
4. Specify the IP address to be added in the CAPWAP Control IP Address message element. | control-address { ip ipv4-address \| ipv6 ipv6-address } | By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view. You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element. |
To configure AC rediscovery in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Configure AC rediscovery. | control-address { disable \| enable } | By default, an AP uses the configuration in global configuration view. |
4. Specify the IP address to be added in the CAPWAP Control IP Address message element. | control-address { ip ipv4-address \| ipv6 ipv6-address } | By default, an AP uses the configuration in global configuration view. You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element. |
To configure AC rediscovery in global configuration view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter global configuration view. | wlan global-configuration | N/A |
3. Configure AC rediscovery. | control-address { disable \| enable } | By default, AC rediscovery is disabled. |
4. Specify the IP address to be added in the CAPWAP Control IP Address message element. | control-address { ip ipv4-address \| ipv6 ipv6-address } | By default, the IP address in the element is the AC's IP address. You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element. |
Upgrading APs' software
About software upgrade
With software upgrade enabled, the AC examines the AP software version while establishing a CAPWAP tunnel with an AP. With the feature disabled, the AC does not examine the software version of the AP and directly establishes a CAPWAP tunnel with the AP.
Software upgrade for an AP proceeds as follows:
1. The AP reports its software version and AP model information to the AC.
2. The AC examines the received AP software version.
   · If it matches the expected version, the AC establishes a CAPWAP tunnel with the AP.
   · If it does not match, the AC sends a message that notifies the AP of the software version inconsistency.
3. Upon receiving the inconsistency message, the AP requests the software version from the AC.
4. The AC assigns the software version to the AP after receiving the request.
5. The AP upgrades its software, restarts, and establishes a CAPWAP tunnel with the AC.
Configuring software upgrade
To configure software upgrade in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Configure software upgrade. | firmware-upgrade { disable \| enable } | By default, an AP uses the configuration in AP group view. If no software upgrade configuration exists in AP group view, the AP uses the configuration in global configuration view. |
To configure software upgrade in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Configure software upgrade. | firmware-upgrade { disable \| enable } | By default, an AP uses the configuration in global configuration view. |
To configure software upgrade in global configuration view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter global configuration view. | wlan global-configuration | N/A |
3. Configure software upgrade. | firmware-upgrade { disable \| enable } | By default, the software upgrade feature is enabled. |
Configuring the mapping between a software version and a hardware version of an AP model
About configuring software and hardware version mapping for an AP model
Perform this task to configure the mapping between a software version and a hardware version of an AP model for software upgrade.
Perform this task only when the AP software version for an AP model stored in the APDB is inconsistent with the software version you expect for the AP model. To display the AP software version for each AP model in the APDB, use the display wlan ap-model command.
For example, the APDB has a hardware version and software version mapping entry (hardware version Ver.C and software version E2108) for AP model WA4320i-ACN. If you expect this AP to use software version E2105 when it comes online, perform the following steps:
1. Configure the mapping between software version E2105 and hardware version Ver.C of AP model WA4320i-ACN.
2. Save the AP image file of software version E2105 to the AC's local folder.
3. Configure the AC to prefer the AP image file stored in the local folder for software version assignment.
Restrictions and guidelines
To avoid CAPWAP tunnel establishment failure, use this feature under the guidance of H3C Support.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the mapping between a software version and a hardware version of an AP model. | wlan apdb model-name hardware-version software-version | By default, the software version for a hardware version of an AP model is the software version that is stored in APDB user scripts. |
Specifying the preferred location for the AC to obtain an AP image file
About specifying the preferred location for the AC to obtain an AP image file
The AC assigns an AP image file to an AP if the AP requests a software version during CAPWAP tunnel establishment. You can specify the preferred location as the AC's RAM or local folder for the AC to obtain an AP image file. If the AC cannot obtain an AP image file from the preferred location, it obtains an AP image file from the other location. If no AP image file exists, the AC fails to obtain an image file and cannot assign a software version to the AP.
Restrictions and guidelines
The AC can assign only .ipe AP image files to APs.
If you specify the local folder, make sure the AC uses a CF card as the default file system and the AP image file is stored in the root directory of the file system on the AC.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the preferred location for the AC to obtain an AP image file. | wlan image-load filepath { local \| ram } | By default, the AC prefers the AP image file stored in the RAM when assigning a software version to an AP. |
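The upgrade decision described in "Upgrading APs' software", the APDB override from "Configuring the mapping between a software version and a hardware version of an AP model", and the image-location fallback from this section, modelled as an added Python example. This is not H3C code and does not run on the AC; it lets you preview, from an inventory of reported versions, which APs the AC would force to upgrade. The APDB contents and image file names are constructed, and the only rules it encodes are the ones stated in those sections.

```python
"""Model of the AP software-upgrade decision and image selection described above.

Added example, not H3C code. Only the decision rules come from this guide:
  - with software upgrade enabled, the AC compares the version an AP reports
    with the version the APDB holds for that AP model and hardware version;
  - a `wlan apdb model-name hardware-version software-version` mapping
    overrides the built-in APDB entry;
  - a match establishes the tunnel directly, a mismatch makes the AC assign an
    image, taken from the preferred location (`wlan image-load filepath
    { local | ram }`) and then from the other one, and only .ipe files qualify.
The APDB contents and image file names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ApDb:
    """Built-in (model, hardware version) -> software version entries, plus the
    operator overrides configured with `wlan apdb`."""
    builtin: dict[tuple[str, str], str]
    overrides: dict[tuple[str, str], str] = field(default_factory=dict)

    def expected_version(self, model: str, hw: str) -> str | None:
        key = (model, hw)
        return self.overrides.get(key, self.builtin.get(key))


def check_upgrade(apdb: ApDb, model: str, hw: str, reported_sw: str,
                  upgrade_enabled: bool = True) -> str:
    """Return what the AC does when the AP reports its version during tunnel
    establishment: 'join' (tunnel established directly), 'upgrade' (AC must
    assign a software version first) or 'unknown' (no APDB entry, so the AC
    cannot decide which image to assign)."""
    if not upgrade_enabled:
        return "join"          # firmware-upgrade disable: version not examined
    expected = apdb.expected_version(model, hw)
    if expected is None:
        return "unknown"
    return "join" if expected == reported_sw else "upgrade"


def select_image(images: dict[str, set[str]], filename: str,
                 preferred: str = "ram") -> str | None:
    """Pick the location the AC loads the image from. `images` maps 'ram' and
    'local' to the file names held there; the preferred location is tried
    first, then the other one. Returns None if no usable image exists."""
    if not filename.endswith(".ipe"):
        return None            # the AC assigns only .ipe image files
    other = "local" if preferred == "ram" else "ram"
    for location in (preferred, other):
        if filename in images.get(location, set()):
            return location
    return None


def audit_upgrades(apdb: ApDb, reports: list[tuple[str, str, str, str]]) -> dict[str, str]:
    """Evaluate a batch of (ap_name, model, hw, reported_sw) reports and return
    the decision per AP, to preview what an APDB override will do before the
    APs come online."""
    return {name: check_upgrade(apdb, model, hw, sw) for name, model, hw, sw in reports}


if __name__ == "__main__":
    # Constructed data, using the model and versions from the example above.
    apdb = ApDb(builtin={("WA4320i-ACN", "Ver.C"): "E2108"})
    apdb.overrides[("WA4320i-ACN", "Ver.C")] = "E2105"   # wlan apdb WA4320i-ACN Ver.C E2105
    print(audit_upgrades(apdb, [("ap1", "WA4320i-ACN", "Ver.C", "E2108"),
                                ("ap2", "WA4320i-ACN", "Ver.C", "E2105")]))
    print(select_image({"local": {"wa4320i-e2105.ipe"}}, "wa4320i-e2105.ipe", "local"))
```

Run the module directly to see the decision for the two constructed reports: with the override in place, the AP still running E2108 is the one that gets upgraded, which is the situation the example in the previous section sets up.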
Configuring an AP group
About AP groups
This feature enables you to configure multiple APs in a batch to reduce configuration workload.
APs in an AP group use the configuration of the group. By default, all APs belong to system-defined AP group default-group. The system-defined AP group cannot be deleted.
You can configure AP grouping rules by AP name, serial ID, MAC address, and IP address to add APs to the specified AP group. When an AP matches rules of different types, the rule types take precedence in that order, from AP name (highest) to IP address (lowest). If an AP does not match any grouping rule, it is added to the default AP group.
Restrictions and guidelines
An AP can be added to only one AP group.
You cannot delete an AP group that contains an AP. An AP group that has grouping rules but does not contain any APs can be deleted.
When you configure an AP grouping rule, follow these restrictions and guidelines:
· You cannot create the same grouping rule for different AP groups. If you do so, the most recent configuration takes effect.
· You cannot create grouping rules for the default AP group.
· AP grouping rules by IPv4 or IPv6 addresses for an AP group or for different AP groups cannot overlap with each other.
· An AP group supports a maximum of 32 AP grouping rules by IPv4 or IPv6 addresses.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an AP group and enter its view. | wlan ap-group group-name | By default, a default AP group exists. |
3. (Optional.) Configure a description for the AP group. | description text | By default, an AP group does not have a description. |
4. Create an AP grouping rule by AP names. | ap ap-name-list | N/A |
5. Create an AP grouping rule by serial IDs. | serial-id serial-id | N/A |
6. Create an AP grouping rule by MAC addresses. | mac-address mac-address | N/A |
7. Create an AP grouping rule by IPv4 addresses. | if-match ip ip-address { mask-length \| mask } | N/A |
8. Create an AP grouping rule by IPv6 addresses. | if-match ipv6 { ipv6-address prefix-length \| ipv6-address/prefix-length } | N/A |
9. (Optional.) Create an AP regrouping rule. | wlan re-group { ap ap-name \| ap-group old-group-name \| mac-address mac-address \| serial-id serial-id } group-name | N/A |
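The grouping semantics described above (rule precedence by type, the default group, the no-overlap and 32-rule limits on IP rules, and the most-recent-configuration-wins behaviour for a rule repeated in another group), as an added Python model. This is example code, not H3C's implementation; it is useful for checking a planned rule set before typing it in, for instance to see which group a given AP would land in. Group names, AP names, serial IDs, MAC addresses and prefixes used with it are constructed.

```python
"""Model of the AP grouping rules described above.

Added example, not H3C code. It encodes only what this guide states: rules
by AP name, serial ID, MAC address and IP address take precedence in that
order; an AP that matches no rule goes to default-group, which cannot hold
rules; a rule created again for another group moves to that group; IPv4/IPv6
rules must not overlap across any groups; a group holds at most 32 IP rules.
All names, identifiers and prefixes used with this model are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

DEFAULT_GROUP = "default-group"
MAX_IP_RULES = 32
RULE_KINDS = ("ap", "serial-id", "mac-address")   # priority order, before IP rules


@dataclass
class ApGroup:
    name: str
    rules: dict[str, set[str]] = field(default_factory=lambda: {k: set() for k in RULE_KINDS})
    prefixes: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = field(default_factory=list)


class GroupingConfig:
    def __init__(self) -> None:
        self.groups: dict[str, ApGroup] = {DEFAULT_GROUP: ApGroup(DEFAULT_GROUP)}

    def group(self, name: str) -> ApGroup:
        if name == DEFAULT_GROUP:
            raise ValueError("grouping rules cannot be created for the default AP group")
        return self.groups.setdefault(name, ApGroup(name))

    def add_rule(self, group_name: str, kind: str, value: str) -> None:
        """ap / serial-id / mac-address rule. The same rule in another group is
        replaced: the most recent configuration takes effect."""
        if kind not in RULE_KINDS:
            raise ValueError(f"unknown rule kind {kind!r}")
        value = value.lower()
        for other in self.groups.values():
            other.rules[kind].discard(value)
        self.group(group_name).rules[kind].add(value)

    def add_ip_rule(self, group_name: str, prefix: str) -> None:
        """if-match ip / if-match ipv6 rule, rejected if it overlaps any existing
        IP rule in any group or exceeds the per-group limit."""
        net = ipaddress.ip_network(prefix, strict=False)
        target = self.group(group_name)
        if len(target.prefixes) >= MAX_IP_RULES:
            raise ValueError(f"{group_name} already has {MAX_IP_RULES} IP rules")
        for other in self.groups.values():
            for existing in other.prefixes:
                if existing.version == net.version and existing.overlaps(net):
                    raise ValueError(f"{prefix} overlaps {existing} in group {other.name}")
        target.prefixes.append(net)

    def classify(self, ap_name: str, serial_id: str, mac: str, ip: str) -> str:
        """Return the group an AP joins, checking rule kinds in priority order
        across all groups before falling back to the default group."""
        keys = {"ap": ap_name.lower(), "serial-id": serial_id.lower(), "mac-address": mac.lower()}
        for kind in RULE_KINDS:
            for grp in self.groups.values():
                if keys[kind] in grp.rules[kind]:
                    return grp.name
        addr = ipaddress.ip_address(ip)
        for grp in self.groups.values():
            if any(addr in net for net in grp.prefixes):
                return grp.name
        return DEFAULT_GROUP


if __name__ == "__main__":
    cfg = GroupingConfig()
    cfg.add_rule("floor1", "ap", "ap-1f-01")           # constructed sample rules
    cfg.add_ip_rule("floor2", "10.1.2.0/24")
    print(cfg.classify("ap-1f-01", "", "0000-0000-0000", "10.1.2.9"))  # name rule wins
    print(cfg.classify("ap-x", "", "0000-0000-0000", "10.1.2.9"))      # IP rule
    print(cfg.classify("ap-x", "", "0000-0000-0000", "10.9.9.9"))      # default group
```

The overlap check is done against every group, not only the target, because the guide forbids overlapping IPv4 or IPv6 rules both within a group and across groups; the AC rejects such a rule, and this model does the same with a ValueError.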
Configuring VLANs for APs
NOTE: Support for this feature depends on the AP model.
About VLANs for APs
Perform this task to enable the AC to assign VLAN settings to APs for packet forwarding and isolation. For example, when you enable an AP to forward client data traffic, you need to configure ports of the AP to allow client traffic from different VLANs.
For information about VLANs, see Layer 2—LAN Switching Configuration Guide. For information about client data traffic forwarder configuration, see "Configuring WLAN access."
Tasks at a glance
1. Configuring basic VLAN settings
2. Assigning a port to a VLAN:
   · Assigning an access port to a VLAN
   · Assigning a trunk port to VLANs
   · Assigning a hybrid port to VLANs
3. Assigning VLAN settings to APs
Configuring basic VLAN settings
To configure basic VLAN settings in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. (Optional.) Create a VLAN and enter its view, or create a list of VLANs. | vlan { vlan-id1 [ to vlan-id2 ] \| all } | By default, only VLAN 1 (the system default VLAN) exists. |
4. Enter VLAN view. | vlan vlan-id | To configure a VLAN after you create a list of VLANs, you must perform this step. |
5. Assign a name to the VLAN. | name text | By default, an AP uses the configuration in AP group view. |
6. Configure the description of the VLAN. | description text | By default, an AP uses the configuration in AP group view. |
To configure basic VLAN settings in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. (Optional.) Create a VLAN and enter its view, or create a list of VLANs. | vlan { vlan-id1 [ to vlan-id2 ] \| all } | By default, only VLAN 1 (the system default VLAN) exists. |
4. Enter VLAN view. | vlan vlan-id | To configure a VLAN after you create a list of VLANs, you must perform this step. |
5. Assign a name to the VLAN. | name text | By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100. |
6. Configure the description of the VLAN. | description text | By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100. |
Assigning an access port to a VLAN
To assign an access port to a VLAN in an AP's Layer 2 Ethernet interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter Layer 2 Ethernet interface view. | · Enter GigabitEthernet interface view. · Enter Smarterate-Ethernet interface view. | Use either command depending on the AP model and network requirements. |
4. Set the link type to access. | port link-type access | By default, a port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
5. Assign the access port to a VLAN. | port access vlan vlan-id | By default, an access port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
To assign an access port to a VLAN in an AP group's Layer 2 Ethernet interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter Layer 2 Ethernet interface view. | · Enter GigabitEthernet interface view. · Enter Smarterate-Ethernet interface view. | Use either command depending on the AP model and network requirements. |
5. Set the link type to access. | port link-type access | By default, all ports are access ports. |
6. Assign the access port to a VLAN. | port access vlan vlan-id | By default, an access port belongs to VLAN 1. |
Assigning a trunk port to VLANs
To assign a trunk port to VLANs in an AP's Layer 2 Ethernet interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter Layer 2 Ethernet interface view. | · Enter GigabitEthernet interface view. · Enter Smarterate-Ethernet interface view. | Use either command depending on the AP model and network requirements. |
4. Set the link type to trunk. | port link-type trunk | By default, a port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
5. Assign the trunk port to the specified VLANs. | port trunk permit vlan { vlan-id-list \| all } | By default, a trunk port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
6. (Optional.) Set the PVID for the trunk port. | port trunk pvid vlan vlan-id | By default, a trunk port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
To assign a trunk port to VLANs in an AP group's Layer 2 Ethernet interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter Layer 2 Ethernet interface view. | · Enter GigabitEthernet interface view. · Enter Smarterate-Ethernet interface view. | Use either command depending on the AP model and network requirements. |
5. Set the link type to trunk. | port link-type trunk | By default, all ports are access ports. |
6. Assign the trunk port to the specified VLANs. | port trunk permit vlan { vlan-id-list \| all } | By default, a trunk port permits only VLAN 1. |
7. (Optional.) Set the PVID for the trunk port. | port trunk pvid vlan vlan-id | The default setting is VLAN 1. |
Assigning a hybrid port to VLANs
To assign a hybrid port to VLANs in an AP's Layer 2 Ethernet interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter Layer 2 Ethernet interface view. | · Enter GigabitEthernet interface view. · Enter Smarterate-Ethernet interface view. | Use either command depending on the AP model and network requirements. |
4. Set the link type to hybrid. | port link-type hybrid | By default, a port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
5. Assign the hybrid port to the specified VLANs. | port hybrid vlan vlan-id-list { tagged \| untagged } | By default, a hybrid port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
6. (Optional.) Set the PVID for the hybrid port. | port hybrid pvid vlan vlan-id | By default, a hybrid port uses the configuration in the AP group's Layer 2 Ethernet interface view. |
To assign a hybrid port to VLANs in an AP group's Layer 2 Ethernet interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter Layer 2 Ethernet interface view. | · Enter GigabitEthernet interface view. · Enter Smarterate-Ethernet interface view. | Use either command depending on the AP model and network requirements. |
5. Set the link type to hybrid. | port link-type hybrid | By default, all ports are access ports. |
6. Assign the hybrid port to the specified VLANs. | port hybrid vlan vlan-id-list { tagged \| untagged } | By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access. |
7. (Optional.) Set the PVID for the hybrid port. | port hybrid pvid vlan vlan-id | By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access. |
Assigning VLAN settings to APs
About assigning VLAN settings to APs
The AC assigns VLAN settings to an AP or an AP group only when the remote configuration assignment feature is enabled.
Procedure
To assign VLAN settings in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enable remote configuration assignment to assign VLAN settings to the AP. | remote-configuration enable | By default, an AP uses the configuration in AP group view. |
To assign VLAN settings in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enable remote configuration assignment to assign VLAN settings to the APs in the AP group. | remote-configuration enable | By default, remote configuration assignment is disabled. |
Configuring a CAPWAP tunnel
Configuring CAPWAP tunnel encryption
About CAPWAP tunnel encryption
CAPWAP tunnel encryption uses the Datagram Transport Layer Security (DTLS) protocol to encrypt control and data packets transmitted over a CAPWAP tunnel. Both control tunnel encryption and data tunnel encryption are disabled by default, so until you enable them the AC and the AP exchange CAPWAP control messages and client data in cleartext over the tunnel.
When CAPWAP control tunnel encryption is enabled, an AP establishes a CAPWAP tunnel with the AC after receiving a discovery response that carries the encryption flag from the AC. After the DTLS handshake, the AC and the AP encrypt the control packets transmitted in the CAPWAP control tunnel.
When CAPWAP data tunnel encryption is enabled, the AP exchanges encryption information, including keys, with the AC through the CAPWAP control tunnel upon receiving the first keepalive packet from the AC. After the exchange, the AC and the AP encrypt the data packets transmitted in the CAPWAP data tunnel. Keepalive packets are not encrypted. Because the key exchange is carried over the control tunnel, data tunnel encryption requires control tunnel encryption to be enabled first.
Restrictions and guidelines
CAPWAP tunnel encryption takes effect on an AP only when the AP restarts. Plan a restart of the affected APs after changing the setting, and treat their tunnels as unencrypted until they have rejoined.
Procedure
To configure CAPWAP tunnel encryption in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Configure CAPWAP control tunnel encryption. | tunnel encryption { disable \| enable } | By default, an AP uses the configuration in AP group view. |
4. Configure CAPWAP data tunnel encryption. | data-tunnel encryption { disable \| enable } | By default, an AP uses the configuration in AP group view. Make sure you have enabled CAPWAP control tunnel encryption. |
To configure CAPWAP tunnel encryption in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Configure CAPWAP control tunnel encryption. | tunnel encryption { disable \| enable } | By default, CAPWAP control tunnel encryption is disabled. |
4. Configure CAPWAP data tunnel encryption. | data-tunnel encryption { disable \| enable } | By default, CAPWAP data tunnel encryption is disabled. Make sure you have enabled CAPWAP control tunnel encryption. |
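Throughout this guide a setting is resolved from AP view first, then AP group view, then global configuration view (for the commands that exist there, such as firmware-upgrade and control-address), and finally the documented default. The following added Python example models that resolution and uses it to audit which APs end up with an unencrypted control or data tunnel, or with data tunnel encryption enabled without its control tunnel prerequisite. It is example code, not H3C's implementation and not something that runs on the AC; the defaults it encodes are the ones stated in this guide, and the AP names, group names and sample configuration are constructed.

```python
"""Resolve the effective CAPWAP settings of an AP from the three configuration
views this guide uses, and flag APs whose tunnels run unencrypted.

Added example, not H3C code. The inheritance rule is the one the Remarks
columns state: a setting configured in AP view wins; otherwise the AP group
view setting applies; otherwise the global configuration view setting, for
the commands that exist there; otherwise the documented default. The
defaults encoded here are the ones this guide gives (control and data tunnel
encryption disabled, firmware-upgrade enabled, AC rediscovery disabled).
AP names, group names and the sample configuration are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# setting -> views that can hold it (highest priority first) and the default
SETTINGS: dict[str, dict] = {
    "tunnel encryption":      {"views": ("ap", "group"),           "default": "disable"},
    "data-tunnel encryption": {"views": ("ap", "group"),           "default": "disable"},
    "firmware-upgrade":       {"views": ("ap", "group", "global"), "default": "enable"},
    "control-address":        {"views": ("ap", "group", "global"), "default": "disable"},
}


@dataclass
class Ap:
    name: str
    group: str
    config: dict[str, str] = field(default_factory=dict)   # settings made in AP view


@dataclass
class Wlan:
    groups: dict[str, dict[str, str]]      # AP group view settings, per group
    global_config: dict[str, str]          # global configuration view settings
    aps: dict[str, Ap]

    def resolve(self, ap_name: str, setting: str) -> tuple[str, str]:
        """Return (effective value, view it came from) for one AP and setting."""
        ap = self.aps[ap_name]
        layers = {"ap": ap.config,
                  "group": self.groups.get(ap.group, {}),
                  "global": self.global_config}
        for view in SETTINGS[setting]["views"]:
            if setting in layers[view]:
                return layers[view][setting], view
        return SETTINGS[setting]["default"], "default"

    def effective(self, ap_name: str) -> dict[str, str]:
        return {s: self.resolve(ap_name, s)[0] for s in SETTINGS}

    def audit_tunnel_encryption(self) -> dict[str, list[str]]:
        """List APs whose control or data tunnel is effectively unencrypted, and
        data-tunnel encryption enabled without its control-tunnel prerequisite."""
        findings: dict[str, list[str]] = {}
        for name in self.aps:
            eff = self.effective(name)
            issues = []
            if eff["tunnel encryption"] == "disable":
                issues.append("control tunnel unencrypted")
            if eff["data-tunnel encryption"] == "disable":
                issues.append("data tunnel unencrypted")
            elif eff["tunnel encryption"] == "disable":
                issues.append("data-tunnel encryption enabled without control tunnel encryption")
            if issues:
                findings[name] = issues
        return findings


if __name__ == "__main__":
    # Constructed sample: one group with encryption on, one AP overriding it off.
    wlan = Wlan(
        groups={"default-group": {},
                "secure": {"tunnel encryption": "enable", "data-tunnel encryption": "enable"}},
        global_config={"firmware-upgrade": "disable"},
        aps={"ap1": Ap("ap1", "default-group"),
             "ap2": Ap("ap2", "secure"),
             "ap3": Ap("ap3", "secure", {"tunnel encryption": "disable"})},
    )
    for ap in wlan.aps:
        print(ap, wlan.effective(ap))
    print(wlan.audit_tunnel_encryption())
```

The audit reports the view a value came from only through resolve(); when a finding surprises you, call resolve() for that AP and setting to see whether an AP-view override or an inherited group setting is responsible.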
Configuring CAPWAP tunnel latency detection
About CAPWAP tunnel latency detection
This feature enables an AC to detect the transmission latency of CAPWAP control frames or data frames from an AP to the AC and back.
This feature takes effect only on the master AC after a CAPWAP tunnel is established.
When an AP goes offline, CAPWAP tunnel latency detection automatically stops. To restart CAPWAP tunnel latency detection when the AP comes online, execute the tunnel latency-detect start command again.
To display CAPWAP tunnel latency information, use the display wlan ap tunnel latency command.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Configure CAPWAP tunnel latency detection. | tunnel latency-detect { start \| stop } | By default, CAPWAP tunnel latency detection is not started. |
Setting the echo interval for an AP
About setting the echo interval
An AP sends echo requests to the AC at the specified echo interval to identify whether the CAPWAP control tunnel is operating correctly. If the AP does not receive any echo response from the AC within a specific period of time, the AP terminates the connection. If the AC does not receive any echo request within a specific period of time, the AC terminates the connection.
To set the echo interval for an AP in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the interval for the AP to send echo requests. | echo-interval interval | By default, an AP uses the configuration in AP group view. |
To set the echo interval for APs in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Set the interval for the APs in the AP group to send echo requests. | echo-interval interval | The default setting is 10 seconds. |
Setting the maximum fragment size for CAPWAP packets
About setting the maximum fragment size for CAPWAP packets
Perform this task to prevent intermediate devices from dropping CAPWAP packets exchanged between the AC and the AP, for example, when the AP connects to the AC across the Internet.
Any maximum fragment size modification takes effect immediately on online APs.
Procedure
To set the maximum fragment size for CAPWAP packets in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the maximum fragment size for CAPWAP control or data packets. | fragment-size { control control-size \| data data-size } | By default, an AP uses the configuration in AP group view. |
To set the maximum fragment size for CAPWAP packets in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Set the maximum fragment size for CAPWAP control or data packets. | fragment-size { control control-size \| data data-size } | By default, the maximum fragment size for CAPWAP control packets and data packets is 1450 bytes and 1500 bytes, respectively. |
Setting the TCP MSS for CAPWAP tunnels
About setting the TCP MSS
Perform this task to set the value of the Maximum Segment Size (MSS) option in SYN packets transmitted over a CAPWAP tunnel.
The MSS option informs the peer of the largest TCP segment that the sender of the option can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than or equal to the MSS of the receiver, TCP sends the segment as is. If not, TCP splits the data into segments based on the receiver's MSS.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the TCP MSS for CAPWAP tunnels. | wlan tcp mss value | The default setting is 1460 bytes. |
Configuring AC request retransmission
About AC request retransmission
The AC retransmits a request to an AP at the retransmission interval until the maximum number of request retransmission attempts is reached or a response is received.
Procedure
To configure AC request retransmission in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the maximum number of request retransmission attempts. | retransmit-count value | By default, an AP uses the configuration in AP group view. |
4. Set the interval at which an AC request is retransmitted. | retransmit-interval interval | By default, an AP uses the configuration in AP group view. |
To configure AC request retransmission in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Set the maximum number of request retransmission attempts. | retransmit-count value | The default setting is 3. |
4. Set the interval at which an AC request is retransmitted. | retransmit-interval interval | The default setting is 5 seconds. |
Setting the statistics report interval
About setting the statistics report interval
Perform this task to change the interval for an AP to report its statistics. You can use the statistics to monitor the operating status of radios on the AP.
Procedure
To set the statistics report interval in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the statistics report interval. | statistics-interval interval | By default, an AP uses the configuration in AP group view. |
To set the statistics report interval in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Set the statistics report interval. | statistics-interval interval | The default setting is 50 seconds. |
Maintaining APs
Resetting APs
Perform the following task in user view:
Task | Command |
---|---|
Reset all APs or the specified AP. | reset wlan ap { all \| ap-group group-name \| model model-name \| name ap-name \| native } |
Renaming a manual AP
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Rename a manual AP. | wlan rename-ap ap-name new-ap-name |
Managing the file system of an AP
About file system management for an AP
You can perform the following tasks on an AC to manage files for an AP after the AP establishes a CAPWAP tunnel with the AC:
· View file information for the AP.
· Delete a file from the AP.
· Download an image file from the AC to the AP.
Restrictions and guidelines
This feature takes effect only on master ACs.
Procedure
Step | Command |
---|---|
1. Display information about files or file folders on an AP. | display wlan ap name ap-name files |
2. Enter system view. | system-view |
3. Enter AP view. | wlan ap ap-name |
4. Delete a file from the AP. | delete file filename |
5. Download an image file to the AP. | |
Setting an LED lighting mode
About LED lighting modes
You can configure LEDs on an AP to flash in the following modes:
· quiet—All LEDs are off.
· awake—All LEDs flash once every minute. Support for this mode depends on the AP model.
· always-on—All LEDs are steady on. Support for this mode depends on the AP model.
· normal—How LEDs flash in this mode varies by AP model. This mode can identify the running status of an AP.
Restrictions and guidelines
If you set the LED lighting mode to awake or always-on in AP group view, the setting takes effect only on member APs that support the specified LED lighting mode.
Procedure
To set an LED lighting mode in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set an LED lighting mode. | led-mode { always-on \| awake \| normal \| quiet } | By default, an AP uses the configuration in AP group view. |
To set an LED lighting mode in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | By default, a default AP group named default-group exists, and it cannot be deleted. |
3. Set an LED lighting mode. | led-mode { always-on \| awake \| normal \| quiet } | By default, the LED lighting mode is normal. |
Preprovisioning APs
About AP preprovisioning
AP preprovisioning allows you to configure network settings for fit APs on an AC. The AC automatically assigns these settings to the fit APs in run state through CAPWAP tunnels in a batch. These settings will be saved in preprovisioned configuration file wlan_ap_prvs.xml on the APs. This reduces the workload in large WLAN networks.
Restrictions and guidelines
This feature takes effect only on master ACs.
The save wlan ap-provision command has the same effect as the reset wlan ap provision command if no preprovisioned settings exist.
Tasks at a glance
1. Configuring preprovisioned settings:
   · Configuring preprovisioned settings for an AP
   · Configuring network settings for an AP group
2. Assigning preprovisioned settings to APs
3. Configuring auto loading of preprovisioned settings
Configuring preprovisioned settings for an AP
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enable AP preprovisioning and enter AP provision view. | provision | By default, an AP uses the configuration in AP group view. |
4. Specify an AC for the AP. | ac { host-name host-name \| ip ipv4-address } | By default, an AP uses the configuration in AP group view. |
5. Specify an IPv4 address for the management VLAN interface. | | By default, no IPv4 address is specified for the management VLAN interface. |
6. Specify an IPv6 address for the management VLAN interface. | ipv6 address { ipv6-address prefix-length \| ipv6-address/prefix-length } | By default, no IPv6 address is specified for the management VLAN interface. |
7. Set the gateway IP address. | | By default, no gateway IP address is specified for an AP. |
8. Specify a DNS server. | dns server { ip ipv4-address \| ipv6 ipv6-address } | By default, an AP uses the configuration in AP group view. |
9. Set a DNS domain name suffix. | dns domain domain-name | By default, an AP uses the configuration in AP group view. |
Configuring network settings for an AP group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enable AP preprovisioning and enter AP group provision view. | provision | By default, AP preprovisioning is disabled. |
4. Specify an AC. | ac { host-name host-name \| ip ipv4-address } | By default, no static AC is specified for an AP. |
5. Specify a DNS server. | dns server { ip ipv4-address \| ipv6 ipv6-address } | By default, no DNS server is specified for an AP. |
6. Set a domain name suffix for the DNS server. | dns domain domain-name | By default, no domain name suffix is specified for a DNS server. |
Assigning preprovisioned settings to APs
About assigning preprovisioned settings to APs
Perform this task to enable the AC to assign preprovisioned settings to an AP with which the AC has established a CAPWAP tunnel. The preprovisioned settings will be saved to configuration file wlan_ap_prvs.xml on the AP, and the settings will overwrite the network settings originally saved in the configuration file.
You can use the following methods to assign preprovisioned settings to an AP:
· Manual configuration—You save the preprovisioned settings to configuration file wlan_ap_prvs.xml on the AP after it comes online. The settings take effect immediately.
· Auto assignment of preprovisioned settings—The preprovisioned settings are assigned to an AP when it comes online. The AP will establish a CAPWAP tunnel with the AC specified in the preprovisioned settings. For information about optimal AC selection, see "CAPWAP tunnel establishment."
Restrictions and guidelines
Manually assigned preprovisioned settings immediately take effect on an online AP. Modifying the AC address configuration in the configuration file of the AP will trigger a new optimal AC selection process. The AP will terminate the original CAPWAP tunnel and establish a CAPWAP tunnel with the new AC.
Saving the network settings to the configuration file on an AP
Perform the following task in any view:
Task | Command |
---|---|
Save the network settings to preprovisioned configuration file wlan_ap_prvs.xml on the specified AP or all APs. | save wlan ap-provision |
Configuring auto assignment of preprovisioned settings
To configure auto assignment of preprovisioned settings in AP view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Configure auto assignment of preprovisioned settings for the AP. |
provision auto-update { disable | enable } |
By default, an AP uses the configuration in AP group view. |
To configure auto assignment of preprovisioned settings in AP group view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Configure auto assignment of preprovisioned settings for APs in the AP group. |
provision auto-update { disable | enable } |
By default, auto assignment of preprovisioned settings is disabled. |
Configuring auto loading of preprovisioned settings
About auto loading of preprovisioned settings
Auto loading of preprovisioned settings helps an AP establish a CAPWAP tunnel with the AC even when the preprovisioned AC cannot be reached at first. When this feature is enabled, an AP uses the following procedure to discover an AC:
1. Uses the preprovisioned settings to discover an AC that has the AP's manual or auto AP configuration.
2. Reboots and uses other methods to discover ACs if AC discovery fails.
3. Reboots and uses the preprovisioned settings again to discover ACs if the AP still fails to discover the target AC.
This AC discovery process will be repeated until the AP discovers the target AC to establish a CAPWAP tunnel.
Procedure
To configure auto loading of preprovisioned settings for an AP:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Configure auto loading of preprovisioned settings for the AP. |
By default, an AP uses the configuration in AP group view. |
To configure auto loading of preprovisioned settings for an AP group:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Configure auto loading of preprovisioned settings for APs in the AP group. |
provision auto-recover { disable | enable } |
By default, auto loading of preprovisioned settings is enabled. |
Enabling SNMP notifications
About SNMP notifications
To report critical WLAN events to an NMS, enable SNMP notifications. For WLAN event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable SNMP notifications. |
· Enable SNMP notifications for AP management:
· Enable SNMP notifications for CAPWAP: |
By default, SNMP notifications for AP management and CAPWAP are disabled. |
Configuring advanced features for AP management
Configuring remote AP
About remote AP
Remote AP enables an AP to automatically perform the following operations when the CAPWAP tunnel to the AC is disconnected:
· Forward client traffic.
· Provide client access services if local authentication is enabled and association is enabled at the AP.
Remote AP is applicable to telecommuting, small branches, and SOHO solutions.
Restrictions and guidelines
Remote AP takes effect only on APs that operate in local forwarding mode.
When the tunnel between the AC and AP is recovered, clients that use the AC as the authenticator need reauthentication. Clients that use the AP as the authenticator remain online.
Procedure
To configure remote AP in AP view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Configure remote AP. |
hybrid-remote-ap { disable | enable } |
By default, an AP uses the configuration in AP group view. |
To configure remote AP in AP group view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Configure remote AP. |
hybrid-remote-ap { disable | enable } |
By default, remote AP is disabled. |
Configuring the default input power level
NOTE: Support for this feature depends on the AP model.
About configuring the default input power level
Configure the default input power level for an AP in case the AP cannot obtain its input power level at startup.
An AP automatically detects power supply modes to obtain its input power level at startup. If the AP fails to obtain the input power level, it operates at the low power level before associating with an AC. After the association, it operates at the configured default input power level.
An AP can be powered through a power adapter or through its PoE or PoE+ ports. The following table shows the relationship between the AP's power supply mode and input power level:
Power supply mode | Input power level |
---|---|
Power adapter; multiple PoE+ ports; combination of PoE and PoE+ ports | High |
Single PoE+ port; multiple PoE ports | Middle |
Single PoE port | Low |
An AP's support for MIMO modes and USB interfaces varies by input power level, as shown in Table 1.
Table 1 AP's support for MIMO modes and USB interfaces
Input power level | Supported MIMO modes | Whether USB interfaces can be enabled |
---|---|---|
High | 1×1, 2×2, 3×3, and 4×4 | Yes |
Middle | 1×1, 2×2, 3×3, and 4×4 | Yes, when the MIMO mode is 1×1 or 2×2 |
Low | 1×1 | No |
Restrictions and guidelines
When you configure the default input power level for an AP, make sure the setting matches its actual power supply mode. A level that is too low prevents the AP from operating correctly (for example, radios are limited to 1×1 and USB interfaces stay inactive). A level that is too high causes the AP to overload when the power supply cannot deliver what that level assumes.
Procedure
To configure the default input power level in AP view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Configure the default input power level. |
power-level default { high | low | middle } |
By default, an AP uses the configuration in AP group's AP model view. |
To configure the default input power level in an AP group's AP model view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Configure the default input power level. |
power-level default { high | low | middle } |
The default setting is middle. |
Enabling or disabling USB interfaces for APs
NOTE: Support for this feature depends on the AP model.
About configuring USB interfaces
After you enable USB interfaces for an AP, the USB interfaces become active only when either of the following requirements is met:
· The input power level of the AP is high.
· The input power level of the AP is middle and the MIMO mode is 1×1 or 2×2.
For information about input power levels, see "Configuring the default input power level." For information about MIMO modes, see "Configuring radio management."
Procedure
To enable or disable USB interfaces in AP view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enable or disable USB interfaces. |
usb { enable | disable } |
By default, an AP uses the configuration in an AP group's AP model view. |
To enable or disable USB interfaces in an AP group's AP model view
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enable or disable USB interfaces. |
usb { enable | disable } |
By default, USB interfaces are disabled. |
Loading an APDB user script
About APDB user script loading
This task allows you to add new AP models to the APDB without upgrading AC software.
Restrictions and guidelines
Make sure the user script is valid. Invalid scripts can cause loading failure.
The AP models in the user script must be different from the AP models in the system script.
If you load multiple user scripts on the AC, the most recently loaded user script overwrites the old user scripts.
To reload a user script when the following conditions exist, you must delete the related AP models or use the wlan apdb command to restore the original software version:
· A manual AP or an online auto AP whose model is listed in the old user script exists.
· APs of an AP model listed in the old user script have been added to an AP group.
· The old user script includes an AP model whose software version was already configured.
To prevent the AP model configuration from being lost after an AC reboot, reload the user script after you rename or delete the user script file in the file system.
When you replace a user script, the AP model configuration in the old user script will be lost upon an AC reboot if the new user script does not contain AP model configuration of the old script. In this case, you must reload the new user script.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Load an APDB user script. |
wlan apdb file user.apdb |
By default, no user script is loaded on the AC. |
Enabling service anomaly detection
About service anomaly detection
This feature enables an AC to check service status and start a reboot timer upon detecting that no APs are associated with the AC. When the reboot timer (10 minutes) expires, the AC restarts. If an AP comes online on the AC before the reboot timer expires, the AC deletes the timer.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable service anomaly detection. |
wlan detect-anomaly enable |
By default, service anomaly detection is disabled. |
Display and maintenance commands for AP management
Execute display commands in any view and reset commands in user view.
Task |
Command |
Display information about all APs or the specified AP. |
display wlan ap { all | name ap-name } [ verbose ] |
Display address information for all APs or the specified AP. |
display wlan ap { all | name ap-name } address |
Display GPS information for all APs or the specified AP. |
|
Display AP group information for all APs or the specified AP. |
display wlan ap { all | name ap-name } group |
Display AP connection records on the AC. |
display wlan ap { all | name ap-name } connection-record |
Display AP online duration. |
display wlan ap { all | name ap-name } online-time |
Display association failure records for APs. |
display wlan ap association-failure-record |
Display CAPWAP tunnel down records. |
display wlan ap tunnel-down-record |
Display the number of installed WLAN licenses. |
display wlan license |
Display the reboot logs of the specified AP. |
display wlan ap name ap-name reboot-log |
Display running configuration for all APs or the specified AP. |
display wlan ap { all | ap ap-name } running-configuration [ verbose ] |
Display information about all AP groups or the specified AP group. |
display wlan ap-group [ brief | name group-name ] |
Display AP model information. |
display wlan ap-model { all | name model-name } |
Display tunnel latency information for the specified CAPWAP tunnel. |
display wlan ap name ap-name tunnel latency |
Display information about distribution of attached APs for ACs (centralized devices in standalone mode). |
display wlan ap-distribution all |
Display information about distribution of attached APs for ACs (centralized devices in IRF mode). |
display wlan ap-distribution { all | slot slot-number } |
Display the attachment location of an AP. |
display wlan ap-distribution ap-name ap-name |
Clear the reboot logs of all APs or the specified AP. |
reset wlan ap reboot-log { all | name ap-name } |
Clear tunnel latency information for all CAPWAP tunnels or the specified CAPWAP tunnel. |
reset wlan tunnel latency ap { all | name ap-name } |
Delete configuration file wlan_ap_prvs.xml from all APs or the specified AP. |
reset wlan ap provision { all | name ap-name } |
AP management configuration examples
Example: Establishing a CAPWAP tunnel through DHCP
Network configuration
As shown in Figure 3, configure the AP to obtain its IP address and AC IP address from the DHCP server through DHCP Option 43. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.
Procedure
1. Configure the DHCP server:
# Enable the DHCP service.
[DHCP server] dhcp enable
# Configure DHCP address pool 1.
[DHCP server] dhcp server ip-pool 1
[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
# Configure Option 43 in address pool 1 to specify the IP address of the AC. The right-most four bytes 01010103 (1.1.1.3) represent the IP address of the AC.
[DHCP server-dhcp-pool-1] option 43 hex 800700000101010103
[DHCP server-dhcp-pool-1] quit
[DHCP server] quit
2. Configure the AC:
# Set the IP address of VLAN-interface 1 on the AC to 1.1.1.3/24.
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ip address 1.1.1.3 24
[AC-Vlan-interface1] quit
# Create an AP named ap1 with model WA4320i-ACN, and set its serial ID to 210235A1BSC123000050.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
[AC-wlan-ap-ap1] quit
# Start up the AP. The AP performs the following operations:
· Obtains its IP address 1.1.1.2 from the DHCP server.
· Obtains the IP address of the AC through Option 43.
· Establishes a CAPWAP tunnel with the AC.
Verifying the configuration
# Verify that you can see the following information:
· The AP obtains the IP address of the AC through DHCP.
· The AP and the AC have established a CAPWAP tunnel.
· The AP is in Run state.
[AC] display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA4320i-ACN
Region code : CN
Region code lock : Disable
Serial ID : 210235A1BSC123000050
MAC address : 0AFB-423B-893C
IP address : 1.1.1.2
UDP port number : 18313
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCB
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 44(auto)
Channel usage(%) : 15
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : -102 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 7848-59f6-3950
Admin state : Down
Radio type : 802.11b
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 5(auto)
Channel usage(%) : 0
Max power : 20 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : 0 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
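The verbose output above is what you check after an AP comes up, and it also shows that this tunnel came up with both Tunnel encryption and Data-tunnel encryption disabled. The following Python, an added example that is not part of the configuration guide, parses output in this format (the AP-level "Field : value" lines of each AP, stopping at the first "Radio N:" line) and lists every AP in Run state whose Tunnel encryption or Data-tunnel encryption field is not Enabled. The sample text inside the block is constructed from the page's output format, abridged and with two further APs added; it is not captured data.

```python
"""Audit `display wlan ap all verbose` output for CAPWAP tunnels that are up
but unencrypted.

Added example, not from the configuration guide. The AP-level fields of each
AP are the "Field : value" lines that precede its first "Radio N:" line; a
new AP record starts at each "AP name" line. SAMPLE is constructed from the
page's output format (abridged), not captured from a device.
"""
import re

SAMPLE = """\
AP name : ap1
AP ID : 1
State : Run
Model : WA4320i-ACN
Serial ID : 210235A1BSC123000050
IP address : 1.1.1.2
Discovery type : DHCP
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio 2:
Basic BSSID : 7848-59f6-3950
AP name : ap2
AP ID : 2
State : Run
Model : WA4320i-ACN
IP address : 1::2
Discovery type : DNS
Tunnel encryption : Enabled
Data-tunnel encryption : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3960
AP name : ap3
AP ID : 3
State : Idle
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
"""

# "key : value"; the lazy key match stops at the first colon, so IPv6
# values such as "1::2" survive intact.
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
RADIO = re.compile(r"^\s*Radio \d+:\s*$")


def parse_aps(text):
    """Return one dict per AP holding only its AP-level fields."""
    aps, current, in_radio = [], None, False
    for line in text.splitlines():
        if RADIO.match(line):
            in_radio = True          # radio fields are skipped until the next AP record
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "AP name":         # every AP record starts with its name
            current = {key: value}
            aps.append(current)
            in_radio = False
        elif current is not None and not in_radio:
            current[key] = value
    return aps


def unencrypted_tunnels(text):
    """(name, ip, [weak fields]) for each AP in Run state with an unencrypted tunnel.

    A missing encryption field is treated as not encrypted, so an unexpected
    output format is reported rather than silently passed.
    """
    flagged = []
    for ap in parse_aps(text):
        if ap.get("State") != "Run":
            continue                 # no established tunnel to assess
        weak = [f for f in ("Tunnel encryption", "Data-tunnel encryption")
                if ap.get(f) != "Enabled"]
        if weak:
            flagged.append((ap["AP name"], ap.get("IP address", "?"), weak))
    return flagged


if __name__ == "__main__":
    for name, ip, weak in unencrypted_tunnels(SAMPLE):
        print(f"{name} ({ip}): {', '.join(weak)} not enabled")
```

Feed it the text of `display wlan ap all verbose` saved from a terminal session; APs that are not yet in Run state are skipped rather than reported, because they have no tunnel to assess.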
Example: Establishing a CAPWAP tunnel through DHCPv6
Network configuration
As shown in Figure 4, configure the AP to obtain its IPv6 address and the AC IPv6 address from the DHCPv6 server through DHCPv6 Option 52. The AP uses the IPv6 address of the AC to establish a CAPWAP tunnel with the AC.
Procedure
1. Configure the DHCPv6 server:
# Assign an IPv6 address to GigabitEthernet 1/0/1.
<DHCPv6 Server> system-view
[DHCPv6 Server] interface gigabitethernet 1/0/1
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 address 1::1/64
# Disable RA message advertising suppression.
[DHCPv6 Server-GigabitEthernet1/0/1] undo ipv6 nd ra halt
# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag
# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig other-flag
# Enable the DHCPv6 service on GigabitEthernet 1/0/1.
[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 dhcp select server
[DHCPv6 Server-GigabitEthernet1/0/1] quit
# Create a DHCPv6 address pool, and specify an IPv6 subnet for dynamic allocation in the DHCPv6 address pool.
[DHCPv6 Server] ipv6 dhcp pool 1
[DHCPv6 Server-dhcp6-pool-1] network 1::0/64
# Configure Option 52 that specifies an AC address 1::3 in DHCPv6 address pool 1.
[DHCPv6 Server-dhcp6-pool-1] option 52 hex 00010000000000000000000000000003
[DHCPv6 Server-dhcp6-pool-1] quit
[DHCPv6 Server] quit
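The Option 43 string in the DHCP example earlier on this page and the Option 52 string in step 1 above are hand-assembled hex, and a single wrong digit leaves the AP pointed at the wrong AC or discarding the option. The following Python, an added example that is not part of the configuration guide, builds and checks both payloads from address lists. Its byte layout is taken from the page's own strings: sub-option type 0x80, a one-byte length, two zero bytes, a one-byte AC count, then 4 bytes per IPv4 address, so 800700000101010103 is 1.1.1.3. Carrying several ACs in one sub-option by raising the count and length is an assumption derived from those two fields, not something the page states. Option 52 is the concatenation of 16-byte IPv6 addresses, which matches the 1::3 string above.

```python
"""Encode and decode the DHCP Option 43 and DHCPv6 Option 52 payloads that
carry AC addresses to an AP.

Added example, not part of the configuration guide. Layout taken from the
page's strings:  80 | len | 00 00 | count | 4 bytes per AC IPv4 address.
Multi-AC payloads (count > 1) are an assumption derived from the length and
count fields. Option 52 is a plain sequence of 16-byte IPv6 addresses.
"""
import ipaddress

SUBOPT_AC_IPV4 = 0x80   # sub-option type used in the page's Option 43 strings


def encode_option43(acs):
    """Return the hex string for `option 43 hex ...` listing the given AC IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(a) for a in acs]
    if not 1 <= len(addrs) <= 255:
        raise ValueError("need 1..255 AC addresses")
    body = b"\x00\x00" + bytes([len(addrs)]) + b"".join(a.packed for a in addrs)
    return (bytes([SUBOPT_AC_IPV4, len(body)]) + body).hex().upper()


def decode_option43(hex_string):
    """Parse an Option 43 hex string and return the AC IPv4 addresses as strings.

    Raises ValueError when the length byte disagrees with the payload or the
    count byte disagrees with the number of 4-byte addresses, so a mistyped
    string is caught before it reaches a DHCP pool.
    """
    raw = bytes.fromhex(hex_string)
    if len(raw) < 5 or raw[0] != SUBOPT_AC_IPV4:
        raise ValueError("not an AC-address sub-option")
    length, body = raw[1], raw[2:]
    if len(body) != length:
        raise ValueError(f"length byte says {length}, payload has {len(body)} bytes")
    count, addr_bytes = body[2], body[3:]
    if len(addr_bytes) != 4 * count:
        raise ValueError(f"count byte says {count}, payload holds {len(addr_bytes) // 4} addresses")
    return [str(ipaddress.IPv4Address(addr_bytes[i:i + 4]))
            for i in range(0, len(addr_bytes), 4)]


def option43_is_valid(hex_string):
    """True if the string decodes cleanly; handy as a pre-commit check on pool config."""
    try:
        decode_option43(hex_string)
        return True
    except ValueError:
        return False


def encode_option52(acs):
    """Return the hex string for `option 52 hex ...` listing the given AC IPv6 addresses."""
    if not acs:
        raise ValueError("need at least one AC address")
    return b"".join(ipaddress.IPv6Address(a).packed for a in acs).hex().upper()


def decode_option52(hex_string):
    """Parse an Option 52 hex string and return the AC IPv6 addresses in compressed form."""
    raw = bytes.fromhex(hex_string)
    if not raw or len(raw) % 16:
        raise ValueError("Option 52 payload must be a non-empty multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]


if __name__ == "__main__":
    print(decode_option43("800700000101010103"))        # the page's DHCP example
    print(encode_option43(["1.1.1.3", "1.1.1.4"]))     # two ACs (assumed layout)
    print(decode_option52("00010000000000000000000000000003"))
```

Run `decode_option43` on the exact string you intend to paste into `option 43 hex`; the length and count checks are what catch a dropped or doubled digit.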
2. Configure the AC:
# Set the IP address of VLAN-interface 1 to 1::3/64.
<AC> system-view
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ipv6 address 1::3 64
# Create an AP named ap1 with model WA4320i-ACN, and set its serial ID to 210235A1BSC123000050.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
[AC-wlan-ap-ap1] quit
# Start up the AP. The AP performs the following operations:
· Obtains its IPv6 address 1::2 from the DHCPv6 server.
· Obtains the IPv6 address of the AC through Option 52.
· Establishes a CAPWAP tunnel with the AC.
Verifying the configuration
# Verify that you can view the following information:
· The AP obtains the IPv6 address of the AC through DHCPv6.
· The AP and the AC have established a CAPWAP tunnel.
· The AP is in Run state.
[AC] display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA4320i-ACN
Region code : CN
Region code lock : Disable
Serial ID : 210235A1BSC123000050
MAC address : 0AFB-423B-893C
IP address : 1::2
UDP port number : 18313
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCB
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 44(auto)
Channel usage(%) : 15
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : -102 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 7848-59f6-3950
Admin state : Down
Radio type : 802.11b
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 5(auto)
Channel usage(%) : 0
Max power : 0 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : 5 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Example: Establishing a CAPWAP tunnel through DNS
Network configuration
As shown in Figure 5, configure the AP to obtain the IP address of the AC through DNS to establish a CAPWAP tunnel with the AC.
Procedure
1. Configure the DHCP server:
# Enable the DHCP service, configure DHCP address pool 1, and have the pool hand out domain name suffix abc, DNS server 1.1.1.4, and gateway 1.1.1.2.
[DHCP server] dhcp enable
[DHCP server] dhcp server ip-pool 1
[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
[DHCP server-dhcp-pool-1] domain-name abc
[DHCP server-dhcp-pool-1] dns-list 1.1.1.4
[DHCP server-dhcp-pool-1] gateway-list 1.1.1.2
[DHCP server-dhcp-pool-1] quit
[DHCP server] quit
2. On the DNS server, configure a mapping between domain name h3c.abc and IP address 2.1.1.1. For more information, see Layer 3—IP Services Configuration Guide. (Details not shown.)
3. Configure the AC:
# Set the IP address of VLAN-interface 1 to 2.1.1.1/24.
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ip address 2.1.1.1 24
[AC-Vlan-interface1] quit
# Configure a default route with next hop address 2.1.1.2.
[AC] ip route-static 0.0.0.0 0 2.1.1.2
# Create an AP named ap1 with model WA4320i-ACN, and set its serial ID to 210235A1BSC123000050.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Start up the AP.
[AC-wlan-ap-ap1] quit
The AP performs the following operations:
· Obtains its IP address 1.1.1.1, the domain name suffix, and the IP address of the DNS server from the DHCP server.
· Appends the domain name suffix to its hostname to form the domain name of the AC.
· Resolves the domain name to the IP address of the AC through the DNS server.
· Uses the IP address of the AC to establish a CAPWAP tunnel with the AC.
Verifying the configuration
# Verify that you can see the following information:
· The AP and the AC have established a CAPWAP tunnel.
· The AP is in Run state.
· The AP obtains the IP address of the AC through DNS.
[AC] display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA4320i-ACN
Region code : CN
Region code lock : Disable
Serial ID : 210235A1BSC123000050
MAC address : 0AFB-423B-893C
IP address : 1.1.1.2
UDP port number : 18313
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DNS
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCB
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 44(auto)
Channel usage(%) : 15
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : -102 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 7848-59f6-3950
Admin state : Down
Radio type : 802.11b
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 5(auto)
Channel usage(%) : 0
Max power : 20 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : 0 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Example: Configuring the auto AP feature
Network configuration
As shown in Figure 6, enable the auto AP feature on the AC. The AP obtains the AC IP address through DHCP Option 43 and establishes a CAPWAP tunnel with the AC.
Procedure
1. Configure the DHCP server:
# Enable the DHCP service.
<DHCP server> system-view
[DHCP server] dhcp enable
# Configure DHCP address pool 1.
[DHCP server] dhcp server ip-pool 1
[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0
# Configure Option 43 in address pool 1 to specify the IP address of the AC. The right-most four bytes 02010102 (2.1.1.2) represent the IP address of the AC.
[DHCP server-dhcp-pool-1] option 43 hex 800700000102010102
[DHCP server-dhcp-pool-1] gateway-list 1.1.1.3
[DHCP server-dhcp-pool-1] quit
[DHCP server] quit
2. Configure the AC:
# Set the IP address of VLAN-interface 1 on the AC to 2.1.1.2/24.
[AC] interface vlan-interface 1
[AC-Vlan-interface1] ip address 2.1.1.2 24
[AC-Vlan-interface1] quit
# Configure a default route with next hop address 2.1.1.1.
[AC] ip route-static 0.0.0.0 0 2.1.1.1
# Enable auto AP.
[AC] wlan auto-ap enable
Verifying the configuration
# Verify that the AP has established a CAPWAP tunnel with the AC.
[AC] display wlan ap name 0011-2200-0101 verbose
AP name : 0011-2200-0101
AP ID : 1
AP group name : default-group
State : Run
Backup type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA4320i-ACN
Region code : CN
Region code lock : Disable
Serial ID : 219801A0CNC138011454
MAC address : 0011-2200-0101
IP address : 1.1.1.2
UDP port number : 18313
H/W version : Ver.C
S/W version : E2321
Boot version : 1.01
USB state : N/A
Power Level : N/A
PowerInfo : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
Discovery type : DHCP
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCB
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 44(auto)
Channel usage(%) : 15
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : -102 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 7848-59f6-3950
Admin state : Down
Radio type : 802.11b
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 5(auto)
Channel usage(%) : 0
Max power : 20 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : 0 dBm
Smart antenna : Enabled
Smart antenna policy : Auto
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Example: Configuring AP groups
Network configuration
As shown in Figure 7, configure AP groups and add AP 1 to AP group group1, and AP 2, AP 3, and AP 4 to AP group group2.
Procedure
1. Configure APs to obtain their IP addresses and the AC IP address from the DHCP server. (Details not shown.)
2. Configure manual APs. (Details not shown.)
3. Configure AP groups:
# Create an AP group named group1.
[AC] wlan ap-group group1
# Add AP 1 to AP group group1.
[AC-wlan-ap-group-group1] ap ap1
[AC-wlan-ap-group-group1] quit
# Create an AP group named group2.
[AC] wlan ap-group group2
# Add AP 2, AP 3, and AP 4 to AP group group2.
[AC-wlan-ap-group-group2] ap ap2 ap3 ap4
[AC-wlan-ap-group-group2] quit
[AC] quit
Verifying the configuration
# Verify that AP 1 is in AP group group1, and AP 2, AP 3, and AP 4 are in AP group group2.
[AC-wlan-ap-group-group2] display wlan ap-group
Total number of AP groups: 3
AP group name : default-group
Description : Not configured
AP model : Not configured
APs : Not configured
AP group name : group1
Description : Not configured
AP model : WA4320i-ACN
AP grouping rules:
AP name : ap1
Serial ID : Not configured
MAC address : Not configured
IPv4 address : Not configured
IPv6 address : Not configured
APs : ap1 (AP name)
AP group name : group2
Description : Not configured
AP model : WA4320i-ACN
AP grouping rules:
AP name : ap2, ap3, ap4
Serial ID : Not configured
MAC address : Not configured
IPv4 address : Not configured
IPv6 address : Not configured
APs : ap2 (AP name), ap3 (AP name), ap4 (AP name)
Configuring radio management
The term "AC" in this document refers to MSR routers that can function as ACs.
About radio management
Radio frequency (RF) is a rate of electrical oscillation in the range of 300 kHz to 300 GHz. WLAN uses the 2.4 GHz band and 5 GHz band radio frequencies as the transmission media. The 2.4 GHz band includes radio frequencies from 2.4 GHz to 2.4835 GHz. The 5 GHz band includes radio frequencies from 5.150 GHz to 5.350 GHz and from 5.725 GHz to 5.850 GHz.
The term "radio frequency" or its abbreviation RF is also used as a synonym for "radio" in wireless communication.
Radio mode
IEEE defines the 802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac radio modes.
Table 2 provides a comparison of these radio modes.
Table 2 Comparison of 802.11 standards
IEEE standard | Frequency band | Maximum rate | Indoor coverage | Outdoor coverage |
---|---|---|---|---|
802.11a | 5 GHz | 54 Mbps | About 30 meters (98.43 ft) | About 45 meters (147.64 ft) |
802.11b | 2.4 GHz | 11 Mbps | About 30 meters (98.43 ft) | About 100 meters (328.08 ft) |
802.11g | 2.4 GHz | 54 Mbps | About 30 meters (98.43 ft) | About 100 meters (328.08 ft) |
802.11n | 2.4 GHz or 5 GHz | 600 Mbps | About 300 meters (984.3 ft) | About 600 meters (1968.50 ft) |
802.11ac | 5 GHz | 6900 Mbps | About 300 meters (984.3 ft) | About 600 meters (1968.50 ft) |
Channel
A channel is a range of frequencies with a specific bandwidth.
The 2.4 GHz band has 14 channels. Each channel is 20 MHz wide, and adjacent channels are spaced 5 MHz apart. Among the 14 channels, four groups of non-overlapping channels exist, and the most commonly used group contains channels 1, 6, and 11.
The 5 GHz band can provide higher rates and is more immune to interference. There are 24 non-overlapping channels designated to the 5 GHz band. The channels are spaced 20 MHz apart with a bandwidth of 20 MHz. The available channels vary by country.
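The 2.4 GHz channel groups described above can be derived from the channel plan. The following is an added example, not part of the manual; it assumes the IEEE 802.11 centre frequencies (2407 MHz + 5 MHz per channel for channels 1 to 13, 2484 MHz for channel 14) and the 20 MHz channel bandwidth stated above.

```python
"""Derive the 2.4 GHz non-overlapping channel groups from the channel plan.

Added example, not from the manual. Assumptions: IEEE 802.11 centre frequencies
(2407 MHz + 5 MHz * n for channels 1-13, 2484 MHz for channel 14) and the 20 MHz
channel bandwidth the manual states for the 2.4 GHz band.
"""
from itertools import combinations
from typing import List

CHANNEL_BANDWIDTH_MHZ = 20


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel; channel 14 sits 12 MHz above channel 13."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("the 2.4 GHz band has channels 1-14")


def overlaps(a: int, b: int) -> bool:
    """Two 20 MHz channels overlap when their centres are closer than 20 MHz."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_BANDWIDTH_MHZ


def is_non_overlapping_set(channels: List[int]) -> bool:
    """True when no pair of channels in the set overlaps (e.g. the usual 1, 6, 11)."""
    return all(not overlaps(a, b) for a, b in combinations(channels, 2))


def greedy_group(start: int) -> List[int]:
    """From `start` upward, keep every channel that overlaps none already chosen."""
    chosen = [start]
    for ch in range(start + 1, 15):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def non_overlapping_groups() -> List[List[int]]:
    """The four maximal groups; starting at channel 5 or above only repeats a subset."""
    return [greedy_group(start) for start in range(1, 5)]


if __name__ == "__main__":
    for group in non_overlapping_groups():
        print(group, [center_mhz(c) for c in group])
    print("1/6/11 non-overlapping:", is_non_overlapping_set([1, 6, 11]))
```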
Transmit power
Transmit power reflects the signal strength of a wireless device. A higher transmit power enables a radio to cover a larger area but it brings more interference to adjacent devices. The signal strength decreases as the transmission distance increases.
Transmission rate
Transmission rate refers to the speed at which wireless devices transmit traffic. It varies by radio mode and spreading, coding, and modulation schemes. The following are rates supported by different types of radios:
· 802.11a—6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.
· 802.11b—1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps.
· 802.11g—1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.
· 802.11n—Rates for 802.11n radios vary by channel bandwidth. For more information, see "MCS."
· 802.11ac—Rates for 802.11ac radios vary by channel bandwidth and number of spatial streams (NSS). For more information, see "VHT-MCS."
MCS
Modulation and Coding Scheme (MCS) defined in IEEE 802.11n-2009 determines the modulation, coding, and number of spatial streams.
MCS types
802.11n MCSs are classified into the following types:
· Mandatory MCSs—Mandatory MCSs for an AP. To associate with an 802.11n AP, a client must support the mandatory MCSs for the AP.
· Supported MCSs—MCSs supported by an AP besides the mandatory MCSs. If a client supports both mandatory and supported MCSs, the client can use a supported rate to communicate with the AP.
· Multicast MCS—MCS for the rate at which an AP transmits multicast frames.
MCS parameters
An MCS is identified by an MCS index, which is represented by an integer in the range of 0 to 76. An MCS index is the mapping from MCS to a data rate.
Table 3 through Table 10 show sample MCS parameters for 20 MHz and 40 MHz.
When the bandwidth mode is 20 MHz, MCS indexes 0 through 15 are mandatory for APs, and MCS indexes 0 through 7 are mandatory for clients.
Table 3 MCS parameters (20 MHz, NSS=1)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
0 | 1 | BPSK | 6.5 | 7.2 |
1 | 1 | QPSK | 13.0 | 14.4 |
2 | 1 | QPSK | 19.5 | 21.7 |
3 | 1 | 16-QAM | 26.0 | 28.9 |
4 | 1 | 16-QAM | 39.0 | 43.3 |
5 | 1 | 64-QAM | 52.0 | 57.8 |
6 | 1 | 64-QAM | 58.5 | 65.0 |
7 | 1 | 64-QAM | 65.0 | 72.2 |
Table 4 MCS parameters (20 MHz, NSS=2)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
8 | 2 | BPSK | 13.0 | 14.4 |
9 | 2 | QPSK | 26.0 | 28.9 |
10 | 2 | QPSK | 39.0 | 43.3 |
11 | 2 | 16-QAM | 52.0 | 57.8 |
12 | 2 | 16-QAM | 78.0 | 86.7 |
13 | 2 | 64-QAM | 104.0 | 115.6 |
14 | 2 | 64-QAM | 117.0 | 130.0 |
15 | 2 | 64-QAM | 130.0 | 144.4 |
Table 5 MCS parameters (20 MHz, NSS=3)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
16 | 3 | BPSK | 19.5 | 21.7 |
17 | 3 | QPSK | 39.0 | 43.3 |
18 | 3 | QPSK | 58.5 | 65.0 |
19 | 3 | 16-QAM | 78.0 | 86.7 |
20 | 3 | 16-QAM | 117.0 | 130.0 |
21 | 3 | 64-QAM | 156.0 | 173.3 |
22 | 3 | 64-QAM | 175.5 | 195.0 |
23 | 3 | 64-QAM | 195.0 | 216.7 |
Table 6 MCS parameters (20 MHz, NSS=4)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
24 | 4 | BPSK | 26.0 | 28.9 |
25 | 4 | QPSK | 52.0 | 57.8 |
26 | 4 | QPSK | 78.0 | 86.7 |
27 | 4 | 16-QAM | 104.0 | 115.6 |
28 | 4 | 16-QAM | 156.0 | 173.3 |
29 | 4 | 64-QAM | 208.0 | 231.1 |
30 | 4 | 64-QAM | 234.0 | 260.0 |
31 | 4 | 64-QAM | 260.0 | 288.9 |
Table 7 MCS parameters (40 MHz, NSS=1)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
0 | 1 | BPSK | 13.5 | 15.0 |
1 | 1 | QPSK | 27.0 | 30.0 |
2 | 1 | QPSK | 40.5 | 45.0 |
3 | 1 | 16-QAM | 54.0 | 60.0 |
4 | 1 | 16-QAM | 81.0 | 90.0 |
5 | 1 | 64-QAM | 108.0 | 120.0 |
6 | 1 | 64-QAM | 121.5 | 135.0 |
7 | 1 | 64-QAM | 135.0 | 150.0 |
Table 8 MCS parameters (40 MHz, NSS=2)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
8 | 2 | BPSK | 27.0 | 30.0 |
9 | 2 | QPSK | 54.0 | 60.0 |
10 | 2 | QPSK | 81.0 | 90.0 |
11 | 2 | 16-QAM | 108.0 | 120.0 |
12 | 2 | 16-QAM | 162.0 | 180.0 |
13 | 2 | 64-QAM | 216.0 | 240.0 |
14 | 2 | 64-QAM | 243.0 | 270.0 |
15 | 2 | 64-QAM | 270.0 | 300.0 |
Table 9 MCS parameters (40 MHz, NSS=3)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
16 | 3 | BPSK | 40.5 | 45.0 |
17 | 3 | QPSK | 81.0 | 90.0 |
18 | 3 | QPSK | 121.5 | 135.0 |
19 | 3 | 16-QAM | 162.0 | 180.0 |
20 | 3 | 16-QAM | 243.0 | 270.0 |
21 | 3 | 64-QAM | 324.0 | 360.0 |
22 | 3 | 64-QAM | 364.5 | 405.0 |
23 | 3 | 64-QAM | 405.0 | 450.0 |
Table 10 MCS parameters (40 MHz, NSS=4)
MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|---|
24 | 4 | BPSK | 54.0 | 60.0 |
25 | 4 | QPSK | 108.0 | 120.0 |
26 | 4 | QPSK | 162.0 | 180.0 |
27 | 4 | 16-QAM | 216.0 | 240.0 |
28 | 4 | 16-QAM | 324.0 | 360.0 |
29 | 4 | 64-QAM | 432.0 | 480.0 |
30 | 4 | 64-QAM | 486.0 | 540.0 |
31 | 4 | 64-QAM | 540.0 | 600.0 |
NOTE:
· For all the MCS data rate tables, see IEEE 802.11n-2009.
· Support for MCS indexes depends on the device model.
VHT-MCS
Very High Throughput Modulation and Coding Scheme (VHT-MCS) defined in IEEE 802.11ac determines the wireless data rates.
VHT-MCS types
802.11ac VHT-MCSs are classified into the following types:
· Mandatory VHT-MCSs—Mandatory VHT-MCSs for an AP. To associate with an 802.11ac AP, a client must support the mandatory VHT-MCSs for the AP.
· Supported VHT-MCSs—VHT-MCSs supported by an AP besides the mandatory VHT-MCSs. If a client supports both mandatory and supported VHT-MCSs, the client can use a supported rate to communicate with the AP.
· Multicast VHT-MCS—VHT-MCS for the rate at which an AP transmits multicast frames.
VHT-MCS parameters
A VHT-MCS is identified by a VHT-MCS index, which is represented by an integer in the range of 0 to 9. A VHT-MCS index is the mapping from VHT-MCS to a data rate.
802.11ac supports the 20 MHz, 40 MHz, 80 MHz, and 160 MHz bandwidth modes, and supports a maximum of eight spatial streams.
Table 11 through Table 22 show VHT-MCS parameters that are supported by an AP.
Table 11 VHT-MCS parameters (20 MHz, NSS=1)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 6.5 | 7.2 |
1 | QPSK | 13.0 | 14.4 |
2 | QPSK | 19.5 | 21.7 |
3 | 16-QAM | 26.0 | 28.9 |
4 | 16-QAM | 39.0 | 43.3 |
5 | 64-QAM | 52.0 | 57.8 |
6 | 64-QAM | 58.5 | 65.0 |
7 | 64-QAM | 65.0 | 72.2 |
8 | 256-QAM | 78.0 | 86.7 |
9 | Not valid | | |
Table 12 VHT-MCS parameters (20 MHz, NSS=2)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 13.0 | 14.4 |
1 | QPSK | 26.0 | 28.9 |
2 | QPSK | 39.0 | 43.3 |
3 | 16-QAM | 52.0 | 57.8 |
4 | 16-QAM | 78.0 | 86.7 |
5 | 64-QAM | 104.0 | 115.6 |
6 | 64-QAM | 117.0 | 130.0 |
7 | 64-QAM | 130.0 | 144.4 |
8 | 256-QAM | 156.0 | 173.3 |
9 | Not valid | | |
Table 13 VHT-MCS parameters (20 MHz, NSS=3)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 19.5 | 21.7 |
1 | QPSK | 39.0 | 43.3 |
2 | QPSK | 58.5 | 65.0 |
3 | 16-QAM | 78.0 | 86.7 |
4 | 16-QAM | 117.0 | 130.0 |
5 | 64-QAM | 156.0 | 173.3 |
6 | 64-QAM | 175.5 | 195.0 |
7 | 64-QAM | 195.0 | 216.7 |
8 | 256-QAM | 234.0 | 260.0 |
9 | 256-QAM | 260.0 | 288.9 |
Table 14 VHT-MCS parameters (20 MHz, NSS=4)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 26.0 | 28.9 |
1 | QPSK | 52.0 | 57.8 |
2 | QPSK | 78.0 | 86.7 |
3 | 16-QAM | 104.0 | 115.6 |
4 | 16-QAM | 156.0 | 173.3 |
5 | 64-QAM | 208.0 | 231.1 |
6 | 64-QAM | 234.0 | 260.0 |
7 | 64-QAM | 260.0 | 288.9 |
8 | 256-QAM | 312.0 | 346.7 |
9 | Not valid | | |
Table 15 VHT-MCS parameters (40 MHz, NSS=1)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 13.5 | 15.0 |
1 | QPSK | 27.0 | 30.0 |
2 | QPSK | 40.5 | 45.0 |
3 | 16-QAM | 54.0 | 60.0 |
4 | 16-QAM | 81.0 | 90.0 |
5 | 64-QAM | 108.0 | 120.0 |
6 | 64-QAM | 121.5 | 135.0 |
7 | 64-QAM | 135.0 | 150.0 |
8 | 256-QAM | 162.0 | 180.0 |
9 | 256-QAM | 180.0 | 200.0 |
Table 16 VHT-MCS parameters (40 MHz, NSS=2)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 27.0 | 30.0 |
1 | QPSK | 54.0 | 60.0 |
2 | QPSK | 81.0 | 90.0 |
3 | 16-QAM | 108.0 | 120.0 |
4 | 16-QAM | 162.0 | 180.0 |
5 | 64-QAM | 216.0 | 240.0 |
6 | 64-QAM | 243.0 | 270.0 |
7 | 64-QAM | 270.0 | 300.0 |
8 | 256-QAM | 324.0 | 360.0 |
9 | 256-QAM | 360.0 | 400.0 |
Table 17 VHT-MCS parameters (40 MHz, NSS=3)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 40.5 | 45.0 |
1 | QPSK | 81.0 | 90.0 |
2 | QPSK | 121.5 | 135.0 |
3 | 16-QAM | 162.0 | 180.0 |
4 | 16-QAM | 243.0 | 270.0 |
5 | 64-QAM | 324.0 | 360.0 |
6 | 64-QAM | 364.5 | 405.0 |
7 | 64-QAM | 405.0 | 450.0 |
8 | 256-QAM | 486.0 | 540.0 |
9 | 256-QAM | 540.0 | 600.0 |
Table 18 VHT-MCS parameters (40 MHz, NSS=4)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 54.0 | 60.0 |
1 | QPSK | 108.0 | 120.0 |
2 | QPSK | 162.0 | 180.0 |
3 | 16-QAM | 216.0 | 240.0 |
4 | 16-QAM | 324.0 | 360.0 |
5 | 64-QAM | 432.0 | 480.0 |
6 | 64-QAM | 486.0 | 540.0 |
7 | 64-QAM | 540.0 | 600.0 |
8 | 256-QAM | 648.0 | 720.0 |
9 | 256-QAM | 720.0 | 800.0 |
Table 19 VHT-MCS parameters (80 MHz, NSS=1)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 29.3 | 32.5 |
1 | QPSK | 58.5 | 65.0 |
2 | QPSK | 87.8 | 97.5 |
3 | 16-QAM | 117.0 | 130.0 |
4 | 16-QAM | 175.5 | 195.0 |
5 | 64-QAM | 234.0 | 260.0 |
6 | 64-QAM | 263.0 | 292.5 |
7 | 64-QAM | 292.5 | 325.0 |
8 | 256-QAM | 351.0 | 390.0 |
9 | 256-QAM | 390.0 | 433.3 |
Table 20 VHT-MCS parameters (80 MHz, NSS=2)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 58.5 | 65.0 |
1 | QPSK | 117.0 | 130.0 |
2 | QPSK | 175.5 | 195.0 |
3 | 16-QAM | 234.0 | 260.0 |
4 | 16-QAM | 351.0 | 390.0 |
5 | 64-QAM | 468.0 | 520.0 |
6 | 64-QAM | 526.5 | 585.0 |
7 | 64-QAM | 585.0 | 650.0 |
8 | 256-QAM | 702.0 | 780.0 |
9 | 256-QAM | 780.0 | 866.7 |
Table 21 VHT-MCS parameters (80 MHz, NSS=3)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 87.8 | 97.5 |
1 | QPSK | 175.5 | 195.0 |
2 | QPSK | 263.3 | 292.5 |
3 | 16-QAM | 351.0 | 390.0 |
4 | 16-QAM | 526.5 | 585.0 |
5 | 64-QAM | 702.0 | 780.0 |
6 | Not valid | | |
7 | 64-QAM | 877.5 | 975.0 |
8 | 256-QAM | 1053.0 | 1170.0 |
9 | 256-QAM | 1170.0 | 1300.0 |
Table 22 VHT-MCS parameters (80 MHz, NSS=4)
VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI |
---|---|---|---|
0 | BPSK | 117.0 | 130.0 |
1 | QPSK | 234.0 | 260.0 |
2 | QPSK | 351.0 | 390.0 |
3 | 16-QAM | 468.0 | 520.0 |
4 | 16-QAM | 702.0 | 780.0 |
5 | 64-QAM | 936.0 | 1040.0 |
6 | 64-QAM | 1053.0 | 1170.0 |
7 | 64-QAM | 1170.0 | 1300.0 |
8 | 256-QAM | 1404.0 | 1560.0 |
9 | 256-QAM | 1560.0 | 1733.3 |
NOTE:
· For all the VHT-MCS data rate tables, see IEEE 802.11ac-2013.
· Support for VHT-MCS indexes depends on the device model.
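The MCS and VHT-MCS tables above all follow one formula, rate = N_SS × N_BPSCS × R × N_SD / T_SYM, and the "Not valid" entries follow from the encoder constraints of 802.11ac. The following is an added example, not part of the manual, that reproduces Tables 3 to 22 from that formula; the subcarrier counts, symbol times, per-index modulation and the two validity checks are assumptions taken from IEEE 802.11n-2009 and 802.11ac-2013, and the example is deliberately limited to the range the tables cover (HT MCS 0 to 31 at 20/40 MHz; VHT-MCS 0 to 9, NSS 1 to 4, 20/40/80 MHz).

```python
"""Compute 802.11n (HT) and 802.11ac (VHT) PHY data rates from the standard's formula,
reproducing the MCS / VHT-MCS tables of the manual.

    rate [Mbps] = N_SS * N_BPSCS * R * N_SD / T_SYM[us]

Added example, not from the manual. Constants (N_SD, T_SYM, modulation per index)
are assumptions taken from IEEE 802.11n-2009 / 802.11ac-2013. Whether a given AP
model supports an index is a separate, per-model question the manual notes above.
"""
from fractions import Fraction
from typing import Optional

# MCS index -> (modulation, coded bits per subcarrier N_BPSCS, code rate R).
# HT repeats indexes 0-7 per spatial stream; VHT adds 8 and 9 (256-QAM).
_MOD = {
    0: ("BPSK", 1, Fraction(1, 2)),
    1: ("QPSK", 2, Fraction(1, 2)),
    2: ("QPSK", 2, Fraction(3, 4)),
    3: ("16-QAM", 4, Fraction(1, 2)),
    4: ("16-QAM", 4, Fraction(3, 4)),
    5: ("64-QAM", 6, Fraction(2, 3)),
    6: ("64-QAM", 6, Fraction(3, 4)),
    7: ("64-QAM", 6, Fraction(5, 6)),
    8: ("256-QAM", 8, Fraction(3, 4)),
    9: ("256-QAM", 8, Fraction(5, 6)),
}
_N_SD = {20: 52, 40: 108, 80: 234}        # data subcarriers per channel bandwidth (MHz)
_T_SYM_NS = {False: 4000, True: 3600}     # symbol time with 800 ns GI vs 400 ns short GI


def _round_tenth(rate: Fraction) -> float:
    """Round half up to one decimal, as the tables do (7.22 -> 7.2, 86.67 -> 86.7)."""
    return int((rate * 10 + Fraction(1, 2)) // 1) / 10


def _rate_mbps(n_dbps: Fraction, short_gi: bool) -> float:
    # data bits per symbol / symbol time in us = Mbps; exact arithmetic until rounding
    return _round_tenth(n_dbps * 1000 / _T_SYM_NS[short_gi])


def ht_rate(mcs: int, bw_mhz: int, short_gi: bool = False) -> float:
    """802.11n rate for equal-modulation MCS 0-31 at 20/40 MHz (Tables 3-10)."""
    if not 0 <= mcs <= 31 or bw_mhz not in (20, 40):
        raise ValueError("example covers HT MCS 0-31 at 20 or 40 MHz")
    extra_ss, base = divmod(mcs, 8)       # MCS 8-15 -> NSS 2, 16-23 -> NSS 3, 24-31 -> NSS 4
    _, n_bpscs, r = _MOD[base]
    n_dbps = (extra_ss + 1) * n_bpscs * r * _N_SD[bw_mhz]
    return _rate_mbps(n_dbps, short_gi)


def vht_rate(mcs: int, nss: int, bw_mhz: int, short_gi: bool = False) -> Optional[float]:
    """802.11ac rate (Tables 11-22), or None for a combination the tables mark
    "Not valid" (e.g. VHT-MCS 9 at 20 MHz with NSS=1, VHT-MCS 6 at 80 MHz with NSS=3)."""
    if not 0 <= mcs <= 9 or not 1 <= nss <= 4 or bw_mhz not in _N_SD:
        raise ValueError("example covers VHT-MCS 0-9, NSS 1-4, 20/40/80 MHz")
    _, n_bpscs, r = _MOD[mcs]
    n_dbps = nss * n_bpscs * r * _N_SD[bw_mhz]
    # Check 1: the number of data bits per OFDM symbol must be an integer.
    if n_dbps.denominator != 1:
        return None
    # Check 2: BCC uses N_ES encoders so that each carries at most 600 Mbps at short GI
    # (2160 data bits per symbol), and each encoder's share of a symbol must be a whole
    # number of puncturing blocks (1, 2, 3 or 5 data bits for R = 1/2, 2/3, 3/4, 5/6).
    n_es = -(-int(n_dbps) // 2160)        # ceiling division
    if int(n_dbps) % (n_es * r.numerator) != 0:
        return None
    return _rate_mbps(n_dbps, short_gi)


def vht_table(nss: int, bw_mhz: int) -> list:
    """One VHT-MCS table as rows (index, modulation, rate at 800 ns GI, rate at 400 ns GI)."""
    rows = []
    for mcs in range(10):
        long_gi = vht_rate(mcs, nss, bw_mhz, False)
        short = vht_rate(mcs, nss, bw_mhz, True)
        rows.append((mcs, _MOD[mcs][0], long_gi, short))
    return rows


if __name__ == "__main__":
    # Regenerate Table 21 (80 MHz, NSS=3), including its "Not valid" row for VHT-MCS 6.
    for mcs, mod, r800, r400 in vht_table(3, 80):
        print(mcs, mod, "Not valid" if r800 is None else f"{r800} / {r400}")
```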
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: Radio management configuration
Configuration in radio view takes precedence over configuration in AP group radio view, which in turn takes precedence over configuration in global configuration view.
Radio management tasks at a glance
Enabling or disabling radios
Enabling or disabling all radios
CAUTION: Disabling all radios terminates wireless services. Use it with caution.
Restrictions and guidelines
This feature takes effect only on manual APs and online auto APs.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable or disable all radios. | wlan radio { enable \| disable } | By default, radios are disabled unless they are already enabled in radio view or AP group radio view. |
Enabling or disabling a radio in radio view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable or disable the radio. | radio { enable \| disable } | By default, a radio is enabled if the wlan radio enable command is executed in system view. If the wlan radio enable command is not executed in system view, a radio uses the configuration in AP group radio view. |
Enabling or disabling a radio in AP group radio view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable or disable the radio. | radio { enable \| disable } | By default, a radio is disabled unless it is already enabled by using the wlan radio enable command in system view. |
Specifying a radio mode
About radio modes
Available radio functions vary by radio mode. You can configure basic radio functions for all radios, 802.11n functions for 802.11an, 802.11gn, and 802.11ac radios, and 802.11ac functions only for 802.11ac radios.
Restrictions and guidelines
Support for channels and transmit powers depends on the radio mode. When you change the mode of a radio, the system automatically adjusts the channel and power parameters for the radio.
When you change the radio mode in AP group radio view, the default settings for the radio mode related commands are restored.
Procedure
To specify a radio mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Specify a radio mode. | type { dot11a \| dot11ac \| dot11an \| dot11b \| dot11g \| dot11gn } | By default, a radio uses the configuration in AP group radio view. |
To specify a radio mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Specify a radio mode. | type { dot11a \| dot11ac \| dot11an \| dot11b \| dot11g \| dot11gn } | The default setting for this command varies by device model. |
Configuring basic radio functions
Specifying a working channel
About specifying a working channel
Perform this task to reduce interference from both wireless and non-wireless devices. You can manually specify a channel or configure the system to automatically select a channel for a radio.
When radar signals are detected on the working channel of a radio, one of the following events occurs:
· If the channel is automatically assigned, the radio changes its channel.
· If the channel is manually specified, the radio changes its channel, switches back to the specified channel after 30 minutes, and then starts the quiet timer. If no radar signals are detected within the quiet time, the radio starts to use the channel. If radar signals are detected within the quiet time, the radio changes its channel again.
Procedure
To specify a working channel in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Specify a working channel. | channel { channel-number \| auto { lock \| unlock } } | By default, a radio uses the configuration in AP group radio view. |
To specify a working channel in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Specify a working channel. | channel { channel-number \| auto { lock \| unlock } } | By default, the AC automatically selects a channel for the radio and does not lock the channel. |
Configuring the channel selection blacklist or whitelist
About the channel selection blacklist and whitelist
If you configure the blacklist for an AP, the AP will not select channels in the blacklist. If you configure the whitelist for an AP, the AP will select only channels in the whitelist. You cannot configure both the channel selection blacklist and whitelist for the same AP.
Restrictions and guidelines
This feature takes effect only on APs operating in auto channel selection mode.
Procedure
To configure the channel selection blacklist or whitelist in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Add the specified channels to the channel selection blacklist or whitelist. | channel auto-select { blacklist \| whitelist } channel-number | By default, a radio uses the configuration in AP group view. |
To configure the channel selection blacklist or whitelist in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Add the specified channels to the channel selection blacklist or whitelist. | channel auto-select { blacklist \| whitelist } channel-number | By default, no channel selection blacklist or whitelist exists. |
Setting the antenna type
About setting the antenna type
Perform this task to set the antenna type for an AP. The antenna type setting for an AP must be consistent with the type of the antenna used on the AP.
To ensure that the Effective Isotropic Radiated Power (EIRP) is within the correct range, the antenna gain automatically changes after you set the antenna type.
Restrictions and guidelines
Antenna types supported by an AP vary by device model.
Procedure
To set the antenna type in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the antenna type. | antenna type antenna-type | By default, a radio uses the configuration in AP group radio view. |
To set the antenna type in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the antenna type. | antenna type antenna-type | The default antenna type for an AP varies by device model. |
Setting the antenna gain
About setting the antenna gain
EIRP is the actual transmit power of an antenna, and it is the sum of the antenna gain and the maximum transmit power of the radio.
Procedure
To set the antenna gain in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the antenna gain. | custom-antenna gain antenna-gain | By default, a radio uses the configuration in AP group radio view. |
To set the antenna gain in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the antenna gain. | custom-antenna gain antenna-gain | By default, the antenna gain is 0 dBi. |
Setting the maximum transmit power
Restrictions and guidelines
The transmit power range supported by a radio varies by country code, channel, AP model, radio mode, antenna type, and bandwidth mode. If you change these attributes for a radio after you set the maximum transmit power, the configured maximum transmit power might be out of the supported transmit power range. If this happens, the system automatically adjusts the maximum transmit power to a valid value.
If you enable power lock, the locked power becomes the maximum transmit power. For more information about power lock, see "Configuring power lock."
Procedure
To set the maximum transmit power in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the maximum transmit power. | max-power radio-power | By default, a radio uses the configuration in AP group radio view. |
To set the maximum transmit power in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the maximum transmit power. | max-power radio-power | By default, a radio uses the supported maximum transmit power. |
Configuring power lock
About power lock
If you enable power lock, the current power is locked and becomes the maximum transmit power. The locked power still takes effect after the AC restarts.
If a radio enabled with power lock switches to a new channel that provides lower power than the locked power, the maximum power supported by the new channel takes effect.
Procedure
To configure power lock in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure power lock. | power-lock { disable \| enable } | By default, a radio uses the configuration in AP group radio view. |
To configure power lock in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure power lock. | power-lock { disable \| enable } | By default, power lock is disabled. |
Setting transmission rates
About transmission rates
Transmission rates are classified into the following types:
· Prohibited rates—Rates that cannot be used by an AP.
· Mandatory rates—Rates that the clients must support to associate with an AP.
· Supported rates—Rates that an AP supports. After a client associates with an AP, the client can select a higher rate from the supported rates to communicate with the AP. The AP automatically decreases or increases the transmission rate as interference signals, retransmission packets, or dropped packets increase or decrease.
· Multicast rate—Rate at which an AP transmits multicasts and broadcasts. The multicast rate must be selected from the mandatory rates.
Procedure
To set the transmission rates in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the transmission rates for the radio. | rate { multicast { auto \| rate-value } \| { disabled \| mandatory \| supported } rate-value } | By default, a radio uses the configuration in AP group radio view. |
To set the transmission rates in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the transmission rates for the radio. | rate { multicast { auto \| rate-value } \| { disabled \| mandatory \| supported } rate-value } | The default settings are as follows (listed after this table). |
The default settings are as follows:
· 802.11a/802.11an/802.11ac radios:
    · Prohibited rates—None.
    · Mandatory rates—6, 12, and 24.
    · Multicast rate—Selected from the mandatory rates.
    · Supported rates—9, 18, 36, 48, and 54.
· 802.11b radios:
    · Prohibited rates—None.
    · Mandatory rates—1 and 2.
    · Multicast rate—Selected from the mandatory rates.
    · Supported rates—5.5 and 11.
· 802.11g/802.11gn radios:
    · Prohibited rates—None.
    · Mandatory rates—1, 2, 5.5, and 11.
    · Multicast rate—Selected from the mandatory rates.
    · Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.
Setting the beacon interval
About setting the beacon interval
Perform this task to enable an AP to broadcast beacon frames at the specified interval. A short beacon interval enables clients to easily detect the AP but consumes more system resources.
Procedure
To set the beacon interval in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the beacon interval. | beacon-interval interval | By default, a radio uses the configuration in AP group radio view. |
To set the beacon interval in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the beacon interval. | beacon-interval interval | By default, the beacon interval is 100 TU. |
Setting the DTIM interval
About setting the DTIM interval
An AP periodically broadcasts a beacon compliant with the Delivery Traffic Indication Map (DTIM). After the AP broadcasts the beacon, it sends buffered broadcast and multicast frames based on the value of the DTIM interval. For example, if you set the DTIM interval to 5, the AP sends buffered broadcast and multicast frames every five beacon frames.
Procedure
To set the DTIM interval in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the DTIM interval. | dtim counter | By default, a radio uses the configuration in AP group radio view. |
To set the DTIM interval in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the DTIM interval. | dtim counter | By default, the DTIM interval is 1. |
Specifying a collision avoidance mode
About collision avoidance modes
Wireless devices operate in half duplex mode and cannot send and receive data simultaneously. To avoid collisions, 802.11 allows wireless devices to send Request to Send (RTS) or Clear to Send (CTS) packets before they transmit data.
You can specify either of the following collision avoidance modes for an AP:
· RTS/CTS—An AP sends an RTS packet to a client before sending data to the client. After receiving the RTS packet, the client sends a CTS packet to the AP. The AP begins to send data after receiving the CTS packet, and other devices that detect the RTS or CTS packet do not send data within a specific time period.
· CTS-to-self—An AP sends a CTS packet with its own MAC address as the destination MAC address before sending data to a client. After receiving the CTS-to-self packet, the AP begins to send data, and other devices that detect the CTS-to-self packet do not send data within a specific time period. The CTS-to-self mode reduces the transmission time but might result in hidden node problems.
To conserve wireless resources, collision avoidance takes effect only when both of the following conditions are met:
· The size of the packets to be sent is larger than the RTS threshold (2346 bytes by default).
· 802.11g or 802.11n protection is enabled. For more information about 802.11g or 802.11n protection, see "Configuring 802.11g protection" and "Configuring 802.11n protection."
Procedure
To specify a collision avoidance mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Specify a collision avoidance mode. | protection-mode { cts-to-self | rts-cts } | By default, a radio uses the configuration in AP group radio view. |
To specify a collision avoidance mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Specify a collision avoidance mode. | protection-mode { cts-to-self | rts-cts } | By default, the CTS-to-self mode is used. |
Setting the RTS threshold
About setting the RTS threshold
802.11 allows wireless devices to send Request to Send (RTS) or Clear to Send (CTS) packets to avoid collision. However, excessive RTS and CTS packets consume system resources and reduce transmission efficiency. You can set an RTS threshold to resolve this problem. The system performs collision avoidance only for packets larger than the RTS threshold.
Restrictions and guidelines
In a low-density WLAN, increase the RTS threshold to improve the network throughput and efficiency. In a high-density WLAN, decrease the RTS threshold to reduce collisions in the network.
Procedure
To set the RTS threshold in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the RTS threshold. | protection-threshold size | By default, a radio uses the configuration in AP group radio view. |
To set the RTS threshold in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the RTS threshold. | protection-threshold size | By default, the RTS threshold is 2346 bytes. |
Setting the fragmentation threshold
About setting the fragmentation threshold
Frames larger than the fragmentation threshold are fragmented before transmission. Frames smaller than the fragmentation threshold are transmitted without fragmentation.
If a fragment is not received, only that fragment is retransmitted, not the whole frame.
Restrictions and guidelines
In a WLAN with heavy interference, decrease the fragmentation threshold and set the MTU (ip mtu command) of packets sent over the radio to a value lower than the fragmentation threshold. This improves the network throughput and efficiency.
Procedure
To set the fragmentation threshold in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the fragmentation threshold. | fragment-threshold size | By default, a radio uses the configuration in AP group radio view. |
To set the fragmentation threshold in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the fragmentation threshold. | fragment-threshold size | By default, the fragmentation threshold is 2346 bytes. |
Setting the hardware retransmission limits
About the hardware retransmission limits
In wireless networks, unicast packets require acknowledgements. If a radio fails to receive the acknowledgement for a packet, it retransmits the packet.
You can set separate hardware retransmission limits for large frames and small frames. Transmitting a large frame takes more buffer space and more airtime, because the system performs collision avoidance for large frames before transmission. Therefore, you can set a smaller hardware retransmission limit for large frames to save system buffer and transmission time.
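How the fragmentation threshold, the RTS threshold and the short/long hardware retry limits from the preceding sections act together on a single unicast frame, as an added example in Python (not vendor code). Assumptions: the RTS comparison is applied to each fragment after fragmentation, as 802.11 does; a retry limit counts retransmissions after the first attempt; the loss pattern is constructed input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RadioSettings:
    """Per-radio values from this manual, initialised to the page's defaults."""
    fragment_threshold: int = 2346    # fragment-threshold size
    rts_threshold: int = 2346         # protection-threshold size
    protection_enabled: bool = False  # dot11g / dot11n protection
    short_retry: int = 7              # short-retry threshold count (small frames)
    long_retry: int = 4               # long-retry threshold count (large frames)


@dataclass
class TxReport:
    fragments: List[int] = field(default_factory=list)   # fragment sizes in bytes
    protected: List[bool] = field(default_factory=list)  # RTS/CTS or CTS-to-self used?
    attempts: List[int] = field(default_factory=list)    # transmissions per fragment
    delivered: bool = False


def fragment(frame_len: int, threshold: int) -> List[int]:
    """Frames larger than the fragmentation threshold are split; others go whole."""
    if frame_len <= threshold:
        return [frame_len]
    full, rest = divmod(frame_len, threshold)
    return [threshold] * full + ([rest] if rest else [])


def needs_protection(mpdu_len: int, s: RadioSettings) -> bool:
    """Collision avoidance runs only when both page conditions hold: the
    fragment exceeds the RTS threshold and 802.11g/n protection is enabled."""
    return mpdu_len > s.rts_threshold and s.protection_enabled


def transmit(frame_len: int, s: RadioSettings,
             lost: Optional[Dict[int, int]] = None) -> TxReport:
    """Send one unicast frame. `lost` maps fragment index -> number of
    consecutive transmissions of that fragment that get no acknowledgement
    (constructed loss pattern). Only the unacknowledged fragment is
    retransmitted, and a fragment that exhausts its retry limit fails the
    whole frame."""
    lost = lost or {}
    report = TxReport(fragments=fragment(frame_len, s.fragment_threshold))
    for i, size in enumerate(report.fragments):
        # Large frames (above the RTS threshold) use the long retry limit,
        # small frames the short one.
        limit = s.long_retry if size > s.rts_threshold else s.short_retry
        losses = lost.get(i, 0)
        report.protected.append(needs_protection(size, s))
        report.attempts.append(min(losses, limit) + 1)
        if losses > limit:            # retry budget exhausted: frame dropped
            return report
    report.delivered = True
    return report
```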
Procedure
To set the hardware retransmission limits in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the hardware retransmission limit for small frames. | short-retry threshold count | By default, a radio uses the configuration in AP group radio view. |
5. Set the hardware retransmission limit for large frames. | long-retry threshold count | By default, a radio uses the configuration in AP group radio view. |
To set the hardware retransmission limits in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the hardware retransmission limit for small frames. | short-retry threshold count | By default, the hardware retransmission limit is 7 for small frames. |
6. Set the hardware retransmission limit for large frames. | long-retry threshold count | By default, the hardware retransmission limit is 4 for large frames. |
Setting the maximum number of clients that can associate with an AP
About the maximum number of associated clients on an AP
When the maximum number of clients is reached on an AP, the AP stops accepting new clients. This prevents the AP from being overloaded.
Procedure
To set the maximum number of clients that can associate with an AP in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the maximum number of clients that can associate with the AP. | client max-count max-number | By default, a radio uses the configuration in AP group radio view. |
To set the maximum number of clients that can associate with an AP in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the maximum number of clients that can associate with the AP. | client max-count max-number | By default, no limit is set for the number of clients that can associate with an AP. |
Configuring access services for 802.11b clients
About 802.11b client access
To prevent low-speed 802.11b clients from degrading wireless data transmission performance, you can configure an 802.11g or 802.11gn radio to deny access to 802.11b clients.
Procedure
To configure access services for 802.11b clients in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure access services for 802.11b clients. | client dot11b-forbidden { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure access services for 802.11b clients in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure access services for 802.11b clients. | client dot11b-forbidden { disable | enable } | By default, a radio accepts 802.11b clients. |
Configuring 802.11g protection
About 802.11g protection
When both 802.11b and 802.11g clients exist in a WLAN, transmission collision might occur because they use different modulation modes. 802.11g protection can avoid such collision. It enables 802.11g, 802.11n, or 802.11ac devices to send RTS/CTS or CTS-to-self packets to inform 802.11b clients to defer access to the medium. For more information about RTS/CTS or CTS-to-self, see "Specifying a collision avoidance mode."
802.11g, 802.11n, or 802.11ac devices send RTS/CTS or CTS-to-self packets before sending data only when 802.11b signals are detected on the channel.
802.11g protection automatically takes effect when 802.11b clients associate with an 802.11g or 802.11n (2.4 GHz) AP.
Restrictions and guidelines
This feature is applicable only to 802.11g and 802.11n (2.4 GHz) radios.
Procedure
To configure 802.11g protection in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure 802.11g protection. | dot11g protection { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure 802.11g protection in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure 802.11g protection. | dot11g protection { disable | enable } | By default, 802.11g protection is disabled. |
Configuring ANI
About ANI
Adaptive Noise Immunity (ANI) enables the device to adjust the anti-noise level as required by the environment to reduce interference.
Procedure
To configure ANI in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure ANI. | ani { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure ANI in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure ANI. | ani { disable | enable } | By default, ANI is enabled. |
Setting the preamble type
About preambles
A preamble is a set of bits in a packet header that synchronizes transmission signals between the sender and the receiver. A short preamble improves network performance; a long preamble ensures compatibility with wireless devices that use long preambles.
Restrictions and guidelines
This feature is applicable only to 802.11b, 802.11g, and 802.11gn radios.
Procedure
To set the preamble type in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the preamble type. | preamble { long | short } | By default, a radio uses the configuration in AP group radio view. |
To set the preamble type in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the preamble type. | preamble { long | short } | By default, a short preamble is used. |
Setting the maximum transmission distance
About the maximum transmission distance
The strength of wireless signals gradually degrades as the transmission distance increases. The maximum transmission distance of wireless signals depends on the surrounding environment and on whether an external antenna is used.
· Without an external antenna—About 300 meters (984.25 ft).
· With an external antenna—30 km (18.64 miles) to 50 km (31.07 miles).
· In an area with obstacles—35 m (114.83 ft) to 50 m (164.04 ft).
Procedure
To set the maximum transmission distance in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the maximum transmission distance. | distance distance | By default, a radio uses the configuration in AP group radio view. |
To set the maximum transmission distance in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the maximum transmission distance. | distance distance | By default, the maximum transmission distance is 1 km (0.62 miles). |
Enabling the continuous mode for a radio
About the continuous mode
This feature is used for network testing only. Do not use it under any other circumstances.
The feature enables continuous data packet sending at the specified rate. When the feature is enabled, do not perform any other operations except for changing the transmit rate.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable the continuous mode for a radio. | continuous-mode { mcs mcs-index | nss nss-index vht-mcs vhtmcs-index | rate rate-value } | By default, the continuous mode is disabled. The rate rate-value option applies to all radio types. The mcs mcs-index option applies only to 802.11n and 802.11ac radios. The nss nss-index vht-mcs vhtmcs-index option applies only to 802.11ac radios. |
Performing on-demand channel usage measurement
About on-demand channel usage measurement
This feature enables an AP to scan supported channels and display the channel usage after scanning. It takes about one second to scan a channel.
Procedure
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter AP view. | wlan ap ap-name |
3. Enter radio view. | radio radio-id |
4. Perform on-demand channel usage measurement. | channel-usage measure |
Configuring 802.11n functions
NOTE: Support for 802.11n functions depends on the device model.
Specifying the A-MPDU aggregation method
About MPDU aggregation
A MAC Protocol Data Unit (MPDU) is a data frame in 802.11 format. MPDU aggregation aggregates multiple MPDUs into one aggregate MPDU (A-MPDU) to reduce additional information, ACK frames, and Physical Layer Convergence Procedure (PLCP) header overhead. This improves network throughput and channel efficiency.
All MPDUs in an A-MPDU must have the same QoS priority, source address, and destination address.
Procedure
To specify the A-MPDU aggregation method in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Specify the A-MPDU aggregation method. | a-mpdu { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To specify the A-MPDU aggregation method in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Specify the A-MPDU aggregation method. | a-mpdu { disable | enable } | By default, the A-MPDU aggregation method is disabled. |
Specifying the A-MSDU aggregation method
About MSDU aggregation
MSDU aggregation aggregates multiple MSDUs into one aggregate MSDU (A-MSDU) to reduce PLCP preamble, PLCP header, and MAC header overheads. This improves network throughput and frame forwarding efficiency.
All MSDUs in an A-MSDU must have the same QoS priority, source address, and destination address. When a device receives an A-MSDU, it restores the A-MSDU to multiple MSDUs for processing.
Procedure
To specify the A-MSDU aggregation method in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Specify the A-MSDU aggregation method. | a-msdu { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To specify the A-MSDU aggregation method in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Specify the A-MSDU aggregation method. | a-msdu { disable | enable } | By default, the A-MSDU aggregation method is enabled. |
Configuring short GI
About short GI
802.11 OFDM splits frames into data blocks for transmission. It uses a guard interval (GI) between blocks to ensure that the data block transmissions do not interfere with each other and are immune to transmission delays.
The GI used by 802.11a/g is 800 ns. 802.11n supports a short GI of 400 ns, which provides a 10% increase in data rate.
Both the 20 MHz and 40 MHz bandwidth modes support short GI.
Procedure
To configure short GI in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure short GI. | short-gi { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure short GI in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure short GI. | short-gi { disable | enable } | By default, short GI is enabled. |
Configuring LDPC
About LDPC
802.11n introduces the Low-Density Parity Check (LDPC) mechanism to increase the signal-to-noise ratio and enhance transmission quality. LDPC takes effect only when both ends support LDPC.
Procedure
To configure LDPC in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure LDPC. | ldpc { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure LDPC in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure LDPC. | ldpc { disable | enable } | By default, LDPC is disabled. |
Configuring STBC
About STBC
The Space-Time Block Coding (STBC) mechanism enhances the reliability of data transmission and does not require clients to have high transmission rates.
Procedure
To configure STBC in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure STBC. | stbc { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure STBC in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure STBC. | stbc { disable | enable } | By default, STBC is enabled. |
Setting MCS indexes
About MCS indexes
802.11n clients use the rate corresponding to the MCS index to send unicast frames. 802.11a/b/g clients use the 802.11a/b/g rate to send unicast frames.
If you do not set a multicast MCS index, 802.11n clients and the AP use the 802.11a/b/g multicast rate to send multicast frames. If you set a multicast MCS index, one of the following occurs:
· The AP and clients use the rate corresponding to the multicast MCS index to send multicast frames if only 802.11n and 802.11ac clients exist.
· The AP and clients use the 802.11a/b/g multicast rate to send multicast frames if any 802.11a/b/g clients exist.
When you set the maximum mandatory or supported MCS index, you are specifying a range. For example, if you set the maximum mandatory MCS index to 5, rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
Restrictions and guidelines
The multicast MCS index cannot be greater than the maximum mandatory MCS index.
The maximum supported MCS index cannot be smaller than the maximum mandatory MCS index.
Procedure
To set MCS indexes in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the maximum mandatory MCS index. | dot11n mandatory maximum-mcs index | By default, no maximum mandatory MCS index is set if the maximum supported MCS index is set; the radio uses the configuration in AP group radio view if the maximum supported MCS index is not set. |
5. Set the maximum supported MCS index. | dot11n support maximum-mcs index | By default, the maximum supported MCS index is 76 if the maximum mandatory MCS index is set; the radio uses the configuration in AP group radio view if the maximum mandatory MCS index is not set. |
6. Set the multicast MCS index. | dot11n multicast-mcs index | By default, no multicast MCS index is set if the maximum supported MCS index or the maximum mandatory MCS index is set; the radio uses the configuration in AP group radio view if neither is set. |
To set MCS indexes in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the maximum mandatory MCS index. | dot11n mandatory maximum-mcs index | By default, no maximum mandatory MCS index is set. |
6. Set the maximum supported MCS index. | dot11n support maximum-mcs index | By default, the maximum supported MCS index is 76. |
7. Set the multicast MCS index. | dot11n multicast-mcs index | By default, no multicast MCS index is set. |
Configuring the client dot11n-only feature
About the client dot11n-only feature
To prevent low-speed 802.11a/b/g clients from decreasing wireless data transmission performance, you can enable the client dot11n-only feature for an AP to accept only 802.11n and 802.11ac clients.
Procedure
To configure the client dot11n-only feature in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure the client dot11n-only feature. | client dot11n-only { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure the client dot11n-only feature in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure the client dot11n-only feature. | client dot11n-only { disable | enable } | By default, the client dot11n-only feature is disabled. |
Setting the 802.11n bandwidth mode
About 802.11n bandwidth modes
802.11n uses the channel structure of 802.11a/b/g, but it increases the number of data subchannels in each 20 MHz channel to 52. This improves data transmission rate.
802.11n binds two adjacent 20 MHz channels to form a 40 MHz channel (one primary channel and one secondary channel). This provides a simple way to double the data rate.
If the current channel of a radio does not support the specified bandwidth mode, the radio clears the channel configuration and selects another channel.
If the bandwidth mode is set to 40 MHz, the radio uses the 40 MHz bandwidth if two adjacent channels that can be bound together exist. If there are no adjacent channels that can be bound together, the radio uses the 20 MHz bandwidth.
Procedure
To set the 802.11n bandwidth mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the 802.11n bandwidth mode. | channel band-width { 20 | 40 [ auto-switch ] } | By default, a radio uses the configuration in AP group radio view. Only 802.11gn radios support the auto-switch keyword. |
To set the 802.11n bandwidth mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the 802.11n bandwidth mode. | channel band-width { 20 | 40 [ auto-switch ] } | By default, the bandwidth mode is 40 MHz for 802.11an radios and 20 MHz for 802.11gn radios. Only 802.11gn radios support the auto-switch keyword. |
Specifying a MIMO mode
NOTE: The number of spatial streams supported by a radio varies by device model.
About MIMO modes
Multiple-input and multiple-output (MIMO) enables a radio to send and receive wireless signals through multiple spatial streams. This improves system capacity and spectrum usage without requiring higher bandwidth.
A radio can operate in one of the following MIMO modes:
· 1x1—Sends and receives wireless signals through one spatial stream.
· 2x2—Sends and receives wireless signals through two spatial streams.
· 3x3—Sends and receives wireless signals through three spatial streams.
· 4x4—Sends and receives wireless signals through four spatial streams.
Procedure
To specify a MIMO mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Specify a MIMO mode. | mimo { 1x1 | 2x2 | 3x3 | 4x4 } | By default, a radio uses the configuration in AP group radio view. |
To specify a MIMO mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Specify a MIMO mode. | mimo { 1x1 | 2x2 | 3x3 | 4x4 } | The default MIMO mode for a radio varies by device model. |
Configuring energy saving
About energy saving
After you enable the energy-saving feature, the MIMO mode of a radio automatically changes to 1x1 if no clients associate with the radio.
Procedure
To configure energy saving in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure energy saving. | green-energy-management { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure energy saving in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure energy saving. | green-energy-management { disable | enable } | By default, energy saving is disabled. |
Configuring 802.11n protection
About 802.11n protection
When both 802.11n and non-802.11n clients exist in a WLAN, transmission collision might occur because they use different modulation modes. 802.11n protection can avoid such collision. It enables 802.11n devices to send RTS/CTS or CTS-to-self packets to inform non-802.11n clients to defer access to the medium. For more information about RTS/CTS or CTS-to-self, see "Specifying a collision avoidance mode."
802.11n devices send RTS/CTS or CTS-to-self packets before sending data only when non-802.11n signals are detected on the channel.
802.11n protection automatically takes effect when non-802.11n clients associate with an 802.11n AP.
NOTE: 802.11n devices refer to 802.11n and 802.11ac devices.
Procedure
To configure 802.11n protection in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure 802.11n protection. | dot11n protection { disable | enable } | By default, a radio uses the configuration in AP group radio view. |
To configure 802.11n protection in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure 802.11n protection. | dot11n protection { disable | enable } | By default, 802.11n protection is disabled. |
Configuring 802.11ac functions
NOTE: Support for 802.11ac depends on the device model.
Setting NSSs
About NSSs
If the AP supports an NSS, it supports all VHT-MCS indexes for the NSS. 802.11ac clients use the rate corresponding to the VHT-MCS index for the NSS to send unicast frames. Non-802.11ac clients use the 802.11a/b/g/n rate to send unicast frames.
If you do not set a multicast NSS, 802.11ac clients and the AP use the 802.11a/b/g/n multicast rate to send multicast frames. If you set a multicast NSS and specify a VHT-MCS index, the following situations occur:
· The AP and clients use the rate corresponding to the VHT-MCS index to send multicast frames if all clients are 802.11ac clients.
· The AP and clients use the 802.11a/b/g/n multicast rate to send multicast frames if any non-802.11ac clients exist.
The maximum mandatory NSS or supported NSS determines a range of 802.11 rates. For example, if the maximum mandatory NSS is 5, rates corresponding to VHT-MCS indexes for NSSs 1 through 5 will be 802.11ac mandatory rates.
Restrictions and guidelines
The maximum supported NSS cannot be smaller than the maximum mandatory NSS, and the multicast NSS cannot be greater than the maximum mandatory NSS.
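A resolver for the two-level configuration model used throughout this chapter (radio view overrides AP group radio view, which falls back to the stated defaults), together with the restrictions from "Setting MCS indexes" and from the NSS section above, as an added example in Python (not vendor code). Assumptions: views are plain dictionaries keyed by the command keyword; for dot11ac multicast-nss only the nss-number is stored; a restriction is checked only when both values it names are set.

```python
from typing import Dict, List, Optional, Tuple

# Command keywords as they appear in this manual, per rate family:
# (maximum mandatory, maximum supported, multicast).
RATE_COMMANDS = {
    "mcs": ("dot11n mandatory maximum-mcs",
            "dot11n support maximum-mcs",
            "dot11n multicast-mcs"),
    "nss": ("dot11ac mandatory maximum-nss",
            "dot11ac support maximum-nss",
            "dot11ac multicast-nss"),
}
# Defaults stated on the page for (mandatory, supported, multicast); None = not set.
ABSOLUTE_DEFAULTS = {"mcs": (None, 76, None), "nss": (None, 8, None)}

View = Dict[str, int]   # command keyword -> configured index (assumed layout)
Settings = Tuple[Optional[int], Optional[int], Optional[int]]


def effective_rate_settings(radio_view: View, group_view: View, kind: str) -> Settings:
    """Resolve (mandatory, supported, multicast) for one radio.

    The page treats the three settings as a unit: once any of them is set in
    radio view, the unset members take the absolute defaults (not set / 76 or
    8 / not set) rather than the AP group radio view value. With none of them
    set in radio view, all three come from AP group radio view, which itself
    falls back to the same absolute defaults."""
    keys, defaults = RATE_COMMANDS[kind], ABSOLUTE_DEFAULTS[kind]
    source = radio_view if any(k in radio_view for k in keys) else group_view
    return tuple(source.get(k, d) for k, d in zip(keys, defaults))


def check_rate_indexes(mandatory: Optional[int], supported: Optional[int],
                       multicast: Optional[int], kind: str) -> List[str]:
    """Restrictions from the page: supported >= mandatory, multicast <= mandatory."""
    errors = []
    if mandatory is not None and supported is not None and supported < mandatory:
        errors.append(f"{kind}: maximum supported {supported} is smaller than "
                      f"maximum mandatory {mandatory}")
    if mandatory is not None and multicast is not None and multicast > mandatory:
        errors.append(f"{kind}: multicast {multicast} is greater than "
                      f"maximum mandatory {mandatory}")
    return errors


def validate_radio(radio_view: View, group_view: View) -> List[str]:
    """All violations for the effective MCS and NSS settings of one radio."""
    errors: List[str] = []
    for kind in RATE_COMMANDS:
        settings = effective_rate_settings(radio_view, group_view, kind)
        errors += check_rate_indexes(*settings, kind)
    return errors


def multicast_rate(multicast_index: Optional[int], clients: List[str], kind: str) -> str:
    """Which rate multicast frames use, per the page. For 'mcs' the index is
    used only when every client is 802.11n or 802.11ac; for 'nss' only when
    every client is 802.11ac. Otherwise the 802.11a/b/g(/n) multicast rate
    ('legacy') is used. Client labels such as '11n' are constructed."""
    fast = {"11n", "11ac"} if kind == "mcs" else {"11ac"}
    if multicast_index is None or any(c not in fast for c in clients):
        return "legacy"
    return f"{kind}-{multicast_index}"
```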
Procedure
To set NSSs in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the maximum mandatory NSS. | dot11ac mandatory maximum-nss nss-number | By default, if the multicast NSS or the maximum supported NSS is set, no maximum mandatory NSS is set; if neither is set, the radio uses the configuration in AP group radio view. |
5. Set the maximum supported NSS. | dot11ac support maximum-nss nss-number | By default, if the multicast NSS or the maximum mandatory NSS is set, the maximum supported NSS is 8; if neither is set, the radio uses the configuration in AP group radio view. |
6. Set the multicast NSS and specify a VHT-MCS index. | dot11ac multicast-nss nss-number vht-mcs index | By default, if the maximum supported NSS or the maximum mandatory NSS is set, no multicast NSS is set; if neither is set, the radio uses the configuration in AP group radio view. |
To set NSSs in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the maximum mandatory NSS. | dot11ac mandatory maximum-nss nss-number | By default, no maximum mandatory NSS is set. |
6. Set the maximum supported NSS. | dot11ac support maximum-nss nss-number | By default, the maximum supported NSS is 8. |
7. Set the multicast NSS and specify a VHT-MCS index. | dot11ac multicast-nss nss-number vht-mcs index | By default, no multicast NSS is set. |
Configuring the client dot11ac-only feature
About the client dot11ac-only feature
To prevent low-speed 802.11a/b/g/n clients from decreasing wireless data transmission performance, you can enable the client dot11ac-only feature for an AP to accept only 802.11ac clients.
Procedure
To configure the client dot11ac-only feature in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure the client dot11ac-only feature. | client dot11ac-only { disable \| enable } | By default, a radio uses the configuration in AP group radio view. |
To configure the client dot11ac-only feature in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure the client dot11ac-only feature. | client dot11ac-only { disable \| enable } | By default, the client dot11ac-only feature is disabled. |
Setting the 802.11ac bandwidth mode
About 802.11ac bandwidth modes
802.11ac uses the channel structure of 802.11n and increases the maximum bandwidth from 40 MHz to 160 MHz. 802.11ac can bind two adjacent 20/40/80 MHz channels to form a 40/80/160 MHz channel.
The radio uses the specified 40/80/160 MHz bandwidth if adjacent channels can be bound to form a 40/80/160 MHz channel. If adjacent channels cannot form a 40/80/160 MHz channel, the radio uses the next available bandwidth smaller than the specified one.
For example, the bandwidth mode is set to 80 MHz. The radio uses the 80 MHz bandwidth if adjacent channels that can be bound together exist. If adjacent channels that can be bound to an 80 MHz channel do not exist, but two adjacent channels that can be bound to a 40 MHz channel exist, the 40 MHz bandwidth is used. If no adjacent channels that can be bound together exist, the radio uses the 20 MHz bandwidth.
When the bandwidth mode is set to 80+80 MHz, the radio uses the 160 MHz bandwidth if two adjacent 80 MHz channels that can be bound together exist. If a 160 MHz channel cannot be formed but two non-adjacent 80 MHz channels are available, the radio uses the two 80 MHz channels to achieve the 160 MHz bandwidth.
If the working channel is specified, you can specify the secondary 80 MHz channel for the 160 MHz or 80+80 MHz bandwidth mode. If no working channel is specified, the device automatically selects a secondary channel. The working channel forwards all packets and the secondary channel forwards only data packets.
If the current channel of a radio does not support the specified bandwidth mode, the radio clears the channel configuration and selects another channel.
NOTE: Support for the 160 MHz and 80+80 MHz bandwidth modes depends on the device model.
Figure 8 802.11ac bandwidth modes
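The fallback rules above (80 MHz down to 40 and 20 MHz, and 160 MHz versus two non-adjacent 80 MHz channels for the dual-80 mode), implemented as an added example that is not code from this guide. The 5 GHz channel plan, the set of unavailable channels and the plan-order choice of the secondary 80 MHz channel are constructed assumptions for the example.

```python
"""Bandwidth selection for the channel band-width modes described above.

Added example, not code from the configuration guide. The channel plan below is
constructed: each group lists consecutive 20 MHz channels, and a bonded 40/80/160 MHz
block must be aligned inside its group (e.g. 36-48 is an 80 MHz block, 36-64 a
160 MHz block). Channels the radio cannot use are simply left out of the
'available' set passed by the caller.
"""
from typing import FrozenSet, Iterable, Optional, Tuple

Block = Tuple[int, ...]

# Constructed channel plan: groups of consecutive 20 MHz channels (numbers step by 4).
CHANNEL_GROUPS = [
    [36, 40, 44, 48, 52, 56, 60, 64],
    [100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144],
    [149, 153, 157, 161],
]


def bonded_block(primary: int, width_mhz: int) -> Optional[Block]:
    """Aligned block of 20 MHz channels of the given width that contains the primary
    channel, or None when the plan has no such block (e.g. no 160 MHz block at 132)."""
    n = width_mhz // 20
    for group in CHANNEL_GROUPS:
        if primary in group:
            idx = group.index(primary)
            start = idx - idx % n
            block = tuple(group[start:start + n])
            return block if len(block) == n else None
    return None


def usable(block: Optional[Block], available: FrozenSet[int]) -> bool:
    """A block can be bound only if every one of its 20 MHz channels is available."""
    return block is not None and all(ch in available for ch in block)


def adjacent(a: Block, b: Block) -> bool:
    """True when the two blocks are contiguous in frequency (consecutive channel numbers)."""
    return a[0] - b[-1] == 4 or b[0] - a[-1] == 4


def select_bandwidth(primary: int, mode, available: Iterable[int]) -> Tuple[str, Block, Optional[Block]]:
    """Return (bandwidth label, primary block, secondary 80 MHz block or None).

    mode is 20, 40, 80, 160 or "dual-80", matching the channel band-width keywords.
    When adjacent channels cannot be bound, the next smaller bandwidth is used, down
    to 20 MHz. For dual-80: 160 MHz if two adjacent 80 MHz blocks bind; otherwise the
    80 MHz block holding the primary plus another available, non-adjacent 80 MHz block;
    otherwise the plain 80 MHz fallback. The secondary block is taken in channel-plan
    order, which is an assumption of this example (the guide only says the device
    selects it automatically).
    """
    avail = frozenset(available)
    if mode not in (20, 40, 80, 160, "dual-80"):
        raise ValueError(f"unsupported bandwidth mode: {mode!r}")
    if mode == "dual-80":
        block160 = bonded_block(primary, 160)
        if usable(block160, avail):
            return ("160MHz", block160, None)
        block80 = bonded_block(primary, 80)
        if usable(block80, avail):
            for group in CHANNEL_GROUPS:
                for start in range(0, len(group) - 3, 4):
                    cand = tuple(group[start:start + 4])
                    if cand != block80 and usable(cand, avail) and not adjacent(cand, block80):
                        return ("80+80MHz", block80, cand)
        mode = 80  # no usable pair: same fallback as the plain 80 MHz mode
    for width in (w for w in (160, 80, 40, 20) if w <= mode):
        block = bonded_block(primary, width)
        if usable(block, avail):
            return (f"{width}MHz", block, None)
    raise ValueError(f"channel {primary} is unavailable or not in the channel plan")
```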
Procedure
To set the 802.11ac bandwidth mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the 802.11ac bandwidth mode. | channel band-width { 20 \| 40 \| 80 \| { 160 \| dual-80 } [ secondary-channel channel-number ] } | By default, a radio uses the configuration in AP group radio view. |
To set the 802.11ac bandwidth mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the 802.11ac bandwidth mode. | channel band-width { 20 \| 40 \| 80 \| { 160 \| dual-80 } [ secondary-channel channel-number ] } | By default, the bandwidth mode is 80 MHz and 20 MHz for 802.11ac radios. |
Configuring TxBF
NOTE: Support for this feature depends on the AP model.
About TxBF
Transmit beamforming (TxBF) enables an AP to adjust transmitting parameters based on the channel information to focus RF signals on intended clients. This feature improves the RF signal quality. TxBF includes single-user TxBF and multi-user TxBF.
· Single-user TxBF—Single-user TxBF enables an AP to improve the signal to one intended client. Single-user TxBF is applicable to WLANs that have widely spread clients, poor network quality, and serious signal attenuation.
· Multi-user TxBF—Multi-user TxBF is part of 802.11ac Wave2. Multi-user TxBF enables an AP to focus different RF signals on their intended clients to reduce interference and transmission delay. This improves traffic throughput and bandwidth usage. Multi-user TxBF is applicable to WLANs that have a large number of clients and require high bandwidth usage and low transmission delay.
Procedure
To configure TxBF in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure single-user TxBF. | su-txbf { disable \| enable } | By default, a radio uses the configuration in AP group radio view. |
5. Configure multi-user TxBF. | mu-txbf { disable \| enable } | By default, a radio uses the configuration in AP group radio view. Multi-user TxBF takes effect only when single-user TxBF is enabled. |
To configure TxBF in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure single-user TxBF. | su-txbf { disable \| enable } | By default, single-user TxBF is enabled. |
6. Configure multi-user TxBF. | mu-txbf { disable \| enable } | By default, multi-user TxBF is enabled. Multi-user TxBF takes effect only when single-user TxBF is enabled. |
Configuring the smart antenna feature
NOTE: Support for this feature depends on the device model.
About the smart antenna feature
This feature is applicable only to 802.11n and 802.11ac radios.
The smart antenna feature enables an AP to automatically adjust the antenna parameters based on the client location and channel information to improve signal quality and stability.
You can configure a radio to operate in one of the following smart antenna modes:
· auto—Uses the high availability mode for audio and video packets, and uses the high throughput mode for other packets.
· high-availability—Applicable to WLANs that require stable bandwidth, this mode reduces noise and interference impacts, and provides guaranteed bandwidth for clients.
· high-throughput—Applicable to WLANs that require high performance, this mode enhances signal strength and association capability.
Procedure
To configure the smart antenna feature in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable the smart antenna feature. | smart antenna enable | By default, a radio uses the configuration in AP group radio view. |
5. Specify a smart antenna mode. | smart-antenna policy { auto \| high-availability \| high-throughput } | By default, a radio uses the configuration in AP group radio view. |
To configure the smart antenna feature in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable the smart antenna feature. | smart antenna enable | By default, the smart antenna feature is enabled. |
6. Specify a smart antenna mode. | smart-antenna policy { auto \| high-availability \| high-throughput } | By default, the auto mode is used. |
Display and maintenance commands for radio management
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display AP radio information. | display wlan ap { all \| name ap-name } radio [ frequency-band { 5 \| 2.4 } ] |
Display radio channel information. | display wlan ap { all \| name ap-name } radio channel |
Display radio type information. | display wlan ap { all \| name ap-name } radio type |
Display radio statistics. | display wlan ap { all \| name ap-name } radio-statistics |
Clear radio statistics. | reset wlan ap { all \| name ap-name } radio-statistics |
Radio management configuration examples
Example: Configuring basic radio function
Network requirements
As shown in Figure 9, create a manual AP and set the radio mode, working channel, and maximum transmit power to 802.11gn, channel 11, and 19 dBm, respectively.
Configuration procedure
# Create manual AP ap1, and specify its model and serial ID.
<AC> system-view
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Enter radio view of radio 2.
[AC-wlan-ap-ap1] radio 2
# Set the radio mode to dot11gn.
[AC-wlan-ap-ap1-radio-2] type dot11gn
# Configure radio 2 to work on channel 11.
[AC-wlan-ap-ap1-radio-2] channel 11
# Set the maximum transmit power to 19 dBm.
[AC-wlan-ap-ap1-radio-2] max-power 19
# Enable radio 2.
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] return
Verifying the configuration
# Display information about all radios.
<AC> display wlan ap all verbose
Total number of APs: 1
Total number of connected APs: 1
Total number of connected manual APs: 1
Total number of connected auto APs: 0
Total number of connected common APs: 1
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 256
Remaining APs: 255
Total AP licenses: 128
Local AP licenses: 2
Server AP licenses: 0
Remaining local AP licenses: 127
Sync AP licenses: 0
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup Type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA2620-WiNet
Region code : CN
Region code lock : Disable
Serial ID : 219801A0CNC138011454
MAC address : 0AFB-423B-893C
IP address : 192.168.1.50
UDP control port number : 65488
UDP data port number : N/A
H/W version : Ver.C
S/W version : V700R001B49D001
Boot version : 1.01
USB state : N/A
Power level : N/A
Power info : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
discovery-response wait-time : 2 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
CAPWAP data-tunnel status : Down
Discovery type : Static Configuration
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Current AC IP : N/A
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio type : 802.11ac
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Secondary channel offset : SCB
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 44(auto)
Channel usage(%) : 0
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : –102 dBm
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 7848-59f6-3950
Admin state : Up
Radio type : 802.11n(2.4GHz)
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 11
Channel usage(%) : 0
Max power : 19 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : –105 dBm
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Example: Configuring 802.11n
Network requirements
As shown in Figure 10, specify radio 1 on the AP as an 802.11an radio, and enable the A-MSDU and A-MPDU aggregation methods on the radio.
Configuration procedure
# Create manual AP ap1, and specify its model and serial ID.
<AC> system-view
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Enter radio view of radio 1 on AP 1, and specify the radio as an 802.11an radio.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] type dot11an
# Enable the A-MPDU and A-MSDU aggregation methods.
[AC-wlan-ap-ap1-radio-1] a-mpdu enable
[AC-wlan-ap-ap1-radio-1] a-msdu enable
# Enable radio 1.
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
Verifying the configuration
# Display information about radios on AP 1.
<AC> display wlan ap name ap1 verbose
AP name : ap1
AP ID : 1
AP group name : default-group
State : Run
Backup Type : Master
Online time : 0 days 1 hours 25 minutes 12 seconds
System up time : 0 days 2 hours 22 minutes 12 seconds
Model : WA2620-WiNet
Region code : CN
Region code lock : Disable
Serial ID : 219801A0CNC138011454
MAC address : 0AFB-423B-893C
IP address : 192.168.1.50
UDP control port number : 65488
UDP data port number : N/A
H/W version : Ver.C
S/W version : V700R001B49D001
Boot version : 1.01
USB state : N/A
Power level : N/A
Power info : N/A
Description : wtp1
Priority : 4
Echo interval : 10 seconds
Echo count : 3 counts
Keepalive interval : 10 seconds
discovery-response wait-time : 2 seconds
Statistics report interval : 50 seconds
Fragment size (data) : 1500
Fragment size (control) : 1450
MAC type : Local MAC & Split MAC
Tunnel mode : Local Bridging & 802.3 Frame & Native Frame
CAPWAP data-tunnel status : Down
Discovery type : Static Configuration
Retransmission count : 3
Retransmission interval : 5 seconds
Firmware upgrade : Enabled
Sent control packets : 1
Received control packets : 1
Echo requests : 147
Lost echo responses : 0
Average echo delay : 3
Last reboot reason : User soft reboot
Latest IP address : 10.1.0.2
Current AC IP : N/A
Tunnel down reason : Request wait timer expired
Connection count : 1
Backup Ipv4 : Not configured
Backup Ipv6 : Not configured
Tunnel encryption : Disabled
Data-tunnel encryption : Disabled
LED mode : Normal
Remote configuration : Enabled
Radio 1:
Basic BSSID : 7848-59f6-3940
Admin state : Up
Radio type : 802.11n(5GHz)
Antenna type : internal
Client dot11ac-only : Disabled
Client dot11n-only : Disabled
Channel band-width : 20/40/80MHz
Active band-width : 20/40/80MHz
Secondary channel offset : SCB
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160MHz : Not supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational VHT-MCS Set:
Mandatory : Not configured
Supported : NSS1 0,1,2,3,4,5,6,7,8,9
NSS2 0,1,2,3,4,5,6,7,8,9
Multicast : Not configured
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 44(auto)
Channel usage(%) : 0
Max power : 20 dBm
Operational rate:
Mandatory : 6, 12, 24 Mbps
Multicast : Auto
Supported : 9, 18, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : –102 dBm
Protection mode : rts-cts
Continuous mode : N/A
HT protection mode : No protection
Radio 2:
Basic BSSID : 7848-59f6-3950
Admin state : Up
Radio type : 802.11n(2.4GHz)
Antenna type : internal
Client dot11n-only : Disabled
Channel band-width : 20MHz
Active band-width : 20MHz
Secondary channel offset : SCN
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
A-MSDU : Enabled
A-MPDU : Enabled
LDPC : Not Supported
STBC : Supported
Operational HT MCS Set:
Mandatory : Not configured
Supported : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15
Multicast : Not configured
Channel : 11
Channel usage(%) : 0
Max power : 19 dBm
Preamble type : Short
Operational rate:
Mandatory : 1, 2, 5.5, 11 Mbps
Multicast : Auto
Supported : 6, 9, 12, 18, 24, 36, 48, 54 Mbps
Disabled : Not configured
Distance : 1 km
ANI : Enabled
Fragmentation threshold : 2346 bytes
Beacon interval : 100 TU
Protection threshold : 2346 bytes
Long retry threshold : 4
Short retry threshold : 7
Maximum rx duration : 2000 ms
Noise Floor : –105 dBm
Protection mode : rts-cts
Continuous mode : N/A
Configuring WLAN access
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN access
A wireless client can access a WLAN only when it completes the scanning, link layer authentication, association, and WLAN authentication processes.
For more information about data link layer authentication, see "Configuring WLAN security."
For more information about WLAN authentication, see "Configuring WLAN authentication."
Figure 11 WLAN access process
Scanning
Active scanning
A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from received probe responses. Based on whether a probe request carries an SSID, active scanning can be divided into the following types:
· Active scanning of all wireless networks.
As shown in Figure 12, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response that carries the available wireless network information. The client associates with the optimal AP.
Figure 12 Scanning all wireless networks
· Active scanning of a specific wireless network.
As shown in Figure 13, the client periodically sends a probe request carrying the specified SSID or the SSID of the wireless network it has been associated with. When an AP that can provide wireless services with the specified SSID receives the probe request, it sends a probe response.
Figure 13 Scanning a specific wireless network
Passive scanning
As shown in Figure 14, the clients periodically listen for beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Then the clients select an AP for association. Passive scanning is used when clients want to save power.
Association
A client sends an association request to the AP after passing data link layer authentication. Upon receiving the request, the AP determines the capabilities supported by the wireless client and sends an association response to the client. The client is then associated with the AP.
Client access control
The following client access control methods are available:
· AP group-based access control—Allows clients associated with APs in the specified AP group to access the WLAN.
· SSID-based access control—Allows clients associated with the specified SSID to access the WLAN.
· Whitelist- and blacklist-based access control—Uses the whitelist and blacklists to control access for the specified clients.
· ACL-based access control—Uses ACL rules bound to APs or service templates to control client access.
AP group-based access control
As shown in Figure 15, for AP group-based access control, configure AP group 1 as the permitted AP group for Client 1 and Client 2, and configure AP group 2 as the permitted AP group for Client 3.
When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the AP with which the client associates is in the permitted AP group. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.
Figure 15 AP group-based access control
SSID-based access control
As shown in Figure 16, for SSID-based access control, configure ssida as the permitted SSID for Client 1 and Client 2, and configure ssidb as the permitted SSID for Client 3.
When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the associated SSID of the client is the permitted SSID. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.
Figure 16 SSID-based access control
Whitelist- and blacklist-based access control
You can configure the whitelist or blacklists to filter frames from WLAN clients and implement client access control.
Whitelist-based access control
The whitelist contains the MAC addresses of all clients allowed to access the WLAN. Frames from clients not in the whitelist are discarded. This list is manually configured.
Blacklist-based access control
The following blacklists are available for access control:
· Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
· Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. An AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients. The entries in the list are removed when the aging time expires. For more information about WIPS, see "Configuring WIPS." For more information about WLAN MAC authentication, see "Configuring WLAN authentication."
The dynamic blacklist can take effect on the AC or on APs, depending on the configuration.
Working mechanism
When an AP receives an association request and sends an Add Mobile message to the AC, the AC performs the following operations to determine whether to permit the client:
1. Searches the whitelist if whitelist entries exist:
○ If the client MAC address does not match any entry in the whitelist, the client is rejected.
○ If a match is found, the client is permitted.
2. Searches the static and dynamic blacklists if no whitelist entries exist:
○ If the client MAC address matches an entry in either blacklist, the client is rejected.
○ If no match is found, or no blacklist entries exist, the client is permitted.
Figure 17 Whitelist- and blacklist-based access control
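The decision sequence above (whitelist first, then the static and dynamic blacklists, with dynamic entries removed after the aging time), as an added example that is not code from this guide. The MAC addresses, timestamps and aging time are constructed; the `normalize_mac` helper and the `ClientAccessControl` class are hypothetical names for the example.

```python
"""Client admission decision modelled on the whitelist/blacklist mechanism above.

Added example, not code from the configuration guide. When the AC receives an
Add Mobile message for a client, it decides permit or reject:
  1. If the whitelist has entries, only whitelisted MACs are permitted; the blacklists
     are not consulted at all.
  2. Otherwise a match in the static or the dynamic blacklist rejects the client.
Dynamic blacklist entries are removed once the aging time has expired. The aging
time value and all MAC addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to the xxxx-xxxx-xxxx form seen in this platform's output, so
    that list lookups do not depend on how the address was typed (0A:BB:..., 0abb-...)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass
class ClientAccessControl:
    aging_time: float                                   # seconds a dynamic entry lives
    whitelist: Set[str] = field(default_factory=set)
    static_blacklist: Set[str] = field(default_factory=set)
    dynamic_blacklist: Dict[str, float] = field(default_factory=dict)  # mac -> time added

    def add_whitelist(self, mac: str) -> None:
        self.whitelist.add(normalize_mac(mac))

    def add_static_blacklist(self, mac: str) -> None:
        self.static_blacklist.add(normalize_mac(mac))

    def add_dynamic_blacklist(self, mac: str, now: float) -> None:
        """Entry as an AP would add it, e.g. on a WIPS trigger; `now` is the current time."""
        self.dynamic_blacklist[normalize_mac(mac)] = now

    def _expire_dynamic(self, now: float) -> None:
        """Drop dynamic entries whose aging time has expired."""
        for mac, added in list(self.dynamic_blacklist.items()):
            if now - added >= self.aging_time:
                del self.dynamic_blacklist[mac]

    def decide(self, mac: str, now: float) -> Tuple[str, str]:
        """Return (decision, reason) for an Add Mobile message received at time `now`."""
        mac = normalize_mac(mac)
        self._expire_dynamic(now)
        if self.whitelist:                              # step 1: whitelist entries exist
            if mac in self.whitelist:
                return ("permit", "whitelist match")
            return ("reject", "not in whitelist")
        if mac in self.static_blacklist:                # step 2: no whitelist entries
            return ("reject", "static blacklist match")
        if mac in self.dynamic_blacklist:
            return ("reject", "dynamic blacklist match")
        return ("permit", "no blacklist match")


def run_demo() -> List[Tuple[str, str, str]]:
    """Replay a constructed sequence of association attempts; returns (mac, decision, reason)."""
    ac = ClientAccessControl(aging_time=300.0)
    ac.add_static_blacklist("0aaa-0000-0001")
    ac.add_dynamic_blacklist("0A:BB:00:00:00:02", now=0.0)   # e.g. added by WIPS at t=0
    attempts = [
        ("0aaa-0000-0001", 10.0),    # static blacklist -> reject
        ("0abb-0000-0002", 10.0),    # dynamic blacklist, entry still fresh -> reject
        ("0acc-0000-0003", 10.0),    # in no list -> permit
        ("0abb-0000-0002", 400.0),   # dynamic entry aged out (400 >= 300) -> permit
    ]
    results = [(mac, *ac.decide(mac, now)) for mac, now in attempts]
    # Once the whitelist has entries it decides alone: the statically blacklisted MAC
    # is now permitted because the blacklists are no longer consulted (step 2 is skipped).
    ac.add_whitelist("0aaa-0000-0001")
    for mac in ("0aaa-0000-0001", "0acc-0000-0003"):
        results.append((mac, *ac.decide(mac, 401.0)))
    return results
```

The last two replayed attempts show the operational consequence of the ordering: adding even one whitelist entry turns the whitelist into the only check, so a blacklisted client that also appears in the whitelist is admitted.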
ACL-based access control
This feature controls client access by using ACL rules bound to an AP or a service template.
Upon receiving an association request from a client, the AC checks the client against the bound ACL and performs the following actions:
· Allows the client to access the WLAN if a matching rule is found and the rule action is permit.
· Denies the client access to the WLAN if no matching rule is found or the matched rule's action is deny.
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Configuration restrictions and guidelines
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.
WLAN access tasks at a glance
Configuring wireless services
Configuring a service template
About service templates
A service template defines a set of wireless service attributes, such as SSID and authentication method.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template. | wlan service-template service-template-name | By default, no service template exists. |
3. Assign clients coming online through the service template to the specified VLAN. | vlan vlan-id | By default, clients are assigned VLAN 1 after coming online through a service template. |
Configuring a description for a service template
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Configure a description for the service template. | description text | By default, no description is configured for a service template. |
Setting an SSID
About SSIDs
APs advertise SSIDs in beacon frames. If the number of clients in a BSS exceeds the limit or the BSS is unavailable, you can enable SSID-hidden to prevent clients from discovering the BSS. When SSID-hidden is enabled, the BSS omits its SSID from beacon frames and does not respond to broadcast probe requests. A client must send probe requests carrying the specified SSID to access the WLAN. This reduces the WLAN's exposure to clients that find networks by scanning; because clients must still send the SSID in their probe requests, it is not a substitute for authentication.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Set an SSID for the service template. | ssid ssid-name | By default, no SSID is set for a service template. |
4. (Optional.) Enable SSID-hidden in beacon frames. | beacon ssid-hide | By default, beacon frames carry SSIDs. |
Setting the maximum number of associated clients for a service template
About setting the client quantity limit for a service template
Perform this task to limit the number of associated clients and avoid overload. When the maximum number is reached, new clients cannot access the WLAN.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Set the maximum number of associated clients for the service template. | client max-count max-number | By default, the number of associated clients for a service template is not limited. |
Enabling a service template
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Enable the service template. | service-template enable | By default, a service template is disabled. |
Binding a service template to a radio
About service template binding
If you bind a service template to a radio, the AP creates a BSS that can provide wireless services defined in the service template.
You can perform the following tasks when binding a service template to a radio:
· Bind a VLAN group to the radio so that clients associated with the BSS will be assigned evenly to all VLANs in the VLAN group.
· Bind the NAS port ID or the NAS ID to the radio to identify the network access server.
· Enable the AP to hide SSIDs in beacon frames.
Restrictions and guidelines
You can bind a maximum of 16 service templates to a radio.
Procedure
To bind a service template to a radio in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Bind a service template to the radio. | service-template service-template-name [ vlan vlan-id \| vlan-group vlan-group-name ] [ ssid-hide ] [ nas-id nas-id \| nas-port-id nas-port-id ] | By default, the configuration in AP group view is used. |
To bind a service template to a radio in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Bind a service template to the radio. | service-template service-template-name [ vlan vlan-id \| vlan-group vlan-group-name ] [ ssid-hide ] [ nas-id nas-id \| nas-port-id nas-port-id ] | By default, a radio is not bound to any service templates. |
Configuring an AP to not inherit the specified service template from the AP group
About service template inheritance
By default, APs in an AP group inherit the service template bound to the AP group and create BSSs. You can perform this task to configure an AP to not inherit the specified service template from the AP group to which it belongs.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Configure the AP to not inherit the specified service template from the AP group. | inherit exclude service-template service-template-name | By default, an AP inherits the service template bound to the AP group to which it belongs. |
Configuring wireless client functions
Setting the client idle timeout
About the client idle timeout
If an online client does not send any frames to the associated AP before the client idle timeout timer expires, the AP logs off the client.
Procedure
To set the client idle timeout in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the client idle timeout. | client idle-timeout timeout | By default, an AP uses the configuration in AP group view. |
To set the client idle timeout in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Set the client idle timeout. | client idle-timeout timeout | By default, the client idle timeout is 3600 seconds. |
Configuring client keepalive
About client keepalive
This feature enables an AP to send keepalive packets to clients at the specified interval to determine whether the clients are online. If the AP does not receive any replies from a client within three keepalive intervals, it logs off the client.
Procedure
To configure client keepalive in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enable client keepalive. | client keep-alive enable | By default, an AP uses the configuration in AP group view. |
4. (Optional.) Set the client keepalive interval. | client keep-alive interval interval | By default, an AP uses the configuration in AP group view. |
To configure client keepalive in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enable client keepalive. | client keep-alive enable | By default, client keepalive is disabled. |
4. (Optional.) Set the client keepalive interval. | client keep-alive interval interval | By default, the client keepalive interval is 300 seconds. |
Setting the VLAN allocation method for clients
About VLAN allocation methods
When a client comes online for the first time, the radio assigns a random VLAN to it. When the client comes online again, the VLAN assigned to the client depends on the allocation method.
· Static allocation—The client inherits the VLAN that has been assigned to it. If the IP address lease has not expired, the client will use the same IP address. This method helps save IP addresses.
· Dynamic allocation—The radio re-assigns a VLAN to the client. This method balances clients in all VLANs.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Set the VLAN allocation method for clients. | client vlan-alloc { dynamic \| static } | By default, the VLAN allocation method for clients is dynamic. |
Configuring clients to prefer the authorization VLAN after roaming
About VLAN allocation after client roaming
Typically, the VLAN of a client remains unchanged after client roaming. However, if the client triggers a security alert configured on IMC after roaming to another AP, the authorization VLAN issued for user isolation takes effect.
Restrictions and guidelines
As a best practice, configure this feature on all ACs in a mobility group.
This feature takes effect only on 802.1X and MAC authentication clients.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Configure clients to prefer the authorization VLAN after roaming. | client preferred-vlan authorized | By default, clients prefer the authorization VLAN after roaming. |
Setting the aging time for the cache of clients
About the aging time for the client cache
The cache of a client saves the PMK list, access VLAN, and other authorized information for the client. If an offline client comes online again within the aging time, it can inherit all information in its cache for fast roaming. If the client does not come online within the aging time, the AC clears the client cache.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Set the aging time for the cache of clients. | client cache aging-time aging-time | By default, the aging time for the cache of clients is 180 seconds. |
Enabling client association at the AC or APs
About the client association position
If you enable client association at the AC, management frames are sent to the AC over the CAPWAP tunnel. This ensures security and facilitates management. As a best practice, enable client association at the APs when the network between the AC and the APs is complex.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Enable client association at the AC or APs. | client association-location { ac \| ap } | By default, client association is performed at the AC. |
Specifying the client traffic forwarder
About the client traffic forwarder
The AC (centralized forwarding) or APs (local forwarding) can forward client traffic. Using APs to forward client traffic releases the forwarding burden on the AC.
If APs forward client traffic, you can specify a VLAN or a VLAN range for the APs to forward traffic from the specified VLANs. The AC forwards data traffic from the other VLANs.
Restrictions and guidelines
For the AC to forward client traffic, make sure client traffic forwarding is enabled on the AC.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Specify the client traffic forwarder. | client forwarding-location { ac \| ap [ vlan { start-vlan [ to end-vlan ] } ] } | By default, the client traffic forwarder is the AC. |
Enabling client traffic forwarding
About client traffic forwarding
In an AC hierarchical network, disable this feature on the central AC and enable it on the local ACs if the client traffic forwarder is the AC. This preserves the central AC's management performance if a local AC goes down.
For more information about AC hierarchy, see "Configuring AC hierarchy."
Restrictions and guidelines
You must enable this feature if you configure the AC as the client traffic forwarder.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable client traffic forwarding. | wlan client forwarding enable | By default, client traffic forwarding is enabled. |
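The following configuration is an added example, not taken from the guide, combining the two procedures above (specifying the client traffic forwarder and enabling client traffic forwarding). The service template name office, the VLAN range 100 to 110 and the AC roles are assumed.

```comware
# Added example (not from the guide). Service template "office" and the
# VLAN range are assumed. Run on a local AC (or a standalone AC) that is
# the client traffic forwarder.
system-view
# Client traffic forwarding is on by default; it must stay enabled on any
# AC that forwards client traffic, otherwise the AC setting below has no
# effect. Only the central AC of a hierarchical network disables it.
wlan client forwarding enable
wlan service-template office
# APs forward traffic from VLANs 100 to 110 locally, so that traffic never
# enters the CAPWAP tunnel. Client traffic from every other VLAN is sent
# to the AC (centralized forwarding).
 client forwarding-location ap vlan 100 to 110
 quit
```

Locally forwarded VLANs bypass the AC entirely, so any inspection, logging or policy that is applied on the AC's data path does not see that traffic; keep the VLAN range limited to the subnets where that is intended.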
Setting the encapsulation format for client data frames
About the encapsulation format of client data frames
In the centralized forwarding infrastructure, an AP sends data frames from clients to the AC over the CAPWAP tunnel. You can set the encapsulation format for the client data frames to 802.3 or 802.11. As a best practice, set the format to 802.3 so the AC does not need to perform frame format conversion.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Set the encapsulation format for client data frames. | client frame-format { dot3 \| dot11 } | By default, client data frames are encapsulated in the 802.3 format. |
Enabling quick association
About quick association
Enabling load balancing or band navigation might affect client association efficiency. For delay-sensitive services, or in an environment where load balancing and band navigation are not needed, you can enable quick association for a service template.
Quick association disables load balancing or band navigation on clients associated with the service template. The device will not balance traffic or perform band navigation even if these two features are enabled in the WLAN.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Enable quick association. | quick-association enable | By default, quick association is disabled. |
Setting the idle period before client reauthentication
About the idle period before client reauthentication
Set the idle period before client reauthentication to reduce reauthentication failures.
When URL redirection is enabled for WLAN MAC authentication clients, an AP logs off a client that has passed MAC authentication. At the next MAC authentication attempt, the client can pass MAC authentication and access the WLAN. With the idle period configured, the AP adds the client to the dynamic blacklist after logging off the client and the client entry ages out after the specified idle period.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the idle period before client reauthentication. | wlan client reauthentication-period [ period-value ] | By default, the idle period is not configured. |
Enabling immediate client association upon successful local authentication
About immediate client association upon successful local authentication
By default, an AP reports information about locally authenticated clients that pass authentication to the AC, and the AC creates client entries and informs the AP to get the clients online. If the CAPWAP tunnel between the AC and the AP operates incorrectly, clients might fail to come online and are reauthenticated repeatedly.
To avoid this problem, you can allow clients to come online immediately after successful local authentication so that the AP can forward client traffic when the AC cannot be reached. The AP synchronizes client information to the AC when the tunnel recovers.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Enable clients to come online immediately upon successful local authentication. | undo client report-mandatory | By default, locally authenticated clients come online after successful client information reporting. |
Specifying the method for APs to process traffic from unknown clients
About unknown client traffic processing
Perform this task to configure APs using the specified service template to drop data packets from unknown clients and deauthenticate these clients or to drop the packets only.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Specify the method for APs to process traffic from unknown clients. | unknown-client [ deauthenticate \| drop ] | By default, APs drop packets from unknown clients and deauthenticate these clients. |
Performing a wireless link quality test
About wireless link quality tests
This feature enables an AP to test the quality of the link to a wireless client. The AP sends empty data frames to the client at each supported rate. Then it calculates link quality information such as RSSI, packet retransmissions, and RTT based on the responses from the client.
The timeout for a wireless link quality test is 10 seconds. If the wireless link test is not completed before the timeout expires, test results cannot be obtained.
Procedure
Task | Command |
---|---|
Perform a wireless link quality test. | wlan link-test mac-address |
Specifying the Web server to which client information is reported
About the Web server for client information reporting
Perform this task to enable the AC to report client information, such as client MAC address, associated AP, and association time, to the specified Web server through HTTP. The Web server accepts client information only when the server's host name, port number, and path are specified.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify the host name and port number of the Web server. | wlan web-server host host-name port port-number | By default, the host name and port number of the Web server are not specified. |
3. Specify the path of the Web server. | wlan web-server api-path path | By default, the path of the Web server is not specified. |
4. Set the maximum number of client entries that can be reported at a time. | wlan web-server max-client-entry number | By default, a maximum of ten client entries can be reported at a time. |
Enabling the device to generate client logs in the specified format
About client log formats
The device supports client logs in the following formats:
· H3C—Logs AP name, radio ID, client MAC address, SSID, BSSID, and client online status. By default, the device generates client logs only in H3C format.
· normal—Logs AP MAC address, AP name, client IP address, client MAC address, SSID, and BSSID.
· sangfor—Logs AP MAC address, client IP address, and client MAC address.
This feature enables the device to generate client logs in normal or sangfor format and send the logs to the information center. Log destinations are determined by the information center settings. For more information about the information center, see Network Management and Monitoring Configuration Guide.
This feature does not affect generation of client logs in H3C format.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the device to generate client logs in the specified format. | customlog format wlan { normal \| sangfor } | By default, the device generates client logs only in the H3C format. |
Configuring client statistics reporting
About client statistics reporting
This feature enables an AP to report client statistics to the AC at the specified intervals for client entry update. The AC informs the AP to log off a client if the client's information does not exist in the saved entries.
To avoid frequent client re-association, disable this feature when the network is in a bad condition.
Procedure
To configure client statistics reporting in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
3. Configure client statistics reporting. | client-statistics-report { disable \| enable [ interval interval ] } | By default, an AP uses the configuration in AP group view. |
To configure client statistics reporting in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Configure client statistics reporting. | client-statistics-report { disable \| enable [ interval interval ] } | By default, client statistics reporting is enabled. |
Configuring client access control
Specifying a permitted AP group for client association
About AP group-based client access control
Perform this task to enable clients to associate with APs in the specified AP group.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter user profile view. | user-profile profile-name | N/A |
3. Specify a permitted AP group for client association. | wlan permit-ap-group ap-group-name | By default, no permitted AP group is specified for client association. |
Specifying a permitted SSID for client association
About SSID-based client access control
Perform this task to allow clients to associate with a WLAN through the specified SSID.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter user profile view. | user-profile profile-name | N/A |
3. Specify a permitted SSID for client association. | wlan permit-ssid ssid-name | By default, no permitted SSID is specified for client association. |
Adding a client to the whitelist
Restrictions and guidelines
When you add the first client to the whitelist, the system asks you whether to disconnect all online clients. Enter Y at the prompt to configure the whitelist.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a client to the whitelist. | wlan whitelist mac-address mac-address | By default, no clients exist in the whitelist. |
Adding a client to the static blacklist
Restrictions and guidelines
You cannot add a client to both the whitelist and the static blacklist.
If the whitelist and blacklists are configured, only the whitelist takes effect.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add a client to the static blacklist. | wlan static-blacklist mac-address mac-address | By default, no clients exist in the static blacklist. |
Configuring the dynamic blacklist
About the dynamic blacklist
You can configure the dynamic blacklist to take effect on the AC or on APs.
If you configure the dynamic blacklist to take effect on the AC, all APs connected to the AC will reject the clients in the dynamic blacklist. If you configure the dynamic blacklist to take effect on APs, the AP associated with the clients in the dynamic blacklist will reject the clients, but the clients can still associate with other APs connected to the AC.
Restrictions and guidelines
As a best practice, configure the dynamic blacklist to take effect on the AC in high-density environments.
The configured aging time takes effect only on entries newly added to the dynamic blacklist.
If the whitelist and blacklists are configured, only the whitelist takes effect.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the dynamic blacklist to take effect on the AC or on APs. | · Configure the dynamic blacklist to take effect on APs: · Configure the dynamic blacklist to take effect on the AC: | By default, the dynamic blacklist takes effect on APs. |
3. Set the aging time for dynamic blacklist entries. | wlan dynamic-blacklist lifetime lifetime | By default, the aging time is 300 seconds. The aging time for dynamic blacklist entries takes effect only on rogue client entries. |
Configuring ACL-based access control
Restrictions and guidelines
The ACL-based access control configuration takes precedence over the whitelist and blacklist configuration. As a best practice, do not configure both ACL-based access control and whitelist- and blacklist-based access control on the same AC.
If the bound ACL contains a deny statement, configure a permit statement for the ACL to permit all clients. If you do not do so, no clients can come online through the AP or service template.
The configuration in AP view takes precedence over the configuration in service template view.
This feature supports only Layer 2 ACLs and can only use source MAC address as the match criterion. If you bind an ACL of another type, the configuration does not take effect.
Procedure
To configure ACL-based access control in service template view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Bind an ACL to the service template. | access-control acl acl-number | By default, no ACL is bound to a service template. |
To configure ACL-based access control in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name [ model model-name ] | N/A |
3. Bind an ACL to the AP. | access-control acl acl-number | By default, no ACL is bound to an AP. |
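The following configuration is an added example, not taken from the guide, showing the "deny plus permit-all" pattern that the restrictions above require for ACL-based access control. The ACL number 4000, the MAC address 0001-0002-0003, the service template name guest and the AP name ap1 are assumed; the ACL commands follow the general Comware Layer 2 ACL syntax, which should be checked against the ACL and QoS Configuration Guide this page refers to.

```comware
# Added example (not from the guide). ACL 4000, the MAC address, service
# template "guest" and AP "ap1" are assumed values.
system-view
# Layer 2 ACL matching only on source MAC (the one criterion this feature
# honours). Rule 0 blocks one station; rule 5 permits every other client.
# Without rule 5 the ACL would contain only a deny, and no client could
# come online through the service template the ACL is bound to.
acl mac 4000
 rule 0 deny source-mac 0001-0002-0003 ffff-ffff-ffff
 rule 5 permit
 quit
# Bind the ACL to the service template: it applies to every radio that
# uses "guest".
wlan service-template guest
 access-control acl 4000
 quit
# An ACL bound in AP view takes precedence over the service template
# binding for that AP only (ACL 4001 is assumed to exist).
wlan ap ap1
 access-control acl 4001
 quit
```

Because ACL-based access control overrides the whitelist and blacklists, an AC that uses this pattern should not also carry whitelist or blacklist entries; the two mechanisms would otherwise give two different answers about the same client, and only the ACL answer would count.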
Specifying a region code
About region codes
A region code determines characteristics such as available frequencies, available channels, and transmit power level. Set a valid region code before configuring an AP.
To prevent regulation violation caused by region code modification, lock the region code.
Procedure
To specify a region code in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Specify a region code. | region-code code | By default, an AP uses the configuration in AP group view. If no region code exists in AP group view, the AP uses the configuration in global configuration view. |
4. Lock the region code. | region-code-lock enable | By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view. |
To specify a region code in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Specify a region code. | region-code code | By default, an AP group uses the configuration in global configuration view. |
4. Lock the region code. | region-code-lock enable | By default, an AP group uses the configuration in global configuration view. |
To specify a global region code:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter global configuration view. | wlan global-configuration | N/A |
3. Specify a region code. | region-code code | By default, the region code is CN. |
4. Lock the region code. | region-code-lock enable | By default, region codes are not locked. |
Disabling an AP from responding to broadcast probe requests
About broadcast probe request responses
Broadcast probe requests do not carry any SSIDs. Upon receiving a broadcast probe request, an AP responds with a probe response that carries service information for the AP.
This feature enables clients that send unicast probe requests to the AP to associate with the AP more easily.
Procedure
To disable an AP from responding to broadcast probe requests in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Disable the AP from responding to broadcast probe requests. | broadcast-probe reply disable | By default, an AP uses the configuration in AP group view. |
To disable APs in an AP group from responding to broadcast probe requests in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Disable APs in the AP group from responding to broadcast probe requests. | broadcast-probe reply disable | By default, an AP responds to broadcast probe requests. |
Setting the NAS ID
About NAS IDs
A network access server identifier (NAS ID), network access server port identifier (NAS port ID), or network access server VLAN identifier (NAS VLAN ID) identifies the network access server of a client and differentiates the source of client traffic.
Restrictions and guidelines
If you specify a NAS ID or NAS port ID when binding a service template to a radio, the radio uses the NAS ID or NAS port ID specified for the service template.
Procedure
To set the NAS ID in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the NAS ID. | nas-id nas-id | By default, an AP uses the configuration in AP group view. If no NAS ID is specified in AP group view, the AP uses the configuration in global configuration view. |
4. Set the NAS port ID. | nas-port-id nas-port-id | By default, an AP uses the configuration in AP group view. If no NAS port ID is specified in AP group view, the AP uses the configuration in global configuration view. |
5. Set the NAS VLAN ID and enable the AC to encapsulate the VLAN ID in RADIUS requests. | nas-vlan vlan-id | By default, no NAS VLAN ID is set. Authentication requests sent to the RADIUS server do not contain the NAS VLAN ID field. Set the NAS VLAN ID when a third-party Security Accounting Management (SAM) server is used as the RADIUS server. |
To set the NAS ID in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Set the NAS ID. | nas-id nas-id | By default, an AP uses the configuration in global configuration view. |
4. Set the NAS port ID. | nas-port-id nas-port-id | By default, an AP uses the configuration in global configuration view. |
To set the global NAS ID:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter global configuration view. | wlan global-configuration | N/A |
3. Set the global NAS ID. | nas-id nas-id | By default, no NAS ID is set. |
4. Set the NAS port ID. | nas-port-id nas-port-id | By default, no NAS port ID is set. |
Configuring policy-based forwarding
Restrictions and guidelines for policy-based forwarding
Make sure the AC and its associated APs are in different network segments.
You can apply a forwarding policy to a service template or user profile. The AC preferentially uses the forwarding policy applied to a user profile to direct client traffic forwarding. If the user profile of a client does not have a forwarding policy, the AC uses the forwarding policy applied to the service template.
Prerequisites for policy-based forwarding
Before configuring policy-based forwarding, you must specify the AC to perform authentication for clients. For more information about specifying the authentication location, see "Configuring WLAN authentication."
Configuring a forwarding policy
About forwarding policies
A forwarding policy contains one or multiple forwarding rules. Each forwarding rule specifies a traffic match criterion and the forwarding mode for matching traffic. The traffic match criterion can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The forwarding mode can be local forwarding or centralized forwarding.
Actions defined in ACL rules do not take effect in wireless packet forwarding. All matched packets are forwarded based on the forwarding mode.
For more information about ACLs, see ACL and QoS Configuration Guide.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a forwarding policy and enter its view. | wlan forwarding-policy policy-name | By default, no forwarding policies are configured. |
3. Configure a forwarding rule. | classifier acl { acl-number \| ipv6 ipv6-acl-number } | By default, no forwarding rules are configured. Repeat this command to configure more forwarding rules. |
Applying a forwarding policy to a service template
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Apply a forwarding policy to the service template. | client forwarding-policy-name policy-name | By default, no forwarding policy is applied to a service template. |
4. Enable policy-based forwarding. | client forwarding-policy enable | By default, policy-based forwarding is disabled for a service template. For the forwarding policy to take effect, you must enable policy-based forwarding for the service template. |
Applying a forwarding policy to a user profile
About applying a forwarding policy to a user profile
For the AC to perform policy-based forwarding for clients that use a user profile, apply a forwarding policy to the user profile. After a client passes authentication, the authentication server sends the user profile name specified for the client to the AC. The AC will forward traffic of the client based on the forwarding policy applied to the user profile.
Restrictions and guidelines
If you modify or delete the applied forwarding policy, the change takes effect when the client comes online again.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter user profile view. | user-profile profile-name | N/A |
3. Apply a forwarding policy to the user profile. | wlan client forwarding-policy-name policy-name | By default, no forwarding policy is applied to a user profile. |
4. Return to system view. | quit | N/A |
5. Enter service template view. | wlan service-template service-template-name | N/A |
6. Enable policy-based forwarding. | client forwarding-policy enable | By default, policy-based forwarding is disabled for a service template. For the forwarding policy applied to the user profile to take effect, you must enable policy-based forwarding for the service template that the user profile uses. |
Deploying a configuration file to an AP
About deploying the AP configuration file
Deploy a configuration file to an AP if you want to update its configuration file or configure features that require a configuration file. For example, to configure a user profile for an AP in local forwarding mode, you must write related commands to a configuration file and then deploy the configuration file to the AP. The configuration file takes effect when the CAPWAP tunnel to the AC is in Run state. It does not survive an AP reboot.
Restrictions and guidelines
Make sure the configuration file is stored in the storage medium of the AC. Contents in the configuration file must be complete commands.
This feature takes effect every time the specified AP comes online.
An AP can only use its main IP address to establish a CAPWAP tunnel to the AC if the AP is configured by using a configuration file.
In an IRF fabric, save the configuration file on each member AC so that it is available after a master and backup AC switchover. The map-configuration command takes effect only on the master AC. If you specify a path when executing the command, make sure the path leads to the file on the master AC.
Procedure
To deploy a configuration file to an AP in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Deploy a configuration file to the AP. | map-configuration filename | By default, no configuration file is deployed to an AP. |
To deploy a configuration file to an AP in AP group AP model view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Deploy a configuration file to the AP. | map-configuration filename | By default, no configuration file is deployed to an AP. |
Enabling SNMP notifications for WLAN access
About SNMP notifications
To report critical WLAN access events to an NMS, enable SNMP notifications for WLAN access. For WLAN access event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable SNMP notification for client access. | snmp-agent trap enable wlan client | By default, SNMP notifications are disabled for client access. |
3. Enable SNMP notification for client audit. | snmp-agent trap enable wlan client-audit | By default, SNMP notifications are disabled for client audit. |
Display and maintenance commands for WLAN access
Execute display commands in any view and the reset command in user view.
Task | Command |
---|---|
Display the number of online clients and channel information for each radio. | display wlan ap all radio client-number |
Display the number of online clients in each AP group. | display wlan ap-group all client-number |
Display the number of online clients at both 2.4 GHz and 5 GHz bands. | display wlan ap all client-number |
Display blacklist entries. | display wlan blacklist { dynamic \| static } |
Display basic service set (BSS) information. | display wlan bss { all \| ap ap-name \| bssid bssid } [ slot slot-number ] [ verbose ] |
(Centralized devices in standalone mode.) Display client information. | display wlan client [ ap ap-name [ radio radio-id ] \| mac-address mac-address \| service-template service-template-name \| frequency-band { 2.4 \| 5 } ] [ verbose ] |
(Centralized devices in IRF mode.) Display client information on the specified member device or the master device. | display wlan client distributed-sys [ slot slot-number ] [ verbose ] |
Display information about client IPv6 addresses. | display wlan client ipv6 |
Display client online duration. | display wlan client online-duration [ ap ap-name ] [ verbose ] |
Display client status information. | display wlan client status [ mac-address mac-address ] [ verbose ] |
Display WLAN forwarding policy information. | display wlan forwarding-policy |
Display region code information for APs. | display wlan ap { all \| name ap-name } region-code |
Display service template information. | display wlan service-template [ service-template-name ] [ verbose ] |
Display client statistics or service template statistics. | display wlan statistics { ap { all \| name ap-name } connect-history \| client [ mac-address mac-address ] \| service-template service-template-name [ connect-history ] } |
Display whitelist entries. | display wlan whitelist |
Remove the specified client or all clients from the dynamic blacklist. | reset wlan dynamic-blacklist [ mac-address mac-address ] |
Log off the specified client or all clients. | reset wlan client { all \| mac-address mac-address } |
Clear client statistics. | reset wlan statistics client { all \| mac-address mac-address } |
Clear service template statistics. | reset wlan statistics service-template service-template-name |
WLAN access configuration examples
Example: Configuring WLAN access
Network requirements
As shown in Figure 18, the switch acts as the DHCP server to assign IP addresses to the AP and the client. The AP provides wireless services with the SSID trade-off.
Configuration procedure
1. Create VLAN 100, and assign an IP address to VLAN-interface 100.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 10.1.9.58 16
2. Create the manual AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
3. Configure a service template and bind it to the AP radio:
# Create the service template service1, set the SSID to trade-off, assign clients coming online through the service template to VLAN 100, and enable the service template.
<AC> system-view
[AC] wlan service-template service1
[AC-wlan-st-service1] ssid trade-off
[AC-wlan-st-service1] vlan 100
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
# Set the working channel to channel 157 for radio 1 of the AP.
[AC] wlan ap ap1
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 157
# Enable radio 1 and bind the service template service1 to it.
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] service-template service1
Verifying the configuration
# Verify that the SSID is trade-off, and the service template is enabled.
[AC] display wlan service-template verbose
Service template name : service1
Description : Not configured
SSID : trade-off
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 100
AKM mode : Not configured
Security IE : Not configured
Cipher suite : Not configured
TKIP countermeasure time : 0 s
PTK life time : 43200 s
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 s
GTK rekey client-offline : Disabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : 1
Critical VLAN ID : Not configured
802.1X handshake : Enabled
802.1X handshake secure : Disabled
802.1X domain : my-domain
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Enabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
# Associate the client with the AP. (Details not shown.)
# Verify that the client can access the WLAN.
[AC] display wlan client service-template service1
Total number of clients: 1
MAC address Username AP name RID IP address IPv6 address VLAN
0023-8933-223b N/A ap1 1 3.0.0.3 100
Example: Configuring the whitelist
Network requirements
As shown in Figure 19, configure the whitelist to permit only the client whose MAC address is 0000-000f-1211 to access the WLAN.
Configuration procedure
# Add the MAC address 0000-000f-1211 to the whitelist.
<AC> system-view
[AC] wlan whitelist mac-address 0000-000f-1211
Verifying the configuration
# Verify that the MAC address 0000-000f-1211 is in the whitelist.
[AC] display wlan whitelist
Total number of clients: 1
MAC addresses:
0000-000f-1211
Example: Configuring the static blacklist
Network requirements
As shown in Figure 20, configure the static blacklist to forbid the client whose MAC address is 0000-000f-1211 to access the WLAN.
Configuration procedure
# Add the MAC address 0000-000f-1211 to the static blacklist.
<AC> system-view
[AC] wlan static-blacklist mac-address 0000-000f-1211
Verifying the configuration
# Verify that the MAC address 0000-000f-1211 is in the static blacklist.
[AC] display wlan blacklist static
Total number of clients: 1
MAC addresses:
0000-000f-1211
Example: Configuring ACL-based access control
Network requirements
As shown in Figure 21, configure ACL-based access control to allow Client 1 and clients with the same OUI as Client 2 to access the WLAN.
Configuration procedure
# Create Layer 2 ACL 4000, and create ACL rules to permit Client 1 and clients with the same OUI as Client 2.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000] rule 0 permit source-mac 0000-000f-1121 ffff-ffff-ffff
[Sysname-acl-mac-4000] rule 1 permit source-mac 000e-35b2-000e ffff-ff00-0000
[Sysname-acl-mac-4000] quit
# Bind ACL 4000 to service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] access-control acl 4000
Verifying the configuration
Verify that only Client 1 and clients with the same OUI as Client 2 (including Client 2) can access the WLAN.
Configuring WLAN security
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN security
WLAN security mechanisms include Pre Robust Security Network Association (Pre-RSNA), 802.11i, and 802.11w.
Pre-RSNA defines the original security mechanism, which is vulnerable to security attacks. To enhance WLAN security, 802.11i was introduced, but it encrypts only WLAN data traffic. Based on the 802.11i framework, 802.11w offers management frame protection to prevent attacks such as forged de-authentication and disassociation frames.
Pre-RSNA mechanism
The pre-RSNA mechanism uses the open system and shared key algorithms for authentication and uses WEP for data encryption. WEP uses the stream cipher RC4 for confidentiality and supports key sizes of 40 bits (WEP40), 104 bits (WEP104), and 128 bits (WEP128).
Open system authentication
Open system authentication is the default and simplest authentication algorithm. Any client that requests authentication by using this algorithm can pass the authentication.
Open system authentication uses the following process:
1. The client sends an authentication request to the AP.
2. The AP sends an authentication response to the client after the client passes the authentication.
Figure 22 Open system authentication process
Shared key authentication
Shared key authentication uses a WEP key for the AP and client to complete authentication.
Shared key authentication uses the following process:
1. The client sends an authentication request to the AP.
2. The AP randomly generates a challenge text and sends it to the client.
3. The client uses the WEP key to encrypt the challenge text and sends it to the AP.
4. The AP uses the WEP key to decrypt the challenge text and compares the decrypted challenge text with the original challenge text. If they are identical, the client passes the authentication. If they are not, the authentication fails.
Figure 23 Shared key authentication process
802.11i mechanism
IMPORTANT: 802.11i requires open system authentication for link layer authentication.
Security modes
The 802.11i mechanism (the RSNA mechanism) provides the WPA and RSN security modes. WPA implements a subset of an 802.11i draft to provide enhanced security over WEP, and RSN implements the full 802.11i standard.
AKM
The 802.11i mechanism uses the following authentication and key management (AKM) modes for authenticating users and for dynamically generating and updating keys:
· 802.1X—802.1X performs user authentication and generates the pairwise master key (PMK) during authentication. The client and AP use the PMK to generate the pairwise transient key (PTK).
· Private PSK—The MAC address of the client is used as the PSK to generate the PMK. The client and AP use the PMK to generate the PTK.
· PSK—The PSK is used to generate the PMK. The client and AP use the PMK to generate the PTK.
Authentication
802.1X authentication is more secure than PSK authentication. For more information about 802.1X authentication, see "Configuring WLAN user access authentication."
PSK authentication requires the same PSK to be configured for both an AP and a client. PSK integrity is verified during the four-way handshake. If PTK negotiation succeeds, the client passes the authentication.
Key management
Key management defines how to generate and update the PTK and the group temporal key (GTK). The PTK protects unicast traffic, and the GTK protects multicast and broadcast traffic.
PTK and GTK
· The PTK consists of the following keys:
  ◦ EAPOL-Key Confirmation Key (KCK) is used to verify the integrity of an EAPOL-Key frame.
  ◦ EAPOL-Key Encryption Key (KEK) is used to encrypt the key data in the EAPOL-Key frame.
  ◦ Temporal Key (TK) is used to encrypt unicast packets.
· The GTK includes the TK and other fields. The TK is used to encrypt multicast and broadcast packets.
EAPOL-Key packet
The IEEE 802.11i protocol uses EAPOL-Key packets during key negotiation.
Figure 24 EAPOL-Key structure
Table 23 EAPOL-Key field description

Field | Description
---|---
Descriptor type | Specifies the network type: WPA network or RSN network.
Key information | For more information about this field, see Table 24.
Key length | Length of the key.
Key replay counter | Records the total number of GTK updates to prevent replay attacks. The AP sets this field to 0 at the beginning of the negotiation and increments the value on each successive EAPOL-Key frame. The client records the value from the last valid EAPOL-Key frame it received, provided that the value is greater than the one recorded previously. An EAPOL-Key frame must be retransmitted if the value received by the client is smaller than or equal to the value recorded by the client, or if the value received by the AP is not equal to the value recorded on the AP. If the retransmission attempts exceed the maximum number, the AP disconnects the client.
Key nonce | Random value used to generate the PTK.
EAPOL Key IV | Initialization vector used to encrypt the key data. This field is valid only when the encryption type is not CCMP.
Key RSC | Records the total number of multicast or broadcast packets to prevent replay attacks. The AP increments this field on transmission of each multicast or broadcast packet.
Reserved | Reserved field.
Key MIC | Message integrity check.
Key data length | Length of the key data.
Key data | Data to be transmitted, such as the GTK and the pairwise master key identifier (PMKID).
Figure 25 Key information structure
Table 24 Key information description

Field | Description
---|---
Key Descriptor Version | 3-bit key version: 1 for a non-CCMP key, 2 for a CCMP key.
Key Type | 1-bit key type: 0 for a multicast negotiation key, 1 for a unicast negotiation key.
Reserved | 2-bit reserved field. The sender sets this field to 0, and the receiver ignores it.
Install | 1-bit key installation field. If the Key Type field is 1, this field is 0 (the AP does not request the client to install the TK) or 1 (the AP requests the client to install the TK). If the Key Type field is 0, the sender sets this field to 0, and the receiver ignores it.
Key Ack | 1-bit key acknowledgment field. The value 1 indicates that the AP requests an acknowledgement from the client.
Key MIC | 1-bit message integrity check flag. If this field is 1, the generated MIC must be included in the Key MIC field of the EAPOL-Key frame.
Secure | 1-bit key status. The value 1 indicates that the key has been generated.
Error | 1-bit MIC check status. The value 1 indicates that a MIC failure has occurred. The client sets this field to 1 when the Request field is 1.
Request | 1-bit request flag used by the client to request the AP to initiate the four-way handshake or the multicast handshake, as in a MIC failure report.
Encrypted Key Data | 1-bit key data encryption status. The value 1 indicates that the key data is encrypted.
Reserved | 3-bit reserved field. The sender sets this field to 0, and the receiver ignores it.
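As an added example (not part of the H3C/HPE document), the following Python decodes the Key Information field laid out in Table 24 and names, from the flags alone, the handshake message an EAPOL-Key frame belongs to, the way a WLAN monitoring tool would label captured frames. It follows the RSN flag conventions, and the sample field values in the comments are constructed.

```python
from dataclasses import dataclass

# Bit positions within the 16-bit Key Information field (Table 24 above; bit 0 is the LSB).
_VERSION_MASK = 0x0007        # bits 0-2: Key Descriptor Version (1 = non-CCMP, 2 = CCMP)
_KEY_TYPE = 1 << 3            # 1 = unicast (pairwise) key, 0 = multicast (group) key
_INSTALL, _KEY_ACK, _KEY_MIC = 1 << 6, 1 << 7, 1 << 8
_SECURE, _ERROR, _REQUEST, _ENCRYPTED = 1 << 9, 1 << 10, 1 << 11, 1 << 12
# Bits 4-5 and 13-15 are reserved: the sender sets them to 0 and the receiver ignores them.


@dataclass(frozen=True)
class KeyInfo:
    version: int
    pairwise: bool
    install: bool
    ack: bool
    mic: bool
    secure: bool
    error: bool
    request: bool
    encrypted: bool

    @classmethod
    def parse(cls, raw: bytes) -> "KeyInfo":
        """Decode the two-octet, big-endian Key Information field of an EAPOL-Key frame."""
        if len(raw) != 2:
            raise ValueError("Key Information is exactly two octets")
        v = int.from_bytes(raw, "big")
        version = v & _VERSION_MASK
        if version not in (1, 2):
            raise ValueError(f"unknown Key Descriptor Version {version}")
        return cls(version, bool(v & _KEY_TYPE), bool(v & _INSTALL), bool(v & _KEY_ACK),
                   bool(v & _KEY_MIC), bool(v & _SECURE), bool(v & _ERROR),
                   bool(v & _REQUEST), bool(v & _ENCRYPTED))

    @property
    def cipher(self) -> str:
        return "CCMP" if self.version == 2 else "non-CCMP"


def classify(info: KeyInfo) -> str:
    """Name the handshake message a frame belongs to from its flags alone (RSN conventions;
    in WPA, message 4 also carries Secure = 0 and is told from message 2 by its empty Key Nonce)."""
    if info.request:                      # client-initiated: rekey request or MIC failure report
        return "MIC failure report" if info.error else "client rekey request"
    if info.pairwise:
        if info.ack and not info.mic:
            return "4-way message 1"      # ANonce only; no PTK exists yet, so no MIC
        if info.ack and info.install and info.mic:
            return "4-way message 3"      # install request, MIC, encrypted key data (GTK)
        if info.mic and not info.ack and not info.secure:
            return "4-way message 2"      # SNonce plus the first MIC the AP can verify
        if info.mic and info.secure and not info.ack:
            return "4-way message 4"
    else:
        if info.ack and info.mic:
            return "group message 1"      # new GTK, encrypted under the KEK
        if info.mic and not info.ack:
            return "group message 2"
    return "unrecognized"


def summarize(raw: bytes) -> str:
    """One-line label for a frame, e.g. b"\\x00\\x8a" (constructed) -> 4-way message 1."""
    info = KeyInfo.parse(raw)
    flags = [n for n in ("install", "ack", "mic", "secure", "error", "request", "encrypted")
             if getattr(info, n)]
    kind = "pairwise" if info.pairwise else "group"
    return f"{classify(info)} [{info.cipher}, {kind}, {'+'.join(flags) or 'no flags'}]"
```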
WPA key negotiation
WPA uses EAPOL-Key packets in the four-way handshake to negotiate the PTK, and in the two-way handshake to negotiate the GTK.
Figure 26 WPA key negotiation process
WPA key negotiation uses the following process:
1. The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.
2. The client performs the following operations:
a. Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the key derivation function (KDF).
b. Uses the KCK in the PTK to generate the MIC.
c. Returns EAPOL-Key message 2 that contains the SNonce and MIC.
3. The AP performs the following operations:
a. Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.
b. Uses the KCK in the PTK to generate the MIC.
c. Compares the received MIC with the local MIC.
d. Returns EAPOL-Key message 3 that contains the PTK installation request tag and MIC if the two MICs are the same.
4. The client performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and returns EAPOL-Key message 4 that contains the MIC if the two MICs are the same.
5. The AP performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and generates a GTK with the GMK and MAC address of the AP by using the KDF if the two MICs are the same.
c. Returns EAPOL-Key group message 1 that contains the GTK and MIC.
6. The client performs the following operations:
a. Compares the received MIC with the local MIC and installs the GTK if the two MICs are the same.
b. Returns EAPOL-Key group message 2 that contains the MIC.
7. The AP performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the GTK if the MICs are the same.
RSN key negotiation
RSN uses EAPOL-Key packets in the four-way handshake to negotiate the PTK and the GTK.
Figure 27 RSN key negotiation process
RSN key negotiation uses the following process:
1. The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.
2. The client performs the following operations:
a. Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the KDF.
b. Uses the KCK in the PTK to generate the MIC.
c. Returns EAPOL-Key message 2 that contains the SNonce and MIC.
3. The AP performs the following operations:
a. Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.
b. Uses the KCK in the PTK to generate the MIC.
c. Compares the received MIC with the local MIC.
d. Generates a GTK with the random GMK and MAC address of the AP by using the KDF if the two MICs are the same.
e. Returns EAPOL-Key message 3 that contains the key installation request tag, MIC, and GTK.
4. The client performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and GTK if the two MICs are the same.
c. Returns EAPOL-Key message 4 that contains the MIC.
5. The AP performs the following operations:
a. Compares the received MIC with the local MIC.
b. Installs the PTK and GTK if the two MICs are the same.
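The WPA and RSN exchanges above, simulated end to end as an added example (not code from the document or the product): the PMK is derived from the PSK, the PTK with either the HMAC-SHA1 PRF or the HMAC-SHA256 KDF named later under "Setting the KDF", the Key Replay Counter rules of Table 23 are enforced on both sides, and the MIC checks of steps 3 and 4 are performed. The MAC addresses, passphrase and the simplified frame layout are constructed; the GTK transport is omitted.

```python
import hashlib
import hmac
import os
import struct

LABEL = b"Pairwise key expansion"


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """PSK AKM: the PSK and the SSID yield the 256-bit PMK (PBKDF2-HMAC-SHA1, 4096 rounds)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF on HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i), i = 0, 1, ..."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((length + 19) // 20))
    return b"".join(blocks)[:length]


def kdf_sha256(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11 KDF on HMAC-SHA256: HMAC(key, i || label || data || bit length), i = 1, 2, ... (16-bit LE)."""
    blocks = (hmac.new(key, struct.pack("<H", i) + label + data + struct.pack("<H", length * 8),
                       hashlib.sha256).digest() for i in range(1, (length + 31) // 32 + 1))
    return b"".join(blocks)[:length]


def derive_ptk(pmk, aa, spa, anonce, snonce, kdf="sha1"):
    """PTK = KDF(PMK, min/max of the two MAC addresses and the two nonces), split into KCK, KEK, TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = (prf_sha1 if kdf == "sha1" else kdf_sha256)(pmk, LABEL, data, 48)   # 48 bytes for CCMP
    return ptk[:16], ptk[16:32], ptk[32:48]


def key_mic(kck, msg):
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, 128 bits
    kept. The frame body here is a constructed stand-in for the real EAPOL-Key header."""
    body = struct.pack(">Q", msg["replay"]) + msg["nonce"] + bytes([msg["install"]]) + b"\x00" * 16
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


class Authenticator:
    """AP side: steps 1, 3 and 5 of the RSN process above."""

    def __init__(self, pmk, mac, kdf="sha1"):
        self.pmk, self.mac, self.kdf = pmk, mac, kdf
        self.anonce, self.replay, self.ptk = os.urandom(32), 0, None

    def message1(self):
        self.replay += 1   # the AP increments the Key Replay Counter on every EAPOL-Key frame it sends
        return {"replay": self.replay, "nonce": self.anonce, "install": 0, "mic": b"\x00" * 16}

    def on_message2(self, msg, spa):
        if msg["replay"] != self.replay:   # the AP requires the echoed counter to match exactly
            raise ValueError("replay counter mismatch in message 2")
        self.ptk = derive_ptk(self.pmk, self.mac, spa, self.anonce, msg["nonce"], self.kdf)
        if not hmac.compare_digest(key_mic(self.ptk[0], msg), msg["mic"]):
            raise ValueError("MIC failure in message 2")
        self.replay += 1
        m3 = {"replay": self.replay, "nonce": self.anonce, "install": 1, "mic": b""}
        m3["mic"] = key_mic(self.ptk[0], m3)   # in RSN the GTK also rides here, encrypted under the KEK
        return m3

    def on_message4(self, msg):
        if msg["replay"] != self.replay or not hmac.compare_digest(key_mic(self.ptk[0], msg), msg["mic"]):
            raise ValueError("message 4 rejected")
        return True   # the AP installs the PTK


class Supplicant:
    """Client side: steps 2 and 4."""

    def __init__(self, pmk, mac, kdf="sha1"):
        self.pmk, self.mac, self.kdf = pmk, mac, kdf
        self.snonce, self.replay, self.ptk = os.urandom(32), 0, None

    def on_message1(self, msg, aa):
        self.replay = msg["replay"]   # message 1 carries no MIC; its counter is recorded as-is
        self.ptk = derive_ptk(self.pmk, aa, self.mac, msg["nonce"], self.snonce, self.kdf)
        m2 = {"replay": msg["replay"], "nonce": self.snonce, "install": 0, "mic": b""}
        m2["mic"] = key_mic(self.ptk[0], m2)
        return m2

    def on_message3(self, msg):
        if msg["replay"] <= self.replay:   # the client accepts only a counter larger than the last one
            raise ValueError("replayed message 3")
        if not hmac.compare_digest(key_mic(self.ptk[0], msg), msg["mic"]):
            raise ValueError("MIC failure in message 3")
        self.replay = msg["replay"]
        m4 = {"replay": msg["replay"], "nonce": b"", "install": 0, "mic": b""}
        m4["mic"] = key_mic(self.ptk[0], m4)
        return m4   # the client installs the PTK (and the GTK) before answering


def run_handshake(passphrase, ssid, aa, spa, kdf="sha1"):
    """Run the exchange; True when every MIC verified and both sides hold the same PTK."""
    pmk = pmk_from_psk(passphrase, ssid)
    ap, sta = Authenticator(pmk, aa, kdf), Supplicant(pmk, spa, kdf)
    m2 = sta.on_message1(ap.message1(), aa)
    m4 = sta.on_message3(ap.on_message2(m2, spa))
    return ap.on_message4(m4) and ap.ptk == sta.ptk
```

A message 2 whose SNonce was altered in transit, or a message 3 delivered twice with the same counter, is rejected by the corresponding check, which is what the MIC and replay-counter fields are for.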
Key updates
Key updates enhance WLAN security. Key updates include PTK updates and GTK updates.
· PTK updates—Updates for the unicast keys using the four-way handshake negotiation.
· GTK updates—Updates for the multicast keys using the two-way handshake negotiation.
Cipher suites
TKIP
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm. You can change the cipher suite from WEP to TKIP by updating the software without changing the hardware. TKIP has the following advantages over WEP:
· TKIP provides longer initialization vectors (IVs) to enhance encryption security. Compared with WEP, TKIP uses RC4 with a 128-bit key and increases the IV length from 24 bits to 48 bits.
· TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP dynamic keys cannot be easily deciphered.
· TKIP offers MIC and countermeasures. If a packet has been tampered with, it fails the MIC check. If two packets fail the MIC check within a period, the AP automatically takes countermeasures by suspending service for a period to prevent attacks.
CCMP
Counter mode with CBC-MAC Protocol (CCMP) is based on the CCM mode (Counter mode with CBC-MAC) of the Advanced Encryption Standard (AES) block cipher.
CCMP contains a dynamic key negotiation and management method. Each client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP cipher suite. During the encryption process, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN. This improves WLAN security.
Dynamic WEP mechanism
IMPORTANT: The dynamic WEP mechanism uses open system authentication for link layer authentication.
802.11 provides the dynamic WEP mechanism to ensure that each user uses a private WEP key.
· For unicast communications, the mechanism uses the WEP key negotiated by the client and server during 802.1X authentication.
· For multicast and broadcast communications, the mechanism uses the configured WEP key. If you do not configure a WEP key, the AP randomly generates a WEP key for broadcast and multicast communications.
After the client passes 802.1X authentication, the AP sends the client an RC4-EAPOL packet that contains the unicast WEP key ID, and the multicast and broadcast WEP key and key ID. The unicast WEP key ID is 4.
802.11w management frame protection
About 802.11w management frame protection
The management frame protection service protects a set of robust management frames, such as de-authentication, disassociation, and some robust action frames.
· For unicast management frames, it uses the PTK to encrypt the frames and provides secrecy, integrity, and replay protection.
· For broadcast and multicast management frames, it uses the Broadcast Integrity Protocol (BIP) to provide integrity and replay protection.
The security association (SA) query mechanism is used to enhance security if the AP and client negotiate to use management frame protection. SA queries include active SA queries and passive SA queries.
Active SA query
As shown in Figure 28, active SA query uses the following process:
1. The client sends an association or reassociation request to the AP.
2. Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate at a later time. The response contains the association comeback time.
3. The AP sends an SA query request to verify the status of the client:
  ◦ If the AP receives an SA query response within the timeout time, it considers the client online.
  ◦ If the AP does not receive an SA query response within the timeout time, it sends another SA query request. If the AP receives an SA query response within the retransmission time, it considers the client online. The AP does not respond to any association or reassociation requests from the client until the association comeback time times out.
  ◦ If the AP does not receive an SA query response within the retransmission time, it considers the client offline and allows the client to reassociate.
Figure 28 Active SA query process
Passive SA query
As shown in Figure 29, passive SA query uses the following process:
1. The client triggers the SA query process upon receiving an unencrypted disassociation or deauthentication frame.
2. The client sends an SA query request to the AP.
3. The AP sends an SA query response to the client:
  ◦ If the client receives the response, it determines that the AP is online and does not process the disassociation or deauthentication frame.
  ◦ If the client does not receive a response, it determines that the AP is offline and disassociates from the AP.
Figure 29 Passive SA query process
Protocols and standards
· IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—2004
· WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug 2004
· Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—802.11, 1999
· IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control" 802.1X™-2004
· 802.11i IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
· 802.11w IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
WLAN security tasks at a glance
Pre-RSNA tasks at a glance
· (Required.) Setting the cipher suite
· (Required.) Setting the WEP key
· (Optional.) Enabling SNMP notifications for WLAN security
802.11i tasks at a glance
IMPORTANT:
· 802.11i requires open system authentication for link layer authentication.
· The AKM mode, security IE, and cipher suite must be configured for 802.11i networks.
· Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security information element.
· (Required.) Configuring the AKM mode
· (Required.) Setting the security information element
· (Required.) Setting the cipher suite
· (Optional.) Setting the PSK
· (Optional.) Setting the KDF
· (Optional.) Configuring GTK update
· (Optional.) Configuring PTK update
· (Optional.) Setting the TKIP MIC failure hold time
· (Optional.) Setting the WEP key
· (Optional.) Configuring 802.11w management frame protection
· (Optional.) Enabling SNMP notifications for WLAN security
Dynamic WEP tasks at a glance
· (Optional.) Setting the cipher suite
· (Optional.) Setting the WEP key
· (Required.) Enabling the dynamic WEP mechanism
· (Optional.) Enabling SNMP notifications for WLAN security
Configuring security features
Configuring the AKM mode
About AKM modes
Each of the following AKM modes must be used with a specific authentication mode:
· 802.1X AKM—802.1X authentication mode.
· Private PSK AKM—MAC authentication mode.
· PSK AKM—MAC or bypass authentication mode.
· WiFi alliance anonymous 802.1X AKM—802.1X authentication mode.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Configure the AKM mode.
akm mode { dot1x | private-psk | psk | anonymous-dot1x }
By default, no AKM mode is configured.
Setting the security information element
About security information elements
Perform this task to enable an AP to set the security information element (security IE) bit in beacon and probe responses to notify clients of its security capabilities.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the security IE.
security-ie { osen | rsn | wpa }
By default, no security IE is set.
Setting the cipher suite
About cipher suites
The following cipher suites are available:
· WEP (WEP40, WEP104, or WEP128).
· CCMP.
· TKIP.
Restrictions and guidelines
WEP128 cannot be set together with CCMP or with TKIP.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the cipher suite.
cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }
By default, no cipher suite is set.
Setting the PSK
Restrictions and guidelines
The PSK must be set if the AKM mode is PSK. If you configure the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the PSK.
preshared-key { pass-phrase | raw-key } { cipher | simple } string
By default, no PSK is set.
Setting the KDF
About KDFs
KDFs are used by 802.11i networks to generate PTKs and GTKs. KDFs include HMAC-SHA1 and HMAC-SHA256 algorithms. The HMAC-SHA256 algorithm is more secure than the HMAC-SHA1 algorithm.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the KDF.
key-derivation { sha1 | sha256 | sha1-and-sha256 }
By default, the HMAC-SHA1 algorithm is set.
Configuring GTK update
About GTK update
The system generates the GTK during key negotiation if the AKM, security IE, and cipher suite are configured. This feature updates the GTK to enhance key security based on the following updating modes:
· Time-based—The GTK is updated at the specified interval.
· Packet-based—The GTK is updated after the specified number of packets is sent.
· Offline-triggered—The GTK is updated when a client in the basic service set (BSS) goes offline.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable GTK update.
gtk-rekey enable
By default, GTK update is enabled.
4. (Optional.) Configure a GTK update method.
gtk-rekey method { packet-based [ packet ] | time-based [ time ] }
By default, the GTK is updated at an interval of 85400 seconds. The default packet quantity is 10000000 for packet-based GTK update.
5. (Optional.) Enable the offline-triggered GTK update.
gtk-rekey client-offline enable
By default, offline-triggered GTK update is disabled.
Configuring PTK update
About PTK update
The system generates the PTK during key negotiation when the AKM, security IE, and cipher suite are configured. This feature updates the PTK after the PTK lifetime expires.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable PTK update.
ptk-rekey enable
By default, PTK update is enabled.
4. Set the PTK lifetime.
ptk-lifetime time
By default, the PTK lifetime is 43200 seconds.
Setting the TKIP MIC failure hold time
About the TKIP MIC failure hold time
After configuring the TKIP, you can configure the TKIP MIC failure hold time. If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the TKIP MIC failure hold time.
tkip-cm-time time
By default, the TKIP MIC failure hold time is 0, and the AP takes no countermeasures.
Setting the WEP key
Restrictions and guidelines
The WEP key can be used to encrypt all packets for pre-RSNA networks and encrypt multicast packets for 802.11i networks. If the WEP key is not set, a pre-RSNA network does not encrypt packets and an 802.11i network uses the negotiated GTK to encrypt multicast packets.
Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Set the WEP key.
wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string
By default, no WEP key is set.
4. (Optional.) Apply the WEP key.
wep key-id { 1 | 2 | 3 | 4 }
By default, WEP key 1 is applied.
Configuring 802.11w management frame protection
About 802.11w management frame protection
When 802.11w management frame protection is disabled, network access is available for all clients, but management frame protection is not performed. When 802.11w management frame protection is enabled, network access and management frame protection availability varies by management frame protection mode.
· Optional mode—Network access is available for all clients, but management frame protection is performed only for clients that support management frame protection.
· Mandatory mode—Network access and management frame protection are available only for clients that support management frame protection.
Restrictions and guidelines
802.11w management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security IE.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable management frame protection.
pmf { optional | mandatory }
By default, management frame protection is disabled.
4. Set the interval for sending SA query requests.
pmf saquery retrytimeout timeout
By default, the interval for sending SA query requests is 200 milliseconds.
5. Set the maximum transmission attempts for SA query requests.
pmf saquery retrycount count
By default, the maximum retransmission attempt number is 4 for SA query requests.
6. Set the association comeback time.
pmf association-comeback time
By default, the association comeback time is 1 second.
Enabling the dynamic WEP mechanism
About dynamic WEP
If dynamic WEP is enabled, the keys used for packet encryption depend on whether a WEP key is configured.
· If a WEP key is configured, the dynamic WEP mechanism uses the configured WEP key as the multicast and broadcast WEP key. The negotiated unicast WEP key has an ID of 4 and the key length specified by the cipher suite.
· If no WEP key is configured, the length for both dynamic WEP keys is 104 bits. The negotiated unicast WEP key has an ID of 4. The generated multicast and broadcast WEP key has an ID of 1.
Restrictions and guidelines
The dynamic WEP mechanism must be used with the 802.1X authentication mode.
Procedure
1. Enter system view.
system-view
2. Enter WLAN service template view.
wlan service-template service-template-name
3. Enable the dynamic WEP mechanism.
wep mode dynamic
By default, the dynamic WEP mechanism is disabled.
Enabling SNMP notifications for WLAN security
About SNMP notifications
To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for WLAN security.
snmp-agent trap enable wlan usersec
By default, SNMP notifications are disabled for WLAN security.
Display and maintenance commands for WLAN security
Execute display commands in any view.
Task |
Command |
Display client information. |
display wlan client [ ap ap-name [ radio radio-id ] | mac-address mac-address | service-template service-template-name ] [ verbose ] For more information about this command, see "WLAN access commands." |
Display WLAN service template information. |
display wlan service-template [ service-template-name ] [ verbose ] For more information about this command, see "WLAN access commands." |
WLAN security configuration examples
Example: Configuring shared key authentication
Network requirements
As shown in Figure 30, the switch functions as a DHCP server to assign IP addresses to the AP and client. Configure shared key authentication to enable the client to access the network by using WEP key 12345.
Configuration procedure
# Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
# Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
# Configure a WEP40 plaintext key of 12345 as WEP key 2, and apply WEP key 2.
[AC-wlan-st-service1] cipher-suite wep40
[AC-wlan-st-service1] wep key 2 wep40 pass-phrase simple 12345
[AC-wlan-st-service1] wep key-id 2
# Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
# Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : Not configured
Security IE : Not configured
Cipher suite : WEP40
WEP key ID : 2
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring PSK authentication and bypass authentication
Network requirements
As shown in Figure 31, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and bypass authentication.
· Configure the client to use preshared key 12345678 to access the network.
Configuration procedure
1. Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
2. Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
3. Configure WLAN security for service template service1:
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AC-wlan-st-service1] akm mode psk
[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and WPA as the security IE.
[AC-wlan-st-service1] cipher-suite ccmp
[AC-wlan-st-service1] security-ie wpa
4. Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
5. Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
6. Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring PSK authentication and MAC authentication
Network requirements
As shown in Figure 32, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and MAC authentication so that the client can access the network by using login username abc and password 123.
· Configure the client to use preshared key 12345678 to access the network.
Configuration procedure
1. Configure a username of abc and a password of 123 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)
2. Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
3. Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
4. Configure WLAN security for service template service1:
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AC-wlan-st-service1] akm mode psk
[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and WPA as the security IE.
[AC-wlan-st-service1] cipher-suite ccmp
[AC-wlan-st-service1] security-ie wpa
# Configure MAC authentication.
[AC-wlan-st-service1] client-security authentication-mode mac
5. Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
6. Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter its view.
[AC] radius scheme radius1
# Specify the primary authentication server and accounting server.
[AC-radius-radius1] primary authentication 10.1.1.3 1812
[AC-radius-radius1] primary accounting 10.1.1.3 1813
# Set the shared keys for authentication and accounting to 12345678 in plaintext.
[AC-radius-radius1] key authentication simple 12345678
[AC-radius-radius1] key accounting simple 12345678
# Set the format for the usernames sent to the RADIUS server to match the RADIUS server configuration. Use one of the following:
- To exclude domain names from the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format without-domain
[AC-radius-radius1] quit
- To include domain names in the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format with-domain
[AC-radius-radius1] quit
7. Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.
[AC] domain dom1
[AC-isp-dom1] authentication lan-access radius-scheme radius1
[AC-isp-dom1] authorization lan-access radius-scheme radius1
[AC-isp-dom1] accounting lan-access radius-scheme radius1
[AC-isp-dom1] quit
8. Configure an ISP domain of dom1, a username of abc, and password 123 for the user.
[AC] mac-authentication mac domain dom1
[AC] mac-authentication user-name-format fixed account abc password simple 123
9. Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
10. Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
NOTE: For more information about the AAA and RADIUS commands in this section, see Security Command Reference.
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : MAC
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring 802.1X AKM
Network requirements
As shown in Figure 33, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and 802.1X authentication so that the client can access the network by using login username abcdef and password 123456.
· Configure 802.1X as the AKM mode.
Configuration procedure
1. Configure a username of abcdef and a password of 123456 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)
2. Configure the 802.1X client. (Details not shown.)
3. Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
4. Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
5. Configure WLAN security for service template service1:
# Configure 802.1X as the AKM mode.
[AC-wlan-st-service1] akm mode dot1x
# Configure CCMP as the cipher suite and WPA as the security IE.
[AC-wlan-st-service1] cipher-suite ccmp
[AC-wlan-st-service1] security-ie wpa
# Configure the 802.1X authentication mode.
[AC-wlan-st-service1] client-security authentication-mode dot1x
6. Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
7. Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter its view.
[AC] radius scheme radius1
# Specify the primary authentication server and accounting server.
[AC-radius-radius1] primary authentication 10.1.1.3 1812
[AC-radius-radius1] primary accounting 10.1.1.3 1813
# Set the shared keys for authentication and accounting to 12345 in plaintext.
[AC-radius-radius1] key authentication simple 12345
[AC-radius-radius1] key accounting simple 12345
# Set the format for the usernames sent to the RADIUS server to match the RADIUS server configuration. Use one of the following:
- To exclude domain names from the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format without-domain
[AC-radius-radius1] quit
- To include domain names in the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format with-domain
[AC-radius-radius1] quit
8. Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.
[AC] domain dom1
[AC-isp-dom1] authentication lan-access radius-scheme radius1
[AC-isp-dom1] authorization lan-access radius-scheme radius1
[AC-isp-dom1] accounting lan-access radius-scheme radius1
[AC-isp-dom1] quit
9. Configure ISP domain dom1 as the default ISP domain.
[AC] domain default enable dom1
10. Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
11. Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
NOTE: For more information about the AAA and RADIUS commands in this section, see Security Command Reference.
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : dot1x
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring management frame protection
Network requirements
As shown in Figure 34, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure the client to use preshared key 12345678 to access the network.
· Configure the CCMP cipher suite, RSN security IE, and management frame protection.
Configuration procedure
1. Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
2. Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
3. Configure management frame protection:
# Enable management frame protection in optional mode.
[AC-wlan-st-service1] pmf optional
# Set the KDF to sha1-and-sha256.
[AC-wlan-st-service1] key-derivation sha1-and-sha256
4. Configure the 802.11i mechanism:
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AC-wlan-st-service1] akm mode psk
[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and RSN as the security IE.
[AC-wlan-st-service1] cipher-suite ccmp
[AC-wlan-st-service1] security-ie rsn
5. Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
6. Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
7. Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : PSK
Security IE : RSN
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : Bypass
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : SHA1-AND-SHA256
PMF status : Optional
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
# Use the display wlan client verbose command to verify the management frame protection negotiation results after an 802.11w client comes online.
<AC> display wlan client verbose
Total number of clients: 1
MAC address : 5250-0012-0411
IPv4 address : 135.3.2.1
IPv6 address : N/A
Username : 11w
AID : 1
AP ID : 1
AP name : ap1
Radio ID : 1
SSID : service
BSSID : 1111-2222-3333
VLAN ID : 1
Sleep count : 147
Power save mode : Active
Wireless mode : 802.11a
Channel bandwidth : 20MHz
SM power save : Disabled
Short GI for 20MHz : Not supported
Short GI for 40MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
Block Ack : TID 0 In
Support HT-MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15
Supported rates : 1, 2, 5.5, 6, 9, 11,
12, 18, 24, 36, 48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 46
Rx/Tx rate : 39/65
Authentication method : Open system
Security mode : RSN
AKM mode : 802.1X
Cipher suite : CCMP
User authentication mode : 802.1X
Authorization ACL ID : N/A
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forwarding policy name : N/A
Online time : 0days 0hours 2minutes 56seconds
FT status : Inactive
Example: Configuring dynamic WEP
Network requirements
As shown in Figure 35, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure open system authentication and 802.1X authentication so that the client can access the network by using login username abcdef and password 123456.
· Configure the dynamic WEP mechanism.
Configuration procedure
1. Configure a username of abcdef and a password of 123456 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)
2. Configure the 802.1X client. (Details not shown.)
3. Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
4. Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
5. Enable the dynamic WEP mechanism.
[AC-wlan-st-service1] wep mode dynamic
6. Configure the 802.1X authentication mode.
[AC-wlan-st-service1] client-security authentication-mode dot1x
7. Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
8. Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter its view.
[AC] radius scheme radius1
# Specify the primary authentication server and accounting server.
[AC-radius-radius1] primary authentication 10.1.1.3 1812
[AC-radius-radius1] primary accounting 10.1.1.3 1813
# Set the shared keys for authentication and accounting to 12345 in plaintext.
[AC-radius-radius1] key authentication simple 12345
[AC-radius-radius1] key accounting simple 12345
# Set the format for the usernames sent to the RADIUS server to match the RADIUS server configuration. Use one of the following:
- To exclude domain names from the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format without-domain
[AC-radius-radius1] quit
- To include domain names in the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format with-domain
[AC-radius-radius1] quit
9. Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.
[AC] domain dom1
[AC-isp-dom1] authentication lan-access radius-scheme radius1
[AC-isp-dom1] authorization lan-access radius-scheme radius1
[AC-isp-dom1] accounting lan-access radius-scheme radius1
[AC-isp-dom1] quit
10. Configure ISP domain dom1 as the default ISP domain.
[AC] domain default enable dom1
11. Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
12. Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
NOTE: For more information about the AAA and RADIUS commands in this section, see Security Command Reference.
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : Not configured
Security IE : Not configured
Cipher suite : WEP104
WEP key ID : 1
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : 802.1X
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
Example: Configuring private PSK authentication and MAC authentication
Network requirements
As shown in Figure 36, the switch functions as a DHCP server to assign IP addresses to the AP and client.
· Configure the MAC authentication mode so that the client can access the network by using its MAC address as the login username and password.
· Configure the private PSK AKM mode so that the client can use its MAC address as the PSK.
Configuration procedure
1. Configure a username of 00-23-12-45-67-7a and a password of 00-23-12-45-67-7a on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)
2. Create a WLAN service template named service1.
<AC> system-view
[AC] wlan service-template service1
3. Specify an SSID of service for the service template.
[AC-wlan-st-service1] ssid service
4. Configure WLAN security for service template service1:
# Configure private PSK as the AKM mode.
[AC-wlan-st-service1] akm mode psk
# Configure CCMP as the cipher suite and WPA as the security IE.
[AC-wlan-st-service1] cipher-suite ccmp
[AC-wlan-st-service1] security-ie wpa
# Configure MAC authentication.
[AC-wlan-st-service1] client-security authentication-mode mac
5. Enable service template service1.
[AC-wlan-st-service1] service-template enable
[AC-wlan-st-service1] quit
6. Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter its view.
[AC] radius scheme radius1
# Specify the primary authentication server and accounting server.
[AC-radius-radius1] primary authentication 10.1.1.3 1812
[AC-radius-radius1] primary accounting 10.1.1.3 1813
# Set the shared keys for authentication and accounting to 12345678 in plaintext.
[AC-radius-radius1] key authentication simple 12345678
[AC-radius-radius1] key accounting simple 12345678
# Set the format for the usernames sent to the RADIUS server to match the RADIUS server configuration. Use one of the following:
- To exclude domain names from the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format without-domain
[AC-radius-radius1] quit
- To include domain names in the usernames sent to the RADIUS server:
[AC-radius-radius1] user-name-format with-domain
[AC-radius-radius1] quit
7. Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.
[AC] domain dom1
[AC-isp-dom1] authentication lan-access radius-scheme radius1
[AC-isp-dom1] authorization lan-access radius-scheme radius1
[AC-isp-dom1] accounting lan-access radius-scheme radius1
[AC-isp-dom1] quit
8. Configure the MAC address as the username and password for ISP domain dom1.
[AC] mac-authentication domain dom1
[AC] mac-authentication user-name-format mac-address with-hyphen lowercase
9. Create an AP named ap1 and specify the model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
10. Bind service template service1 to radio 1 of the AP and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
NOTE: For more information about the AAA and RADIUS commands in this section, see Security Command Reference.
Verifying the configuration
# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.
<AC> display wlan service-template service1 verbose
Service template name : service1
Description : Not configured
SSID : service
SSID-hide : Disabled
User-isolation : Disabled
Service template status : Enabled
Maximum clients per BSS : 64
Frame format : Dot3
Seamless roam status : Disabled
Seamless roam RSSI threshold : 50
Seamless roam RSSI gap : 20
VLAN ID : 1
AKM mode : Private-PSK
Security IE : WPA
Cipher suite : CCMP
TKIP countermeasure time : 0
PTK lifetime : 43200 sec
PTK rekey : Enabled
GTK rekey : Enabled
GTK rekey method : Time-based
GTK rekey time : 86400 sec
GTK rekey client-offline : Enabled
User authentication mode : MAC
Intrusion protection : Disabled
Intrusion protection mode : Temporary-block
Temporary block time : 180 sec
Temporary service stop time : 20 sec
Fail VLAN ID : Not configured
802.1X handshake : Disabled
802.1X handshake secure : Disabled
802.1X domain : Not configured
MAC-auth domain : Not configured
Max 802.1X users per BSS : 4096
Max MAC-auth users per BSS : 4096
802.1X re-authenticate : Disabled
Authorization fail mode : Online
Accounting fail mode : Online
Authorization : Permitted
Key derivation : N/A
PMF status : Disabled
Hotspot policy number : Not configured
Forwarding policy status : Disabled
Forwarding policy name : Not configured
Forwarder : AC
FT status : Disabled
QoS trust : Port
QoS priority : 0
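The PSK examples above configure a plaintext pass-phrase (12345678) under SSID service, and the private PSK example makes each client's own MAC address (formatted with-hyphen lowercase) its key. The following added example, not part of the H3C guide, shows what the AC and client actually derive from those inputs: the 256-bit PMK that IEEE 802.11i computes from a pass-phrase and SSID. The per-client variant assumes that the hyphenated lowercase MAC string is used verbatim as that client's pass-phrase; that is this example's assumption, not a description of H3C's implementation.

```python
import hashlib
import re

# Constructed values copied from the examples above; the pass-phrase is a
# documentation placeholder, not one to deploy.
SSID = "service"
PASSPHRASE = "12345678"
# Client MAC from the private PSK example, written in H3C's dotted notation.
CLIENT_MAC = "0023-1245-677a"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from a WPA/WPA2 pass-phrase as IEEE 802.11i
    specifies: PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes
    of output. The SSID acts as a salt, so the same pass-phrase under another
    SSID yields a different PMK and precomputed tables do not carry over."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA pass-phrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def mac_with_hyphen_lowercase(mac: str) -> str:
    """Render a MAC address the way 'mac-authentication user-name-format
    mac-address with-hyphen lowercase' does ('00-23-12-45-67-7a'), accepting
    the dotted '0023-1245-677a' and colon-separated forms as input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("a MAC address has exactly 12 hex digits")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def derive_private_pmk(mac: str, ssid: str) -> bytes:
    """Per-client PMK for the private PSK example. Assumption of this
    example (not a statement about H3C's implementation): the hyphenated
    lowercase MAC string is used verbatim as that client's pass-phrase."""
    return derive_pmk(mac_with_hyphen_lowercase(mac), ssid)


if __name__ == "__main__":
    print("PMK for the shared PSK :", derive_pmk(PASSPHRASE, SSID).hex())
    print("username/PSK for client:", mac_with_hyphen_lowercase(CLIENT_MAC))
    print("PMK for that client    :", derive_private_pmk(CLIENT_MAC, SSID).hex())
```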
Configuring WLAN authentication
About WLAN authentication
The term "AC" in this document refers to MSR routers that can function as ACs.
This chapter describes the H3C implementation of WLAN authentication. WLAN authentication performs MAC-based network access control for WLAN clients to ensure access security.
WLAN authentication includes the following authentication methods:
· 802.1X authentication—Uses Extensible Authentication Protocol (EAP) to transport authentication information for the client, the authenticator, and the authentication server.
· MAC authentication—Controls network access by authenticating source MAC addresses. The feature does not require any client software. Clients do not have to enter usernames or passwords for network access. The authenticator initiates a MAC authentication process when it detects an unknown source MAC address. If the MAC address passes authentication, the client can access authorized network resources. If the authentication fails, the authenticator marks the MAC address as a silent MAC address and rejects the client's access.
· OUI authentication—Examines the OUIs in the MAC addresses of clients. A client passes OUI authentication if the client's OUI matches one of the OUIs configured for the authenticator.
NOTE: An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.
Authentication modes
Authentication mode | Working mechanism | Whether intrusion protection can be triggered |
---|---|---|
bypass (the default) | Does not perform authentication. | No |
dot1x | Performs 802.1X authentication only. | Yes |
mac | Performs MAC authentication only. | Yes |
mac-then-dot1x | Performs MAC authentication first, and then 802.1X authentication. If the client passes MAC authentication, 802.1X authentication is not performed. | Yes |
dot1x-then-mac | Performs 802.1X authentication first, and then MAC authentication. If the client passes 802.1X authentication, MAC authentication is not performed. | Yes |
oui-then-dot1x | Performs OUI authentication first, and then 802.1X authentication. If the client passes OUI authentication, 802.1X authentication is not performed. | Yes |
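The ordering rules in the table above, plus the OUI match and the silent-MAC behaviour described for MAC authentication, as an added example that is not part of the H3C guide. The mac_auth and dot1x_auth callables are hypothetical stand-ins for the RADIUS or local lookups; recording a silent MAC only in standalone mac mode is a simplification of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Order in which each mode tries its methods; bypass tries none.
MODE_CHAIN: Dict[str, List[str]] = {
    "bypass": [],
    "dot1x": ["dot1x"],
    "mac": ["mac"],
    "mac-then-dot1x": ["mac", "dot1x"],
    "dot1x-then-mac": ["dot1x", "mac"],
    "oui-then-dot1x": ["oui", "dot1x"],
}


def hex_digits(value: str) -> str:
    return "".join(c for c in value.lower() if c in "0123456789abcdef")


def normalize_mac(mac: str) -> str:
    digits = hex_digits(mac)
    if len(digits) != 12:
        raise ValueError("a MAC address has exactly 12 hex digits")
    return digits


def oui_of(mac: str) -> str:
    """The OUI is the first three octets (24 bits) of the MAC address."""
    return normalize_mac(mac)[:6]


@dataclass
class WlanAuthenticator:
    mode: str
    # Hypothetical back ends: each receives the normalized MAC and returns
    # True when that method (RADIUS or local lookup, EAP exchange) passes.
    mac_auth: Callable[[str], bool] = lambda mac: False
    dot1x_auth: Callable[[str], bool] = lambda mac: False
    permitted_ouis: Set[str] = field(default_factory=set)
    silent_macs: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.mode not in MODE_CHAIN:
            raise ValueError(f"unknown authentication mode {self.mode!r}")
        ouis = {hex_digits(o) for o in self.permitted_ouis}
        if any(len(o) != 6 for o in ouis):
            raise ValueError("an OUI has exactly 6 hex digits")
        self.permitted_ouis = ouis

    @property
    def intrusion_protection_possible(self) -> bool:
        """Third column of the table: every mode except bypass can trigger it."""
        return self.mode != "bypass"

    def _try(self, method: str, mac: str) -> bool:
        if method == "oui":
            return oui_of(mac) in self.permitted_ouis
        if method == "mac":
            return self.mac_auth(mac)
        return self.dot1x_auth(mac)

    def authenticate(self, client_mac: str) -> Tuple[bool, Optional[str]]:
        """Return (access granted, method that decided it). Methods run in the
        table's order and stop at the first pass. A MAC that failed standalone
        MAC authentication is recorded as silent and rejected without a lookup."""
        mac = normalize_mac(client_mac)
        if self.mode == "bypass":
            return True, None
        if mac in self.silent_macs:
            return False, "mac"
        for method in MODE_CHAIN[self.mode]:
            if self._try(method, mac):
                return True, method
        if self.mode == "mac":
            self.silent_macs.add(mac)
        return False, MODE_CHAIN[self.mode][-1]
```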
802.1X authentication
For more information about 802.1X architecture, EAP relay, EAP termination, and EAP packet encapsulation, see Security Configuration Guide.
Authentication methods
You can perform 802.1X authentication on the authenticator (local authentication) or through a RADIUS server. For information about RADIUS authentication and local authentication, see AAA in Security Configuration Guide.
Authenticator
The authenticator authenticates the client to control access to the WLAN. Either the AC or the AP can be specified as the authenticator by using the client-security authentication-location command.
EAP packet encapsulation
802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the authenticator over a WLAN. Between the authenticator and the authentication server, 802.1X delivers authentication information by using one of the following methods:
· Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP relay."
· Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in "EAP termination."
For information about EAP packet encapsulation, see Security Configuration Guide.
EAP relay
In this mode, the authenticator uses EAPOR packets to send authentication information to the RADIUS server. The RADIUS server must support the EAP-Message and Message-Authenticator attributes.
Figure 37 shows the basic 802.1X authentication process in EAP relay mode. In this example, EAP-MD5 is used.
NOTE: If the AP is specified as the authenticator, it uses the same authentication process as Figure 37 except that the AP handles the EAP and RADIUS packets.
Figure 37 802.1X authentication process in EAP relay mode
The following steps describe the 802.1X authentication process:
1. When a user launches the 802.1X client and enters a registered username and password, the 802.1X client sends an EAPOL-Start packet to the authenticator.
For information about the client and AP association, see "Configuring WLAN security."
2. The authenticator responds with an EAP-Request/Identity packet to request the username.
3. The client sends the username in an EAP-Response/Identity packet to the authenticator.
4. The authenticator relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server.
5. The authentication server uses the identity in the RADIUS Access-Request packet to search its user database. If a matching entry is found, the server generates a random MD5 challenge, uses it to encrypt the password in the entry, and sends the challenge in an EAP-Request/MD5-Challenge packet encapsulated in a RADIUS Access-Challenge packet to the authenticator.
6. The authenticator transmits the EAP-Request/MD5-Challenge packet to the client.
7. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the authenticator.
8. The authenticator relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.
9. The authentication server compares the received encrypted password with the encrypted password it generated at step 5. If the two passwords are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the authenticator.
10. Upon receiving the RADIUS Access-Accept packet, the authenticator allows the client to access the network.
11. After the client comes online, the authenticator periodically sends handshake requests to examine whether the client is still online.
12. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a number of consecutive handshake attempts (two by default), the authenticator logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X clients that have abnormally gone offline.
13. The client sends an EAPOL-Logoff packet to request a logoff from the authenticator.
14. In response to the EAPOL-Logoff packet, the authenticator sends an EAP-Failure packet to the client.
EAP termination
In this mode, the authenticator performs the following operations:
1. Terminates the EAP packets received from the client.
2. Encapsulates the client authentication information in standard RADIUS packets.
3. Uses PAP or CHAP to communicate with the RADIUS server.
Figure 38 shows the basic 802.1X authentication process in EAP termination mode. In this example, CHAP authentication is used.
|
NOTE: If the AP is specified as the authenticator, it uses the same authentication process as Figure 38 except that the AP handles the EAP and RADIUS packets. |
Figure 38 802.1X authentication process in EAP termination mode
In EAP termination mode, the authentication device rather than the authentication server generates the MD5 challenge that is hashed with the password. The authentication device then sends the MD5 challenge together with the username and the hashed password in a standard RADIUS packet to the RADIUS server.
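The relay and termination exchanges above share one computation, the CHAP / EAP-MD5 response value MD5(Identifier || password || Challenge) from RFC 1994 and RFC 3748; the two modes differ only in which device generates the challenge and what is carried in the RADIUS packet. The following Python script is an added example, not code from this guide or from H3C: it runs both exchanges against a constructed user database (the `USER_DB` contents, the transcript format and the hypothetical `offline_guess` helper are assumptions). The last function shows the practical caveat: RFC 3748 lists no dictionary-attack protection and no key derivation for MD5-Challenge, so a captured challenge/response pair can be attacked offline, and the method cannot produce keying material for an RSNA WLAN.

```python
import hashlib
import hmac
import os

# Constructed user database: what the authentication server (or the local
# authenticator in EAP termination mode) stores for each account.
USER_DB = {"alice": b"s3cret-pass"}


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value (RFC 1994 4.1, RFC 3748 5.4):
    MD5(Identifier || password || Challenge). A one-way hash, not encryption."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_chap(identifier, stored_password, challenge, response) -> bool:
    """Verifier side: recompute from the stored password, compare in constant time."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def eap_relay_exchange(username, client_password, rng=os.urandom):
    """EAP relay: the RADIUS server generates the challenge (step 5) and verifies the
    response (step 9); the authenticator only moves EAP between EAPOL and RADIUS."""
    identifier = 1                     # EAP Identifier, echoed back in the response
    transcript = [("client->authenticator", "EAP-Response/Identity", username),
                  ("authenticator->server", "Access-Request[EAP-Message: Identity]", username)]
    challenge = rng(16)                # step 5: server-generated challenge
    transcript.append(("server->authenticator", "Access-Challenge[EAP-Request/MD5-Challenge]", challenge.hex()))
    transcript.append(("authenticator->client", "EAP-Request/MD5-Challenge", challenge.hex()))
    response = chap_response(identifier, client_password, challenge)   # step 7, on the client
    transcript.append(("client->authenticator", "EAP-Response/MD5-Challenge", response.hex()))
    transcript.append(("authenticator->server", "Access-Request[EAP-Message: MD5-Challenge]", response.hex()))
    stored = USER_DB.get(username)     # step 9, on the server
    accepted = stored is not None and verify_chap(identifier, stored, challenge, response)
    transcript.append(("server->authenticator", "Access-Accept" if accepted else "Access-Reject", ""))
    return accepted, transcript


def eap_termination_exchange(username, client_password, rng=os.urandom):
    """EAP termination with CHAP: the authenticator generates the challenge itself and sends
    User-Name, CHAP-Password and CHAP-Challenge (RFC 2865 5.1, 5.3, 5.40) to the server.
    CHAP-Password value = CHAP Ident (1 octet) followed by the 16-octet response."""
    identifier = 1
    challenge = rng(16)                # generated by the authenticator, not the server
    response = chap_response(identifier, client_password, challenge)
    access_request = {"User-Name": username,
                      "CHAP-Password": bytes([identifier]) + response,
                      "CHAP-Challenge": challenge}
    # Server side: recompute from the stored password and the challenge it was handed.
    stored = USER_DB.get(username)
    ident, resp = access_request["CHAP-Password"][0], access_request["CHAP-Password"][1:]
    accepted = stored is not None and verify_chap(ident, stored, access_request["CHAP-Challenge"], resp)
    return accepted, access_request


def offline_guess(identifier, challenge, response, wordlist):
    """Hypothetical attacker helper: with only the captured challenge and response, test
    candidate passwords offline (no traffic to the server, no lockout). Returns the first hit."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    ok, transcript = eap_relay_exchange("alice", b"s3cret-pass")
    for hop, message, payload in transcript:
        print(f"{hop:24} {message:48} {payload}")
    print("relay accepted:", ok)
    ok, attrs = eap_termination_exchange("alice", b"s3cret-pass")
    print("termination accepted:", ok, "CHAP-Challenge:", attrs["CHAP-Challenge"].hex())
    chal, resp = bytes.fromhex(transcript[2][2]), bytes.fromhex(transcript[4][2])
    print("offline guess from the transcript:", offline_guess(1, chal, resp, [b"password", b"s3cret-pass"]))
```

The `rng` parameter exists only so the exchange can be replayed deterministically; in both modes the challenge must be fresh and unpredictable, otherwise a recorded response can be replayed.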
802.1X authentication initiation
Both the client and the authenticator can initiate 802.1X authentication.
· Client initiation—After the client is associated with the authenticator, it sends an EAPOL-Start packet to the authenticator to initiate 802.1X authentication.
· Authenticator initiation—After the client is associated with the authenticator, the authenticator sends an EAP-Request/Identity packet to initiate the authentication. The authenticator retransmits the packet if no response has been received within the client timeout timer.
MAC authentication
Authentication methods
You can perform MAC authentication on the authenticator (local authentication) or through a RADIUS server. For information about RADIUS authentication and local authentication, see AAA in Security Configuration Guide.
Authenticator
The authenticator authenticates the client to control access to the WLAN. Either the AC or AP can be specified as the authenticator by using the client-security authentication-location command.
User account policies
User accounts are required for identifying clients. MAC authentication supports the following user account policies:
· One MAC-based user account for each client. The authenticator uses the source MAC address of each unknown client as both the username and the password for MAC authentication.
· One shared user account for all clients. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication clients on the authenticator. The username is a case-sensitive string of 1 to 55 characters which cannot include the at sign (@). The password can be a plaintext string of 1 to 63 characters or ciphertext string of 1 to 117 characters.
MAC authentication procedures
RADIUS authentication:
· MAC-based accounts—The authenticator sends the source MAC address of the packet as the username and password to the RADIUS server for authentication.
· A shared account—The authenticator sends the shared account username and password to the RADIUS server for authentication.
Local authentication:
· MAC-based accounts—The authenticator uses the source MAC address of the packet as the username and password to search the local account database for a match.
· A shared account—The authenticator uses the shared account username and password to search the local account database for a match.
Intrusion protection
When the authenticator detects an association request from a client that fails authentication, intrusion protection is triggered. The feature takes one of the following predefined actions on the BSS where the request is received:
· temporary-block (default)—Adds the source MAC address of the request to the blocked MAC address list and drops the request packet. The client at a blocked MAC address cannot establish connections with the AP within a period. To set the period, use the client-security intrusion-protection timer temporary-block command.
· service-stop—Stops the BSS where the request is received until the BSS is enabled manually on the radio interface.
· temporary-service-stop—Stops the BSS where the request is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.
|
NOTE: Intrusion protection action is not supported in bypass mode. |
WLAN VLAN manipulation
VLAN authorization
You can specify authorization VLANs for a WLAN client to control the client's access to network resources. When the client passes 802.1X or MAC authentication, the authentication server assigns the authorization VLAN information to the authenticator. When the device acts as the authenticator, it can resolve server-assigned VLANs of the following formats:
· VLAN ID.
· VLAN name.
The VLAN name represents the VLAN description on the access device.
· VLAN group name.
For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.
· Combination of VLAN IDs and VLAN names.
In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.
If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 25 describes the VLAN selection and assignment rules for a group of authorization VLANs.
Table 25 VLAN selection and assignment for a group of authorization VLANs
Types of authorized VLANs |
VLAN selection and assignment rules |
· VLANs by IDs · VLANs by names · Combination of VLAN IDs and VLAN names |
The device selects the VLAN with the lowest ID from the group of VLANs. |
VLAN group name |
1. The device selects the VLAN that has the fewest number of online users. 2. If multiple VLANs have the same number of online 802.1X users, the device selects the VLAN with the lowest ID. |
|
NOTE: The device converts VLAN names and VLAN group names into VLAN IDs before it assigns a VLAN to the client. |
The device fails VLAN authorization for a client in the following situations:
· The device fails to resolve the authorization VLAN information.
· The server assigns a VLAN name to the device, but the device does not have any VLAN using the name.
· The server assigns a VLAN group name to the device, but the VLAN group does not exist or the VLAN group has not been assigned any VLAN.
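Table 25 and the failure list above describe a small selection algorithm. The following Python is an added example, not code from this guide or from H3C. It assumes the server-assigned attribute has already been classified as either a list of IDs/names or a VLAN group name (the guide does not say how the two are told apart on the wire), and the `VlanTables` class is a constructed stand-in for the forwarding device's VLAN, VLAN-group and online-user tables. Each failure situation from the list raises `VlanAuthorizationError` rather than falling back to some other VLAN.

```python
import re


class VlanAuthorizationError(Exception):
    """Raised in the situations the text lists as VLAN authorization failures."""


class VlanTables:
    """Constructed view of the forwarding device's VLAN state (an assumption of this example)."""

    def __init__(self, vlans, groups, online_users):
        self.vlans = vlans                # vlan_id -> description (the VLAN "name")
        self.groups = groups              # group name -> list of member VLAN IDs
        self.online_users = online_users  # vlan_id -> number of online 802.1X users

    def id_by_name(self, name):
        for vid, description in self.vlans.items():
            if description == name:
                return vid
        raise VlanAuthorizationError(f"no VLAN on this device has the name {name!r}")


def resolve_token(tables, token):
    """One element of an ID / name / mixed list -> VLAN ID."""
    if re.fullmatch(r"[0-9]+", token):
        vid = int(token)
        if not 1 <= vid <= 4094:
            raise VlanAuthorizationError(f"cannot resolve VLAN ID {token}")
        return vid
    return tables.id_by_name(token)


def select_authorization_vlan(tables, assigned):
    """Apply the Table 25 rules to a classified authorization attribute.
    ("vlans", ["10", "sales", "30"])  IDs, names or a mix -> the lowest VLAN ID
    ("group", "staff")                 VLAN group name     -> fewest online users, ties to lowest ID
    """
    kind, value = assigned
    if kind == "vlans":
        if not value:
            raise VlanAuthorizationError("empty authorization VLAN list")
        # One unresolvable token fails the whole assignment; nothing is picked from the rest.
        ids = [resolve_token(tables, token) for token in value]
        return min(ids)
    if kind == "group":
        members = tables.groups.get(value)
        if not members:
            raise VlanAuthorizationError(f"VLAN group {value!r} does not exist or has no VLANs")
        return min(members, key=lambda vid: (tables.online_users.get(vid, 0), vid))
    raise VlanAuthorizationError(f"unknown authorization VLAN format {kind!r}")


if __name__ == "__main__":
    tables = VlanTables({10: "sales", 20: "eng", 30: "guest"}, {"staff": [20, 30]}, {10: 5, 20: 2, 30: 2})
    for assigned in [("vlans", ["30", "sales"]), ("group", "staff"), ("vlans", ["sales", "nosuch"])]:
        try:
            print(assigned, "->", select_authorization_vlan(tables, assigned))
        except VlanAuthorizationError as err:
            print(assigned, "-> authorization fails:", err)
```

Because the resolution uses the forwarding device's own tables, it must run on that device: in the remote VLAN assignment case described below the authenticator relays the raw attribute and the forwarding device performs this selection.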
Authorization VLAN information is used to control data forwarding, so it must be applied by the device that forwards data traffic. VLAN assignment can be local VLAN assignment or remote VLAN assignment, depending on whether the authenticator and the forwarding device are the same device.
· Local VLAN assignment—The authenticator and the forwarding device are the same device. After the authenticator obtains the authorization VLAN information, it resolves the information and assigns the VLAN.
· Remote VLAN assignment—The authenticator and the forwarding device are different devices. After the authenticator obtains the authorization VLAN information, it sends the information to the remote forwarding device. The forwarding device then resolves the information and assigns the VLAN.
For more information about VLANs, see Layer 2—LAN Switching Configuration Guide.
Auth-Fail VLAN
The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because they do not comply with the organization's security policy, for example, clients that entered a wrong username or password. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication because of authentication timeouts or network connection issues.
Clients in the Auth-Fail VLAN can access a limited set of network resources.
The authenticator reauthenticates a client in the Auth-Fail VLAN at the interval of 30 seconds.
· If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.
· If the client fails the reauthentication, the client is still in the Auth-Fail VLAN.
Clients that use RSNA cannot be assigned to the Auth-Fail VLAN after they fail 802.1X authentication. The authenticator directly logs off the clients.
The Auth-Fail VLAN feature takes precedence over intrusion protection. When a client fails authentication, the Auth-Fail VLAN setting applies first. If no Auth-Fail VLAN is configured, the intrusion protection feature takes effect. If neither feature is configured, the authenticator directly logs off the client.
Critical VLAN
The WLAN critical VLAN accommodates clients that have failed WLAN authentication because all RADIUS servers in their ISP domains are unreachable. Clients in the critical VLAN can access a limited set of network resources depending on the configuration.
The authenticator reauthenticates a client in the critical VLAN at the interval of 30 seconds.
· If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.
· If the client fails the reauthentication because all the RADIUS servers are unreachable, the client is still in the critical VLAN.
· If the client fails the reauthentication for any reason other than unreachable servers, the device assigns the client to the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the device handles the client depending on the intrusion protection setting. If the intrusion protection feature is not configured, the device logs off the client.
The critical VLAN feature does not take effect on clients that use RSNA. When these clients fail authentication because all the RADIUS servers are unreachable, the authenticator directly logs off the clients.
ACL assignment
You can specify an ACL for an 802.1X or MAC authentication client to control the client's access to network resources. After the client passes authentication, the authentication server assigns the ACL to the client for filtering traffic for this client. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure rules for the ACL on the authenticator. If the AP acts as the authenticator, you must configure the ACL rules on the AC.
To change the access control criteria for the client, you can use one of the following methods:
· Modify the ACL rules on the authenticator.
· Specify another ACL for the client on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.
User profile assignment
You can specify a user profile for a WLAN client to control the client's access to network resources. After the client passes 802.1X or MAC authentication, the authentication server assigns the user profile to the client for filtering traffic. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure the user profile on the authenticator. If the AP acts as the authenticator, you must configure the user profile on the AC.
To change the client's access permissions, you can use one of the following methods:
· Modify the user profile configuration on the authenticator.
· Specify another user profile for the client on the authentication server.
For more information about user profiles, see Security Configuration Guide.
BYOD access control
This feature allows the RADIUS server to push different registration pages and assign different authorization attributes to clients on different endpoint devices.
|
NOTE: This feature supports only IMC servers to act as the RADIUS server at the current version. |
The following process illustrates the BYOD access control for a WLAN client that passes 802.1X or MAC authentication:
1. The authenticator performs the following operations:
a. Obtains the Option 55 attribute from DHCP packets.
b. Delivers the Option 55 attribute to the RADIUS server.
On an IMC server, the Option 55 attribute will be delivered to UAM.
2. The BYOD-capable RADIUS server performs the following operations:
a. Uses the Option 55 attribute to identify endpoint device information including endpoint type, operating system, and vendor.
b. Sends a registration page and assigns authorization attributes to the client according to the device information.
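The authenticator's part of this process (steps 1a and 1b) is to pull option 55, the parameter request list (RFC 2132 section 9.8), out of the client's DHCP traffic. The following Python is an added example, not code from this guide or from H3C: a small DHCP options parser that rejects malformed packets instead of guessing, a fingerprint formatter, and a constructed DHCPDISCOVER builder used as its input. The comma-separated rendering of the option and the builder are assumptions; how IMC/UAM maps a fingerprint to an endpoint type, operating system and vendor is server-side and is not shown.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"        # RFC 2131 magic cookie at offset 236
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_END = 0, 53, 55, 255


def parse_dhcp_options(packet: bytes) -> dict:
    """Parse the options field of a BOOTP/DHCP packet (RFC 2131/2132) into {code: bytes}.
    Repeated codes are concatenated (RFC 3396). Raises ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:             # single-octet option, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError(f"truncated header for option {code}")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} overruns the packet")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def dhcp_fingerprint(packet: bytes):
    """Option 55 as the comma-separated list of requested option codes that the
    authenticator would hand to the RADIUS server; None if the client sent no option 55."""
    prl = parse_dhcp_options(packet).get(OPT_PARAM_REQ_LIST)
    if prl is None:
        return None
    return ",".join(str(code) for code in prl)


def build_dhcp_discover(client_mac: bytes, param_req_list=None, xid=0x12345678) -> bytes:
    """Constructed DHCPDISCOVER for the example: fixed 236-byte BOOTP header, magic cookie,
    message-type option, optional option 55, end option."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,            # op, htype, hlen, hops, xid, secs, flags
                         bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
                         client_mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    options = bytes([OPT_MSG_TYPE, 1, 1])                       # DHCPDISCOVER
    if param_req_list is not None:
        options += bytes([OPT_PARAM_REQ_LIST, len(param_req_list)]) + param_req_list
    return header + DHCP_MAGIC + options + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed parameter request list; real clients send lists characteristic of their OS.
    sample = build_dhcp_discover(b"\x00\x1a\x2b\x3c\x4d\x5e", bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    print("option 55 fingerprint:", dhcp_fingerprint(sample))
    try:
        dhcp_fingerprint(sample[:247])
    except ValueError as err:
        print("truncated packet rejected:", err)
```

Treat the fingerprint as a hint, not an authenticated attribute: option 55 is set by the client, so anything it drives on the server (registration page choice, authorization attributes) should not grant more than the credentials alone would.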
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
WLAN authentication tasks at a glance
Prerequisites for WLAN authentication
802.1X configuration prerequisites
Before you configure 802.1X authentication, complete the following tasks:
· Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see AAA in Security Configuration Guide.
· If RADIUS authentication is used, create user accounts on the RADIUS server.
· If local authentication is used, create local user accounts on the access device and set the service type to lan-access.
MAC authentication configuration prerequisites
Before you configure MAC authentication, configure an ISP domain and specify an AAA method. For more information, see AAA in Security Configuration Guide.
· For local authentication, you must also create local user accounts (including usernames and passwords) and specify the lan-access service for local users.
· For RADIUS authentication, make sure the device and the RADIUS server can reach each other and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.
Configuring global WLAN authentication parameters
Setting OUIs for OUI authentication
About setting OUI values for OUI authentication
Perform this task only for the oui-then-dot1x authentication mode.
Restrictions and guidelines
The device supports a maximum of 16 OUIs.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set OUI values for OUI authentication. |
By default, no OUI values are set for OUI authentication. For more information about this command, see Security Command Reference. |
Enabling EAP relay or EAP termination for 802.1X authentication
Restrictions and guidelines
If EAP relay mode is used, the following restrictions and guidelines apply:
· The user-name-format command in RADIUS scheme view does not take effect. The device sends the authentication data from the client to the server without any modification. For information about the user-name-format command, see Security Command Reference.
· Make sure the RADIUS server uses the same EAP authentication method as the client. On the authenticator, you only need to enable EAP relay with the dot1x authentication-method eap command.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable EAP relay or EAP termination. |
dot1x authentication-method { chap | eap | pap } |
By default, the device performs EAP termination and uses CHAP to communicate with the RADIUS server. For more information about this command, see Security Command Reference. |
Specifying 802.1X-supported domain name delimiters
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Specify a set of domain name delimiters for 802.1X clients. |
dot1x domain-delimiter string |
By default, only the at sign (@) delimiter is supported. For more information about this command, see Security Command Reference. |
Setting the maximum number of 802.1X authentication request attempts
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the maximum number of attempts for sending an 802.1X authentication request. |
dot1x retry max-retry-value |
The default setting is 2. For more information about this command, see Security Command Reference. |
Setting the 802.1X authentication timers
About 802.1X authentication timers
802.1X uses the following timers to control interactions with the client and the RADIUS server:
· Client timeout timer—Starts when the device sends an EAP-Request/MD5-Challenge packet to a client. If the device does not receive a response when this timer expires, it retransmits the request to the client. If the device has made the maximum transmission attempts without receiving a response, the client fails authentication. To set the maximum attempts, use the dot1x retry command.
· Server timeout timer—Starts when the device sends a RADIUS Access-Request packet to the authentication server. If the device does not receive a response when this timer expires, the device retransmits the request to the server.
· Handshake timer—Starts after a client passes authentication when the online user handshake is enabled. The device sends handshake messages to the client at every handshake interval. The device logs off the client if it does not receive any response from the client after the maximum handshake attempts. To set the maximum attempts, use the dot1x retry command.
· Periodic reauthentication timer—Starts after a client passes authentication when periodic online user reauthentication is enabled. The device reauthenticates the client at the configured interval. Any change to the timer takes effect only on clients that come online after the change.
Restrictions and guidelines
In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions. The following are two examples:
· In a low-speed network, increase the client timeout timer.
· In a network with authentication servers of different performances, adjust the server timeout timer.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the client timeout timer. |
dot1x timer supp-timeout supp-timeout-value |
The default setting is 30 seconds. For more information about this command, see Security Command Reference. |
3. Set the server timeout timer. |
dot1x timer server-timeout server-timeout-value |
The default setting is 100 seconds. For more information about this command, see Security Command Reference. |
4. Set the handshake timer. |
The default setting is 15 seconds. For more information about this command, see Security Command Reference. |
|
5. Set the periodic reauthentication timer. |
The default setting is 3600 seconds. For more information about this command, see Security Command Reference. |
Configuring the MAC authentication user account format
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure the MAC authentication user account format. |
· Use one MAC-based user account for each client.
· Use one shared user account for all clients. |
By default, the device uses the MAC address of a client as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case. For more information about this command, see Security Command Reference. |
Specifying a global MAC authentication domain
About MAC authentication domain selection
MAC authentication chooses an ISP domain for WLAN clients in the following order:
1. The domain specified on the service template.
2. The global MAC authentication domain specified in system view.
3. The default domain.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Specify an ISP domain for MAC authentication clients. |
By default, no ISP domain is specified for MAC authentication clients in system view. For more information about this command, see Security Command Reference. |
Setting the MAC authentication server timeout timer
About the MAC authentication server timeout timer
MAC authentication starts the server timeout timer when the device sends an authentication request to a RADIUS server. If the device does not receive any response from the RADIUS server before the timer expires, the device regards the server as unavailable. If the timer expires during MAC authentication, the client cannot access the network.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Set the MAC authentication server timeout timer. |
mac-authentication timer server-timeout server-timeout-value |
The default setting is 100 seconds. For more information about this command, see Security Command Reference. |
Configuring service-specific WLAN authentication parameters
Setting the authentication mode
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
N/A |
|
3. Set the authentication mode for WLAN clients. |
client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-then-dot1x | oui-then-dot1x } |
By default, the bypass mode applies. The device does not perform authentication. Clients can access the device directly. |
Specifying the authenticator for WLAN clients
About specifying the authenticator for WLAN authentication
You can specify the AC or AP to act as the authenticator to perform local or RADIUS-based authentication for WLAN clients.
Restrictions and guidelines
For a successful authentication, the authenticator cannot be the AP if the AC is configured to forward client data traffic. For information about specifying the device for forwarding client data traffic, see "Configuring WLAN access."
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Specify the authenticator for WLAN clients. |
client-security authentication-location { ac | ap } |
By default, the AC acts as the authenticator to authenticate WLAN clients. |
Specifying an EAP mode for 802.1X authentication
About specifying an EAP mode for 802.1X authentication
The EAP mode determines the EAP protocol provisions and packet format that the device uses to interact with clients.
802.1X supports the following EAP modes:
· extended—Requires the device to interact with clients according to the provisions and packet format defined by the H3C proprietary EAP protocol.
· standard—Requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.
Restrictions and guidelines
Perform this task only when an IMC server is used as the RADIUS server. Specify the extended mode for iNode clients, and specify the standard mode for other clients.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Specify an EAP mode for 802.1X authentication. |
dot1x eap { extended | standard } |
By default, the EAP mode is standard for 802.1X authentication. |
Ignoring 802.1X or MAC authentication failures
About ignoring 802.1X or MAC authentication failures
This feature applies to the following clients:
· Clients that use 802.1X authentication.
This feature enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.
· Clients that use both RADIUS-based MAC authentication and portal authentication.
Typically, a WLAN client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password each time portal authentication is performed.
This feature simplifies the authentication process for a client as follows:
· If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.
· If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failure and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server.
Restrictions and guidelines
For 802.1X clients that use RSN to roam to a new AP, do not configure this feature.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Configure the device to ignore 802.1X or MAC authentication failures. |
client-security ignore-authentication |
By default, the device does not ignore the authentication failures for wireless clients that perform 802.1X authentication or perform RADIUS-based MAC authentication. |
Enabling URL redirection for WLAN MAC authentication clients
About URL redirection
A client is allowed to pass RADIUS-based MAC authentication only when its credential information (username and password) and MAC address are recorded on the RADIUS server.
This feature facilitates MAC authentication for a client whose credential information and MAC address are not recorded on the RADIUS server. After this feature is enabled, RADIUS-based MAC authentication for the client proceeds as follows:
1. The RADIUS server assigns an authorization ACL and redirect URL after it receives the client's authentication request. The ACL denies the client's access to the external network.
2. The device redirects the client to the authentication page specified by the redirect URL when it receives the client's HTTP request.
3. On the authentication page, the client enters the username and password provided by the service provider to complete the Web authentication. The client's credential information and MAC address will be recorded.
4. After the client passes the Web authentication, the Web authentication server on the RADIUS server sends a DM request to log off the client.
For information about DMs, see AAA in Security Configuration Guide.
5. At the next MAC authentication attempt, the client can pass MAC authentication.
Restrictions and guidelines
This feature is applicable to scenarios where only RADIUS-based MAC authentication is used.
To cooperate with this feature, you must configure the authorization ACL and redirect URL for a client by following these restrictions and guidelines:
· The ACL must permit the client and the Web authentication server to exchange packets. For information about authorization ACLs, see MAC authentication in Security Configuration Guide.
· If the client uses DHCP to obtain a dynamic IP address, the ACL must permit the client and the DHCP server to exchange packets.
· You can configure other ACL rules as needed to filter packets.
· The redirect URL is the Web address that the client uses for Web authentication.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Enable URL redirection for WLAN authentication clients. |
client url-redirect enable |
By default, URL redirection is disabled for WLAN MAC authentication clients. |
Configuring a WLAN Auth-Fail VLAN
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
N/A |
|
3. Configure a WLAN Auth-Fail VLAN. |
By default, no WLAN Auth-Fail VLAN exists. You can configure only one Auth-Fail VLAN for the service template. |
Configuring a WLAN critical VLAN
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Configure a WLAN critical VLAN. |
By default, no WLAN critical VLAN exists. You can configure only one critical VLAN for the service template. |
Ignoring authorization information from the server
About ignoring authorization information from the server
You can configure the device to ignore the authorization information received from the server (local or remote) after a client passes 802.1X or MAC authentication. Authorization information includes VLAN, ACL, and user profile information.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Ignore the authorization information received from the authentication server. |
By default, authorization information received from the authentication server is used. |
Enabling the authorization-fail-offline feature
About the authorization-fail-offline feature
The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.
A client fails ACL or user profile authorization in the following situations:
· The device or server fails to authorize the specified ACL or user profile to the client.
· The authorized ACL or user profile does not exist.
Restrictions and guidelines
This feature does not apply to clients that fail VLAN authorization. The device always logs off these clients.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Enable the authorization-fail-offline feature. |
By default, this feature is disabled. The device does not log off clients that fail ACL or user profile authorization, and it outputs system logs. |
Configuring intrusion protection
About intrusion protection
This feature enables the device to take the predefined action on the BSS where an association request is received from a client that fails authentication. For more information, see "Intrusion protection."
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Enable the intrusion protection feature. |
By default, intrusion protection is disabled. |
|
4. (Optional.) Configure the intrusion protection action. |
By default, temporary-block is used. |
|
5. (Optional.) Set the blocking period for illegal clients. |
client-security intrusion-protection timer temporary-block time |
The default setting is 180 seconds. |
6. (Optional.) Set the silence period during which the BSS remains disabled. |
client-security intrusion-protection timer temporary-service-stop time |
The default setting is 20 seconds. |
Configuring the online user handshake feature
About the online user handshake feature
The online user handshake feature examines the connectivity status of online 802.1X clients. The device sends handshake messages to online clients at the interval specified by the dot1x timer handshake-period command. If the device does not receive any responses from an online client after it has made the maximum handshake attempts, the device sets the client to offline state.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Enable the online user handshake feature. |
dot1x handshake enable |
By default, this feature is disabled. |
Configuring the online user handshake security feature
About the online user handshake security feature
The online user handshake security feature adds authentication information to the handshake messages, which prevents unauthorized clients from impersonating authenticated 802.1X clients in handshake exchanges with the device. With this feature, the device compares the authentication information in a client's handshake response with the information assigned by the authentication server. If the two do not match, the device logs off the client.
Restrictions and guidelines
To use the online user handshake security feature, make sure the online user handshake feature is enabled.
The online user handshake security feature protects only online authenticated 802.1X clients.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Enable the online user handshake feature. |
By default, this feature is disabled. |
|
4. Enable the online user handshake security feature. |
By default, this feature is disabled. |
Specifying an 802.1X authentication domain
About 802.1X authentication domain selection
802.1X authentication chooses an ISP domain for WLAN clients in the following order:
· The domain specified on the service template.
· The domain specified by username.
· The default domain.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Specify an 802.1X authentication domain for the service template. |
By default, no 802.1X authentication domain is specified for the service template. |
Setting the maximum number of concurrent 802.1X clients
About the maximum number of concurrent 802.1X clients
When the maximum number of concurrent 802.1X clients is reached for a service template, new 802.1X clients are rejected.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Set the maximum number of concurrent 802.1X clients for a service template. |
The default setting is 4096. |
Enabling the periodic online user reauthentication feature
About periodic online user reauthentication
Periodic online user reauthentication tracks the connection status of online clients, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable.
The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).
· If the termination action is Default (logoff), periodic online user reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.
· If the termination action is Radius-request, the periodic online user reauthentication configuration on the device does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.
Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.
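The interaction between the device's periodic reauthentication timer and the server-assigned Session-Timeout and Termination-Action attributes is easy to get wrong when auditing a WLAN. The following Python snippet is an added example, not code from this guide or from the AC; it parses a constructed sample of display dot1x connection output (field names modeled on the output shown later in this chapter, values illustrative) and applies the two rules above to tell which timer will act on a client next. The function and sample names are hypothetical.

```python
import re
from typing import Optional, Tuple

# Constructed sample modeled on the "display dot1x connection" output format;
# the values are illustrative, not captured from a real AC.
SAMPLE_CONNECTION = """\
User MAC address            : 0023-8933-2090
AP name                     : ap1
User name                   : user
Authentication domain       : imc
Termination action          : Default
Session timeout period      : 6001 s
Online from                 : 2014/04/18 09:25:18
Online duration             : 0h 1m 1s
"""


def parse_connection(text: str) -> dict:
    """Turn the 'key : value' lines of display dot1x connection output into a dict.

    Only the first colon on a line separates key from value, so timestamps
    such as 09:25:18 in the value part survive intact.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def session_timeout_seconds(fields: dict) -> Optional[int]:
    """Extract the server-assigned Session-Timeout value in seconds, if any."""
    m = re.match(r"(\d+)\s*s", fields.get("Session timeout period", ""))
    return int(m.group(1)) if m else None


def next_session_event(fields: dict, reauth_period: Optional[int]) -> Tuple[Optional[int], str]:
    """Decide which timer acts on the client next.

    reauth_period: the device's periodic reauthentication timer in seconds,
    or None when periodic reauthentication is not enabled.
    Returns (seconds after login, what happens then).
    """
    action = fields.get("Termination action", "Default")
    timeout = session_timeout_seconds(fields)
    if action == "Radius-request":
        # The device's periodic timer is ignored; the client is reauthenticated
        # when the server-assigned session timeout expires.
        return timeout, "session-timeout-reauth"
    # Termination action Default (logoff): the periodic timer only takes effect
    # when it is shorter than the session timeout; otherwise the client is
    # logged off when the session timeout expires.
    if reauth_period is not None and (timeout is None or reauth_period < timeout):
        return reauth_period, "periodic-reauth"
    return timeout, "session-timeout-logoff"
```

A periodic timer equal to the session timeout is not "shorter", so the logoff branch wins in that case; an auditor who sets the timer without checking the server attributes can believe reauthentication is active when it never fires.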
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Enable periodic online user reauthentication. |
dot1x re-authenticate enable |
By default, this feature is disabled. |
Setting the maximum number of concurrent MAC authentication clients
About the maximum number of concurrent MAC authentication clients
When the maximum number of concurrent MAC authentication clients is reached for a service template, new MAC authentication clients are rejected.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Set the maximum number of concurrent MAC authentication clients for the service template. |
The default setting is 4096. |
Specifying a service-specific MAC authentication domain
About MAC authentication domain selection
MAC authentication chooses an ISP domain for WLAN clients in the following order:
· The domain specified on the service template.
· The global MAC authentication domain specified in system view.
· The default domain.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Specify an ISP domain for MAC authentication clients. |
mac-authentication domain domain-name |
By default, no ISP domain is specified for MAC authentication clients. |
Configuring the accounting-start trigger feature
About accounting-start trigger
This feature controls whether the device sends start-accounting requests to the accounting server for clients that use IP addresses of a specific type. The feature takes effect on clients that have passed 802.1X or MAC authentication. You can also set an accounting delay timer. When the timer is set, the device sends start-accounting requests for 802.1X or MAC authenticated clients only after the delay timer expires for those clients. For more information about accounting, see AAA in Security Configuration Guide.
Restrictions and guidelines
To configure an IP address type to have the accounting-start qualification, you must enable learning for IP addresses of that type. For information about wireless client IP address learning, see "Configuring WLAN IP snooping."
If you configure the accounting-start trigger feature on a service template that has been enabled, the configuration takes effect only on subsequent clients. It does not affect clients that have been online since before the feature is configured.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Specify an IP address type to have the accounting-start qualification. |
client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none } |
By default, only IPv4 addresses have the accounting-start qualification. |
4. (Optional.) Set the accounting delay. |
client-security accounting-delay time time [ no-ip-logoff ] |
By default, the device sends start-accounting requests for a client when it learns the required IP address of the client. |
Configuring the accounting-update trigger feature
About accounting-update trigger
This feature enables the device to send update-accounting requests to the accounting server for a client when the learned IP address of the client changes. The IP change-triggered accounting update facilitates precise accounting.
Restrictions and guidelines
This feature takes effect only when the accounting-start trigger feature takes effect.
This feature is independent of the periodic realtime accounting feature. For example, if you configure the accounting-update trigger as client IP addresses changing to IPv6 addresses and set the realtime accounting interval to 12 minutes, both settings take effect. For a client that uses the settings, the device sends update-accounting requests every 12 minutes and triggers accounting update whenever the client IP address changes to an IPv6 address. For more information about the realtime accounting interval, see AAA in Security Configuration Guide.
If you configure the accounting-update trigger feature on a service template that has been enabled, the configuration takes effect only on subsequent clients. It does not affect clients that have been online since before the feature is configured.
Procedure
To configure the accounting-update trigger feature:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter service template view. |
wlan service-template service-template-name |
N/A |
3. Specify an IP address type to have the accounting-update qualification. |
client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 } |
By default, the device sends update-accounting requests to the accounting server at the server-assigned or user-defined realtime accounting interval. |
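The accounting-start trigger, the accounting delay timer, and the accounting-update trigger together decide when the accounting server hears about a client and its addresses. The following Python model is an added example written for this page, not code from the guide or the AC firmware. It replays three constructed per-client timelines. Two points are assumptions because the guide does not spell them out: the trigger keyword none is taken to mean that no IP address is needed before start-accounting, and with a delay configured the start request is taken to go out once the delay has elapsed and the qualifying address type has been learned. All names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def ip_qualified(trigger: str, ipv4: Optional[str], ipv6: Optional[str]) -> bool:
    """True when the learned addresses satisfy a trigger keyword.

    'ipv4-ipv6' requires both address families. 'none' is valid only for the
    accounting-start trigger and is taken here to mean "no IP address needed"
    (an assumption; the guide does not define its behaviour).
    """
    if trigger == "ipv4":
        return ipv4 is not None
    if trigger == "ipv6":
        return ipv6 is not None
    if trigger == "ipv4-ipv6":
        return ipv4 is not None and ipv6 is not None
    if trigger == "none":
        return True
    raise ValueError(f"unknown trigger keyword: {trigger!r}")


@dataclass
class ClientAccounting:
    """Per-client accounting state for one authenticated 802.1X/MAC client."""
    start_trigger: str = "ipv4"            # guide default: only IPv4 qualifies
    update_trigger: Optional[str] = None   # None: no IP-change-triggered updates
    accounting_delay: int = 0              # seconds; 0 = no delay timer configured
    auth_time: int = 0
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None
    start_sent: bool = False
    requests: List[Tuple[int, str, Optional[str], Optional[str]]] = field(default_factory=list)

    def _maybe_start(self, now: int) -> None:
        # Assumption: with a delay configured, start-accounting goes out once the
        # delay has elapsed *and* the qualifying address type has been learned.
        if self.start_sent or now < self.auth_time + self.accounting_delay:
            return
        if ip_qualified(self.start_trigger, self.ipv4, self.ipv6):
            self.start_sent = True
            self.requests.append((now, "start", self.ipv4, self.ipv6))

    def authenticated(self, now: int) -> None:
        self.auth_time = now
        self._maybe_start(now)

    def delay_expired(self, now: int) -> None:
        """Called when the accounting delay timer fires for this client."""
        self._maybe_start(now)

    def learn_ip(self, now: int, addr: str) -> None:
        """IP snooping learned (or re-learned) an address for the client."""
        family = "ipv6" if ":" in addr else "ipv4"
        old = getattr(self, family)
        setattr(self, family, addr)
        if not self.start_sent:
            self._maybe_start(now)   # updates are only possible after start took effect
            return
        if old == addr or self.update_trigger is None:
            return
        # Update only when the changed family is covered by the update trigger.
        if self.update_trigger in (family, "ipv4-ipv6"):
            self.requests.append((now, "update", self.ipv4, self.ipv6))


def run_scenarios() -> dict:
    """Three constructed timelines; returns the requests each one produced."""
    out = {}
    # 1. Defaults plus an IPv6 update trigger.
    c = ClientAccounting(update_trigger="ipv6")
    c.authenticated(0)
    c.learn_ip(2, "10.18.1.100")     # IPv4 learned -> start
    c.learn_ip(5, "2001:db8::100")   # IPv6 learned -> update
    c.learn_ip(7, "10.18.1.101")     # IPv4 change -> no update (trigger is ipv6)
    out["default+ipv6-update"] = c.requests
    # 2. 30 s accounting delay: start waits for the timer even though IPv4 is known.
    c = ClientAccounting(accounting_delay=30)
    c.authenticated(0)
    c.learn_ip(2, "10.18.1.100")
    c.delay_expired(30)
    out["delay-30"] = c.requests
    # 3. Dual-stack requirement: start only after both families are learned.
    c = ClientAccounting(start_trigger="ipv4-ipv6", update_trigger="ipv4-ipv6")
    c.authenticated(0)
    c.learn_ip(1, "10.18.1.100")
    c.learn_ip(4, "2001:db8::100")
    c.learn_ip(9, "10.18.1.101")
    out["dual-stack"] = c.requests
    return out
```

The third scenario shows the operational risk of the ipv4-ipv6 keyword: a client that never obtains one of the two address families is never accounted for at all, which is why IP address learning for both types must be enabled before that keyword is chosen.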
Display and maintenance commands for WLAN authentication settings
Execute display commands in any view and reset commands in user view.
Task |
Command |
Display online 802.1X client information. |
display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name name-string ] |
Display 802.1X session connection information, statistics, or configuration information. |
|
Display MAC authentication connections. |
|
Display MAC authentication information. |
|
Display blocked MAC address information. |
display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ] |
Clear 802.1X statistics. |
reset dot1x statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ] |
Clear MAC authentication statistics. |
|
NOTE: For more information about the display dot1x connection, display dot1x, reset dot1x statistics, display mac-authentication connection, display mac-authentication, and reset mac-authentication statistics commands, see Security Command Reference. |
WLAN authentication configuration examples
Example: Configuring 802.1X CHAP local authentication
Network configuration
As shown in Figure 39, configure the AC to use CHAP to perform 802.1X local authentication for the client.
Procedure
1. Configure 802.1X and the local client:
# Configure the AC to perform EAP termination and use CHAP.
<AC> system-view
[AC] dot1x authentication-method chap
# Add a local network access user with username chap1 and password 123456 in plain text.
[AC] local-user chap1 class network
[AC-luser-network-chap1] password simple 123456
# Set the service type to lan-access.
[AC-luser-network-chap1] service-type lan-access
[AC-luser-network-chap1] quit
2. Configure AAA methods for the ISP domain:
# Create an ISP domain named local.
[AC] domain local
# Configure the ISP domain to use local authentication, local authorization, and local accounting for LAN clients.
[AC-isp-local] authentication lan-access local
[AC-isp-local] authorization lan-access local
[AC-isp-local] accounting lan-access local
[AC-isp-local] quit
3. Configure a service template:
# Create a service template named wlas_local_chap.
[AC] wlan service-template wlas_local_chap
# Set the authentication mode to 802.1X.
[AC-wlan-st-wlas_local_chap] client-security authentication-mode dot1x
# Specify ISP domain local for the service template.
[AC-wlan-st-wlas_local_chap] dot1x domain local
# Set the SSID to wlas_local_chap.
[AC-wlan-st-wlas_local_chap] ssid wlas_local_chap
# Enable the service template.
[AC-wlan-st-wlas_local_chap] service-template enable
[AC-wlan-st-wlas_local_chap] quit
4. Configure manual AP ap1, and bind the service template to the AP radio:
# Create ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio enable
# Bind service template wlas_local_chap to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template wlas_local_chap
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
Verifying the configuration
# Verify the 802.1X configuration.
[AC] display wlan service-template
[AC] display dot1x
# Display the client connection information after an 802.1X client passes authentication.
[AC] display dot1x connection
Example: Configuring 802.1X EAP-PEAP RADIUS authentication
Network configuration
As shown in Figure 40, configure the AC to perform 802.1X RADIUS authentication for the client by using EAP-PEAP.
Procedure
1. Configure the AC:
a. Configure 802.1X and the RADIUS scheme:
# Configure the AC to use EAP relay to authenticate 802.1X clients.
<AC> system-view
[AC] dot1x authentication-method eap
# Create a RADIUS scheme.
[AC] radius scheme imcc
# Specify the primary authentication server and the primary accounting server.
[AC-radius-imcc] primary authentication 10.18.1.88 1812
[AC-radius-imcc] primary accounting 10.18.1.88 1813
# Set the shared key for secure communication with the server to 12345678 in plain text.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Exclude domain names in the usernames sent to the RADIUS server.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
b. Configure AAA methods for the ISP domain:
# Create an ISP domain named imc.
[AC] domain imc
# Configure the ISP domain to use RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
c. Configure a service template:
# Create a service template named wlas_imc_peap.
[AC] wlan service-template wlas_imc_peap
# Set the authentication mode to 802.1X.
[AC-wlan-st-wlas_imc_peap] client-security authentication-mode dot1x
# Specify ISP domain imc for the service template.
[AC-wlan-st-wlas_imc_peap] dot1x domain imc
# Set the SSID to wlas_imc_peap.
[AC-wlan-st-wlas_imc_peap] ssid wlas_imc_peap
# Set the AKM mode to 802.1X.
[AC-wlan-st-wlas_imc_peap] akm mode dot1x
# Set the CCMP cipher suite.
[AC-wlan-st-wlas_imc_peap] cipher-suite ccmp
# Enable the RSN-IE in the beacon and probe responses.
[AC-wlan-st-wlas_imc_peap] security-ie rsn
# Enable the service template.
[AC-wlan-st-wlas_imc_peap] service-template enable
[AC-wlan-st-wlas_imc_peap] quit
d. Configure manual AP ap1, and bind the service template to an AP radio:
# Create ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio enable
# Bind service template wlas_imc_peap to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template wlas_imc_peap
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
2. Configure the RADIUS server:
In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1, and the EAP-PEAP certificate has been installed.
# Add an access device:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
c. Click Add.
The Add Access Device page appears.
d. In the Access Configuration area, configure the following parameters, as shown in Figure 41:
- Enter 12345678 in the Shared Key and Confirm Shared Key fields.
- Use the default values for other parameters.
e. In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.
f. Click OK.
Figure 41 Adding an access device
# Add an access policy:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Policy.
c. Click Add.
d. On the Add Access Policy page, configure the following parameters, as shown in Figure 42:
- Enter dot1x in the Access Policy Name field.
- Select EAP for the Certificate Authentication field.
- Select EAP-PEAP Auth from the Certificate Type list, and select MS-CHAPV2 Auth from the Certificate Sub-Type list.
The certificate sub-type on the IMC server must be the same as the identity authentication method configured on the client.
e. Click OK.
Figure 42 Adding an access policy
# Add an access service:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Service.
c. Click Add.
d. On the Add Access Service page, configure the following parameters, as shown in Figure 43:
- Enter dot1x in the Service Name field.
- Select dot1x from the Default Access Policy list.
e. Click OK.
Figure 43 Adding an access service
# Add an access user:
a. Click the User tab.
b. From the navigation tree, select Access User > All Access Users.
The access user list appears.
c. Click Add.
The Add Access User page appears.
d. In the Access Information area, configure the following parameters, as shown in Figure 44:
- Click Select or Add User to associate the user with IMC Platform user user.
- Enter user in the Account Name field.
- Enter dot1x in the Password and Confirm Password fields.
e. In the Access Service area, select dot1x from the list.
f. Click OK.
Figure 44 Adding an access user account
3. Configure the WLAN client:
The WLAN client has been installed with the EAP-PEAP certificate.
To configure the WLAN client, perform the following tasks (details not shown):
· Select PEAP for identity authentication.
· Disable the client from verifying the server certificate.
· Disable the client from automatically using the Windows login name and password.
Verifying the configuration
1. On the client, verify that you can use username user and password dot1x to access the network. (Details not shown.)
2. On the AC, perform the following tasks to verify that the user has passed authentication and come online:
# Display online 802.1X client information.
[AC] display dot1x connection
User MAC address : 0023-8933-2090
AP name : ap1
Radio ID : 1
SSID : wlas_imc_peap
BSSID : 000f-e201-0003
User name : user
Authentication domain : imc
Authentication method : EAP
Initial VLAN : 1
Authorization VLAN : N/A
Authorization ACL number : N/A
Authorization user profile : N/A
Termination action : Default
Session timeout period : 6001 s
Online from : 2014/04/18 09:25:18
Online duration : 0h 1m 1s
Total connections: 1.
# Display WLAN client information.
[AC] display wlan client
Total number of clients : 1
MAC address Username AP name RID IP address IPv6 address VLAN
0023-8933-2090 user ap1 1 10.18.1.100 1
Example: Configuring RADIUS-based MAC authentication
Network configuration
As shown in Figure 45, configure the AC to use the RADIUS server to perform MAC authentication for the client.
Procedure
Make sure the RADIUS server, AC, AP, and client can reach each other. (Details not shown.)
1. Configure the AC:
a. Configure the RADIUS scheme:
# Create a RADIUS scheme.
<AC> system-view
[AC] radius scheme imcc
# Specify the primary authentication server and the primary accounting server.
[AC-radius-imcc] primary authentication 10.18.1.88 1812
[AC-radius-imcc] primary accounting 10.18.1.88 1813
# Set the shared key for secure communication with the server to 12345678 in plain text.
[AC-radius-imcc] key authentication simple 12345678
[AC-radius-imcc] key accounting simple 12345678
# Exclude domain names in the usernames sent to the RADIUS server.
[AC-radius-imcc] user-name-format without-domain
[AC-radius-imcc] quit
b. Configure AAA methods for the ISP domain:
# Create an ISP domain named imc.
[AC] domain imc
# Configure the ISP domain to use RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.
[AC-isp-imc] authentication lan-access radius-scheme imcc
[AC-isp-imc] authorization lan-access radius-scheme imcc
[AC-isp-imc] accounting lan-access radius-scheme imcc
[AC-isp-imc] quit
c. Specify username 123 and password aaa_maca in plain text for the account shared by MAC authentication clients.
[AC] mac-authentication user-name-format fixed account 123 password simple aaa_maca
d. Configure a service template:
# Create a service template named maca_imc.
[AC] wlan service-template maca_imc
# Set the SSID to maca_imc.
[AC-wlan-st-maca_imc] ssid maca_imc
# Set the authentication mode to MAC authentication.
[AC-wlan-st-maca_imc] client-security authentication-mode mac
# Specify ISP domain imc for the service template.
[AC-wlan-st-maca_imc] mac-authentication domain imc
# Enable the service template.
[AC-wlan-st-maca_imc] service-template enable
[AC-wlan-st-maca_imc] quit
e. Configure manual AP ap1, and bind the service template to an AP radio:
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio enable
# Bind service template maca_imc to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template maca_imc
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
2. Configure the RADIUS server:
In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1.
# Add an access device:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Device Management > Access Device.
c. Click Add.
The Add Access Device page appears.
d. In the Access Configuration area, configure the following parameters, as shown in Figure 46:
- Enter 12345678 in the Shared Key and Confirm Shared Key fields.
- Use the default values for other parameters.
e. In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.
f. Click OK.
Figure 46 Adding an access device
# Add an access policy:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Policy.
c. Click Add.
d. On the Add Access Policy page, configure the following parameters, as shown in Figure 47:
- Enter aaa_maca in the Access Policy Name field.
- Use the default values for other parameters.
e. Click OK.
Figure 47 Adding an access policy
# Add an access service:
a. Click the User tab.
b. From the navigation tree, select User Access Policy > Access Service.
c. Click Add.
d. On the Add Access Service page, configure the following parameters, as shown in Figure 48:
- Enter aaa_maca in the Service Name field.
- Select aaa_maca from the Default Access Policy list.
e. Click OK.
Figure 48 Adding an access service
# Add an access user:
a. Click the User tab.
b. From the navigation tree, select Access User > All Access Users.
The access user list appears.
c. Click Add.
The Add Access User page appears.
d. In the Access Information area, configure the following parameters, as shown in Figure 49:
- Click Select or Add User to associate the user with IMC Platform user 123.
- Enter 123 in the Account Name field.
- Enter aaa_maca in the Password and Confirm Password fields.
e. In the Access Service area, select aaa_maca from the list.
f. Click OK.
Figure 49 Adding an access user account
Verifying the configuration
1. On the client, verify that you can use username 123 and password aaa_maca to access the network. (Details not shown.)
2. On the AC, perform the following tasks to verify that the user has passed authentication and come online:
# Display online MAC authentication client information.
[AC] display mac-authentication connection
User MAC address : 0023-8933-2098
AP name : ap1
Radio ID : 1
SSID : maca_imc
BSSID : 000f-e201-0001
User name : 123
Authentication domain : imc
Initial VLAN : 1
Authorization VLAN : N/A
Authorization ACL number : N/A
Authorization user profile : N/A
Termination action : Default
Session timeout period : 6001 s
Online from : 2014/04/17 17:21:12
Online duration : 0h 0m 30s
Total connections: 1.
# Display WLAN client information.
[AC] display wlan client
Total number of clients : 1
MAC address Username AP name RID IP address IPv6 address VLAN
0023-8933-2098 123 ap1 1 10.18.1.100 1
WIPS overview
The term "AC" in this document refers to MSR routers that can function as ACs.
About WIPS
Wireless Intrusion Prevention System (WIPS) helps you monitor your WLAN, detect attacks and rogue devices, and take countermeasures. WIPS provides a complete solution for WLAN security.
WIPS components
WIPS contains the network management module, ACs, and sensors (APs enabled with WIPS).
· The sensors monitor the WLAN, collect channel information, and report the information to the AC for further analysis.
· The AC determines attacks and rogue devices, takes countermeasures, and triggers alarms.
· The network management module allows you to configure WIPS in the Web interface. It provides configuration management, report generation, and alarm management functions.
WIPS features
WIPS provides the following features:
· Attack detection—WIPS detects attacks by listening for 802.11 frames and triggers alarms to notify the administrator.
· Signature-based attack detection—WIPS provides signature-based attack detection. A signature contains a packet identification method and actions to take on the matching packets.
· Device classification—WIPS identifies wireless devices by listening for 802.11 frames and classifies the devices based on the classification rules.
· Countermeasures—WIPS enables you to take countermeasures against rogue devices.
Attack detection
Flood attack detection
An AP might be facing a flood attack if it receives a large number of same-type frames within a short period of time. To prevent the AP from being overwhelmed, WIPS periodically examines incoming packet statistics, and triggers an alarm when it detects a suspicious flood attack. WIPS can detect the following flood attacks:
· Authentication request flood attack—Floods the association table of an AP by imitating many clients sending authentication requests to the AP.
· Probe request/association request/reassociation request flood attack—Floods the association table of an AP by imitating many clients sending probe requests/association requests/reassociation requests to the AP.
· EAPOL-start flood attack—Exhausts the AP's resources by imitating many clients sending EAPOL-start frames defined in IEEE 802.1X to the AP.
· Broadcast/unicast deauthentication flood attack—Spoofs deauthentication frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.
· Broadcast/unicast disassociation flood attack—Spoofs disassociation frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.
· RTS/CTS flood attack—Floods RTS/CTS frames to reserve the RF medium and force other wireless devices sharing the RF medium to hold back their transmissions. This attack takes advantage of vulnerabilities of the virtual carrier mechanism.
· Block Ack flood attack—Floods Block Ack frames to the AP to interrupt the operation of the Block Ack mechanism.
· Null data flood attack—Spoofs null data frames with a power management bit of 1 from a client to the AP. The AP determines that the client is in power save mode and buffers frames for the client. When the aging time of the buffered frames expires, the AP discards the frames. This interrupts the client's communication with the AP.
· Beacon flood attack—Floods beacon frames imitating a large number of fake APs to interrupt client association.
· EAPOL-logoff flood attack—The IEEE 802.1X standard defines the authentication protocol using Extensible Authentication Protocol over LANs (EAPOL). A client needs to send an EAPOL-logoff frame to terminate the session with an AP. The EAPOL-logoff frames are not authenticated, and an attacker can spoof EAPOL-logoff frames to disassociate a client.
· EAP-success/failure flood attack—In a WLAN using 802.1X authentication, an AP sends an EAP-success or EAP-failure frame to a client to inform the client of authentication success or failure. An attacker can spoof the MAC address of an AP to send EAP-success or EAP-failure frames to a client to disrupt the authentication process.
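All of the flood types above share one detection principle: too many same-type frames toward one BSS within a short period, usually from many fabricated sender addresses. The following Python sliding-window counter is an added example written for this page, not the AC's WIPS implementation; the per-subtype thresholds, the one-second window, and the sensor trace it analyses are all constructed, and the class and function names are hypothetical.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Per-subtype frame-count thresholds per window. Constructed values, not the
# AC's real defaults (the guide only says statistics are examined periodically).
DEFAULT_THRESHOLDS = {
    "auth-req": 50, "probe-req": 200, "assoc-req": 50, "reassoc-req": 50,
    "eapol-start": 50, "deauth": 30, "disassoc": 30, "rts": 300, "cts": 300,
    "block-ack": 100, "null-data": 100, "beacon": 200, "eapol-logoff": 30,
    "eap-success": 30, "eap-failure": 30,
}


class FloodDetector:
    """Sliding-window counter of same-type frames seen by one sensor.

    Frames are keyed by (subtype, BSSID) so one busy AP cannot mask another;
    distinct senders are counted because flood tools imitate many clients.
    """

    def __init__(self, window_s: float = 1.0, thresholds: Optional[Dict[str, int]] = None):
        self.window_s = window_s
        self.thresholds = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        self._frames: Dict[Tuple[str, str], deque] = defaultdict(deque)  # (ts, sender)
        self._alarmed: Dict[Tuple[str, str], float] = {}
        self.alarms: List[dict] = []

    def observe(self, ts: float, subtype: str, bssid: str, sender: str) -> bool:
        """Record one frame; return True if this frame raised a flood alarm."""
        key = (subtype, bssid)
        q = self._frames[key]
        q.append((ts, sender))
        while q and q[0][0] < ts - self.window_s:
            q.popleft()                       # drop frames older than the window
        threshold = self.thresholds.get(subtype)
        if threshold is None or len(q) <= threshold:
            return False
        last = self._alarmed.get(key)
        if last is not None and ts - last < self.window_s:
            return False                      # at most one alarm per window per key
        self._alarmed[key] = ts
        self.alarms.append({
            "time": ts, "subtype": subtype, "bssid": bssid,
            "frames": len(q), "distinct_senders": len({s for _, s in q}),
        })
        return True


def constructed_capture() -> List[Tuple[float, str, str, str]]:
    """Constructed sensor trace (not a real capture): 120 authentication
    requests from 120 fabricated client addresses in half a second, followed by
    ten legitimate probe requests from one client spread over ten seconds."""
    ap = "00:0f:e2:01:00:03"
    frames = [(i * 0.004, "auth-req", ap, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
              for i in range(120)]
    frames += [(5.0 + i, "probe-req", ap, "00:23:89:33:20:90") for i in range(10)]
    return frames


def analyse(frames: List[Tuple[float, str, str, str]]) -> List[dict]:
    """Run the detector over a trace and return the alarms it raised."""
    det = FloodDetector()
    for ts, subtype, bssid, sender in frames:
        det.observe(ts, subtype, bssid, sender)
    return det.alarms
```

The distinct-sender count in each alarm is what separates a genuine burst (one or a few real clients retrying) from a flood that fabricates client addresses; a responder triaging the alarm would look at that number first.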
Malformed packet detection
WIPS determines that a frame is malformed if the frame matches the criteria shown in Table 26, and it then triggers alarms and logs.
Table 26 Malformed frame match criteria
Detection type |
Applicable frames |
Match criteria |
Invalid IE length detection |
All management frames |
The IE length does not conform to the 802.11 protocol. The remaining length of the IE is not zero after the packet is resolved. |
Duplicate IE detection |
All management frames |
Duplicate IE. This type of detection is not applicable to vendor-defined IEs. |
Redundant IE detection |
All management frames |
The IE is not a necessary IE to the frame and is not a reserved IE. |
Invalid packet length detection |
All management frames |
The remaining length of the IE is not zero after the packet payload is resolved. |
Abnormal IBSS and ESS setting detection |
· Beacon frames · Probe response frames |
Both IBSS and ESS are set to 1. |
Malformed authentication request frame detection |
Authentication request frames |
· The authentication algorithm number does not conform to the 802.11 protocol and is larger than 3. · The authentication transaction sequence number is 1 and the status code is not 0. · The authentication transaction sequence number is larger than 4. |
Malformed association request frame detection |
Association request frames |
The frame length is 0. |
Malformed HT IE detection |
· Beacon frames · Probe responses · Association responses · Reassociation requests |
· The SM power save value for the HT capabilities IE is 2. · The secondary channel offset value for the HT operation IE is 2. |
Oversized duration detection |
· Unicast management frames · Unicast data frames · RTS, CTS, and ACK frames |
The packet duration value is larger than the specified threshold. |
Malformed probe response frame detection |
Probe response frames |
The frame is not a mesh frame and its SSID length is 0. |
Invalid deauthentication code detection |
Deauthentication frames |
The reason code is 0 or is in the range of 67 to 65535. |
Invalid disassociation code detection |
Disassociation frames |
The reason code is 0 or is in the range of 67 to 65535. |
Oversized SSID detection |
· Beacon frames · Probe requests · Probe responses · Association request frames |
The SSID length is larger than 32. |
FATA-Jack detection |
Authentication frames |
The value of the authentication algorithm number is 2. |
Invalid source address detection |
All management frames |
· The TO DS is 1, indicating that the frame is sent to the AP by a client. · The source MAC address of the frame is a multicast or broadcast address. |
Oversized EAPOL key detection |
EAPOL-Key frames |
The TO DS is 1 and the length of the key is larger than 0. |
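Most rows of Table 26 are simple field checks on a decoded frame. The following Python checker is an added example, not the AC's WIPS code: it encodes the table's criteria over constructed frame descriptors (plain dicts describing already-parsed fields, not raw 802.11 captures). The duration threshold is a constructed value, since the guide only says it is "specified", and the descriptor field names and function names are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

MGMT = {"assoc-req", "assoc-resp", "reassoc-req", "reassoc-resp", "probe-req",
        "probe-resp", "beacon", "disassoc", "auth", "deauth", "action"}
VENDOR_SPECIFIC_IE = 221       # vendor-defined IEs are exempt from duplicate-IE detection
DURATION_THRESHOLD_US = 5000   # constructed threshold; the AC's is operator-specified
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_addr(mac: str) -> bool:
    """Multicast/broadcast MAC: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def ssid_length(ies: List[Tuple[int, bytes]]) -> Optional[int]:
    """Length of the SSID IE (element ID 0), or None when the frame carries none."""
    for eid, body in ies:
        if eid == 0:
            return len(body)
    return None


def check_frame(f: Dict) -> List[str]:
    """Return the Table 26 detection types matched by one frame descriptor."""
    st, hits = f["subtype"], []
    ies = f.get("ies", [])
    slen = ssid_length(ies)
    if st in MGMT:
        if f.get("to_ds") and is_group_addr(f["src"]):
            hits.append("invalid-source-address")
        seen = set()
        for eid, _ in ies:
            if eid != VENDOR_SPECIFIC_IE and eid in seen:
                hits.append("duplicate-ie")
                break
            seen.add(eid)
        if f.get("ie_bytes_remaining", 0) != 0:   # IE parser did not consume every byte
            hits.append("invalid-ie-length")
    if st in ("beacon", "probe-resp") and f.get("ess") and f.get("ibss"):
        hits.append("abnormal-ibss-ess")
    if st == "auth":
        alg, seq, status = f.get("auth_alg", 0), f.get("auth_seq", 1), f.get("status", 0)
        if alg == 2:
            hits.append("fata-jack")
        if alg > 3 or (seq == 1 and status != 0) or seq > 4:
            hits.append("malformed-auth-request")
    if st == "assoc-req" and f.get("body_len", 1) == 0:
        hits.append("malformed-assoc-request")
    if st in ("beacon", "probe-resp", "assoc-resp", "reassoc-req"):
        if f.get("ht_sm_power_save") == 2 or f.get("ht_secondary_offset") == 2:
            hits.append("malformed-ht-ie")
    unicast = not is_group_addr(f.get("dst", BROADCAST))
    if (st in ("rts", "cts", "ack") or (st in MGMT | {"data"} and unicast)) \
            and f.get("duration", 0) > DURATION_THRESHOLD_US:
        hits.append("oversized-duration")
    if st == "probe-resp" and not f.get("mesh") and slen == 0:
        hits.append("malformed-probe-response")
    if st in ("deauth", "disassoc"):
        rc = f.get("reason_code", 1)
        if rc == 0 or 67 <= rc <= 65535:
            hits.append("invalid-deauthentication-code" if st == "deauth"
                        else "invalid-disassociation-code")
    if st in ("beacon", "probe-req", "probe-resp", "assoc-req") and slen is not None and slen > 32:
        hits.append("oversized-ssid")
    if st == "eapol-key" and f.get("to_ds") and f.get("key_len", 0) > 0:
        hits.append("oversized-eapol-key")
    return hits


# Constructed frame descriptors (not captures) that exercise several rows of Table 26.
SAMPLE_FRAMES = {
    "clean-beacon": {"subtype": "beacon", "src": "00:0f:e2:01:00:03", "dst": BROADCAST,
                     "ess": 1, "ibss": 0, "ies": [(0, b"wlas_imc_peap"), (1, b"\x82\x84")]},
    "deauth-reason-0": {"subtype": "deauth", "src": "00:0f:e2:01:00:03",
                        "dst": "00:23:89:33:20:90", "reason_code": 0},
    "fata-jack": {"subtype": "auth", "src": "00:23:89:33:20:90", "dst": "00:0f:e2:01:00:03",
                  "auth_alg": 2, "auth_seq": 1, "status": 0},
    "long-ssid-probe": {"subtype": "probe-req", "src": "00:23:89:33:20:90", "dst": BROADCAST,
                        "ies": [(0, b"A" * 33)]},
    "group-src-to-ds": {"subtype": "assoc-req", "src": "01:00:5e:00:00:01",
                        "dst": "00:0f:e2:01:00:03", "to_ds": 1, "body_len": 40},
    "dup-ie-beacon": {"subtype": "beacon", "src": "00:0f:e2:01:00:03", "dst": BROADCAST,
                      "ess": 1, "ies": [(0, b"x"), (1, b"\x82"), (1, b"\x82"),
                                        (221, b"\x00"), (221, b"\x00")]},
}


def scan(frames: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Check every constructed frame and map its name to the detections it triggers."""
    return {name: check_frame(fr) for name, fr in frames.items()}
```

Two rows are deliberately represented by pre-parsed fields rather than re-implemented: invalid IE length and invalid packet length both reduce to "the IE parser had bytes left over", so the descriptor carries that leftover count and the rule fires on it.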
Spoofing attack detection
In a spoofing attack, the attacker sends frames on behalf of another device to threaten the network. WIPS supports detection of the following spoofing attacks:
· Frame spoofing—A fake AP spoofs an authorized AP to send beacon or probe response frames to induce clients to associate with it.
· AP MAC address spoofing—A client spoofs an authorized AP to send deauthentication or disassociation frames to other clients. This can cause the clients to go offline and affect the correct operation of the WLAN.
· Client MAC address spoofing—A fake AP spoofs an authorized client to associate with an authorized AP.
Frame spoofing attack detection
WIPS calculates the startup time of an AP by using the frame receiving time and timestamp. If the calculated startup time of the AP is not the same as the startup time recorded in WIPS, WIPS determines that this is a spoofing attack.
AP MAC address spoofing attack detection
WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the AP MAC address table, WIPS determines that this is a spoofing attack.
Client MAC address spoofing attack detection
WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the client MAC address table, WIPS determines that this is a spoofing attack.
Weak IV detection
When the RC4 encryption algorithm, used by the WEP security protocol, uses an insecure IV, the WEP key is more likely to be cracked. An IV is a weak IV if its first byte is smaller than 16 (decimal) and its second byte is FF. WIPS prevents this kind of attack by detecting the IV in each WEP packet.
Omerta attack detection
Omerta is a DoS attack tool based on the 802.11 protocol. It sends disassociation frames with the reason code 0x01 to disassociate clients. Reason code 0x01 indicates an unknown disassociation reason. WIPS detects Omerta attacks by detecting the reason code of each disassociation frame.
Broadcast disassociation/deauthentication attack detection
An attacker spoofs a legitimate AP to send a broadcast disassociation or deauthentication frame to log off all clients associated with the AP.
Detection on clients with the 40 MHz bandwidth mode disabled
802.11n devices support both the 20 MHz and 40 MHz bandwidth modes. If the 40 MHz bandwidth mode is disabled on a client, other clients associated with the same AP as the client must also use the 20 MHz bandwidth. This affects network throughput and efficiency.
WIPS detects such clients by detecting probe request frames sent by the clients.
Power save attack detection
An attacker spoofs the MAC address of a client to send power save on frames to an AP. The AP caches the frames for the client. The attacked client cannot receive data frames because the AP determines that the client is still in power save mode. When the aging time of the cached frames expires, the AP discards the frames. WIPS detects power save attacks by determining the ratio of power save on frames to power save off frames.
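The two frame-level checks described above (weak IV detection and power save attack detection) as an added example that is not part of the guide, run over constructed 802.11 frames. The 24-byte non-QoS header layout, reading the WEP IV from the first three body bytes, and the meaning given to minoffpacket and onoffpercent are this example's assumptions.

```python
from collections import defaultdict

FC_TYPE_DATA = 2
FLAG_TO_DS = 0x01
FLAG_PWR_MGT = 0x10      # Power Management bit in the frame control flags byte
FLAG_PROTECTED = 0x40    # Protected Frame bit; body is assumed to start with the 3-byte WEP IV

def build_frame(ftype, subtype, flags, addr1, addr2, addr3, body=b"", seq=0):
    """Constructed non-QoS 802.11 frame: FC(2) + duration(2) + 3 addresses + seq ctrl(2) + body."""
    fc0 = (subtype << 4) | (ftype << 2)
    header = bytes([fc0, flags]) + b"\x00\x00" + addr1 + addr2 + addr3
    header += (seq << 4).to_bytes(2, "little")
    return header + body

def parse_frame(frame):
    """Header fields needed by the two checks; assumes a 24-byte non-QoS header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "pwr_mgt": bool(flags & FLAG_PWR_MGT),
        "protected": bool(flags & FLAG_PROTECTED),
        "addr2": frame[10:16].hex(":"),   # transmitter address
        "body": frame[24:],
    }

def is_weak_iv(iv):
    """The guide's rule: an IV is weak when its first byte is below 16 and its second byte is 0xFF."""
    return len(iv) >= 3 and iv[0] < 16 and iv[1] == 0xFF

def weak_iv_senders(frames):
    """Transmitter addresses of protected data frames whose 3-byte WEP IV is weak."""
    hits = []
    for frame in frames:
        h = parse_frame(frame)
        if h["type"] == FC_TYPE_DATA and h["protected"] and is_weak_iv(h["body"][:3]):
            hits.append(h["addr2"])
    return hits

def power_save_alarms(frames, minoffpacket=10, onoffpercent=200):
    """Per transmitter, count data frames sent with PS on versus PS off within one
    statistics interval. Alarm when at least minoffpacket PS-off frames were seen and
    the on/off ratio exceeds onoffpercent percent (assumed semantics, modelled on the
    keywords of the power-save command)."""
    on, off = defaultdict(int), defaultdict(int)
    for frame in frames:
        h = parse_frame(frame)
        if h["type"] != FC_TYPE_DATA:
            continue
        (on if h["pwr_mgt"] else off)[h["addr2"]] += 1
    alarms = [sta for sta in set(on) | set(off)
              if off[sta] >= minoffpacket and on[sta] * 100 > off[sta] * onoffpercent]
    return sorted(alarms)

# Constructed sample traffic (placeholder addresses, not captured data).
AP = bytes.fromhex("0a1b2c3d4e5f")
STA = bytes.fromhex("a1b2c3d4e5f6")
SAMPLE_FRAMES = [
    # one WEP data frame with a weak IV (05 FF 33) and one with an ordinary IV
    build_frame(FC_TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, AP, STA, AP, bytes([0x05, 0xFF, 0x33]) + b"ct"),
    build_frame(FC_TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, AP, STA, AP, bytes([0x21, 0x04, 0x77]) + b"ct"),
]
# 12 null-data frames with PS off from the real client, then 30 PS-on frames sent in its name
SAMPLE_FRAMES += [build_frame(FC_TYPE_DATA, 4, FLAG_TO_DS, AP, STA, AP) for _ in range(12)]
SAMPLE_FRAMES += [build_frame(FC_TYPE_DATA, 4, FLAG_TO_DS | FLAG_PWR_MGT, AP, STA, AP) for _ in range(30)]

if __name__ == "__main__":
    print("weak IV senders:", weak_iv_senders(SAMPLE_FRAMES))
    print("power save alarms:", power_save_alarms(SAMPLE_FRAMES))
```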
Prohibited channel detection
After you configure a permitted channel list and enable prohibited channel detection, WIPS determines that channels that are not in the permitted channel list are prohibited channels.
Soft AP detection
A soft AP refers to a client that acts as an AP and provides wireless services. An attacker can access the internal network through a soft AP and then initiate further attacks. WIPS detects soft APs by detecting the interval at which a device switches its roles between client and AP. WIPS does not perform soft AP detection on unassociated clients.
Windows bridge detection
When a wireless client connected to a wired network establishes a Windows bridge through the wired NIC, the client can bridge an external AP with the internal network. This might bring security problems to the internal network. WIPS detects Windows bridges by analyzing data frames sent by associated clients.
Unencrypted device detection
An authorized AP or client that is transmitting unencrypted frames might bring security problems to the network. WIPS detects unencrypted devices by analyzing the frames sent by the authorized APs or clients.
Hotspot attack detection
An attacker sets up a rogue AP with the same SSID as a hotspot to lure the clients to associate with it. After the clients associate with the malicious AP, the attacker initiates further attacks to obtain client information.
You can configure a hotspot file to enable WIPS to detect hotspot attacks.
AP impersonation attack detection
In an AP impersonation attack, a malicious AP that has the same BSSID and ESSID as a legitimate AP lures the clients to associate with it. Then this impersonating AP initiates hotspot attacks or fools the detection system.
WIPS detects AP impersonation attacks by detecting the interval at which an AP sends beacon frames.
HT-greenfield AP detection
An AP operating in HT-greenfield mode might cause collisions, errors, and retransmissions because it cannot communicate with 802.11a/b/g devices. WIPS detects HT-greenfield APs by analyzing the beacon frames or probe response frames sent by APs.
Honeypot AP detection
In a honeypot AP attack, the attacker sets up a malicious AP to lure clients to associate with it. The SSID of the malicious AP is similar to the SSID of a legitimate AP. After a client associates with a honeypot AP, the honeypot AP initiates further attacks such as port scanning or fake authentication to obtain client information.
WIPS detects honeypot APs by detecting SSIDs of external APs. If the similarity between the SSID of an external AP and the SSID of a legitimate AP reaches the specified threshold, WIPS generates an alarm.
MITM attack detection
In an MITM attack, the attacker sets up a rogue AP and lures a client to associate with it. Then the rogue AP spoofs the MAC address of the client to associate with the authorized AP. When the client and the authorized AP communicate, the rogue AP captures packets from both the client and the authorized AP. The rogue AP might modify the frames and obtain the frame information. WIPS detects MITM attacks by detecting clients that are disassociated from an authorized AP and associated with a honeypot AP. WIPS can detect MITM attacks only when you enable both honeypot AP detection and MITM attack detection.
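The honeypot AP check and the MITM check that builds on it, as an added example that is not from the guide: external SSIDs are scored against the legitimate SSIDs, and a client that leaves an authorized AP and then associates with a flagged BSSID is reported. The guide names no similarity metric, so the difflib ratio (case-insensitive, in percent), the event format and all addresses are assumptions.

```python
from difflib import SequenceMatcher

def ssid_similarity(a, b):
    """Similarity of two SSIDs in percent. The metric (difflib ratio on the lower-cased
    strings) is this example's assumption; the guide only speaks of a similarity threshold."""
    return round(SequenceMatcher(None, a.lower(), b.lower()).ratio() * 100)

def honeypot_alarms(legit_ssids, external_aps, similarity=80):
    """external_aps: iterable of (bssid, ssid). One alarm per external AP whose SSID
    reaches the threshold against any legitimate SSID; reports the best match and score."""
    alarms = []
    for bssid, ssid in external_aps:
        best = max(((ssid_similarity(ssid, legit), legit) for legit in legit_ssids), default=(0, None))
        if best[0] >= similarity:
            alarms.append((bssid, ssid, best[1], best[0]))
    return alarms

def mitm_alarms(events, authorized_bssids, honeypot_bssids):
    """events: ordered (client, 'assoc' | 'disassoc', bssid) tuples. A client that is
    disassociated from an authorized AP and then associates with a BSSID flagged by the
    honeypot check is reported, as the guide describes for MITM detection."""
    left_authorized = set()
    alarms = []
    for client, kind, bssid in events:
        if kind == "disassoc" and bssid in authorized_bssids:
            left_authorized.add(client)
        elif kind == "assoc":
            if bssid in honeypot_bssids and client in left_authorized:
                alarms.append((client, bssid))
            left_authorized.discard(client)
    return alarms

# Constructed sample data (placeholder addresses, not real devices).
LEGIT_SSIDS = ["Corp-WLAN"]
AUTHORIZED_BSSIDS = {"00:11:22:33:44:aa"}
EXTERNAL_APS = [
    ("00:11:22:33:44:01", "Corp-WLAN1"),    # one character appended
    ("00:11:22:33:44:02", "Corp_WLAN"),     # separator swapped
    ("00:11:22:33:44:03", "Airport-Free"),  # unrelated neighbour
]
EVENTS = [
    ("c0:ff:ee:00:00:01", "assoc", "00:11:22:33:44:aa"),
    ("c0:ff:ee:00:00:01", "disassoc", "00:11:22:33:44:aa"),
    ("c0:ff:ee:00:00:01", "assoc", "00:11:22:33:44:01"),   # re-joins the honeypot
    ("c0:ff:ee:00:00:02", "disassoc", "00:11:22:33:44:aa"),
    ("c0:ff:ee:00:00:02", "assoc", "00:11:22:33:44:aa"),   # legitimate reconnect
]

def run():
    """Chain the two checks: honeypot BSSIDs feed the MITM check."""
    honeypots = {alarm[0] for alarm in honeypot_alarms(LEGIT_SSIDS, EXTERNAL_APS)}
    return honeypots, mitm_alarms(EVENTS, AUTHORIZED_BSSIDS, honeypots)

if __name__ == "__main__":
    print(run())
```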
Wireless bridge detection
An attacker might intrude on the internal networks through a wireless bridge. When detecting a wireless bridge, WIPS generates an alarm. If the wireless bridge is in a mesh network, WIPS records the mesh link.
Association/reassociation DoS attack detection
An association/reassociation DoS attack floods the association table of an AP by imitating many clients sending association requests to the AP. When the number of entries in the table reaches the upper limit, the AP cannot process requests from legitimate clients.
AP flood attack detection
WIPS detects the number of APs in the WLAN and triggers an alarm for an AP flood attack when the number of APs exceeds the specified threshold.
Device entry attack detection
Attackers can send invalid packets to WIPS to increase processing costs. WIPS periodically examines the learned device entries to determine whether to rate limit device entry learning. If the number of AP or client entries learned within the specified interval exceeds the threshold, WIPS triggers an alarm and stops learning new entries.
Signature-based attack detection
WIPS provides signature-based attack detection. A signature contains a packet identification method and actions to take on the matching packets. The sensor matches the detected packets against the signature, and takes actions defined in the signature if a packet matches the signature.
A signature can contain a maximum of six subsignatures, which can be defined based on the frame type, MAC address, serial ID, SSID length, SSID, and frame pattern. A packet matches a signature only when it matches all the subsignatures in the signature.
Device classification
AP classification
AP categories
As shown in Table 27, WIPS classifies detected APs according to the predefined classification rules.
Category | Description | Classification rule |
---|---|---|
Authorized AP | An AP that is permitted in the WLAN. | · Has been connected to the AC and not in the prohibited device list. · Configured as an authorized AP. · In the permitted device list. · Classified as an authorized AP by a user-defined AP classification rule. |
Rogue AP | An AP that cannot be used in the WLAN. | · In the prohibited device list. · Not in the OUI configuration file. · Configured as a rogue AP. · Classified as a rogue AP by a user-defined AP classification rule. If the wired port on an AP has been connected to the network and the AP is not connected to the AC, the AP might be a rogue AP. |
Misconfigured AP | An AP that can be used in the WLAN but has incorrect configuration. | · Configured as a misconfigured AP. · Classified as a misconfigured AP by a user-defined AP classification rule. |
External AP | An AP that is in an adjacent WLAN. | · Configured as an external AP. · Classified as an external AP by a user-defined AP classification rule. |
Ad hoc | An AP operating in Ad hoc mode. WIPS detects Ad hoc APs by listening to beacon frames. | N/A |
Mesh AP | An AP in a WLAN mesh network. | WIPS identifies mesh APs through beacon frames. |
Potential-authorized AP | An AP that is possibly authorized. | An AP is a potential-authorized AP if it meets all the following conditions: · Not in the permitted device list. · Not in the prohibited device list. · Not in the trusted SSID list. · Not in the trusted OUI list. · Has been connected to the AC. · Not manually classified. · Does not match any user-defined AP classification rules. |
Potential-rogue AP | An AP that is possibly a rogue AP. | Has incorrect wireless configuration and is not in any one of the following lists: · Permitted device list. · Prohibited device list. · Trusted OUI list. If the wired port on an AP has been connected to the network, the AP is a rogue AP. |
Potential-external AP | An AP that is possibly an external AP. | · Has incorrect wireless service configuration. · The wired port has not been connected to the network. · Not in any one of the following lists: - Permitted device list. - Prohibited device list. - Trusted OUI list. |
Uncategorized AP | An AP whose category cannot be determined. | N/A |
AP classification flow
WIPS classifies detected APs by following the process shown in Figure 50.
Figure 50 AP classification flow
Client classification
Client categories
As shown in Table 28, WIPS classifies detected clients based on the predefined classification rules.
Table 28 Client classification
Category | Description | Classification rule |
---|---|---|
Authorized client | A client that is permitted in the WLAN. | · In the prohibited device list and associated with an authorized AP. · Has passed authentication and is associated with an authorized AP. |
Unauthorized client | A client that cannot be used in the WLAN. | · In the prohibited device list. · Associated with a rogue AP. · Not in the OUI configuration file. |
Misassociated client | A client that is associated with an unauthorized AP. | In the permitted device list but associated with an unauthorized AP. A misassociated client might introduce security threats to the network. |
Uncategorized client | A client whose category cannot be determined. | N/A |
Client classification flow
WIPS classifies detected clients by following the process shown in Figure 51.
Figure 51 Client classification flow
Countermeasures
Rogue devices are susceptible to attacks and might bring security problems to the WLAN. WIPS enables you to take countermeasures against rogue devices.
Configuring WIPS
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
WIPS tasks at a glance
Tasks at a glance |
---|
(Required.) Enabling WIPS |
(Optional.) Configuring attack detection: |
(Optional.) Configuring signature-based attack detection: |
(Optional.) Configuring device classification: · Configuring an automatic device classification policy |
(Optional.) Configuring countermeasures: |
(Optional.) Detecting clients with NAT configured |
(Optional.) Configuring the alarm-ignoring feature |
(Optional.) Configuring APs to perform WIPS scanning while providing access services |
(Optional.) Configuring OUIs |
Enabling WIPS
About enabling WIPS
You can divide a wireless network into multiple virtual security domains (VSDs) and apply different policies to these VSDs.
Before configuring WIPS for a radio of an AP, you must add the AP to a VSD.
Procedure
To enable WIPS in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Add the AP to a VSD. | wips virtual-security-domain vsd-name | By default, an AP uses the configuration in AP group view. |
4. Enter radio view. | radio radio-id | N/A |
5. Enable WIPS. | wips enable | By default, an AP uses the configuration in AP group view. |
To enable WIPS in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Add the AP group to a VSD. | wips virtual-security-domain vsd-name | By default, an AP group is not in any VSD. |
4. Enter AP model view. | ap-model ap-model | N/A |
5. Enter radio view. | radio radio-id | N/A |
6. Enable WIPS. | wips enable | By default, WIPS is disabled. |
Configuring attack detection
Configuring an attack detection policy
Configuring a flood attack detection policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | By default, the WIPS view is not configured. |
3. Create an attack detection policy and enter its view. | detect policy policy-name | By default, no attack detection policies exist. |
4. Configure association request flood attack detection. | flood association-request [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, association request flood attack detection is disabled. |
5. Configure authentication request flood attack detection. | flood authentication [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, authentication request flood attack detection is disabled. |
6. Configure beacon flood attack detection. | flood beacon [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, beacon flood attack detection is disabled. |
7. Configure Block Ack flood attack detection. | flood block-ack [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, Block Ack flood attack detection is disabled. |
8. Configure RTS flood attack detection. | flood rts [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, RTS flood attack detection is disabled. |
9. Configure CTS flood attack detection. | flood cts [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, CTS flood attack detection is disabled. |
10. Configure deauthentication flood attack detection. | flood deauthentication [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, deauthentication flood attack detection is disabled. |
11. Configure disassociation flood attack detection. | flood disassociation [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, disassociation flood attack detection is disabled. |
12. Configure EAPOL-start flood attack detection. | flood eapol-start [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, EAPOL-start flood attack detection is disabled. |
13. Configure null data flood attack detection. | flood null data [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, null data flood attack detection is disabled. |
14. Configure probe request flood attack detection. | flood probe-request [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, probe request flood attack detection is disabled. |
15. Configure reassociation request flood attack detection. | flood reassociation-request [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, reassociation request flood attack detection is disabled. |
16. Configure EAPOL-logoff flood attack detection. | flood eapol-logoff [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, EAPOL-logoff flood attack detection is disabled. |
17. Configure EAP-failure flood attack detection. | flood eap-failure [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, EAP-failure flood attack detection is disabled. |
18. Configure EAP-success flood attack detection. | flood eap-success [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, EAP-success flood attack detection is disabled. |
Configuring a malformed packet detection policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create an attack detection policy and enter its view. | detect policy policy-name | By default, no attack detection policies exist. |
4. Configure duplicated IE detection. | malformed duplicated-ie [ quiet quiet-value ] | By default, duplicated IE detection is disabled. |
5. Configure FATA-Jack detection. | malformed fata-jack [ quiet quiet-value ] | By default, FATA-Jack detection is disabled. |
6. Configure abnormal IBSS or ESS setting detection. | malformed illegal-ibss-ess [ quiet quiet-value ] | By default, abnormal IBSS or ESS setting detection is disabled. |
7. Configure invalid source address detection. | malformed invalid-address-combination [ quiet quiet-value ] | By default, invalid source address detection is disabled. |
8. Configure malformed association request frame detection. | malformed invalid-assoc-req [ quiet quiet-value ] | By default, malformed association request frame detection is disabled. |
9. Configure malformed authentication request frame detection. | malformed invalid-auth [ quiet quiet-value ] | By default, malformed authentication request frame detection is disabled. |
10. Configure invalid deauthentication code detection. | malformed invalid-deauth-code [ quiet quiet-value ] | By default, invalid deauthentication code detection is disabled. |
11. Configure invalid disassociation code detection. | malformed invalid-disassoc-code [ quiet quiet-value ] | By default, invalid disassociation code detection is disabled. |
12. Configure invalid IE length detection. | malformed invalid-ie-length [ quiet quiet-value ] | By default, invalid IE length detection is disabled. |
13. Configure malformed HT IE detection. | malformed invalid-ht-ie [ quiet quiet-value ] | By default, malformed HT IE detection is disabled. |
14. Configure invalid packet length detection. | malformed invalid-pkt-length [ quiet quiet-value ] | By default, invalid packet length detection is disabled. |
15. Configure oversized duration detection. | malformed large-duration [ quiet quiet-value \| threshold value ] | By default, oversized duration detection is disabled. |
16. Configure malformed probe response frame detection. | malformed null-probe-resp [ quiet quiet-value ] | By default, malformed probe response frame detection is disabled. |
17. Configure oversized EAPOL key detection. | malformed overflow-eapol-key [ quiet quiet-value ] | By default, oversized EAPOL key detection is disabled. |
18. Configure oversized SSID detection. | malformed overflow-ssid [ quiet quiet-value ] | By default, oversized SSID detection is disabled. |
19. Configure redundant IE detection. | malformed redundant-ie [ quiet quiet-value ] | By default, redundant IE detection is disabled. |
Configuring an attack detection policy for other attacks
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create an attack detection policy and enter its view. | detect policy policy-name | By default, no attack detection policies exist. |
4. Configure client MAC address spoofing attack detection. | client-spoofing [ quiet quiet-value ] | By default, client MAC address spoofing attack detection is disabled. |
5. Configure AP MAC address spoofing attack detection. | ap-spoofing [ quiet quiet-value ] | By default, AP MAC address spoofing attack detection is disabled. |
6. Configure weak IV detection. | weak-iv [ quiet quiet-value ] | By default, weak IV detection is disabled. |
7. Configure Omerta attack detection. | omerta [ quiet quiet-value ] | By default, Omerta attack detection is disabled. |
8. Configure broadcast disassociation attack detection. | disassociation-broadcast [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, broadcast disassociation attack detection is disabled. |
9. Configure spoof deauthentication frame detection. | deauth-spoofing [ quiet quiet ] | By default, spoof deauthentication frame detection is disabled. |
10. Configure broadcast deauthentication attack detection. | deauthentication-broadcast [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, broadcast deauthentication attack detection is disabled. |
11. Configure detection on clients with the 40 MHz bandwidth mode disabled. | ht-40mhz-intolerance [ quiet quiet-value ] | By default, detection on clients with the 40 MHz bandwidth mode disabled is disabled. |
12. Configure power saving attack detection. | power-save [ interval interval-value \| minoffpacket packet-value \| onoffpercent percent-value \| quiet quiet-value ] * | By default, power saving attack detection is disabled. |
13. Configure the permitted channel list. | permit-channel channel-id-list | By default, no channel is added to the permitted channel list. |
14. Configure prohibited channel detection. | prohibited-channel [ quiet quiet-value ] | By default, prohibited channel detection is disabled. |
15. Configure Windows bridge detection. | windows-bridge [ quiet quiet-value ] | By default, Windows bridge detection is disabled. |
16. Configure unencrypted authorized AP detection. | unencrypted-authorized-ap [ quiet quiet-value ] | By default, unencrypted authorized AP detection is disabled. |
17. Configure unencrypted authorized client detection. | unencrypted-trust-client [ quiet quiet-value ] | By default, unencrypted authorized client detection is disabled. |
18. Configure soft AP detection. | soft-ap [ convert-time time-value ] | By default, soft AP detection is disabled. |
19. Configure AP impersonation attack detection. | ap-impersonation [ quiet quiet-value ] | By default, AP impersonation attack detection is disabled. |
20. Configure HT-greenfield AP detection. | ht-greenfield [ quiet quiet-value ] | By default, HT-greenfield AP detection is disabled. |
21. Configure association/reassociation DoS attack detection. | association-table-overflow [ quiet quiet-value ] | By default, association/reassociation DoS attack detection is disabled. |
22. Configure wireless bridge detection. | wireless-bridge [ quiet quiet-value ] | By default, wireless bridge detection is disabled. |
23. Configure AP flood attack detection. | ap-flood [ apnum apnum-value \| exceed exceed-value \| quiet quiet-value ] * | By default, AP flood attack detection is disabled. |
24. Configure honeypot AP detection. | honeypot-ap [ similarity similarity-value \| quiet quiet-value ] * | By default, honeypot AP detection is disabled. |
25. Configure MITM attack detection. | man-in-the-middle [ quiet quiet-value ] | By default, MITM attack detection is disabled. |
26. Configure channel change detection. | ap-channel-change [ quiet quiet-value ] | By default, channel change detection is disabled. |
27. Return to WIPS view. | quit | N/A |
28. Import hotspot information from a configuration file. | import hotspot file-name | By default, no hotspot information is imported. |
29. Create an attack detection policy and enter its view. | detect policy policy-name | By default, no attack detection policies exist. |
30. Configure hotspot attack detection. | hotspot-attack [ quiet quiet-value ] | By default, hotspot attack detection is disabled. |
Configuring a device entry attack detection policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create an attack detection policy and enter its view. | detect policy policy-name | By default, no attack detection policies exist. |
4. Rate limit client entry learning. | client-rate-limit [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, the statistics collection interval is 60 seconds, the quiet time is 1200 seconds, and the client entry threshold is 512. |
5. Set a client entry timer. | client-timer inactive inactive-value aging aging-value | By default, the inactive time is 300 seconds, and the aging time is 600 seconds. When a client does not receive or send packets within the inactive time, WIPS sets the client to inactive state. When a client does not receive or send frames within the aging time, WIPS deletes the entry. |
6. Rate limit AP entry learning. | ap-rate-limit [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, the statistics collection interval is 60 seconds, the quiet time is 1200 seconds, and the AP entry threshold is 64. |
7. Set an AP entry timer. | ap-timer inactive inactive-value aging aging-value | By default, the inactive time for APs is 300 seconds, and the aging time is 600 seconds. When an AP does not receive or send packets within the inactive time, WIPS sets the AP to inactive state. When an AP does not receive or send frames within the aging time, WIPS deletes the entry. |
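The interval/threshold/quiet mechanism shared by the flood attack detection policy above and the device entry rate limits in this procedure, together with the inactive and aging timers, as an added example that is not from the guide. It generalizes beyond the device entry case to any per-key event count (a deauthentication flood is used for the first run); the fixed-window counting and the choice to reject the entry that crosses the threshold are assumptions, since the guide does not describe the vendor's algorithm.

```python
class IntervalThresholdDetector:
    """Per-key event counting over fixed statistics intervals.

    An alarm is raised when the count in the current interval exceeds threshold;
    the key is then silenced for quiet seconds so that one burst yields one alarm.
    The keywords mirror the interval/threshold/quiet parameters of the flood and
    rate-limit commands; the fixed-window algorithm is this example's assumption.
    """

    def __init__(self, interval=60, threshold=50, quiet=600):
        self.interval, self.threshold, self.quiet = interval, threshold, quiet
        self.window_start, self.count, self.quiet_until = {}, {}, {}
        self.alarms = []   # (key, time) pairs

    def silenced(self, key, now):
        return now < self.quiet_until.get(key, float("-inf"))

    def observe(self, key, now):
        """Record one event; return True when this event triggers an alarm."""
        if self.silenced(key, now):
            return False
        start = self.window_start.get(key)
        if start is None or now - start >= self.interval:
            self.window_start[key], self.count[key] = now, 0
        self.count[key] += 1
        if self.count[key] > self.threshold:
            self.alarms.append((key, now))
            self.quiet_until[key] = now + self.quiet
            self.count[key] = 0
            return True
        return False


class DeviceTable:
    """Learned AP or client entries with the guide's inactive and aging timers and
    rate-limited learning: when more than threshold new entries appear within one
    interval, an alarm is raised and learning stops until the quiet time ends."""

    def __init__(self, interval=60, threshold=64, quiet=1200, inactive=300, aging=600):
        self.limiter = IntervalThresholdDetector(interval, threshold, quiet)
        self.inactive, self.aging = inactive, aging
        self.last_seen = {}   # mac -> time of the last frame sent or received

    def learn(self, mac, now):
        """Refresh an existing entry or learn a new one; False when learning is blocked."""
        if mac in self.last_seen:
            self.last_seen[mac] = now
            return True
        if self.limiter.silenced("learn", now) or self.limiter.observe("learn", now):
            return False   # quiet period, or this entry pushed the count over the threshold
        self.last_seen[mac] = now
        return True

    def state(self, mac, now):
        """'active', 'inactive' (no traffic for inactive seconds) or 'absent' (aged out)."""
        seen = self.last_seen.get(mac)
        if seen is None or now - seen >= self.aging:
            self.last_seen.pop(mac, None)
            return "absent"
        return "inactive" if now - seen >= self.inactive else "active"

    def expire(self, now):
        """Delete every entry that has reached the aging time; return the deleted MACs."""
        aged = [mac for mac, seen in self.last_seen.items() if now - seen >= self.aging]
        for mac in aged:
            del self.last_seen[mac]
        return aged


if __name__ == "__main__":
    # Constructed deauthentication flood: 55 frames, one per second, from one sender
    det = IntervalThresholdDetector(interval=60, threshold=50, quiet=600)
    fired = [det.observe("de:ad:be:ef:00:01", t) for t in range(55)]
    print("alarm at frame", fired.index(True) + 1, "alarms:", det.alarms)
```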
Applying an attack detection policy
About applying an attack detection policy
Applying an attack detection policy to a VSD enables the attack detection policy to take effect on all radios in the VSD.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create a VSD and enter its view. | virtual-security-domain vsd-name | By default, no VSDs exist. |
4. Apply an attack detection policy to the VSD. | apply detect policy policy-name | By default, no attack detection policy is applied to a VSD. |
Configuring signature-based attack detection
Configuring a signature
About signatures
If you configure multiple signatures, WIPS matches detected packets against the configured signatures in ascending order of ID until a match is found.
You can configure one or multiple subsignatures for a signature. A packet matches a signature only when it matches all the subsignatures of the signature.
Restrictions and guidelines
You can configure a maximum of six subsignatures for a signature to match different attributes of packets.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create a signature and enter its view. | signature rule rule-id | By default, no signatures exist. |
4. Configure a subsignature to match the frame type of a frame. | frame-type { control \| data \| management [ frame-subtype { association-request \| association-response \| authentication \| beacon \| deauthentication \| disassociation \| probe-request } ] } | By default, no subsignature is configured to match the frame type of a frame. |
5. Configure a subsignature to match the MAC address of a frame. | mac-address { bssid \| destination \| source } mac-address | By default, no subsignature is configured to match the MAC address of a frame. |
6. Configure a subsignature to match the sequence number of a frame. | seq-number seq-value1 [ to seq-value2 ] | By default, no subsignature is configured to match the sequence number of a frame. |
7. Configure a subsignature to match the SSID length of a frame. | ssid-length length-value1 [ to length-value2 ] | By default, no subsignature is configured to match the SSID length of a frame. |
8. Configure a subsignature to match the SSID of a frame. | ssid [ case-sensitive ] [ not ] { equal \| include } string | By default, no subsignature is configured to match the SSID of a frame. |
9. Configure a subsignature to match the specified bits of a frame. | pattern pattern-number offset offset-value mask hex-value value1 [ to value2 ] [ from-payload ] | By default, no subsignature is configured to match the specified bits of a frame. |
10. Configure the subsignatures to be in logical AND relationship. | | By default, the subsignatures are in logical OR relationship. A packet matches a signature if it matches any of the subsignatures of the signature. After you configure this command, a packet matches a signature only when it matches all the subsignatures of the signature. |
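The signature matching described in "Signature-based attack detection" and configured in this procedure, as an added example that is not from the guide: up to six subsignatures per signature (frame type, MAC address, sequence number, SSID length, SSID, bit pattern), OR by default or AND when configured, and signatures tried in ascending rule ID until the first match. The decoded-frame dictionary, the constructed signatures and frames, and the use of a byte mask for the pattern subsignature are assumptions.

```python
SUB_KEYS = ("frame_type", "mac_address", "seq_number", "ssid_length", "ssid", "pattern")

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def subsignature_matches(name, spec, frame):
    """One subsignature against a decoded frame (a dict built by make_frame)."""
    if name == "frame_type":                   # (type, subtype or None)
        ftype, subtype = spec
        return frame["type"] == ftype and (subtype is None or frame["subtype"] == subtype)
    if name == "mac_address":                  # ("bssid" | "destination" | "source", mac)
        which, mac = spec
        return frame[which].lower() == mac.lower()
    if name == "seq_number":                   # (low, high)
        return spec[0] <= frame["seq"] <= spec[1]
    if name == "ssid_length":                  # (low, high)
        return spec[0] <= len(frame["ssid"]) <= spec[1]
    if name == "ssid":                         # (case_sensitive, negate, "equal" | "include", text)
        case_sensitive, negate, op, text = spec
        a, b = (frame["ssid"], text) if case_sensitive else (frame["ssid"].lower(), text.lower())
        return ((a == b) if op == "equal" else (b in a)) != negate
    if name == "pattern":                      # (offset, mask bytes, low, high, from_payload)
        offset, mask, low, high, from_payload = spec
        data = frame["raw"][24:] if from_payload else frame["raw"]
        chunk = data[offset:offset + len(mask)]
        if len(chunk) < len(mask):
            return False
        value = int.from_bytes(bytes(c & m for c, m in zip(chunk, mask)), "big")
        return low <= value <= high
    raise ValueError(f"unknown subsignature {name}")

def signature_matches(sig, frame):
    """OR of the subsignatures by default, AND when sig['match_all'] is set (the guide's default is OR)."""
    results = [subsignature_matches(k, sig[k], frame) for k in SUB_KEYS if k in sig]
    if not results:
        return False
    return all(results) if sig.get("match_all") else any(results)

def first_matching_rule(signatures, frame):
    """Signatures are tried in ascending rule ID; the first match wins, as the guide states."""
    for sig in sorted(signatures, key=lambda s: s["rule_id"]):
        if signature_matches(sig, frame):
            return sig["rule_id"]
    return None

def make_frame(ftype, subtype, fc0, source, destination, bssid, seq, body=b"", ssid=""):
    """Decoded frame plus constructed raw bytes (24-byte non-QoS header + body)."""
    raw = bytes([fc0, 0]) + b"\x00\x00" + _mac(destination) + _mac(source) + _mac(bssid)
    raw += (seq << 4).to_bytes(2, "little") + body
    return {"type": ftype, "subtype": subtype, "source": source, "destination": destination,
            "bssid": bssid, "seq": seq, "ssid": ssid, "raw": raw}

# Constructed signatures (values are illustrative, not vendor defaults).
SIGNATURES = [
    # Deauthentication with reason code 1; the code is little-endian, so body byte 0 is the low byte
    {"rule_id": 5, "match_all": True, "frame_type": ("management", "deauthentication"),
     "pattern": (0, b"\xff", 1, 1, True)},
    # Beacon advertising an SSID that contains "corp" and has a plausible length
    {"rule_id": 10, "match_all": True, "frame_type": ("management", "beacon"),
     "ssid": (False, False, "include", "corp"), "ssid_length": (1, 32)},
    # OR rule: anything from a known bad source, or a sequence number in the 4000-4095 range
    {"rule_id": 20, "mac_address": ("source", "de:ad:be:ef:00:01"), "seq_number": (4000, 4095)},
]

AP, BAD, BCAST = "0a:1b:2c:3d:4e:5f", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    make_frame("management", "beacon", 0x80, AP, BCAST, AP, 100, b"\x00" * 12 + b"\x00\x09Corp-WLAN", "Corp-WLAN"),
    make_frame("management", "deauthentication", 0xC0, AP, BCAST, AP, 4090, b"\x01\x00"),
    make_frame("data", "data", 0x08, BAD, AP, AP, 50),
    make_frame("data", "data", 0x08, AP, BAD, AP, 50),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame["subtype"], "from", frame["source"], "->", first_matching_rule(SIGNATURES, frame))
```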
Configuring a signature policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create a signature policy and enter its view. | signature policy policy-name | By default, no signature policies exist. |
4. Bind the specified signature to the signature policy. | apply signature rule rule-id | By default, no signature is bound to a signature policy. |
5. Enable WIPS to detect packets that match the signature. | detect signature [ interval interval-value \| quiet quiet-value \| threshold threshold-value ] * | By default, detection on packets that match a signature is enabled. The statistics collection interval is 60 seconds, the quiet interval is 600 seconds, and the alarm threshold is 50. |
Applying a signature policy
About applying a signature policy
Applying a signature policy to a VSD enables the signature policy to take effect on all radios in the VSD.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create a VSD and enter its view. | virtual-security-domain vsd-name | By default, no VSDs exist. |
4. Apply the specified signature policy to the VSD. | apply signature policy policy-name | By default, no signature policy is applied to a VSD. |
Configuring device classification
Configuring a classification policy
About classification policies
You can enable WIPS to classify devices by using the following methods:
· Automatic classification—WIPS automatically classifies devices by adding MAC addresses, OUIs, or SSIDs to the specified lists. WIPS also allows you to classify APs by using user-defined AP classification rules.
· Manual classification—You manually specify a category for a device. Manual classification is applicable only to APs.
If you configure both automatic classification and manual classification, manual classification takes effect.
Configuring an automatic device classification policy
Configuring an automatic device classification policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter WIPS view. | wips | N/A |
3. Create a classification policy and enter its view. | classification policy policy-name | By default, no classification policies exist. |
4. Configure WIPS to classify devices with invalid OUIs as rogue devices. | invalid-oui-classify illegal | By default, WIPS does not classify devices with invalid OUIs as rogue devices. |
5. Add a MAC address to the permitted device list. | trust mac-address mac-address | By default, no MAC address exists in the permitted device list. |
6. Add an OUI to the trusted OUI list. | trust oui oui | By default, no OUIs exist in the trusted OUI list. This command is applicable only to AP classification. |
7. Add an SSID to the trusted SSID list. | trust ssid ssid-name | By default, no SSIDs exist in the trusted SSID list. |
8. Add a MAC address to the static prohibited device list. | block mac-address mac-address | By default, no MAC addresses exist in the static prohibited device list. |
9. Bind the specified AP classification rule to the classification policy. | apply ap-classification rule rule-id { authorized-ap \| { { external-ap \| misconfigured-ap \| rogue-ap } [ severity-level level ] } } | By default, no AP classification rule is bound to a classification policy. |
10. Configure the AP classification rule criteria to be in logical AND relationship. | | By default, the AP classification rule criteria are in logical OR relationship. An AP matches an AP classification rule if it matches any of the criteria of the AP classification rule. After you configure this command, an AP matches an AP classification rule only when it matches all criteria of the AP classification rule. |
Configuring an AP classification rule
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
109. Enter WIPS view. | wips | N/A |
110. Create an AP classification rule and enter its view. | ap-classification rule rule-id | By default, no AP classification rules exist. |
111. Configure the AP classification rule to match the RSSI of an AP. | rssi value1 [ to value2 ] | By default, an AP classification rule does not match the RSSI of an AP. |
112. Configure the AP classification rule to match the SSID of the wireless service for an AP. | ssid [ case-sensitive ] [ not ] { equal \| include } ssid-string | By default, an AP classification rule does not match the SSID of the wireless service for an AP. |
113. Configure the AP classification rule to match the running time of an AP. | up-duration value1 [ to value2 ] | By default, an AP classification rule does not match the running time of an AP. |
114. Configure the AP classification rule to match the number of associated clients for an AP. | client-online value1 [ to value2 ] | By default, an AP classification rule does not match the number of associated clients for an AP. |
115. Configure the AP classification rule to match the number of sensors that detect an AP. | discovered-ap value1 [ to value2 ] | By default, an AP classification rule does not match the number of sensors that detect an AP. |
116. Configure the AP classification rule to match the security mode used by an AP. | security { equal \| include } { clear \| wep \| wpa \| wpa2 } | By default, an AP classification rule does not match the security mode used by an AP. |
117. Configure the AP classification rule to match the authentication mode used by an AP. | authentication { equal \| include } { 802.1x \| none \| other \| psk } | By default, an AP classification rule does not match the authentication mode used by an AP. |
118. Configure the AP classification rule to match the OUI information of an AP. | oui oui-info | By default, an AP classification rule does not match the OUI information of an AP. |
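The following Python model, added here as an example and not taken from the configuration guide, shows how the rule criteria above combine under the default "match any criterion" (logical OR) semantics and under the "match all criteria" (logical AND) semantics described for the classification policy. The `DetectedAP` fields, the `match_all` flag, the first-match-wins policy evaluation and the single-mode reading of `security`/`authentication { equal | include }` are assumptions made for this illustration.

```python
"""Model of WIPS AP classification rule matching (added example, assumptions noted)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class DetectedAP:
    mac: str                  # dotted-hex form used by the AC, e.g. "000f-e223-1616"
    ssid: str
    rssi: int                 # signal strength reported by the sensor (dBm)
    up_duration: int          # seconds the AP has been observed running
    client_online: int        # number of associated clients
    discovered_ap: int        # number of sensors that detect this AP
    security: Set[str]        # subset of {"clear", "wep", "wpa", "wpa2"}
    authentication: Set[str]  # subset of {"802.1x", "none", "other", "psk"}


def oui_of(mac: str) -> str:
    """Return the OUI (first three bytes of the MAC) as six lowercase hex digits."""
    return mac.replace("-", "").replace(":", "").lower()[:6]


@dataclass
class ClassificationRule:
    rule_id: int
    match_all: bool = False   # False: logical OR (default); True: logical AND
    criteria: List[Callable[[DetectedAP], bool]] = field(default_factory=list)

    # rssi / up-duration / client-online / discovered-ap value1 [ to value2 ]
    def in_range(self, attr: str, value1: int, value2: Optional[int] = None):
        hi = value1 if value2 is None else value2
        self.criteria.append(lambda ap: value1 <= getattr(ap, attr) <= hi)
        return self

    # ssid [ case-sensitive ] [ not ] { equal | include } ssid-string
    def ssid(self, mode: str, ssid_string: str, case_sensitive: bool = False,
             negate: bool = False):
        def pred(ap: DetectedAP) -> bool:
            have, want = ap.ssid, ssid_string
            if not case_sensitive:
                have, want = have.lower(), want.lower()
            hit = (have == want) if mode == "equal" else (want in have)
            return hit != negate  # the 'not' keyword inverts the result
        self.criteria.append(pred)
        return self

    # security / authentication { equal | include } mode
    # Assumed reading: "equal" means the AP uses exactly this mode, "include"
    # means this mode is among the modes the AP uses.
    def mode_match(self, attr: str, mode: str, value: str):
        def pred(ap: DetectedAP) -> bool:
            have = getattr(ap, attr)
            return have == {value} if mode == "equal" else value in have
        self.criteria.append(pred)
        return self

    # oui oui-info (accepts "000fe2", "000f-e2" or a full MAC)
    def oui(self, oui_info: str):
        prefix = oui_of(oui_info)
        self.criteria.append(lambda ap: oui_of(ap.mac) == prefix)
        return self

    def matches(self, ap: DetectedAP) -> bool:
        if not self.criteria:     # a rule without criteria matches nothing
            return False
        combine = all if self.match_all else any
        return combine(c(ap) for c in self.criteria)


def classify(ap: DetectedAP, policy: List[tuple]) -> str:
    """policy: ordered (rule, category) bindings as made by
    'apply ap-classification rule'. Assumption: the first matching rule wins and
    an AP that matches no rule stays uncategorized."""
    for rule, category in policy:
        if rule.matches(ap):
            return category
    return "uncategorized-ap"
```

The practical point of `match_all` is precision: an OR rule that combines a weak criterion such as an RSSI range with a strong one such as an OUI will classify every AP in range, while the AND form only fires when all criteria agree, which is what you want before binding a rule to a category that a countermeasure policy acts on.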
Configuring a manual AP classification policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
119. Enter WIPS view. | wips | N/A |
120. Create a classification policy and enter its view. | classification policy policy-name | By default, no classification policies exist. |
121. Specify a category for the specified AP. | manual-classify mac-address mac-address { authorized-ap \| external-ap \| misconfigured-ap \| rogue-ap } | By default, no category is specified for an AP. |
Applying a classification policy
About applying a classification policy
Applying a classification policy to a VSD enables the classification to take effect on all radios in the VSD.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
122. Enter WIPS view. | wips | N/A |
123. Enter VSD view. | virtual-security-domain vsd-name | By default, no VSDs exist. |
124. Apply a classification policy to the VSD. | apply classification policy policy-name | By default, no classification policy is applied to a VSD. |
Configuring countermeasures
Configuring a countermeasure policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
125. Enter WIPS view. | wips | N/A |
126. Create a countermeasure policy and enter its view. | countermeasure policy policy-name | By default, no countermeasure policies exist. |
127. Enable WIPS to take countermeasures against external APs. | countermeasure external-ap | By default, WIPS does not take countermeasures against external APs. |
128. Enable WIPS to take countermeasures against misconfigured APs. | countermeasure misconfigured-ap | By default, WIPS does not take countermeasures against misconfigured APs. |
129. Enable WIPS to take countermeasures against misassociated clients. | countermeasure misassociation-client | By default, WIPS does not take countermeasures against misassociated clients. |
130. Enable WIPS to take countermeasures against potential-authorized APs. | countermeasure potential-authorized-ap | By default, WIPS does not take countermeasures against potential-authorized APs. |
131. Enable WIPS to take countermeasures against potential-external APs. | countermeasure potential-external-ap | By default, WIPS does not take countermeasures against potential-external APs. |
132. Enable WIPS to take countermeasures against potential-rogue APs. | countermeasure potential-rogue-ap | By default, WIPS does not take countermeasures against potential-rogue APs. |
133. Enable WIPS to take countermeasures against rogue APs. | countermeasure rogue-ap | By default, WIPS does not take countermeasures against rogue APs. |
134. Enable WIPS to take countermeasures against unauthorized clients. | countermeasure unauthorized-client | By default, WIPS does not take countermeasures against unauthorized clients. |
135. Enable WIPS to take countermeasures against uncategorized APs. | countermeasure uncategorized-ap | By default, WIPS does not take countermeasures against uncategorized APs. |
136. Enable WIPS to take countermeasures against uncategorized clients. | countermeasure uncategorized-client | By default, WIPS does not take countermeasures against uncategorized clients. |
137. Enable WIPS to take countermeasures against the specified device. | countermeasure mac-address mac-address | By default, WIPS does not take countermeasures against any individually specified device. |
138. Enable WIPS to take countermeasures against Ad hoc devices. | countermeasure adhoc | By default, WIPS does not take countermeasures against Ad hoc devices. |
139. Enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks. | countermeasure attack deauth-broadcast | By default, WIPS does not take countermeasures against devices that launch broadcast deauthentication attacks. |
140. Enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks. | countermeasure attack disassoc-broadcast | By default, WIPS does not take countermeasures against devices that launch broadcast disassociation attacks. |
141. Enable WIPS to take countermeasures against honeypot APs. | countermeasure attack honeypot-ap | By default, WIPS does not take countermeasures against honeypot APs. |
142. Enable WIPS to take countermeasures against devices that launch hotspot attacks. | countermeasure attack hotspot-attack | By default, WIPS does not take countermeasures against devices that launch hotspot attacks. |
143. Enable WIPS to take countermeasures against devices with the 40 MHz bandwidth mode disabled. | countermeasure attack ht-40-mhz-intolerance | By default, WIPS does not take countermeasures against devices with the 40 MHz bandwidth mode disabled. |
144. Enable WIPS to take countermeasures against devices that send malformed packets. | countermeasure attack malformed-packet | By default, WIPS does not take countermeasures against devices that send malformed packets. |
145. Enable WIPS to take countermeasures against devices that launch MITM attacks. | countermeasure attack man-in-the-middle | By default, WIPS does not take countermeasures against devices that launch MITM attacks. |
146. Enable WIPS to take countermeasures against devices that launch Omerta attacks. | countermeasure attack omerta | By default, WIPS does not take countermeasures against devices that launch Omerta attacks. |
147. Enable WIPS to take countermeasures against devices that launch power save attacks. | countermeasure attack power-save | By default, WIPS does not take countermeasures against devices that launch power save attacks. |
148. Enable WIPS to take countermeasures against soft APs. | countermeasure attack soft-ap | By default, WIPS does not take countermeasures against soft APs. |
149. Enable WIPS to take countermeasures against unencrypted authorized clients. | countermeasure attack unencrypted-trust-client | By default, WIPS does not take countermeasures against unencrypted authorized clients. |
150. Enable WIPS to take countermeasures against devices that use weak IVs. | countermeasure attack weak-iv | By default, WIPS does not take countermeasures against devices that use weak IVs. |
151. Enable WIPS to take countermeasures against devices that launch Windows bridge attacks. | countermeasure attack windows-bridge | By default, WIPS does not take countermeasures against devices that launch Windows bridge attacks. |
152. Enable WIPS to take countermeasures against all attackers. | countermeasure attack all | By default, WIPS does not take countermeasures against all attackers. |
153. Enable all sensors that detect an attacker to take countermeasures against the attacker. | select sensor all | By default, only the sensor that most recently detected an attacker takes countermeasures against it. |
Applying a countermeasure policy
About applying a countermeasure policy
Applying a countermeasure policy to a VSD enables the countermeasure policy to take effect on all radios in the VSD.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
154. Enter WIPS view. | wips | N/A |
155. Create a VSD and enter its view. | virtual-security-domain vsd-name | By default, no VSDs exist. |
156. Apply a countermeasure policy to the VSD. | apply countermeasure policy policy-name | By default, no countermeasure policy is applied to a VSD. |
Detecting clients with NAT configured
About detecting clients with NAT configured
Perform this task to enable an AP to detect clients that have NAT configured, so that clients cannot share their network access with other devices behind them.
Procedure
To detect clients with NAT configured in AP view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
157. Create an AP and enter AP view. | wlan ap ap-name [ model model-name ] | You must specify the name and model when you create an AP. |
158. Enable the AP to detect clients with NAT configured. | wlan nat-detect enable | By default, an AP uses the configuration in AP group view. |
To detect clients with NAT configured in AP group view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
159. Create an AP group and enter AP group view. | wlan ap-group group-name | By default, a system-defined AP group exists. This AP group is named default-group and cannot be deleted. |
160. Enable APs in the AP group to detect clients with NAT configured. | wlan nat-detect enable | By default, APs do not detect clients with NAT configured. |
Configuring the alarm-ignoring feature
About the alarm-ignoring feature
With this feature configured, WIPS does not trigger any alarms for wireless devices in the alarm-ignored device list and devices that use a random MAC address.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
161. Enter WIPS view. | wips | N/A |
162. Add the MAC address of a device to the alarm-ignored device list. | ignorelist mac-address mac-address | By default, no MAC address is added to the alarm-ignored device list. |
163. Configure WIPS to not trigger alarms for devices that use a random MAC address. | random-mac-scan enable | By default, WIPS triggers alarms for devices that use a random MAC address. |
Configuring APs to perform WIPS scanning while providing access services
About configuring APs to perform WIPS scanning while providing access services
This feature enhances the WIPS detection and protection capabilities but decreases the access service capability.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
164. Enter WIPS view. | wips | N/A |
165. Configure APs to perform WIPS scanning while providing access services. | access-scan enable | By default, APs do not perform WIPS scanning while they are providing access services. |
Configuring OUIs
About OUIs
An Organizationally Unique Identifier (OUI) is the first three bytes of a device's MAC address and identifies the vendor of the device.
After the AC starts, it automatically imports the OUIs in the default OUI configuration file into the OUI library.
You can also manually configure the OUI library as follows:
· Use the import oui command to import OUIs from an OUI configuration file into the OUI library.
The system displays the numbers of imported OUIs, updated OUIs, already existing OUIs, and OUIs that failed to be imported.
· Use the export oui command to export the OUIs in the OUI library to an OUI configuration file.
The system displays the number of OUIs successfully exported and the number of OUIs that failed to be exported.
Procedure
Step | Command |
---|---|
1. Enter system view. | system-view |
166. Enter WIPS view. | wips |
167. Import OUIs from an OUI configuration file to the OUI library. | import oui file-name |
168. Export OUIs in the OUI library to an OUI configuration file. | export oui file-name |
169. Enter user view. | return |
170. Delete all embedded OUIs in the OUI library. | reset wips embedded-oui |
Display and maintenance commands for WIPS
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display information about all sensors. | display wips sensor |
Display attack detection information collected by sensors. | display wips statistics [ receive \| virtual-security-domain vsd-name ] |
Display information about countermeasures that WIPS has taken against rogue devices. | display wips virtual-security-domain vsd-name countermeasure record |
Display information about wireless devices detected in a VSD. | display wips virtual-security-domain vsd-name device [ ap [ adhoc \| authorized \| external \| mesh \| misconfigured \| potential-authorized \| potential-external \| potential-rogue \| rogue \| uncategorized ] \| client [ [ dissociative-client ] [ authorized \| misassociation \| unauthorized \| uncategorized ] ] \| mac-address mac-address ] [ verbose ] |
Display information about detected NAT-configured clients. | display wlan nat-detect [ mac-address mac-address ] |
Clear information received from all sensors. | reset wips statistics |
Clear information about countermeasures that WIPS has taken against rogue devices. | reset wips virtual-security-domain vsd-name countermeasure record |
Clear learned AP or client entries for a VSD. | reset wips virtual-security-domain vsd-name { ap { all \| mac-address mac-address } \| client { all \| mac-address mac-address } \| all } |
Clear information about detected NAT-configured clients. | reset wlan nat-detect |
WIPS configuration examples
Example: Configuring device classification and countermeasures
Network configuration
As shown in Figure 52, the sensor connects to the AC through the switch. AP 1 and AP 2 provide wireless services to clients through SSID abc. Perform the following tasks:
· Enable WIPS for the sensor.
· Configure wireless device classification to add MAC address 000f-1c35-12a5 to the static prohibited device list and SSID abc to the trusted SSID list.
· Configure countermeasures to enable WIPS to take countermeasures against potential-external APs and unauthorized clients.
Procedure
# Configure wireless services on the AC. (Details not shown.)
For more information about wireless service configuration, see "Configuring WLAN access."
# Create a VSD named vsd1.
<AC> system-view
[AC] wips
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
# Create an AP named Sensor and enable WIPS for the AP.
[AC] wlan ap Sensor model WA2620-WiNet
[AC-wlan-ap-Sensor] serial-id 210235A1GQB139000435
[AC-wlan-ap-Sensor] radio 1
[AC-wlan-ap-Sensor-radio-1] radio enable
[AC-wlan-ap-Sensor-radio-1] wips enable
[AC-wlan-ap-Sensor-radio-1] quit
# Add AP Sensor to VSD vsd1.
[AC-wlan-ap-Sensor] wips virtual-security-domain vsd1
[AC-wlan-ap-Sensor] quit
# Create a classification policy named class1, add the MAC address of Client 2 to the prohibited device list, and add SSID abc to the trusted SSID list.
[AC] wips
[AC-wips] classification policy class1
[AC-wips-cls-class1] block mac-address 000f-1c35-12a5
[AC-wips-cls-class1] trust ssid abc
[AC-wips-cls-class1] quit
# Apply classification policy class1 to VSD vsd1.
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply classification policy class1
[AC-wips-vsd-vsd1] quit
# Create a countermeasure policy named protect, and enable WIPS to take countermeasures against unauthorized clients and potential-external APs.
[AC-wips] countermeasure policy protect
[AC-wips-cms-protect] countermeasure unauthorized-client
[AC-wips-cms-protect] countermeasure potential-external-ap
[AC-wips-cms-protect] quit
# Apply countermeasure policy protect to VSD vsd1.
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply countermeasure policy protect
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
Verifying the configuration
# Display wireless device classification information for VSD vsd1.
[AC] display wips virtual-security-domain vsd1 device
Total 3 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - extern; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address Type Class Duration Sensors Channel Status
00e0-fc00-5829 AP Auth 00h 10m 24s 1 149 Active
000f-e228-2528 AP Auth 00h 10m 04s 1 149 Active
000f-e223-1616 AP Ext(P) 00h 10m 46s 1 149 Active
000f-1c35-12a5 Client Unauth 00h 10m 02s 1 149 Active
000f-e201-0102 Client Auth 00h 10m 02s 1 149 Active
The output shows that the AP with MAC address 000f-e223-1616 is classified as a potential-external AP and the client with MAC address 000f-1c35-12a5 is classified as an unauthorized client.
# Display information about countermeasures that WIPS has taken against the devices.
[AC] display wips virtual-security-domain vsd1 countermeasure record
Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1
Reason: Attack; Ass - associated; Black - blacklist;
Class - classification; Manu - manual;
MAC address Type Reason Countermeasure AP Radio ID Time
00e0-fc00-5829 AP Class Sensor 1 2014-06-03/09:30:25
000f-e228-2528 AP Class Sensor 1 2014-06-03/19:31:56
000f-e223-1616 AP Class Sensor 1 2014-06-03/10:30:36
000f-1c35-12a5 Client Class Sensor 1 2014-06-03/09:13:26
000f-e201-0102 Client Class Sensor 1 2014-06-03/09:33:46
The output shows that WIPS has taken countermeasures against the unauthorized client with MAC address 000f-1c35-12a5 and the potential-external AP with MAC address 000f-e223-1616.
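The verification step above compares two displays by eye. The Python script below, added as an example and not taken from the configuration guide, automates that comparison: it parses the device table and the countermeasure record table in the formats shown above and reports devices that the applied countermeasure policy targets but that have no countermeasure record, as well as records against devices the policy does not target (countermeasures against your own authorized APs disrupt legitimate clients and are worth catching). The two sample outputs are constructed for this example, and the mapping of the abbreviated Class column to the policy keywords is an assumption based on the legend printed above the table.

```python
"""Audit WIPS countermeasure records against the applied policy (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample in the format of "display wips virtual-security-domain vsd-name device".
DEVICE_OUTPUT = """\
Total 4 detected devices in virtual-security-domain vsd1
Class: Auth - authorization; Ext - extern; Mis - mistake;
Unauth - unauthorized; Uncate - uncategorized;
(A) - associate; (C) - config; (P) - potential
MAC address     Type    Class    Duration      Sensors  Channel  Status
00e0-fc00-5829  AP      Auth     00h 10m 24s   1        149      Active
000f-e223-1616  AP      Ext(P)   00h 10m 46s   1        149      Active
000f-1c35-12a5  Client  Unauth   00h 10m 02s   1        149      Active
000f-e201-0102  Client  Auth     00h 10m 02s   1        149      Active
"""

# Constructed sample in the format of "display wips virtual-security-domain vsd-name countermeasure record".
RECORD_OUTPUT = """\
Total 3 times countermeasure, current 3 countermeasure record in virtual-security-domain vsd1
Reason: Attack; Ass - associated; Black - blacklist;
Class - classification; Manu - manual;
MAC address     Type    Reason  Countermeasure AP  Radio ID  Time
000f-e223-1616  AP      Class   Sensor             1         2014-06-03/10:30:36
000f-1c35-12a5  Client  Class   Sensor             1         2014-06-03/09:13:26
00e0-fc00-5829  AP      Class   Sensor             1         2014-06-03/09:30:25
"""

MAC = r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
DEVICE_RE = re.compile(MAC + r"\s+(?P<type>AP|Client)\s+(?P<cls>\S+)\s+\d+h \d+m \d+s\s+\d+\s+\d+\s+\S+$")
RECORD_RE = re.compile(MAC + r"\s+(?P<type>AP|Client)\s+(?P<reason>\S+)\s+(?P<sensor>\S+)\s+\d+\s+\S+$")

# Assumed mapping from the Class abbreviations in the legend to the keywords
# used by the "countermeasure" commands; anything else is reported as unknown.
CLASS_TO_CATEGORY = {
    ("AP", "Auth"): "authorized-ap",
    ("AP", "Auth(P)"): "potential-authorized-ap",
    ("AP", "Ext"): "external-ap",
    ("AP", "Ext(P)"): "potential-external-ap",
    ("AP", "Mis"): "misconfigured-ap",
    ("AP", "Uncate"): "uncategorized-ap",
    ("Client", "Auth"): "authorized-client",
    ("Client", "Unauth"): "unauthorized-client",
    ("Client", "Uncate"): "uncategorized-client",
}


def parse_devices(text: str) -> Dict[str, str]:
    """Return MAC -> category keyword for every device row in the display output."""
    devices = {}
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            devices[m["mac"]] = CLASS_TO_CATEGORY.get((m["type"], m["cls"]), "unknown:" + m["cls"])
    return devices


def parse_countered(text: str) -> Set[str]:
    """Return the MACs that have at least one countermeasure record."""
    countered = set()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            countered.add(m["mac"])
    return countered


def audit(device_text: str, record_text: str, policy_targets: Set[str]) -> Dict[str, List[str]]:
    """policy_targets: categories enabled in the applied countermeasure policy,
    e.g. {"potential-external-ap", "unauthorized-client"} for policy 'protect'."""
    devices = parse_devices(device_text)
    countered = parse_countered(record_text)
    missing = sorted(mac for mac, cat in devices.items()
                     if cat in policy_targets and mac not in countered)
    unexpected = sorted(mac for mac in countered
                        if devices.get(mac) not in policy_targets)
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(audit(DEVICE_OUTPUT, RECORD_OUTPUT, {"potential-external-ap", "unauthorized-client"}))
```

Run against the constructed samples, the audit reports nothing missing and one unexpected record, the one against authorized AP 00e0-fc00-5829; in a real deployment that is the row to investigate before leaving a countermeasure policy applied.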
Example: Configuring malformed packet and flood attack detection
Network configuration
As shown in Figure 53, configure the two APs that connect to the AC through the switch as sensors. Add Sensor 1 and Sensor 2 to VSD VSD_1. Configure malformed packet detection and flood attack detection to enable WIPS to trigger an alarm when it detects beacon flood attacks or malformed packets with duplicated IE.
Procedure
# Configure wireless services on the AC. (Details not shown.)
For more information about wireless service configuration, see "Configuring WLAN access."
# Create an AP named sensor1 and enable WIPS for the AP.
<AC> system-view
[AC] wlan ap sensor1 model WA2620-WiNet
[AC-wlan-ap-sensor1] serial-id 210235A1GQB139000435
[AC-wlan-ap-sensor1] radio 1
[AC-wlan-ap-sensor1-radio-1] radio enable
[AC-wlan-ap-sensor1-radio-1] wips enable
[AC-wlan-ap-sensor1-radio-1] return
# Create an AP named sensor2 and enable WIPS for the AP.
<AC> system-view
[AC] wlan ap sensor2 model WA2620-WiNet
[AC-wlan-ap-sensor2] serial-id 210235A1GQB139000436
[AC-wlan-ap-sensor2] radio 1
[AC-wlan-ap-sensor2-radio-1] radio enable
[AC-wlan-ap-sensor2-radio-1] wips enable
[AC-wlan-ap-sensor2-radio-1] quit
[AC-wlan-ap-sensor2] quit
# Create a VSD named VSD_1.
[AC] wips
[AC-wips] virtual-security-domain VSD_1
[AC-wips-vsd-VSD_1] quit
# Create an attack detection policy named dtc1.
[AC-wips] detect policy dtc1
# Enable detection on malformed packets with duplicated IE, and set the quiet time to 50 seconds.
[AC-wips-dtc-dtc1] malformed duplicated-ie quiet 50
# Enable beacon flood attack detection, and set the statistics interval, threshold, and quiet time to 100 seconds, 200, and 50 seconds, respectively.
[AC-wips-dtc-dtc1] flood beacon interval 100 quiet 50 threshold 200
[AC-wips-dtc-dtc1] quit
# Apply attack detection policy dtc1 to VSD VSD_1.
[AC-wips] virtual-security-domain VSD_1
[AC-wips-vsd-VSD_1] apply detect policy dtc1
[AC-wips-vsd-VSD_1] quit
[AC-wips] quit
# Add AP sensor1 to VSD VSD_1.
[AC] wlan ap sensor1
[AC-wlan-ap-sensor1] wips virtual-security-domain VSD_1
[AC-wlan-ap-sensor1] quit
# Add AP sensor2 to VSD VSD_1.
[AC] wlan ap sensor2
[AC-wlan-ap-sensor2] wips virtual-security-domain VSD_1
[AC-wlan-ap-sensor2] return
Verifying the configuration
# Display packet statistics when WIPS does not detect any attacks in the WLAN. The output shows that no malformed packet or flood attack message exists.
<AC> display wips statistics receive
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0
Information from sensor 2
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0
# Display packet statistics when WIPS detects beacon flood attacks and malformed packets with duplicated IE. The output shows that the number of detected messages is 28 for malformed packets with duplicated IE and the number of detected messages is 18 for beacon flood attacks.
<AC> display wips statistics receive
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 18
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0
Information from sensor 2
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 28
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 0
Example: Configuring signature-based attack detection
Network configuration
As shown in Figure 54, AP 1 and AP 2 provide wireless services for clients through SSID abc. Enable WIPS for the sensor, and configure a signature to enable WIPS to trigger an alarm when it detects beacon frames whose SSIDs are not abc.
Procedure
# Configure wireless services on the AC. (Details not shown.)
For more information about wireless service configuration, see "Configuring WLAN access."
# Create an AP named sensor1 and enable WIPS for the AP.
<AC> system-view
[AC] wlan ap sensor1 model WA2620-WiNet
[AC-wlan-ap-sensor1] serial-id 210235A1GQB139000435
[AC-wlan-ap-sensor1] radio 1
[AC-wlan-ap-sensor1-radio-1] radio enable
[AC-wlan-ap-sensor1-radio-1] wips enable
[AC-wlan-ap-sensor1-radio-1] quit
[AC-wlan-ap-sensor1] quit
# Create a VSD named vsd1.
[AC] wips
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] quit
[AC-wips] quit
# Add the AP sensor1 to the VSD vsd1.
[AC] wlan ap sensor1
[AC-wlan-ap-sensor1] wips virtual-security-domain vsd1
[AC-wlan-ap-sensor1] quit
# Create signature 1, and configure a subsignature to match beacon frames and a subsignature to match frames whose SSIDs are not abc.
[AC] wips
[AC-wips] signature rule 1
[AC-wips-sig-rule-1] frame-type management frame-subtype beacon
[AC-wips-sig-rule-1] ssid not equal abc
[AC-wips-sig-rule-1] quit
# Create a signature policy named sig1, and bind signature 1 to signature policy sig1.
[AC-wips] signature policy sig1
[AC-wips-sig-sig1] apply signature rule 1
# Enable WIPS to detect packets that match the signature, and set the statistics collection interval, quiet time, and alarm threshold to 5 seconds, 60 seconds, and 60, respectively.
[AC-wips-sig-sig1] detect signature interval 5 quiet 60 threshold 60
[AC-wips-sig-sig1] quit
# Apply signature policy sig1 to VSD vsd1.
[AC-wips] virtual-security-domain vsd1
[AC-wips-vsd-vsd1] apply signature policy sig1
[AC-wips-vsd-vsd1] quit
Verifying the configuration
# Verify that the AC receives an alarm from the sensor when the sensor detects the wireless service with SSID free_wlan.
WIPS/5/WIPS_SIGNATURE: -VSD=vsd1-RuleID=1; Signature rule matched.
# Display attack detection information collected from sensors. The output shows that the number of detected messages is 26 for packets that match the signature.
[AC] display wips statistics receive
Information from sensor
Information about attack statistics:
Detected association-request flood messages: 0
Detected authentication flood messages: 0
Detected beacon flood messages: 0
Detected block-ack flood messages: 0
Detected cts flood messages: 0
Detected deauthentication flood messages: 0
Detected disassociation flood messages: 0
Detected eapol-start flood messages: 0
Detected null-data flood messages: 0
Detected probe-request flood messages: 0
Detected reassociation-request flood messages: 0
Detected rts flood messages: 0
Detected duplicated-ie messages: 0
Detected fata-jack messages: 0
Detected illegal-ibss-ess messages: 0
Detected invalid-address-combination messages: 0
Detected invalid-assoc-req messages: 0
Detected invalid-auth messages: 0
Detected invalid-deauth-code messages: 0
Detected invalid-disassoc-code messages: 0
Detected invalid-ht-ie messages: 0
Detected invalid-ie-length messages: 0
Detected invalid-pkt-length messages: 0
Detected large-duration messages: 0
Detected null-probe-resp messages: 0
Detected overflow-eapol-key messages: 0
Detected overflow-ssid messages: 0
Detected redundant-ie messages: 0
Detected AP spoof AP messages: 0
Detected AP spoof client messages: 0
Detected AP spoof ad-hoc messages: 0
Detected ad-hoc spoof AP messages: 0
Detected client spoof AP messages: 0
Detected weak IV messages: 0
Detected excess AP messages: 0
Detected excess client messages: 0
Detected sig rule messages: 26
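Both the flood/malformed-packet example and the signature example verify the configuration by reading `display wips statistics receive` before and after the attack traffic and spotting the counters that moved. The Python script below, added as an example and not taken from the configuration guide, does that comparison for you: it parses two snapshots of the output, keeps the counters per sensor, and reports only the counters that increased, which is the form you would feed into a monitoring alert. The two snapshots are constructed and abridged to a few counter lines in the guide's format; the handling of a counter that went down (statistics cleared with `reset wips statistics` in between) is this script's own choice.

```python
"""Diff two snapshots of 'display wips statistics receive' (added example)."""
import re
from typing import Dict

# Constructed, abridged snapshot before any attack traffic was seen.
BASELINE = """\
Information from sensor 1
Information about attack statistics:
Detected beacon flood messages: 0
Detected duplicated-ie messages: 0
Detected sig rule messages: 0
Information from sensor 2
Information about attack statistics:
Detected beacon flood messages: 0
Detected duplicated-ie messages: 0
Detected sig rule messages: 0
"""

# Constructed, abridged snapshot after the events of the two examples.
LATER = """\
Information from sensor 1
Information about attack statistics:
Detected beacon flood messages: 18
Detected duplicated-ie messages: 0
Detected sig rule messages: 26
Information from sensor 2
Information about attack statistics:
Detected beacon flood messages: 0
Detected duplicated-ie messages: 28
Detected sig rule messages: 0
"""

# "Information from sensor 1" in multi-sensor output, "Information from sensor"
# (no id) in single-sensor output, as in the signature example.
SENSOR_RE = re.compile(r"^Information from sensor\s*(?P<id>\S*)$")
COUNTER_RE = re.compile(r"^Detected (?P<name>.+?) messages:\s*(?P<count>\d+)$")


def parse_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """Return {sensor_id: {counter_name: value}} for one snapshot."""
    stats: Dict[str, Dict[str, int]] = {}
    sensor = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SENSOR_RE.match(line)
        if m:
            sensor = m["id"] or "sensor"   # single-sensor output carries no id
            stats[sensor] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and sensor is not None:
            stats[sensor][m["name"]] = int(m["count"])
    return stats


def increased_counters(baseline_text: str, current_text: str) -> Dict[str, Dict[str, int]]:
    """Per sensor, the counters that rose between the snapshots and by how much.
    A counter that is lower than before is taken to have been cleared in
    between, so its current value is reported as the increase."""
    base = parse_statistics(baseline_text)
    cur = parse_statistics(current_text)
    report: Dict[str, Dict[str, int]] = {}
    for sensor, counters in cur.items():
        before = base.get(sensor, {})
        deltas = {}
        for name, value in counters.items():
            prev = before.get(name, 0)
            delta = value if value < prev else value - prev
            if delta > 0:
                deltas[name] = delta
        if deltas:
            report[sensor] = deltas
    return report


if __name__ == "__main__":
    for sensor, deltas in increased_counters(BASELINE, LATER).items():
        for name, delta in deltas.items():
            print(f"sensor {sensor}: {name} +{delta}")
```

On the constructed snapshots this prints the beacon flood and signature counters for sensor 1 and the duplicated-IE counter for sensor 2, matching what the two examples above read off the full output by hand.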
Configuring WLAN QoS
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN QoS
An 802.11 network provides contention-based wireless access. To provide applications with QoS services, IEEE developed 802.11e for 802.11-based WLANs.
WLAN QoS features include WMM, SVP, bandwidth guaranteeing, and client rate limiting.
WMM protocol
About WMM
Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard to allow QoS provision devices of different vendors to interoperate. WMM enables a WLAN to provide QoS services, so that audio and video applications can have better performance in WLANs.
The Distributed Coordination Function (DCF) in 802.11 requires APs and clients to use the carrier sense multiple access with collision avoidance (CSMA/CA) access mechanism. An AP or client listens to the channel before it holds the channel for data transmission. After the channel has been idle for the specified duration, each contending AP or client randomly selects a backoff slot within the contention window and backs off. The device that finishes backoff first gets the channel. With 802.11, all devices have the same idle duration and contention window, so they have equal chances when contending for a channel.
To provide QoS services, WMM divides data traffic into four ACs that have different priorities. Traffic in an AC with a high priority has a better chance to use the channel.
Terminology
· Enhanced distributed channel access—EDCA is a channel contention mechanism defined by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets.
· Access category—WMM defines the following ACs: AC-VO for voice traffic, AC-VI for video traffic, AC-BE for best effort traffic, and AC-BK for background traffic. The priorities of the four ACs are in descending order.
· Connect Admission Control—CAC limits the number of clients that can use high-priority ACs (AC-VO and AC-VI) to make sure there is enough bandwidth for these clients.
· Unscheduled automatic power save delivery—U-APSD is a power saving method defined by WMM to save client power.
EDCA parameters
· Arbitration inter-frame spacing number—In 802.11-based WLAN, each client has the same idle duration (DIFS), but WMM defines an idle duration for each AC. The idle duration increases as the AIFSN increases.
· Exponent form of CWmin/Exponent form of CWmax—ECWmin/ECWmax determines the backoff slots, which increase as the two values increase.
· Transmission opportunity limit—TXOP limit specifies the maximum time that a client can hold the channel after a successful contention. A larger value represents a longer time. If the value is 0, a client can send only one packet each time it holds the channel.
CAC admission policies
CAC requires a client to obtain permission from an AP before it can use a high-priority AC for transmission. This guarantees bandwidth for the clients that have been admitted. CAC controls real-time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).
If a client wants to use a high-priority AC (AC-VO or AC-VI), it must send a request to the AP. The AP returns a positive or negative response based on either of the following admission control policies:
· Channel usage-based admission policy—The AP calculates the total time that the existing high-priority AC queues occupy the channel per unit time, and then calculates the time that the requesting traffic will occupy the channel per unit time. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested AC queue. If it is not, the request is rejected.
· Client-based admission policy—If the number of clients using high-priority AC queues is smaller than the maximum number of high-priority AC clients, the request is accepted. If it is not, the request is rejected. During calculation, a client is counted as one client if it is using both the AC-VO and AC-VI queues.
If the request is rejected for lack of media resources, the AP assigns AC-BE to the client. Clients that already use high-priority AC queues are not affected.
When calculating media resources, the AP also takes into account requests admitted before CAC was enabled. Whether subsequent requests for high-priority AC queues are accepted therefore depends heavily on the existing resource usage.
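The two admission policies above, modelled as an added Python example (not code from the AC). It takes unit time as one second, expresses the channel budget as a percentage of that second (assumed to mirror the channelutilization-value argument, which the page does not define), and uses constructed client names and medium times.

```python
"""Model of the two WMM CAC admission policies described above.

Added example, not code from the AC. Unit time is taken as one second, the
channel budget is a percent of that second (assumed to mirror the
channelutilization-value argument), and client names and medium times are
constructed.
"""
from dataclasses import dataclass, field

UNIT_TIME_US = 1_000_000  # one second of channel time, the "unit time" in the text


@dataclass
class Admission:
    client: str       # client identifier (the MAC address in practice)
    ac: str           # "ac-vo" or "ac-vi"
    medium_time: int  # channel time the flow holds per unit time, in microseconds


@dataclass
class CacRadio:
    """CAC state of one radio, running exactly one of the two admission policies."""
    policy: str                 # "channelutilization" or "client"
    max_utilization: int = 70   # percent of unit time high-priority ACs may hold (constructed)
    max_clients: int = 20       # page default for the client-based policy
    admitted: list = field(default_factory=list)

    def used_time(self) -> int:
        """Channel time per unit time already held by admitted high-priority flows."""
        return sum(a.medium_time for a in self.admitted)

    def client_count(self) -> int:
        """High-priority clients; a client in both AC-VO and AC-VI counts once."""
        return len({a.client for a in self.admitted})

    def request(self, client: str, ac: str, medium_time: int) -> str:
        """Return the AC the client ends up in: the requested one, or ac-be on rejection."""
        if ac not in ("ac-vo", "ac-vi"):
            return ac  # CAC does not control AC-BE or AC-BK traffic
        if self.policy == "channelutilization":
            # existing usage plus the requested usage must stay within the channel budget
            budget = UNIT_TIME_US * self.max_utilization // 100
            accept = self.used_time() + medium_time <= budget
        elif self.policy == "client":
            # a client already admitted in the other high-priority AC adds no new client
            already = client in {a.client for a in self.admitted}
            accept = already or self.client_count() < self.max_clients
        else:
            raise ValueError(f"unknown CAC policy {self.policy!r}")
        if accept:
            self.admitted.append(Admission(client, ac, medium_time))
            return ac
        return "ac-be"  # rejected: the AP assigns AC-BE; admitted clients are untouched


if __name__ == "__main__":
    radio = CacRadio(policy="client", max_clients=2)  # constructed limit
    for who, ac in [("c1", "ac-vo"), ("c1", "ac-vi"), ("c2", "ac-vo"), ("c3", "ac-vi")]:
        print(f"{who} requests {ac}: placed in {radio.request(who, ac, 50_000)}")
```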
U-APSD power-save mechanism
U-APSD enables clients in sleep mode to wake up and receive the specified number of packets only after receiving a trigger packet. U-APSD improves the 802.11 APSD power saving mechanism.
U-APSD is automatically enabled after you enable WMM.
ACK policy
WMM defines the following ACK policies:
· Normal ACK—The recipient acknowledges each received unicast packet.
· No ACK—The recipient does not acknowledge received packets during wireless packet exchange. This policy improves transmission efficiency in an environment where signal quality is good and interference is weak. If communication quality deteriorates, this policy might increase the packet loss rate. The No ACK policy does not take effect for A-MPDU packets sent by 802.11n clients.
SVP
SpectraLink Voice Priority (SVP) is developed by SpectraLink to provide QoS services for voice traffic.
Bandwidth guaranteeing
This feature provides the following functions:
· Ensures that traffic from all BSSs can pass through freely when the network is not congested.
· Ensures that each BSS can get the guaranteed bandwidth when the network is congested.
This feature improves bandwidth efficiency and maintains fair use of bandwidth among WLAN services. For example, you assign SSID1, SSID2, and SSID3 25%, 25%, and 50% of the total bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 is guaranteed 25% of the bandwidth.
This feature applies only to AP-to-client traffic.
Client rate limiting
This feature prevents aggressive use of bandwidth by one client and ensures fair use of bandwidth among clients associated with the same AP.
You can configure either of the following modes for client rate limiting:
· Dynamic mode—Sets the total bandwidth shared by all clients. The rate limit for each client is the total rate divided by the number of online clients. For example, if the total rate is 10 Mbps and five clients are online, the rate limit for each client is 2 Mbps.
· Static mode—Sets the bandwidth that can be used by each client. When the rate limit multiplied by the number of associated clients exceeds the available bandwidth provided by the AP, the clients might not get the set bandwidth.
Protocols and standards
· 802.11e-2005, Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE Computer Society, 2005
· Wi-Fi, WMM Specification version 1.1, Wi-Fi Alliance, 2005
Feature and hardware compatibility
Only the following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC/3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: WLAN QoS configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.
Configuring WMM
WMM tasks at a glance
Tasks at a glance:
· (Required.) Enabling WMM
· (Optional.) Setting EDCA parameters
· (Optional.) Setting EDCA parameters of AC-BE or AC-BK queues for clients
· (Optional.) Setting EDCA parameters of AC-VI or AC-VO queues for clients
· (Optional.) Configuring a port to trust packet priority for priority mapping
Enabling WMM
To enable WMM in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable WMM. | wmm enable | By default, an AP uses the configuration in AP group radio view. The 802.11n protocol requires all 802.11n clients to support WLAN QoS. For 802.11n clients to communicate with the associated AP, enable WMM when the radio operates in 802.11an or 802.11gn mode. |
To enable WMM in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable WMM. | wmm enable | By default, WMM is enabled. The 802.11n protocol requires all 802.11n clients to support WLAN QoS. For 802.11n clients to communicate with the associated AP, enable WMM when the radio operates in 802.11an or 802.11gn mode. |
Setting EDCA parameters
To set EDCA parameters in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set EDCA parameters. | edca radio { ac-be | ac-bk | ac-vi | ac-vo } { ack-policy { noack | normalack } | aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } * | By default, an AP uses the configuration in AP group radio view. |
To set EDCA parameters in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set EDCA parameters. | edca radio { ac-be | ac-bk | ac-vi | ac-vo } { ack-policy { noack | normalack } | aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } * | The default values for EDCA parameters are shown in Table 29. |
Table 29 Default EDCA parameter values
AC | AIFSN | ECWmin | ECWmax | TXOP Limit |
---|---|---|---|---|
AC-BK | 7 | 4 | 10 | 0 |
AC-BE | 3 | 4 | 6 | 0 |
AC-VI | 1 | 3 | 4 | 94 |
AC-VO | 1 | 2 | 3 | 47 |
Setting EDCA parameters of AC-BE or AC-BK queues for clients
To set EDCA parameters of AC-BE or AC-BK queues for clients in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set EDCA parameters of AC-BE or AC-BK queues for clients. | edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } * | By default, an AP uses the configuration in AP group radio view. |
To set EDCA parameters of AC-BE or AC-BK queues for clients in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set EDCA parameters of AC-BE or AC-BK queues for clients. | edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } * | The default values are shown in Table 30. |
Table 30 Default EDCA parameter values of AC-BE or AC-BK queues for clients
AC | AIFSN | ECWmin | ECWmax | TXOP Limit |
---|---|---|---|---|
AC-BK | 7 | 4 | 10 | 0 |
AC-BE | 3 | 4 | 10 | 0 |
Setting EDCA parameters of AC-VI or AC-VO queues for clients
To set EDCA parameters of AC-VI or AC-VO queues for clients in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set EDCA parameters of AC-VI or AC-VO queues for clients. | edca client { ac-vi | ac-vo } { aifsn aifsn-value | cac { disable | enable } | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } * | By default, an AP uses the configuration in AP group radio view. |
5. (Optional.) Configure the CAC policy. | cac policy { channelutilization [ channelutilization-value ] | client [ client-number ] } | By default, an AP uses the configuration in AP group radio view. |
To set EDCA parameters of AC-VI or AC-VO queues for clients in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set EDCA parameters of AC-VI or AC-VO queues for clients. | edca client { ac-vi | ac-vo } { aifsn aifsn-value | cac { disable | enable } | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } * | The default values are shown in Table 31. |
6. (Optional.) Configure the CAC policy. | cac policy { channelutilization [ channelutilization-value ] | client [ client-number ] } | By default, the client-based admission policy is used, and the maximum number of admitted clients is 20. |
Table 31 Default EDCA parameter values of AC-VI or AC-VO queues for clients
AC | AIFSN | ECWmin | ECWmax | TXOP Limit |
---|---|---|---|---|
AC-VI | 2 | 3 | 4 | 94 |
AC-VO | 2 | 2 | 3 | 47 |
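A parser and consistency check for the edca radio and edca client commands described in the three tasks above, as an added Python example (not code from the AC). The command grammar and the defaults of Tables 29 to 31 come from the page; the per-radio maximums (AIFSN 15, ECWmin/ECWmax 10, TXOP limit 32767) are taken from the display wlan wmm radio output shown later in this chapter, while CW = 2^ECW − 1 and the 16 µs SIFS / 9 µs slot time are 802.11 (OFDM PHY) values assumed by this helper, not statements from the page.

```python
"""Parser and sanity checker for the edca radio / edca client commands above.

Added example, not code from the AC. Command grammar and the Table 29-31
defaults come from the page; RADIO_MAX is read from the display wlan wmm radio
output later in the chapter. CW = 2**ECW - 1 and the SIFS/slot values are
802.11 OFDM PHY figures assumed here, not stated by the page.
"""

# AC -> (AIFSN, ECWmin, ECWmax, TXOP limit)
RADIO_DEFAULTS = {  # Table 29
    "ac-bk": (7, 4, 10, 0), "ac-be": (3, 4, 6, 0),
    "ac-vi": (1, 3, 4, 94), "ac-vo": (1, 2, 3, 47),
}
CLIENT_DEFAULTS = {  # Tables 30 and 31
    "ac-bk": (7, 4, 10, 0), "ac-be": (3, 4, 10, 0),
    "ac-vi": (2, 3, 4, 94), "ac-vo": (2, 2, 3, 47),
}
RADIO_MAX = {"aifsn": 15, "ecwmin": 10, "ecwmax": 10, "txoplimit": 32767}
SIFS_US, SLOT_US = 16, 9  # assumption: 802.11a/g/n OFDM PHY timings


def parse_edca(line: str) -> dict:
    """Parse one edca command into its effective parameters, defaults filled in."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "edca" or tok[1] not in ("radio", "client"):
        raise ValueError(f"not an edca command: {line!r}")
    scope, ac = tok[1], tok[2]
    table = RADIO_DEFAULTS if scope == "radio" else CLIENT_DEFAULTS
    if ac not in table:
        raise ValueError(f"unknown access category {ac!r}")
    aifsn, ecwmin, ecwmax, txop = table[ac]
    p = {"scope": scope, "ac": ac, "aifsn": aifsn, "ecwmin": ecwmin,
         "ecwmax": ecwmax, "txoplimit": txop, "ack-policy": "normalack", "cac": None}
    i = 3
    try:
        while i < len(tok):
            kw = tok[i]
            if kw == "ecw":  # ecw ecwmin <value> ecwmax <value>
                if tok[i + 1] != "ecwmin" or tok[i + 3] != "ecwmax":
                    raise ValueError("expected: ecw ecwmin <value> ecwmax <value>")
                p["ecwmin"], p["ecwmax"] = int(tok[i + 2]), int(tok[i + 4])
                i += 5
            elif kw in ("aifsn", "txoplimit"):
                p[kw] = int(tok[i + 1])
                i += 2
            elif kw == "ack-policy":  # only edca radio carries an ACK policy
                if scope != "radio" or tok[i + 1] not in ("noack", "normalack"):
                    raise ValueError("ack-policy { noack | normalack } is valid only for edca radio")
                p[kw] = tok[i + 1]
                i += 2
            elif kw == "cac":  # only edca client for ac-vi / ac-vo carries cac
                if scope != "client" or ac not in ("ac-vi", "ac-vo") \
                        or tok[i + 1] not in ("enable", "disable"):
                    raise ValueError("cac { disable | enable } is valid only for edca client ac-vi/ac-vo")
                p[kw] = tok[i + 1]
                i += 2
            else:
                raise ValueError(f"unknown keyword {kw!r}")
    except IndexError:
        raise ValueError(f"truncated command: {line!r}") from None
    return p


def check_edca(p: dict) -> list:
    """Return the list of range problems; an empty list means the values are consistent."""
    problems = []
    for key, limit in RADIO_MAX.items():
        if not 0 <= p[key] <= limit:
            problems.append(f"{key}={p[key]} outside 0..{limit}")
    if p["ecwmin"] > p["ecwmax"]:
        problems.append("ecwmin exceeds ecwmax")
    return problems


def edca_timing(p: dict) -> dict:
    """Derived contention values: AIFS in microseconds and CWmin/CWmax in slots."""
    return {"aifs_us": SIFS_US + p["aifsn"] * SLOT_US,
            "cwmin": 2 ** p["ecwmin"] - 1,
            "cwmax": 2 ** p["ecwmax"] - 1}


if __name__ == "__main__":
    # Defaults of the four ACs: shorter AIFS and smaller windows win contention more often.
    for ac in ("ac-bk", "ac-be", "ac-vi", "ac-vo"):
        print(ac, edca_timing(parse_edca(f"edca radio {ac}")))
    # The SVP example's no-backoff setting collapses CWmin to 0.
    print(edca_timing(parse_edca("edca client ac-vo ecw ecwmin 0 ecwmax 0")))
```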
Configuring a port to trust packet priority for priority mapping
About priority mapping
When the packet trust mode is disabled, an AP assigns the port priority to all packets for the service template.
Restrictions and guidelines
This feature takes effect only on uplink packets.
The port priority setting does not take effect if the trusted packet priority type is configured.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Configure the trusted packet priority type. | | By default, the port priority is trusted. |
4. Set the port priority. | | By default, the port priority is 0. |
Configuring SVP mapping
About SVP mapping
This feature assigns packets that have the protocol ID 119 in the IP header to the AC-VI or AC-VO queue to provide SVP packets with the specified priority. SVP does not require random backoff for SVP packets. Therefore, you can set both ECWmin and ECWmax to 0 when there are only SVP packets in the AC-VI or AC-VO queue.
When SVP mapping is disabled, SVP packets are assigned to the AC-BE queue.
Restrictions and guidelines
SVP mapping takes effect only on non-WMM clients.
Procedure
To configure SVP mapping in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable SVP mapping. | svp map-ac { ac-vi | ac-vo } | By default, an AP uses the configuration in AP group radio view. To disable SVP mapping, use the svp map-ac disable command. |
To configure SVP mapping in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable SVP mapping. | svp map-ac { ac-vi | ac-vo } | By default, SVP mapping is disabled. To disable SVP mapping, use the svp map-ac disable command. |
Configuring bandwidth guaranteeing
To configure bandwidth guaranteeing in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum bandwidth for the specified radio mode. | wlan max-bandwidth { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } bandwidth | The following default settings apply: · 30000 Kbps for dot11a and dot11g. · 250000 Kbps for dot11an, dot11gn, and dot11gac. · 500000 Kbps for dot11ac. · 7000 Kbps for dot11b. |
3. Enter AP view. | wlan ap ap-name | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Configure bandwidth guaranteeing. | bandwidth-guarantee { disable | enable } | The following default settings apply: · If the service template setting in AP group view is used, the AP uses the configuration in AP group radio view. · If a service template is manually bound to the radio, bandwidth guaranteeing is disabled. |
6. Set a guaranteed bandwidth percentage for the specified service template. | bandwidth-guarantee service-template service-template-name percent percent | The following default settings apply: · If the service template setting in AP group view is used, the AP uses the configuration in AP group radio view. · If a service template is manually bound to the radio, a service template does not have a guaranteed bandwidth. |
To configure bandwidth guaranteeing in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum bandwidth for the specified radio mode. | wlan max-bandwidth { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } bandwidth | The following default settings apply: · 30000 Kbps for dot11a and dot11g. · 250000 Kbps for dot11an, dot11gn, and dot11gac. · 500000 Kbps for dot11ac. · 7000 Kbps for dot11b. |
3. Enter AP group view. | wlan ap-group group-name | N/A |
4. Enter AP model view. | ap-model ap-model | N/A |
5. Enter radio view. | radio radio-id | N/A |
6. Configure bandwidth guaranteeing. | bandwidth-guarantee { disable | enable } | By default, bandwidth guaranteeing is disabled. |
7. Set a guaranteed bandwidth percentage for the specified service template. | bandwidth-guarantee service-template service-template-name percent percent | By default, a service template does not have a guaranteed bandwidth. |
Configuring client rate limiting
About client rate limiting
By rate limit method, you can configure service-template-based, radio-based, or client-type-based client rate limiting. By rate limit mode, you can configure the dynamic or static mode for client rate limiting.
If more than one method and mode are configured, all settings take effect. The rate for a client will be limited to the minimum value among all the client rate limiting settings.
Restrictions and guidelines
Service-template-based client rate limiting takes effect on all clients associated with the same service template.
Radio-based client rate limiting takes effect on all clients associated with the same radio.
Client-type-based client rate limiting takes effect on all clients of the specified protocol.
Procedure
To configure service-template-based client rate limiting:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Enable service-template-based client rate limiting. | client-rate-limit enable | By default, service-template-based client rate limiting is disabled. |
4. Configure service-template-based client rate limiting. | client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir | By default, service-template-based client rate is not limited. |
To configure radio-based client rate limiting in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable or disable radio-based client rate limiting. | client-rate-limit { disable | enable } | By default, an AP uses the configuration in AP group radio view. |
5. Configure radio-based client rate limiting. | client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir | By default, an AP uses the configuration in AP group radio view. |
To configure radio-based client rate limiting in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable or disable radio-based client rate limiting. | client-rate-limit { disable | enable } | By default, radio-based client rate limiting is disabled. |
6. Configure radio-based client rate limiting. | client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir | By default, radio-based client rate is not limited. |
To configure client-type-based client rate limiting:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure client-type-based client rate limiting. | wlan client-rate-limit { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } { inbound | outbound } cir cir [ cbs cbs ] | By default, client-type-based client rate is not limited. |
Display and maintenance commands for WMM
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display WMM statistics for radios. | display wlan wmm radio |
Display WMM statistics for clients. | display wlan wmm client [ ap ap-name | mac-address mac-address ] |
Clear WMM statistics for radios. | reset wlan wmm radio [ ap ap-name ] |
Clear WMM statistics for clients. | reset wlan wmm client [ ap ap-name | mac-address mac-address ] |
WLAN QoS configuration examples
Example: Configuring basic WMM
Network configuration
As shown in Figure 56, enable WMM on the AC so that the AP and the client can prioritize the traffic.
Procedure
# Create a service template named market, set the SSID to market, and enable the service template.
<AC> system-view
[AC] wlan service-template market
[AC-wlan-st-market] ssid market
[AC-wlan-st-market] service-template enable
[AC-wlan-st-market] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Enable WMM, bind service template market to radio 1, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] wmm enable
[AC-wlan-ap-ap1-radio-1] service-template market
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
Verifying the configuration
# Display WMM statistics for radios.
[AC] display wlan wmm radio
AP ID : 1 AP Name : ap1
Radio : 1
Client EDCA updates : 0
QoS mode : WMM
WMM status : Enabled
Radio max AIFSN : 15 Radio max ECWmin : 10
Radio max TXOPLimit : 32767 Radio max ECWmax : 10
CAC information
Clients accepted : 0
Voice : 0
Video : 0
Total request medium time(μs) : 0
Voice(μs) : 0
Video(μs) : 0
Calls rejected due to insufficient resources : 0
Calls rejected due to invalid parameters : 0
Calls rejected due to invalid medium time : 0
Calls rejected due to invalid delay bound : 0
Radio : 2
Client EDCA updates : 0
QoS mode : WMM
WMM status : Enabled
Radio max AIFSN : 15 Radio max ECWmin : 10
Radio max TXOPLimit : 32767 Radio max ECWmax : 10
CAC information
Clients accepted : 0
Voice : 0
Video : 0
Total request medium time(μs) : 0
Voice(μs) : 0
Video(μs) : 0
Calls rejected due to insufficient resources : 0
Calls rejected due to invalid parameters : 0
Calls rejected due to invalid medium time : 0
Calls rejected due to invalid delay bound : 0
Example: Configuring CAC
Network configuration
As shown in Figure 57, configure CAC to allow a maximum of 10 clients to use the AC-VO and AC-VI queues.
Procedure
1. Create a service template named market, set the SSID to market, and enable the service template.
<AC> system-view
[AC] wlan service-template market
[AC-wlan-st-market] ssid market
[AC-wlan-st-market] service-template enable
[AC-wlan-st-market] quit
2. Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
3. Configure WMM:
# Bind service template market to radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template market
# Enable WMM for AC-VO and AC-VI queues, and configure a CAC policy to limit the number of clients to 10.
[AC-wlan-ap-ap1-radio-1] wmm enable
[AC-wlan-ap-ap1-radio-1] edca client ac-vo cac enable
[AC-wlan-ap-ap1-radio-1] edca client ac-vi cac enable
[AC-wlan-ap-ap1-radio-1] cac policy client 10
# Enable radio 1.
[AC-wlan-ap-ap1-radio-1] radio enable
Verifying the configuration
# Assume that a client requests to use a high-priority AC queue (AC-VO or AC-VI). Verify the following information:
· If the number of clients using high-priority AC queues is smaller than the maximum number of high-priority AC clients (10 in this example), the request is accepted.
· If the number of clients using high-priority AC queues is equal to the maximum number of high-priority AC clients (10 in this example), the request is rejected. The AP decreases the priority of packets from the client.
Example: Configuring SVP mapping
Network configuration
As shown in Figure 58, configure SVP mapping on the AC to assign SVP packets to the AC-VO queue. Set ECWmin and ECWmax to 0 for the AC-VO queue of the AP.
Procedure
1. Create a service template named market, set the SSID to market, and enable the service template.
<AC> system-view
[AC] wlan service-template market
[AC-wlan-st-market] ssid market
[AC-wlan-st-market] service-template enable
[AC-wlan-st-market] quit
2. Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
3. Configure SVP mapping:
# Enable WMM.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] wmm enable
# Assign SVP packets to the AC-VO queue, and set EDCA parameters of AC-VO queues for clients.
[AC-wlan-ap-ap1-radio-1] svp map-ac ac-vo
[AC-wlan-ap-ap1-radio-1] edca client ac-vo ecw ecwmin 0 ecwmax 0
# Bind service template market to radio 1, and enable the radio.
[AC-wlan-ap-ap1-radio-1] service-template market
[AC-wlan-ap-ap1-radio-1] radio enable
Verifying the configuration
# Verify that the AC assigns SVP packets to the AC-VO queue if a non-WMM client comes online and sends SVP packets to the AC.
Example: Configuring traffic differentiation
Network configuration
As shown in Figure 59, configure priority mapping on the AC to add 802.11 packets from the client to the AC-VO queue.
Procedure
# Create a service template named market, and set the SSID to market.
<AC> system-view
[AC] wlan service-template market
[AC-wlan-st-market] ssid market
# Configure priority mapping, and enable the service template.
[AC-wlan-st-market] qos priority 7
[AC-wlan-st-market] service-template enable
[AC-wlan-st-market] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Enable WMM.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] wmm enable
# Bind service template market to radio 1, and enable radio 1.
[AC-wlan-ap-ap1-radio-1] service-template market
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
Verifying the configuration
# Verify that packets from the client have been added to the AC-VO queue.
[AC] display wlan statistics client
MAC address : 0015-005e-97cc
AP name : ap1
Radio ID : 1
SSID : market
BSSID : 5866-ba74-e570
RSSI : 27
Sent frames:
Back ground : 0/0 (frames/bytes)
Best effort : 0/0 (frames/bytes)
Video : 0/0 (frames/bytes)
Voice : 14/1092 (frames/bytes)
Received frames:
Back ground : 0/0 (frames/bytes)
Best effort : 66/8177 (frames/bytes)
Video : 0/0 (frames/bytes)
Voice : 0/0 (frames/bytes)
Discarded frames:
Back ground : 0/0 (frames/bytes)
Best effort : 0/0 (frames/bytes)
Video : 0/0 (frames/bytes)
Voice : 0/0 (frames/bytes)
Example: Configuring bandwidth guaranteeing
Network configuration
As shown in Figure 60, Clients 1, 2, and 3 access the network through SSIDs research, office, and entertain, respectively.
For the network to operate correctly, guarantee 20% of the bandwidth for SSID office, 80% for research, and none for entertain.
Procedure
# Create a service template named office, set the SSID to office, and enable the service template.
<AC> system-view
[AC] wlan service-template office
[AC-wlan-st-office] ssid office
[AC-wlan-st-office] service-template enable
[AC-wlan-st-office] quit
# Create a service template named research, set the SSID to research, and enable the service template.
[AC] wlan service-template research
[AC-wlan-st-research] ssid research
[AC-wlan-st-research] service-template enable
[AC-wlan-st-research] quit
# Create a service template named entertain, set the SSID to entertain, and enable the service template.
[AC] wlan service-template entertain
[AC-wlan-st-entertain] ssid entertain
[AC-wlan-st-entertain] service-template enable
[AC-wlan-st-entertain] quit
# Set the maximum bandwidth to 10000 Kbps for the 802.11ac radio.
[AC] wlan max-bandwidth dot11ac 10000
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Set the radio mode to dot11ac for radio 1, bind the service templates office, research, and entertain to radio 1, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] type dot11ac
[AC-wlan-ap-ap1-radio-1] service-template office
[AC-wlan-ap-ap1-radio-1] service-template research
[AC-wlan-ap-ap1-radio-1] service-template entertain
[AC-wlan-ap-ap1-radio-1] radio enable
# Enable bandwidth guaranteeing.
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee enable
# Set the guaranteed bandwidth percentage to 20% for the service template office and 80% for service template research.
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template office percent 20
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template research percent 80
[AC-wlan-ap-ap1-radio-1] return
Verifying the configuration
# Verify that the rate of traffic from the AP to any client is not limited when the total traffic rate is lower than 10000 Kbps.
# Send traffic from the AP to Client 1 and Client 2 at a rate of over 2000 Kbps and over 8000 Kbps, respectively, to verify the following items:
· The AP sends traffic to Client 1 at 2000 Kbps.
· The AP sends traffic to Client 2 at 8000 Kbps.
· The rate of traffic from the AP to Client 3 is limited.
Example: Configuring client rate limiting
Network configuration
As shown in Figure 61, the AC is in the same network as the AP. Perform the following tasks on the AC:
· Configure static mode client rate limiting to limit the rate of incoming client traffic.
· Configure dynamic mode client rate limiting to limit the rate of outgoing client traffic.
Procedure
# Create a service template named service, and set its SSID to service.
<AC> system-view
[AC] wlan service-template service
[AC-wlan-st-service] ssid service
# Enable client rate limiting for service template service, and configure client rate limiting as follows:
· Limit the rate of incoming traffic to 8000 Kbps in static mode.
· Limit the rate of outgoing traffic to 8000 Kbps in dynamic mode.
[AC-wlan-st-service] client-rate-limit enable
[AC-wlan-st-service] client-rate-limit inbound mode static cir 8000
[AC-wlan-st-service] client-rate-limit outbound mode dynamic cir 8000
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Bind service template service to radio 1, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] service-template service
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
Configuring WLAN roaming
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN roaming
WLAN roaming enables clients to seamlessly roam among APs in an ESS while retaining their IP address and authorization information during the roaming process.
Intra-AC roaming enables clients to roam among APs that are managed by the same AC.
As shown in Figure 62, intra-AC roaming uses the following procedure:
1. The client comes online from AP 1, and the AC creates a roaming entry for the client.
2. The client roams to AP 2. The AC examines the roaming entry for the client and determines whether to perform fast roaming.
If the client is an RSN + 802.1X client, fast roaming is used, and the client can be associated with AP 2 without reauthentication. If it is not, the client needs to be reauthenticated before being associated with AP 2.
Feature and hardware compatibility
Only the following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC/3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: WLAN roaming configuration
For a service template where an AP is configured as the client authenticator, WLAN roaming is not supported. For more information about client authentication, see "WLAN authentication overview" and "Configuring WLAN authentication."
Enabling SNMP notifications for WLAN roaming
About enabling SNMP notifications for WLAN roaming
To report critical WLAN roaming events to an NMS, enable SNMP notifications for WLAN roaming. For WLAN roaming event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable SNMP notifications for WLAN roaming. | snmp-agent trap enable wlan mobility | By default, SNMP notifications for WLAN roaming are disabled. |
Display and maintenance commands for WLAN roaming
Execute display commands in any view.
Task | Command |
---|---|
Display roam-track information for a client on the AC. | display wlan mobility roam-track mac-address mac-address |
WLAN roaming configuration examples
Example: Configuring intra-AC roaming
Network configuration
As shown in Figure 63, configure intra-AC roaming to enable the client to roam from AP 1 to AP 2. The two APs are managed by the same AC.
Procedure
# Create a service template named service, set the SSID to 1, and enable the service template.
<AC> system-view
[AC] wlan service-template service
[AC-wlan-st-service] ssid 1
[AC-wlan-st-service] service-template enable
[AC-wlan-st-service] quit
# Create a manual AP named ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 219801A0CNC13C004126
# Bind the service template to radio 1 of AP 1, and enable the radio.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] service-template service
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create a manual AP named ap2, and specify the AP model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 219801A0CNC125002216
# Bind the service template to radio 1 of AP 2, and enable the radio.
[AC-wlan-ap-ap2] radio 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] service-template service
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
Verifying the configuration
# Enable the client to come online from AP 1. (Details not shown.)
# Verify that the client associates with AP 1, and the roaming status is N/A, which indicates that the client has not performed any roaming.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 000f-e265-6400
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 1
AP name : ap1
Radio ID : 1
SSID : 1
BSSID : 000f-e200-4444
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : Not configured
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : N/A
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 1minutes 13seconds
FT status : Inactive
# Verify that the AC has a roaming entry for the client.
[AC] display wlan mobility roam-track mac-address 000f-e265-6400
Total entries: 1
BSSID Created at Online time AC IP address RID AP name
000f-e200-4444 2016-06-14 11:12:28 00hr 01min 16sec 127.0.0.1 1 ap1
# Enable the client to roam to AP 2. (Details not shown.)
# Verify that the client has associated with AP 2, and the roaming status is Intra-AC roam.
[AC] display wlan client verbose
Total number of clients: 1
MAC address : 000f-e265-6400
IPv4 address : 10.1.1.114
IPv6 address : N/A
Username : N/A
AID : 1
AP ID : 2
AP name : ap2
Radio ID : 1
SSID : 1
BSSID : 000f-e203-7777
VLAN ID : 1
Sleep count : 242
Wireless mode : 802.11ac
Channel bandwidth : 80MHz
SM power save : Enabled
SM power save mode : Dynamic
Short GI for 20MHz : Supported
Short GI for 40MHz : Supported
Short GI for 80MHz : Supported
Short GI for 160/80+80MHz : Not supported
STBC RX capability : Not supported
STBC TX capability : Not supported
LDPC RX capability : Not supported
SU beamformee capability : Not supported
MU beamformee capability : Not supported
Beamformee STS capability : N/A
Block Ack : TID 0 In
Supported VHT-MCS set : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8
NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8
Supported HT MCS set : 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20,
21, 22, 23
Supported rates : 6, 9, 12, 18, 24, 36,
48, 54 Mbps
QoS mode : WMM
Listen interval : 10
RSSI : 62
Rx/Tx rate : 130/11
Authentication method : Open system
Security mode : PRE-RSNA
AKM mode : Not configured
Cipher suite : N/A
User authentication mode : Bypass
Authorization ACL ID : 3001(Not effective)
Authorization user profile : N/A
Roam status : Intra-AC roam
Key derivation : SHA1
PMF status : Enabled
Forward policy name : Not configured
Online time : 0days 0hours 5minutes 13seconds
FT status : Inactive
# Verify that the AC has updated the roaming entry for the client.
[AC] display wlan mobility roam-track mac-address 000f-e265-6400
Total entries: 2
BSSID Created at Online time AC IP address RID AP name
000f-e203-7777 2016-06-14 11:12:28 00hr 01min 02sec 127.0.0.1 1 ap2
000f-e200-4444 2016-06-14 11:12:04 00hr 03min 51sec 127.0.0.1 1 ap1
Configuring WLAN radio resource measurement
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN radio resource measurement
WLAN radio resource measurement measures channel quality and radio performance. It enables clients and APs to learn the wireless environment and to use wireless resources such as spectrum, power, and bandwidth more effectively.
WLAN radio resource measurement includes 802.11h measurement and 802.11k measurement.
802.11h measurement
802.11h measurement measures channels in the 5 GHz band. Table 32 lists the measurement types it supports.
Table 32 802.11h measurement types
Type | Subtype | Description |
---|---|---|
Spectrum management measurement | Basic | Measures whether a client has detected any of the following on the channel: packets from other BSSs, OFDM preambles, radar signals, or unidentified signals. |
Spectrum management measurement | Clear Channel Assessment (CCA) | Percentage of time that the channel was busy during the measurement period. |
Spectrum management measurement | Receive Power Indication (RPI) | Percentage of time that each RPI level was observed during the measurement period. |
Transmit Power Control (TPC) measurement | N/A | Measures the link margin and transmit power of clients. |
802.11h measurement operates in the following procedure:
1. An AP sets the Spectrum Mgmt field to 1 in beacons, probe responses, association responses, or reassociation responses to notify the clients that they can send 802.11h measurement requests.
2. Upon receiving a measurement request from a client, the AP performs the required measurement and sends a report to the client.
The AP can also send measurement requests periodically to clients and collect measurement reports from clients.
802.11k measurement
802.11k measurement measures channels in both the 2.4 GHz and 5 GHz bands. Table 33 lists the measurement types it supports.
Table 33 802.11k measurement types
Type | Subtype | Description |
---|---|---|
Radio measurement | Beacon | Measures the Received Channel Power Indicator (RCPI) and Received Signal to Noise Indicator (RSNI) of beacons, measurement pilot frames, and probe responses. |
Radio measurement | Frame | Measures the number of frames received from each transmitter and the average RCPI of those frames. |
Radio measurement | Station statistics | Measures the received and transmitted fragment counts, received and transmitted multicast frame counts, failed counts, retry counts, and ACK failure counts. |
Radio measurement | Transmit stream | Measures the frames of a specific transmit stream (traffic category). |
Radio measurement | Channel load | Measures the channel utilization. |
Radio measurement | Location | Measures the relative locations of the requester and the requested station. |
Radio measurement | Noise histogram | Measures the distribution of noise power across decibel ranges. |
Link measurement | N/A | Measures the RCPI, RSNI, and link margin of a requested link. |
Neighbor measurement | N/A | Reports the channel and BSSID of neighbor APs. |
802.11k measurement operates in the following procedure:
1. An AP sets the Radio Measurement field to 1 in beacons, probe responses, association responses, or reassociation responses to notify the clients that they can send 802.11k measurement requests.
These frames also carry measurement capabilities of the AP to inform clients of measurement types that the AP supports.
The AP periodically sends Measurement Pilot frames to help clients discover the AP quickly. Measurement Pilot frames are sent more frequently than beacons and carry less information.
2. Upon receiving a measurement request from a client, the AP performs the required measurement and sends a report to the client.
The AP can also send measurement requests periodically to clients and collect measurement reports from clients.
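The two tables above name the report types but not how a report looks on the wire. The following decoder is an added example, not code from the H3C guide or from the WA2620: it parses IEEE 802.11 Measurement Report elements (element ID 39) for the 802.11h types (Basic, CCA, RPI histogram) and three 802.11k types (Channel load, Noise histogram, Beacon), and converts the RCPI/RSNI bytes into the dBm/dB values that "display wlan measure-report" prints. Field layouts follow IEEE Std 802.11-2016 clause 9.4.2.22; the sample elements are constructed by hand, not captured traffic. Because a client can send these reports on an open SSID before any authentication, every length is checked before the bytes are sliced.

```python
"""Decoder for IEEE 802.11 Measurement Report elements (element ID 39)."""
import struct

MEASUREMENT_REPORT_ID = 39
# Measurement Type values (IEEE 802.11-2016 Table 9-102): 0-2 are the 802.11h
# spectrum management reports, 3-5 are 802.11k radio measurement reports.
BASIC, CCA, RPI_HISTOGRAM, CHANNEL_LOAD, NOISE_HISTOGRAM, BEACON = range(6)
TYPE_NAMES = {BASIC: "basic", CCA: "cca", RPI_HISTOGRAM: "rpi-histogram",
              CHANNEL_LOAD: "channel-load", NOISE_HISTOGRAM: "noise-histogram",
              BEACON: "beacon"}


def rcpi_to_dbm(rcpi):
    """RCPI = (P_dBm + 110) * 2 for 0..220; 255 means 'not available'. ANPI uses the same encoding."""
    if rcpi == 255:
        return None
    if rcpi > 220:
        raise ValueError("reserved RCPI value %d" % rcpi)
    return rcpi / 2 - 110


def rsni_to_db(rsni):
    """RSNI = (SNR_dB + 10) * 2; 255 means 'not available'."""
    return None if rsni == 255 else rsni / 2 - 10


def _need(buf, n, what):
    if len(buf) < n:
        raise ValueError("truncated %s" % what)


def parse_measurement_report(elem):
    """Parse one Measurement Report element into a dict, or raise ValueError."""
    _need(elem, 5, "element header")
    if elem[0] != MEASUREMENT_REPORT_ID or len(elem) != 2 + elem[1]:
        raise ValueError("not a well-formed Measurement Report element")
    token, mode, mtype, body = elem[2], elem[3], elem[4], elem[5:]
    out = {"token": token, "type": TYPE_NAMES.get(mtype, "type-%d" % mtype),
           "late": bool(mode & 0x01), "incapable": bool(mode & 0x02),
           "refused": bool(mode & 0x04)}
    if mode & 0x06:                       # Incapable/Refused: no report body follows
        return out
    if mtype in (BASIC, CCA, RPI_HISTOGRAM):
        _need(body, 11, "802.11h report")  # Channel(1) + Start Time(8) + Duration(2)
        out["channel"] = body[0]
        out["start_tsf"], out["duration_tu"] = struct.unpack_from("<QH", body, 1)
        rest = body[11:]
        if mtype == BASIC:
            _need(rest, 1, "Basic report Map field")
            m = rest[0]
            out.update(bss=bool(m & 0x01), ofdm_preamble=bool(m & 0x02),
                       unidentified=bool(m & 0x04), radar=bool(m & 0x08),
                       unmeasured=bool(m & 0x10))
        elif mtype == CCA:
            _need(rest, 1, "CCA Busy Fraction")
            out["cca_busy_pct"] = round(rest[0] * 100 / 255, 1)
        else:
            _need(rest, 8, "RPI histogram")
            out["rpi_density"] = list(rest[:8])
    elif mtype in (CHANNEL_LOAD, NOISE_HISTOGRAM, BEACON):
        _need(body, 12, "802.11k report")  # Op Class(1) + Channel(1) + Start(8) + Duration(2)
        out["op_class"], out["channel"] = body[0], body[1]
        out["start_tsf"], out["duration_tu"] = struct.unpack_from("<QH", body, 2)
        rest = body[12:]
        if mtype == CHANNEL_LOAD:
            _need(rest, 1, "Channel Load field")
            out["channel_load_pct"] = round(rest[0] * 100 / 255, 1)
        elif mtype == NOISE_HISTOGRAM:
            _need(rest, 13, "Noise Histogram report")  # Antenna ID, ANPI, IPI0..IPI10
            out["antenna_id"], out["anpi_dbm"] = rest[0], rcpi_to_dbm(rest[1])
            out["ipi_density"] = list(rest[2:13])
        else:
            _need(rest, 14, "Beacon report")  # Frame Info, RCPI, RSNI, BSSID(6), Antenna, Parent TSF(4)
            out["phy_type"] = rest[0] & 0x7F
            out["rcpi_dbm"], out["rsni_db"] = rcpi_to_dbm(rest[1]), rsni_to_db(rest[2])
            out["bssid"] = "-".join("%02x%02x" % (rest[3 + i], rest[4 + i]) for i in (0, 2, 4))
            out["antenna_id"] = rest[9]
            out["parent_tsf"] = struct.unpack_from("<I", rest, 10)[0]
    return out


def build_report(token, mtype, body, mode=0):
    """Wrap a report body in the element header (used here to build constructed sample elements)."""
    payload = bytes([token, mode, mtype]) + body
    return bytes([MEASUREMENT_REPORT_ID, len(payload)]) + payload


# Constructed sample elements (not captured traffic): a Basic report for channel 36 that
# flagged BSS traffic, an OFDM preamble and radar, and a Beacon report for BSSID
# 000f-e200-4444 at -60 dBm with a 30 dB SNR, both over a 500 TU measurement.
SAMPLE_BASIC = build_report(1, BASIC, bytes([36]) + struct.pack("<QH", 0x1000, 500) + bytes([0x0B]))
SAMPLE_BEACON = build_report(2, BEACON, bytes([115, 36]) + struct.pack("<QH", 0x2000, 500)
                             + bytes([0x05, 100, 80, 0x00, 0x0F, 0xE2, 0x00, 0x44, 0x44, 1])
                             + struct.pack("<I", 0x3000))

if __name__ == "__main__":
    for sample in (SAMPLE_BASIC, SAMPLE_BEACON):
        print(parse_measurement_report(sample))
```

The Map bits of the Basic report (BSS, OFDM preamble, unidentified signal, radar) are exactly the four detections listed in Table 32, and the RCPI/RSNI conversion is what turns the raw bytes into the dBm and dB figures seen in the measurement report output later in this chapter.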
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: Radio resource measurement configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of priority: AP view, AP group view, and global configuration view. A setting in a higher-priority view overrides the same setting in a lower-priority view.
WLAN radio resource measurement tasks at a glance
Tasks at a glance |
(Required.) Enabling radio resource measurement |
(Optional.) Setting the measurement duration and interval |
(Optional.) Setting the match mode for client radio resource measurement capabilities |
Enabling radio resource measurement
To enable radio resource measurement in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Enable a measurement type. |
measure { all | link | neighbor | radio | spectrum | tpc } enable |
By default, the configuration in AP group view is used. The spectrum and tpc keywords are available only for 5 GHz radios. |
5. Enable radio resource measurement. |
resource-measure enable |
By default, the configuration in AP group view is used. You must enable radio resource measurement if you enable link, neighbor, or radio measurement. |
6. Enable spectrum management. |
spectrum-management enable |
By default, the configuration in AP group view is used. Spectrum or TPC measurement takes effect only after you enable spectrum management. For more information about this command, see WLAN Command Reference (AC). |
To enable radio resource measurement in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter AP group radio view. |
radio radio-id |
N/A |
5. Enable a measurement type. |
measure { all | link | neighbor | radio | spectrum | tpc } enable |
By default, measurement is disabled. The spectrum and tpc keywords are available only for 5 GHz radios. |
6. Enable radio resource measurement. |
resource-measure enable |
By default, radio resource measurement is disabled. You must enable radio resource measurement if you enable link, neighbor, or radio measurement. |
7. Enable spectrum management. |
spectrum-management enable |
By default, spectrum management is disabled. Spectrum or TPC measurement takes effect only after you enable spectrum management. For more information about this command, see WLAN Command Reference (AC). |
Setting the measurement duration and interval
About the measurement duration and interval
When radio resource measurement is enabled for an AP, the AP sends measurement requests that carry the measurement duration to clients at the specified interval.
Procedure
To set the measurement duration and interval in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Set the measurement duration. |
measure-duration time |
By default, the configuration in AP group view is used. |
5. Set the measurement interval. |
measure-interval value |
By default, the configuration in AP group view is used. |
To set the measurement duration and interval in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter AP group radio view. |
radio radio-id |
N/A |
5. Set the measurement duration. |
measure-duration time |
By default, the measurement duration is 500 TUs (1 TU = 1024 microseconds). |
6. Set the measurement interval. |
measure-interval value |
By default, the measurement interval is 30 seconds. |
Setting the match mode for client radio resource measurement capabilities
About the match modes for client radio resource measurement capabilities
Set the match mode to allow a client to associate with an AP based on the predefined match criteria. Radio resource measurement capability refers to the radio resource measurement types supported by the AP and client. The device supports the following match modes for client radio resource measurement capabilities:
· All—A client is allowed to associate with an AP only when all of its radio resource measurement capabilities match the AP's radio resource measurement capabilities.
· None—Client radio resource measurement capabilities are not checked.
· Partial—A client is allowed to associate with an AP as long as one of its radio resource measurement capabilities matches any of the AP's radio resource measurement capabilities.
Procedure
To set the match mode for client radio resource measurement capabilities in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Set the match mode for client radio resource measurement capabilities. |
rm-capability mode { all | none | partial } |
By default, the configuration in AP group view is used. |
To set the match mode for client radio resource measurement capabilities in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter AP group radio view. |
radio radio-id |
N/A |
5. Set the match mode for client radio resource measurement capabilities. |
rm-capability mode { all | none | partial } |
By default, an AP does not check the radio resource measurement capabilities of a client. |
Display and maintenance commands for WLAN radio resource measurement
Execute display commands in any view.
Task |
Command |
Display client measurement reports. |
display wlan measure-report ap ap-name radio radio-id [ client mac-address mac-address ] |
Radio resource measurement configuration examples
Example: Configuring radio resource measurement
Network configuration
As shown in Figure 64, configure radio resource measurement to meet the following requirements:
· The client can come online only when all its radio resource measurement capabilities match the AP's.
· The client can perform all types of measurements.
Procedure
# Create service template 1.
<AC> system-view
[AC] wlan service-template 1
# Set the SSID to resource-measure, and enable the service template.
[AC-wlan-st-1] ssid resource-measure
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create manual AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Enter radio view of radio 1.
[AC-wlan-ap-ap1] radio 1
# Enable spectrum management.
[AC-wlan-ap-ap1-radio-1] spectrum-management enable
# Enable radio resource measurement.
[AC-wlan-ap-ap1-radio-1] resource-measure enable
# Enable all measurement features.
[AC-wlan-ap-ap1-radio-1] measure all enable
# Set the match mode for client radio resource measurement capabilities to All.
[AC-wlan-ap-ap1-radio-1] rm-capability mode all
# Bind the service template to radio 1, and enable the radio.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
Verifying the configuration
# Verify that the client has come online.
[AC] display wlan client
Total number of clients: 1
MAC address Username AP name RID IP address VLAN ID
00ee-bd44-557f N/A ap1 1 1.1.1.1 1
# Display measurement reports from the client.
[AC] display wlan measure-report ap ap1 radio 1
Total number of clients: 1
Client MAC address : 00ee-bd44-557f
Link measurement:
Link margin : 2 dBm
RCPI : -85 dBm
RSNI : 53 dBm
Noise histogram:
Antenna ID : 3
ANPI : -56 dBm
IPI0 to IPI10 density : 5 12 16 13 8 5 5 15 17 1 3
Spectrum measurement:
Transmit power : 20 dBm
BSS : Detected
OFDM preamble : Detected
Radar : Detected
Unidentified signal : Undetected
CCA busy fraction : 60
RPI0 to RPI7 density : 3 7 11 19 15 23 15 7
Frame report entry:
BSSID : a072-2351-e253
PHY type : fhss
Average RCPI : -10 dBm
Last RSNI : 2 dBm
Last RCPI : -20 dBm
Frames : 1
Dot11BSSAverageAccessDelay group:
Average access delay : 32 ms
BestEffort average access delay : 1 ms
Background average access delay : 1 ms
Video average access delay : 1 ms
Voice average access delay : 1 ms
Clients : 32
Channel utilization rate : 11
Transmit stream:
Traffic ID : 0
Sent MSDUs : 60
Discarded MSDUs : 5
Failed MSDUs : 3
MSDUs resent multiple times : 3
Lost QoS CF-Polls : 2
Average queue delay : 2 ms
Average transmit delay : 1 ms
Bin0 range : 0 to 10 ms
Bin0 to Bin5 : 5 10 10 5 10 10
Configuring channel scanning
The term "AC" in this document refers to MSR routers that can function as ACs.
About channel scanning
Channel scanning enables APs to scan channels and capture wireless packets. The AC analyzes the captured packets to obtain wireless service information, including interference, bit error rate, and wireless signal strength. Channel scanning provides data for WLAN RRM and WIPS, and enhances wireless service quality.
Basic concepts
· Scanning period—In this period, an AP only scans a channel and does not provide wireless services.
· Service period—In this period, an AP scans its working channel and provides wireless services simultaneously for a time period that is the same as the scanning period. After that, the AP only provides wireless services.
Work mechanism
An AP scans each channel on the channel scanning list in turn regardless of whether the AP provides wireless services, and each channel is scanned for one scanning period. If the AP does not provide wireless services, it runs scanning periods consecutively. If the AP provides wireless services, it alternates service periods and scanning periods.
For example, Figure 65 shows the channel scanning mechanism for an AP when the AP works on channel 6 and the channel scanning list contains channels 1, 6, and 11.
Figure 65 Channel scanning mechanism
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: Channel scanning configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of priority: AP view, AP group view, and global configuration view. A setting in a higher-priority view overrides the same setting in a lower-priority view.
Channel scanning tasks at a glance
Tasks at a glance |
(Required.) Setting the scanning period |
(Required.) Setting the maximum service period |
(Required.) Setting the service idle timeout timer |
(Optional.) Configuring the channel scanning blacklist or whitelist |
(Optional.) Configuring all-channel scanning |
Setting the scanning period
About the scanning period
The scanning period defines the time period in which an AP scans a channel. In a service period, an AP scans its working channel and provides wireless services simultaneously for a time period that is the same as the scanning period.
Restrictions and guidelines
The scanning period cannot be greater than the maximum service period.
Procedure
To set the scanning period in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Set the scanning period. |
scan scan-time scan-time |
By default, a radio uses the configuration in AP group radio view. |
To set the scanning period in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter radio view. |
radio radio-id |
N/A |
5. Set the scanning period. |
scan scan-time scan-time |
By default, the scanning period is 100 milliseconds. |
Setting the maximum service period
About the maximum service period
To balance channel scanning and service quality, set a maximum service period. When the maximum service period is reached, the AP starts a scanning period regardless of whether it has traffic to forward. To favor wireless service quality, configure the AP to not limit the service period (no-limit). The AP then starts a scanning period only when the service idle timeout timer expires.
Procedure
To set the maximum service period in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Set the maximum service period. |
scan max-service-time { max-service-time | no-limit } |
By default, a radio uses the configuration in AP group radio view. |
To set the maximum service period in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter radio view. |
radio radio-id |
N/A |
5. Set the maximum service period. |
scan max-service-time { max-service-time | no-limit } |
By default, the maximum service period is 5000 milliseconds. |
Setting the service idle timeout timer
About the service idle timeout timer
The service idle timeout timer defines how long an AP can go without traffic to forward in a service period before it starts a new scanning period. Even if the timer expires, the AP does not begin a new scanning period until the current service period has lasted at least as long as the scanning period (the time in which it scans its working channel while still serving clients).
Restrictions and guidelines
The service idle timeout timer cannot be greater than the maximum service period.
Procedure
To set the service idle timeout timer in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Set the service idle timeout timer. |
scan idle-time idle-time |
By default, a radio uses the configuration in AP group radio view. |
To set the service idle timeout timer in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter radio view. |
radio radio-id |
N/A |
5. Set the service idle timeout timer. |
scan idle-time idle-time |
By default, the service idle timeout timer is 100 milliseconds. |
Configuring the channel scanning blacklist or whitelist
About the channel scanning blacklist or whitelist
If you configure a blacklist for an AP, the AP does not scan the channels in the blacklist (its working channel is always scanned). If you configure a whitelist for an AP, the AP scans only the channels in the whitelist and its working channel.
Restrictions and guidelines
You cannot configure both the channel scanning blacklist and whitelist for the same AP.
Procedure
To configure the channel scanning blacklist or whitelist in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Add the specified channels to the channel scanning blacklist. |
scan channel blacklist channel-list |
Choose either task. By default, a radio uses the configuration in AP group radio view. |
5. Add the specified channels to the channel scanning whitelist. |
scan channel whitelist channel-list |
To configure the channel scanning blacklist or whitelist in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter radio view. |
radio radio-id |
N/A |
5. Add the specified channels to the channel scanning blacklist. |
scan channel blacklist channel-list |
Choose either task. By default, no channel scanning blacklist or whitelist exists. |
6. Add the specified channels to the channel scanning whitelist. |
scan channel whitelist channel-list |
Configuring all-channel scanning
About all-channel scanning
When all-channel scanning is enabled, an AP alternately scans 2.4 GHz channels and 5 GHz channels at the specified interval. When all-channel scanning is disabled, an AP scans only channels of the configured band.
Restrictions and guidelines
This feature is applicable only to dual-band radios.
Procedure
To configure all-channel scanning in radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enter radio view. |
radio radio-id |
N/A |
4. Configure all-channel scanning. |
scan mode all { disable | enable } |
By default, a radio uses the configuration in AP group radio view. |
5. Set the interval for the radio to scan all channels. |
scan mode all interval interval-value |
By default, a radio uses the configuration in AP group radio view. |
To configure all-channel scanning in AP group radio view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enter AP model view. |
ap-model ap-model |
N/A |
4. Enter radio view. |
radio radio-id |
N/A |
5. Configure all-channel scanning. |
scan mode all { disable | enable } |
By default, all-channel scanning is disabled. |
6. Set the interval for the radio to scan all channels. |
scan mode all [ interval interval-value ] |
By default, the interval for an AP to scan all channels is 3000 milliseconds. |
Channel scanning configuration examples
Example: Configuring relative forwarding preferred channel scanning
Network configuration
To ensure both channel scanning and wireless service quality, configure channel scanning and set the maximum service period for AP 1, as shown in Figure 66.
Procedure
# Create a manual AP and specify the model and serial ID.
<AC> system-view
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Enter radio view of radio 1.
[AC-wlan-ap-ap1] radio 1
# Set the scanning period to 200 milliseconds.
[AC-wlan-ap-ap1-radio-1] scan scan-time 200
# Set the maximum service period to 5000 milliseconds.
[AC-wlan-ap-ap1-radio-1] scan max-service-time 5000
# Set the service idle timeout timer to 100 milliseconds.
[AC-wlan-ap-ap1-radio-1] scan idle-time 100
Example: Configuring absolute forwarding preferred channel scanning
Network configuration
To ensure wireless service quality, configure channel scanning and configure AP 1 to not limit the service period, as shown in Figure 67.
Procedure
# Create a manual AP and specify the model and serial ID.
<AC> system-view
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454
# Enter radio view.
[AC-wlan-ap-ap1] radio 1
# Set the scanning period to 100 milliseconds.
[AC-wlan-ap-ap1-radio-1] scan scan-time 100
# Configure the radio to not limit the service period.
[AC-wlan-ap-ap1-radio-1] scan max-service-time no-limit
# Set the service idle timeout timer to 100 milliseconds.
[AC-wlan-ap-ap1-radio-1] scan idle-time 100
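The two examples differ only in the maximum service period, and the guide's description of the work mechanism does not say how long a full sweep of the scanning list takes under each setting. The following simulator is an added example, not code from the H3C guide or from the AP firmware. It applies the rules stated in this chapter (scanning periods run back to back when the AP provides no service; with service, a scanning period on one non-working channel alternates with a service period that scans the working channel for the first scan-time milliseconds; a service period ends at the maximum service period or after the idle timeout, but never before one scan-time has elapsed) to a channel list {1, 6, 11} with working channel 6, the same layout as Figure 65. The assumptions made here and not stated in the guide are that non-working channels are visited in list order, that the timeline is modeled in 1 ms steps, and the traffic patterns, which are constructed.

```python
"""Simulation of the channel scanning schedule described in this chapter."""


def simulate_scan(channels, working, scan_time, max_service_time, idle_time,
                  traffic, horizon, serving=True):
    """Return the AP's schedule over `horizon` ms as (start_ms, end_ms, kind, channel) tuples.

    max_service_time=None models 'scan max-service-time no-limit'.
    traffic(t) -> True when the radio has client traffic to forward at millisecond t.
    """
    periods, t, idx = [], 0, 0
    if not serving:                                   # no wireless service: scan the whole list back to back
        while t < horizon:
            periods.append((t, t + scan_time, "scan", channels[idx % len(channels)]))
            t += scan_time
            idx += 1
        return periods
    others = [c for c in channels if c != working]
    while t < horizon:
        if others:                                    # scanning period: one non-working channel, no service
            periods.append((t, t + scan_time, "scan", others[idx % len(others)]))
            t += scan_time
            idx += 1
        start, idle_since = t, None                   # service period: working channel scanned for scan_time ms
        while t < horizon:
            elapsed = t - start
            if max_service_time is not None and elapsed >= max_service_time:
                break                                 # maximum service period reached
            if traffic(t):
                idle_since = None
            elif idle_since is None:
                idle_since = t
            if elapsed >= scan_time and idle_since is not None and t - idle_since >= idle_time:
                break                                 # idle timeout expired after the working-channel scan
            t += 1
        periods.append((start, min(t, horizon), "service", working))
    return periods


def time_to_full_sweep(periods, channels, scan_time):
    """Milliseconds until every channel in the list has been scanned once; None if never."""
    done = {}
    for start, end, kind, ch in periods:
        if kind == "scan" or end - start >= scan_time:   # a full-length service period scans the working channel
            done.setdefault(ch, start + scan_time)
        if all(c in done for c in channels):
            return max(done.values())
    return None


def always_busy(t):
    return True


def idle(t):
    return False


def bursty(t):
    return (t % 1000) < 600       # constructed load: 600 ms of traffic, then 400 ms quiet


def compare_examples(horizon=20000):
    """Sweep times for the two examples above (list {1, 6, 11}, working channel 6)."""
    chans, work = [1, 6, 11], 6

    def relative(tr):   # scan-time 200, max-service-time 5000, idle-time 100
        return simulate_scan(chans, work, 200, 5000, 100, tr, horizon)

    def absolute(tr):   # scan-time 100, max-service-time no-limit, idle-time 100
        return simulate_scan(chans, work, 100, None, 100, tr, horizon)

    return {
        "relative/busy": time_to_full_sweep(relative(always_busy), chans, 200),
        "relative/bursty": time_to_full_sweep(relative(bursty), chans, 200),
        "absolute/busy": time_to_full_sweep(absolute(always_busy), chans, 100),
        "absolute/idle": time_to_full_sweep(absolute(idle), chans, 100),
        "no-service": time_to_full_sweep(
            simulate_scan(chans, work, 100, None, 100, idle, horizon, serving=False), chans, 100),
    }


if __name__ == "__main__":
    for name, ms in compare_examples().items():
        print("%-16s %s" % (name, "never" if ms is None else "%d ms" % ms))
```

Under constant load the relative-forwarding example still covers the list in 5.4 s, while the absolute-forwarding example never leaves its service period, so channels 1 and 11 are never scanned and neither RRM nor WIPS receives data for them. That is the trade-off to weigh before choosing no-limit on a radio that is expected to feed WIPS.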
Configuring band navigation
The term "AC" in this document refers to MSR routers that can function as ACs.
About band navigation
Band navigation steers dual-band clients from the 2.4 GHz band to the less crowded 5 GHz band. As shown in Figure 68, band navigation is enabled in the WLAN. Client 1 and Client 2 are associated with the 2.4 GHz radio. When the dual-band client Client 3 requests to associate with the 2.4 GHz radio, the AP rejects the request and directs Client 3 to the 5 GHz radio.
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: Band navigation configuration
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of priority: AP view, AP group view, and global configuration view. A setting in a higher-priority view overrides the same setting in a lower-priority view.
Do not enable band navigation in a WLAN where most clients in the WLAN support only the 2.4 GHz band or in a WLAN that is sensitive to traffic delay.
Band navigation tasks at a glance
Tasks at a glance |
(Required.) Enabling band navigation globally |
(Required.) Enabling AP-based band navigation |
(Optional.) Configuring load balancing for band navigation |
(Optional.) Configuring band navigation parameters |
Prerequisites for band navigation
Complete the following tasks before configuring band navigation:
· Disable quick association. For more information about quick association, see "Configuring WLAN access."
· Enable both the 5 GHz and 2.4 GHz radios and bind the radios to the same service template.
Enabling band navigation globally
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enable band navigation globally. |
wlan band-navigation enable |
By default, band navigation is disabled globally. |
Enabling AP-based band navigation
Restrictions and guidelines
Band navigation takes effect on an AP only when you enable band navigation both globally and for the AP.
Procedure
To enable AP-based band navigation in AP view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP view. |
wlan ap ap-name |
N/A |
3. Enable band navigation for the AP. |
band-navigation enable |
By default, an AP uses the configuration in AP group view. |
To enable AP-based band navigation in AP group view:
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Enter AP group view. |
wlan ap-group group-name |
N/A |
3. Enable band navigation for APs in the AP group. |
band-navigation enable |
By default, band navigation is enabled. |
Configuring load balancing for band navigation
About load balancing for band navigation
An AP rejects the 5 GHz association request of a client when the following conditions are met:
· The number of clients on the 5 GHz radio reaches the specified threshold.
· The client number gap between the 5 GHz radio and the radio that has the fewest clients reaches the specified threshold.
Procedure
Step |
Command |
Remarks |
1. Enter system view. |
system-view |
N/A |
2. Configure load balancing for band navigation. |
wlan band-navigation balance session session [ gap gap ] |
By default, load balancing is disabled for band navigation. |
Configuring band navigation parameters
About band navigation parameters
The following parameters affect band navigation:
· Maximum number of denials for 5 GHz association requests—If the number of times that a 5 GHz radio rejects a client reaches the specified maximum number, the radio accepts the association request of the client.
· Band navigation RSSI threshold—A client might be detected by multiple radios. A 5 GHz radio rejects the association request of a client if the client's RSSI is lower than the band navigation RSSI threshold.
· Client information aging time—When an AP receives an association request from a client, the AP records the client's information and starts the client information aging timer. If the AP does not receive any probe requests or association requests from the client before the aging timer expires, the AP deletes the client's information.
Configure an appropriate client information aging time to ensure both client association and system resource efficiency.
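The load-balancing conditions, the denial limit, the RSSI threshold, and the aging timer interact, and the guide describes each in isolation. The following model is an added example, not H3C code, that puts the stated rules together for a 5 GHz radio: reject a 5 GHz association when the 5 GHz client count reaches the session threshold and the gap to the radio with the fewest clients reaches the gap threshold; reject when the client's RSSI is below the RSSI threshold; admit the client once it has been denied access-denial times; and discard the client's record when no probe or association request arrives within the aging time. The order in which the checks are evaluated, and that an RSSI rejection counts against the same access-denial budget as a load-balancing rejection, are assumptions of this model, not statements from the guide. Client addresses and radio loads are constructed.

```python
"""Model of the 5 GHz admission decisions made by band navigation."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BandNavConfig:
    """Global band navigation parameters; defaults follow the defaults stated in the guide."""
    session: Optional[int] = None   # wlan band-navigation balance session N (None: load balancing off)
    gap: int = 0                    # ... gap G (value used when gap is omitted is an assumption here)
    access_denial: int = 1          # wlan band-navigation balance access-denial (default 1)
    rssi_threshold: int = 15        # wlan band-navigation rssi-threshold (default 15)
    aging_time: int = 180           # wlan band-navigation aging-time, in seconds (default 180)


@dataclass
class ClientInfo:
    denials: int = 0        # 5 GHz association requests rejected so far
    last_seen: float = 0.0  # time of the last probe or association request from the client


class BandNavigation5G:
    def __init__(self, cfg: BandNavConfig):
        self.cfg = cfg
        self.info: Dict[str, ClientInfo] = {}   # per-client records kept by the AP

    def _touch(self, mac: str, now: float) -> ClientInfo:
        """Age out records whose timer expired, then refresh or create this client's record."""
        expired = [m for m, c in self.info.items() if now - c.last_seen > self.cfg.aging_time]
        for m in expired:
            del self.info[m]
        rec = self.info.setdefault(mac, ClientInfo(last_seen=now))
        rec.last_seen = now
        return rec

    def probe(self, mac: str, now: float) -> None:
        """A probe request restarts the client's aging timer but is not a denial."""
        self._touch(mac, now)

    def assoc_5g(self, mac: str, rssi: int, clients_5g: int, other_radio_clients, now: float) -> str:
        """Decide a 5 GHz association request; returns 'accept' or a 'reject: ...' reason.

        other_radio_clients lists the client counts of the AP's other radios.
        Check order (denial budget, RSSI, load balancing) is an assumption of this model.
        """
        rec = self._touch(mac, now)
        if rec.denials >= self.cfg.access_denial:
            return "accept"            # denied the maximum number of times: admit the client
        if rssi < self.cfg.rssi_threshold:
            rec.denials += 1
            return "reject: rssi %d below threshold %d" % (rssi, self.cfg.rssi_threshold)
        if self.cfg.session is not None and other_radio_clients:
            gap = clients_5g - min(other_radio_clients)
            if clients_5g >= self.cfg.session and gap >= self.cfg.gap:
                rec.denials += 1
                return "reject: 5 GHz has %d clients (threshold %d), gap %d (threshold %d)" % (
                    clients_5g, self.cfg.session, gap, self.cfg.gap)
        return "accept"


def example_walkthrough():
    """Replay the example's values (session 5, gap 2, access-denial 3) for one client."""
    ap = BandNavigation5G(BandNavConfig(session=5, gap=2, access_denial=3))
    mac = "000f-e265-6400"                       # constructed client address
    # 5 GHz already has 5 clients and 2.4 GHz has 2: three rejections, then admission.
    results = [ap.assoc_5g(mac, rssi=40, clients_5g=5, other_radio_clients=[2], now=t)
               for t in range(4)]
    # About 200 s later the record has aged out (180 s default), so steering starts over.
    results.append(ap.assoc_5g(mac, rssi=40, clients_5g=5, other_radio_clients=[2], now=200))
    return results


if __name__ == "__main__":
    for r in example_walkthrough():
        print(r)
```

The last step of the walkthrough is the one worth noticing when tuning the aging time: a client that reassociates after the record has aged out is treated as new and is denied up to access-denial times again, which is the delay the guide warns about for delay-sensitive WLANs.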
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the maximum number of denials for 5 GHz association requests. | wlan band-navigation balance access-denial access-denial | By default, the maximum number of denials for 5 GHz association requests is 1. |
3. Set the band navigation RSSI threshold. | wlan band-navigation rssi-threshold rssi-threshold | By default, the band navigation RSSI threshold is 15. |
4. Set the client information aging time. | wlan band-navigation aging-time aging-time | By default, the client information aging time is 180 seconds. |
Band navigation configuration examples
Example: Configuring band navigation
Network configuration
As shown in Figure 69, both the 5 GHz radio and the 2.4 GHz radio are enabled on the AP. Configure band navigation and load balancing for band navigation to load balance the radios.
Procedure
# Create service template 1 and set its SSID to band-navigation.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid band-navigation
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Enter radio view of radio 1, and configure radio 1 to operate in 802.11n (5 GHz) mode.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] type dot11an
# Bind service template 1 to radio 1 of AP 1, and enable radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
# Enter radio view of radio 2, and configure radio 2 to operate in 802.11n (2.4 GHz) mode.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] type dot11gn
# Bind service template 1 to radio 2 of AP 1, and enable radio 2.
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Enable band navigation globally.
[AC] wlan band-navigation enable
# Enable band navigation for AP 1.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] band-navigation enable
[AC-wlan-ap-ap1] quit
# Enable load balancing for band navigation, and set the client number threshold and client number gap threshold to 5 and 2, respectively.
[AC] wlan band-navigation balance session 5 gap 2
# Set the maximum number of denials for 5 GHz association requests to 3.
[AC] wlan band-navigation balance access-denial 3
# Set the band navigation RSSI threshold to 30.
[AC] wlan band-navigation rssi-threshold 30
# Set the client information aging time to 160 seconds.
[AC] wlan band-navigation aging-time 160
Verifying the configuration
1. Verify that a dual-band client is associated with the 5 GHz radio when it requests to associate with the AP. (Details not shown.)
2. Verify that a dual-band client is associated with the 2.4 GHz radio when the following conditions are met:
◦ The number of clients on the 5 GHz radio reaches 5.
◦ The client number gap between the 5 GHz radio and the 2.4 GHz radio reaches 2. (Details not shown.)
Configuring WLAN multicast optimization
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN multicast optimization
Multicast transmission in a wireless network has the following limitations:
· High packet loss on poor links—Multicast packets are not acknowledged, so lost packets are not retransmitted.
· Low transmission efficiency—The device sends multicast packets at the lowest mandatory rate.
With these limitations, multicast transmission cannot meet the requirements for applications that are not sensitive to time delay but sensitive to data integrity. To address this issue, you can configure WLAN multicast optimization.
WLAN multicast optimization mechanism
WLAN multicast optimization enables an AP to convert multicast packets to unicast packets.
Figure 70 Data transmission with WLAN multicast optimization enabled
WLAN multicast optimization entries
WLAN multicast optimization uses multicast optimization entries to manage traffic forwarding. The multicast optimization entries use the clients' MAC addresses as indexes. A multicast optimization entry records information about multicast groups that clients join, multicast sources from which clients receive traffic, multicast group version, and multicast optimization mode.
After you enable WLAN multicast optimization, an AP creates or updates multicast optimization entries for a client according to the IGMP reports received from the client. If IGMPv3 or MLDv2 is used, the AP can also update the multicast sources allowed by the client. The AP removes a multicast optimization entry if it receives a leave message from the client or when the aging time for the entry expires. If you disable WLAN multicast optimization for the service template that an AP uses, the AP removes all multicast optimization entries.
When an AP receives a non-IGMP or non-MLD packet from a multicast source, the AP matches the multicast group address in the packet against the multicast optimization entries. If a match is found, the AP converts the multicast packet to unicast packets and sends the unicast packets to all clients in the multicast group. If no match is found, the AP discards the packet.
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
WLAN multicast optimization tasks at a glance
Tasks at a glance |
---|
(Required.) Enabling WLAN multicast optimization |
(Optional.) Configuring a multicast optimization policy |
(Optional.) Setting rate limits for IGMP/MLD packets from clients |
(Optional.) Setting the limit for multicast optimization entries |
(Optional.) Setting the limit for multicast optimization entries per client |
(Optional.) Setting the aging time for multicast optimization entries |
Enabling WLAN multicast optimization
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter service template view. | wlan service-template service-template-name | N/A |
3. Enable WLAN multicast optimization. | · Enable IPv4 WLAN multicast optimization: multicast-optimization enable · Enable IPv6 WLAN multicast optimization: | By default, WLAN multicast optimization is disabled. |
Configuring a multicast optimization policy
About multicast optimization policies
A multicast optimization policy defines the maximum number of clients that WLAN multicast optimization supports and defines the following actions an AP takes when the limit is reached:
· Unicast forwarding—Sends the unicast packets converted from a multicast packet to only n randomly selected clients, where n equals the specified threshold.
· Multicast forwarding—Forwards the multicast packet to all clients.
· Packet dropping—Drops the multicast packet.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure a multicast optimization policy. | · Configure an IPv4 WLAN multicast optimization policy: · Configure an IPv6 WLAN multicast optimization policy: | By default, no multicast optimization policies exist and an AP performs multicast optimization for all clients. If you do not specify an action, an AP performs unicast forwarding. |
Setting rate limits for IGMP/MLD packets from clients
About rate limits for IGMP/MLD packets from clients
Perform this task to set the maximum number of IGMP or MLD packets that an AP accepts from clients within the specified interval. The AP discards IGMP or MLD packets that exceed the limit. For more information about IGMP or MLD, see IP Multicast Configuration Guide.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the rate limit for IGMP or MLD packets from clients. | · Set the rate limit for IGMP packets from clients: · Set the rate limit for MLD packets from clients: | By default, no rate limit is set for IGMP or MLD packets from clients. |
Setting the limit for multicast optimization entries
About the limit for multicast optimization entries
Each time a client joins a multicast group, the AP creates a multicast optimization entry for the multicast group. If multicast sources have been specified for a client when the client joins the multicast group, the AP also creates a multicast optimization entry for each multicast source. When a client leaves a multicast group or rejects a multicast source, the AP deletes the relevant multicast optimization entry for the client. Maintaining these entries consumes system resources.
Perform this task to limit the number of multicast optimization entries to save system resources.
When the number of multicast optimization entries reaches the limit, the AP stops creating new entries until the number falls below the limit.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the limit for multicast optimization entries. | · Set the limit for IPv4 multicast optimization entries: · Set the limit for IPv6 multicast optimization entries: | By default, no limit is set for multicast optimization entries. |
Setting the limit for multicast optimization entries per client
About the limit for multicast optimization entries per client
Perform this task to limit the number of multicast optimization entries that an AP maintains for each client to prevent a client from occupying excessive system resources.
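An added Python model (not H3C code) of the multicast optimization table described under "WLAN multicast optimization entries", together with the policy actions, the IGMP rate limit and the global and per-client entry limits: entries are keyed by client MAC, created from IGMP reports and removed on leave or aging, and a multicast data packet is converted to unicast, forwarded as multicast or dropped according to the policy. Source filtering for IGMPv3 entries, and reading the policy threshold as "more than n clients" (the configuration example later in this chapter still serves two clients with a limit of 2), are assumptions; MACs and addresses are constructed.

```python
import random


class MulticastOptimizationAP:
    """Constructed model of an AP's multicast optimization table and forwarding decision."""

    def __init__(self, aging_time=260, global_entry_limit=None, client_entry_limit=None,
                 client_limit=None, action="unicast", rate_interval=None,
                 rate_threshold=None, seed=0):
        self.aging_time = aging_time                # entry aging time, seconds (default 260)
        self.global_entry_limit = global_entry_limit
        self.client_entry_limit = client_entry_limit
        self.client_limit = client_limit            # policy threshold n
        self.action = action                        # "unicast" | "multicast" | "drop"
        self.rate_interval = rate_interval          # IGMP packets accepted per interval
        self.rate_threshold = rate_threshold
        self._rng = random.Random(seed)             # seeded only to keep the demo repeatable
        self.entries = {}    # mac -> {group: {"version", "mode", "sources", "last"}}
        self._window_start, self._window_count = None, 0

    def entry_count(self, mac=None):
        """One entry per (client, group) plus one per recorded multicast source."""
        macs = [mac] if mac is not None else list(self.entries)
        return sum(1 + len(e["sources"])
                   for m in macs for e in self.entries.get(m, {}).values())

    def _limit_reached(self, mac):
        # Once a limit is reached the AP stops creating entries until the count falls below it.
        if self.global_entry_limit is not None and self.entry_count() >= self.global_entry_limit:
            return True
        return (self.client_entry_limit is not None
                and self.entry_count(mac) >= self.client_entry_limit)

    def _rate_limited(self, now):
        if self.rate_interval is None:
            return False
        if self._window_start is None or now - self._window_start >= self.rate_interval:
            self._window_start, self._window_count = now, 0
        self._window_count += 1
        return self._window_count > self.rate_threshold

    def igmp_report(self, mac, group, version="IGMPv2", mode="Exclude", sources=(), now=0.0):
        """Create or update the entry for (client, group); False if the report was not applied."""
        if self._rate_limited(now):
            return False                            # excess IGMP packet is discarded
        client = self.entries.setdefault(mac, {})
        entry = client.get(group)
        new_sources = set(sources) - (entry["sources"] if entry else set())
        if (entry is None or new_sources) and self._limit_reached(mac):
            if not client:
                del self.entries[mac]
            return False
        if entry is None:
            client[group] = {"version": version, "mode": mode,
                             "sources": set(sources), "last": now}
        else:
            entry.update(version=version, mode=mode, last=now)
            entry["sources"] |= new_sources
        return True

    def igmp_leave(self, mac, group):
        self.entries.get(mac, {}).pop(group, None)
        if mac in self.entries and not self.entries[mac]:
            del self.entries[mac]

    def age(self, now):
        for mac in list(self.entries):
            for group, e in list(self.entries[mac].items()):
                if now - e["last"] > self.aging_time:
                    self.igmp_leave(mac, group)

    def forward(self, group, source, now=0.0):
        """Decide what happens to a multicast data packet: (action, receiving client MACs)."""
        self.age(now)
        receivers = []
        for mac, groups in self.entries.items():
            e = groups.get(group)
            if e is None:
                continue
            # Assumption: honour the IGMPv3 source filter recorded in the entry.
            if e["sources"] and (source in e["sources"]) != (e["mode"] == "Include"):
                continue
            receivers.append(mac)
        if not receivers:
            return "discard", []                    # no matching entry: packet discarded
        if self.client_limit is not None and len(receivers) > self.client_limit:
            if self.action == "drop":
                return "drop", []
            if self.action == "multicast":
                return "multicast", receivers
            return "unicast", sorted(self._rng.sample(receivers, self.client_limit))
        return "unicast", receivers


if __name__ == "__main__":
    ap = MulticastOptimizationAP(aging_time=300, client_limit=2, action="drop")
    for mac in ("0001-0001-0001", "0001-0001-0002", "0001-0001-0003"):
        ap.igmp_report(mac, "230.1.1.1", "IGMPv3", "Include", ["1.1.1.1"])
        print(mac, ap.forward("230.1.1.1", "1.1.1.1"))
```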
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the limit for multicast optimization entries per client. | · Set the limit for IPv4 multicast optimization entries per client: · Set the limit for IPv6 multicast optimization entries per client: | By default, no limit is set for multicast optimization entries per client. |
Setting the aging time for multicast optimization entries
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the aging time for multicast optimization entries. | · Set the aging time for IPv4 multicast optimization entries: · Set the aging time for IPv6 multicast optimization entries: | By default, the aging time is 260 seconds for multicast optimization entries. |
Display and maintenance commands for WLAN multicast optimization
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display IPv6 multicast optimization entry information. | display wlan ipv6 multicast-optimization entry [ client mac-address [ group group-ip [ source source-ip ] ] ] |
Display IPv4 multicast optimization entry information. | display wlan multicast-optimization entry [ client mac-address [ group group-ip [ source source-ip ] ] ] |
Clear IPv6 multicast optimization entries. | reset wlan ipv6 multicast-optimization entry { all | client mac-address [ group group-ip [ source source-ip ] ] } |
Clear IPv6 multicast optimization entries for the specified multicast group. | reset wlan ipv6 multicast-optimization entry group group-ip [ source source-ip ] |
Clear IPv4 multicast optimization entries. | reset wlan multicast-optimization entry { all | client mac-address [ group group-ip [ source source-ip ] ] } |
Clear IPv4 multicast optimization entries for the specified multicast group. | reset wlan multicast-optimization entry group group-ip [ source source-ip ] |
WLAN multicast optimization configuration examples
Example: Configuring basic WLAN multicast optimization
Network configuration
As shown in Figure 71, the switch acts as the DHCP server to assign IP addresses to the AP and clients, and the AP provides wireless services to the clients through the SSID service. Configure WLAN multicast optimization to manage multicast packet forwarding.
Procedure
# Enable IGMP snooping both globally and for VLAN 1.
<AC> system-view
[AC] igmp-snooping
[AC-igmp-snooping] quit
[AC] vlan 1
[AC-vlan1] igmp-snooping enable
[AC-vlan1] quit
# Create service template 1, set its SSID to service, and enable WLAN multicast optimization for it.
[AC] wlan service-template 1
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] multicast-optimization enable
[AC-wlan-st-1] quit
# Create an AP named ap1, specify its model and serial ID, and bind radio 1 of the AP to service template 1.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000021
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Set the aging time to 300 seconds for IPv4 multicast optimization entries.
[AC] wlan multicast-optimization aging-time 300
# Configure the AP to receive a maximum of 100 IGMP packets from clients every 60 seconds.
[AC] wlan multicast-optimization packet-rate-limit interval 60 threshold 100
# Set the limit for IPv4 multicast optimization entries to 100.
[AC] wlan multicast-optimization global entry-limit 100
# Set the limit for IPv4 multicast optimization entries per client to 10.
[AC] wlan multicast-optimization client entry-limit 10
# Set the maximum number of clients that WLAN multicast optimization supports to 2, and configure the AP to drop multicast packets when the number of clients reaches the threshold.
[AC] wlan multicast-optimization entry client-limit 2 drop
Verifying the configuration
# After Client 1 and Client 2 join multicast group 230.1.1.1 with multicast source 1.1.1.1 specified, verify the following information. (Details not shown.)
· The AP has created multicast optimization entries for Client 1 and Client 2.
· Client 1 and Client 2 can receive traffic from the multicast source.
# After Client 3 also joins multicast group 230.1.1.1 with multicast source 1.1.1.1 specified, display information about multicast optimization entries.
[AC] display wlan multicast-optimization entry
Total 3 clients reported
Client: 0001-0001-0001
Reported from AP 1 on radio 1
Total number of groups: 1
Group: 230.1.1.1
Version: IGMPv3
Mode: Include
Duration: 00h 00m 30s
Sources: 1
Source: 1.1.1.1
Duration: 00h 00m 30s
Client: 0001-0001-0002
Reported from AP 1 on radio 1
Total number of groups: 1
Group: 230.1.1.1
Version: IGMPv3
Mode: Include
Duration: 00h 00m 15s
Sources: 1
Source: 1.1.1.1
Duration: 00h 00m 15s
Reported from AP 1 on radio 1
Total number of groups: 1
Group: 230.1.1.1
Version: IGMPv3
Mode: Include
Duration: 00h 00m 10s
Sources: 1
Source: 1.1.1.1
Duration: 00h 00m 10s
The output shows that the AP has also created a multicast optimization entry for Client 3.
# Verify that Client 1, Client 2, and Client 3 cannot receive traffic from the multicast source, because the number of clients in the group (3) exceeds the configured limit (2) and the policy action is to drop multicast packets. (Details not shown.)
Configuring cloud connections
The term "AC" in this document refers to MSR routers that can function as ACs.
About cloud connections
A cloud connection is a management tunnel established between a local device and the H3C Oasis server. It enables you to manage the local device from the H3C Oasis server without accessing the network where the device resides.
Multiple subconnections
After a local device establishes a connection with the H3C Oasis server, service modules on the local device can establish multiple subconnections with the microservices on the H3C Oasis server. These subconnections are independent from each other and provide separate communication channels for different services. This mechanism avoids interference among different services.
Cloud connection establishment
This section uses an AC and the H3C Oasis server as an example. The cloud connection is established as follows:
1. The AC sends an authentication request to the H3C Oasis server.
2. The H3C Oasis server sends an authentication success packet to the AC.
The AC passes the authentication only if the serial number of the AC has been added to the H3C Oasis server. If the authentication fails, the H3C Oasis server sends an authentication failure packet to the AC.
3. The AC sends a registration request to the H3C Oasis server.
4. The H3C Oasis server sends a registration response to the AC.
The registration response contains the uniform resource locator (URL) used to establish a cloud connection.
5. The AC uses the URL to send a handshake request (changing the protocol from HTTP to WebSocket) to the H3C Oasis server.
6. The H3C Oasis server sends a handshake response to the AC to finish establishing the cloud connection.
7. After the cloud connection is established, the AC automatically obtains the subconnection URLs and establishes subconnections with the H3C Oasis server based on the service needs.
Figure 72 Establishing a cloud connection
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Configuring a cloud connection
Configuring the H3C Oasis server
Before a cloud connection can be established, add the serial number of the device to be managed to the H3C Oasis server.
Configuring the local device
About configuring the local device
You can specify a domain name for the H3C Oasis server and log in to the server through the domain name on a remote PC to manage the local device.
If the local device does not receive a response from the H3C Oasis server within three keepalive intervals, the device sends a registration request to re-establish the cloud connection.
To prevent NAT entry aging, the local device sends ping packets to the H3C Oasis server periodically.
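The seven-step exchange described under "Cloud connection establishment", together with the keepalive re-registration rule above, as an added Python model with a stub server (not H3C's implementation): the message names, URLs and serial numbers are constructed stand-ins for the real Oasis protocol.

```python
class OasisServerStub:
    """Constructed stand-in for the H3C Oasis server; authenticates by registered serial number."""

    # Placeholder subconnection URLs handed to the device after the handshake.
    SUBCONNECTION_URLS = ["wss://oasis.example.invalid/sub/config",
                          "wss://oasis.example.invalid/sub/monitor"]

    def __init__(self, registered_serials):
        self.registered = set(registered_serials)   # serial numbers added on the server
        self.sessions = set()                       # URLs with an established cloud connection

    def handle(self, msg):
        kind = msg["type"]
        if kind == "auth_request":                  # steps 1-2
            ok = msg["serial"] in self.registered
            return {"type": "auth_success" if ok else "auth_failure"}
        if kind == "register_request":              # steps 3-4: response carries the URL
            return {"type": "register_response",
                    "url": "https://oasis.example.invalid/cloud/" + msg["serial"]}
        if kind == "handshake_request":             # steps 5-6: HTTP -> WebSocket
            self.sessions.add(msg["url"])
            return {"type": "handshake_response",
                    "subconnection_urls": list(self.SUBCONNECTION_URLS)}
        if kind == "keepalive":
            return {"type": "keepalive_ack"} if msg["url"] in self.sessions else None
        raise ValueError("unknown message type: " + kind)


class CloudClient:
    """The local device (AC) side of the cloud connection."""

    def __init__(self, serial, server, keepalive_interval=180):
        self.serial, self.server = serial, server
        self.keepalive_interval = keepalive_interval   # seconds; page default is 180
        self.state, self.url, self.subconnections = "idle", None, []
        self.missed = 0                                # unanswered keepalives in a row
        self.transcript = []                           # (direction, message type) pairs

    def _send(self, msg):
        self.transcript.append(("AC->server", msg["type"]))
        resp = self.server.handle(msg)
        self.transcript.append(("server->AC", resp["type"] if resp else "(no response)"))
        return resp

    def connect(self):
        """Steps 1-7: authenticate, register, handshake, then obtain subconnection URLs."""
        resp = self._send({"type": "auth_request", "serial": self.serial})
        if resp["type"] != "auth_success":
            self.state = "auth_failed"              # serial number not on the server
            return False
        return self._register()

    def _register(self):
        resp = self._send({"type": "register_request", "serial": self.serial})
        self.url = resp["url"]
        resp = self._send({"type": "handshake_request", "url": self.url})
        if resp["type"] != "handshake_response":
            self.state = "handshake_failed"
            return False
        self.subconnections = resp["subconnection_urls"]   # step 7
        self.state, self.missed = "established", 0
        return True

    def keepalive_tick(self):
        """One keepalive interval elapsed; after three unanswered keepalives, re-register."""
        if self._send({"type": "keepalive", "url": self.url}) is not None:
            self.missed = 0
            return True
        self.missed += 1
        if self.missed < 3:
            return False
        self.transcript.append(("AC", "re-establish"))
        return self._register()


if __name__ == "__main__":
    server = OasisServerStub(["SN-CONSTRUCTED-0001"])
    ac = CloudClient("SN-CONSTRUCTED-0001", server)
    print(ac.connect(), ac.state)
    for direction, kind in ac.transcript:
        print(direction, kind)
```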
Restrictions and guidelines
Reduce the ping interval value if the network condition is poor or the NAT entry aging time is short.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the domain name of the H3C Oasis server. | cloud-management server domain domain-name | By default, the domain name of the H3C Oasis server is not configured. |
3. (Optional.) Set the keepalive interval. | cloud-management keepalive interval | By default, the keepalive interval is 180 seconds. |
4. (Optional.) Set the ping interval. | cloud-management ping interval | By default, the ping interval is 60 seconds. |
Display and maintenance commands for cloud connections
Execute display commands in any view.
Task | Command |
---|---|
Display cloud connection state information. | display cloud-management state |
Cloud connection configuration examples
Example: Configuring a cloud connection
Network configuration
As shown in Figure 73, configure the AC to establish a cloud connection with the H3C Oasis server.
Procedure
1. Configure IP addresses for interfaces as shown in Figure 73, and configure a routing protocol to make sure the devices can reach each other. (Details not shown.)
2. Log in to the H3C Oasis server to add the serial number of the AC to the server. (Details not shown.)
3. Configure the domain name of the H3C Oasis server as lvzhouv3.h3c.com.
<AC> system-view
[AC] cloud-management server domain lvzhouv3.h3c.com
NOTE: The DNS service is provided by the ISP DNS server.
Verifying the configuration
# Verify that the AC and the H3C Oasis server have established a cloud connection.
[AC] display cloud-management state
Cloud connection state : Established
Device state : Request_success
Cloud server address : 10.1.1.1
Cloud server domain name : lvzhouv3.h3c.com
Local port : 443
Connected at : Wed Jan 27 14:18:40 2016
Duration : 00d 00h 02m 01s
Configuring WLAN RRM
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN RRM
WLAN Radio Resource Management (RRM) provides an intelligent and scalable radio management solution to allow a WLAN to adapt to environment changes and maintain the optimal radio resource condition.
Operating mechanism
RRM enables the AC to monitor and analyze its associated radios, and optimize radio resources with features such as dynamic frequency selection (DFS), transmit power control (TPC), and spectrum analysis.
Dynamic frequency selection
Two adjacent radios on the same channel might cause signal collision, and other radio sources such as radar signals and microwave ovens might interfere with the operation of radios. With DFS, the AC selects an optimal channel for each radio in real time to avoid co-channel interference and interference from other radio sources.
The following factors will trigger DFS:
· Error rate—Physical layer error rate and CRC error rate. The CRC error rate is the proportion of packets with CRC errors among all 802.11 packets.
· Interference rate—Proportion of interference packets among all data packets. Interference packets are packets destined for other radios.
· Retransmission count—Data retransmissions caused by failure to receive ACK messages.
· Radar signal—Radar signals detected on the current channel. In this case, the AC selects a new channel and immediately notifies the radio to change its working channel.
The AC uses the following procedure to perform DFS for a radio:
1. Detects the current channel and selects an optimal channel when the CRC error threshold, the interference threshold, or the system-defined retransmission threshold is reached on the current channel.
2. Compares the quality between the current channel and the optimal channel. The radio does not use the optimal channel until the quality gap between the two channels exceeds the tolerance level.
Figure 74 shows a DFS example. When the quality of the channels for BSS 1, BSS 3, and BSS 5 reaches a DFS threshold, the AC selects an optimal channel for each of them. This ensures wireless service quality.
Figure 74 Dynamic frequency selection
Transmit power control
TPC enables the AC to dynamically control access point transmit power based on real-time WLAN conditions. It can achieve desired RF coverage while avoiding channel interference between radios.
The AC maintains a neighbor report for each radio on its associated APs to record information about other radios detected by this radio. The AC can manage only radios associated with it.
The AC uses the following procedure to perform TPC for a radio:
1. Determines whether the number of manageable radios (all-channel radios or overlapping-channel radios) that can detect this radio has reached the adjacency factor.
If the number has not reached the adjacency factor, the radio uses the maximum transmit power.
If the number has reached the adjacency factor, the AC goes to step 2.
2. Ranks the radio's RSSIs detected by these manageable radios in descending order.
3. Compares the RSSI specified by the adjacency factor with the power adjustment threshold and takes one of the following actions:
◦ Decreases the radio's transmit power when the RSSI rises above the threshold.
◦ Increases the radio's transmit power when the RSSI drops below the threshold.
Radios that can participate in TPC calculation for a radio include the following types:
· All-channel radios—Include all manageable radios that detect the radio. TPC based on all-channel radios can better control the signal coverage.
· Overlapping-channel radios—Include manageable radios that detect the radio on a channel overlapping with the radio's transmit channel. TPC based on overlapping-channel radios can expand signal coverage without increasing interference.
As shown in Figure 75, each AP has only one radio enabled. Before AP 4 joins, the number of manageable radios detected by each radio does not reach the adjacency factor 3. The radios use the maximum transmit power. After AP 4 joins, the number of manageable radios detected by each radio reaches the adjacency factor 3. The AC uses TPC to adjust the transmit powers for all radios.
Figure 75 Transmit power control
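Added Python model (not H3C code) of the DFS decision (trigger factors, optimal-channel selection, tolerance level, radar) and the TPC procedure (adjacency factor, RSSI ranking, power adjustment threshold, all-channel versus overlapping-channel radios) described above. The channel quality score, the system-defined retransmission threshold, the 2.4 GHz channel overlap rule, the RSSI units and the power values are assumptions; the CRC, interference, tolerance and adjacency-factor defaults are the ones this chapter states.

```python
from dataclasses import dataclass


@dataclass
class ChannelStats:
    channel: int
    crc_error_pct: float        # CRC error rate, percent of all 802.11 packets
    interference_pct: float     # interference packets, percent of all data packets
    retransmissions: int        # data retransmissions caused by missing ACKs


def dfs_triggered(stats, crc_threshold=20, interference_threshold=50, retrans_threshold=200):
    """DFS is triggered when any trigger factor reaches its threshold.

    crc/interference defaults are the chapter's; retrans_threshold is system-defined
    and its value here is assumed.
    """
    return (stats.crc_error_pct >= crc_threshold
            or stats.interference_pct >= interference_threshold
            or stats.retransmissions >= retrans_threshold)


def channel_quality(stats):
    """Assumed quality score in percent; the AC's real scoring formula is not published here."""
    return max(0.0, 100.0 - (stats.crc_error_pct + stats.interference_pct) / 2.0)


def dfs_decision(current, candidates, tolerance_level=20, radar_detected=False, **thresholds):
    """Return the channel the radio should use after one DFS round."""
    best = max(candidates, key=channel_quality)     # optimal channel among the candidates
    if radar_detected:
        return best.channel                         # radar: change channel immediately
    if not dfs_triggered(current, **thresholds):
        return current.channel
    # Switch only when the quality gap exceeds the tolerance level.
    gap = channel_quality(best) - channel_quality(current)
    return best.channel if gap > tolerance_level else current.channel


def channels_overlap(ch_a, ch_b):
    """Assumed 2.4 GHz rule: channels fewer than 5 numbers apart overlap."""
    return abs(ch_a - ch_b) < 5


def tpc_power(current_power, my_channel, neighbor_reports, adjacency_factor=3,
              adjust_threshold=25, mode="all", max_power=20, min_power=1, step=3):
    """Return the radio's new transmit power after one TPC round.

    neighbor_reports: (rssi, channel) for each manageable radio that detects this radio,
    as recorded in the AC's neighbor report. RSSI units, the threshold and the power
    values (dBm) are assumptions.
    """
    if mode == "overlapping":
        reports = [r for r in neighbor_reports if channels_overlap(my_channel, r[1])]
    else:
        reports = list(neighbor_reports)
    if len(reports) < adjacency_factor:
        return max_power                            # step 1: too few neighbours, full power
    ranked = sorted((rssi for rssi, _ in reports), reverse=True)   # step 2
    key_rssi = ranked[adjacency_factor - 1]         # the RSSI specified by the adjacency factor
    if key_rssi > adjust_threshold:                 # step 3
        return max(min_power, current_power - step)
    if key_rssi < adjust_threshold:
        return min(max_power, current_power + step)
    return current_power


if __name__ == "__main__":
    # Constructed channel statistics: channel 1 is bad, channel 6 is clean.
    cur = ChannelStats(1, crc_error_pct=40, interference_pct=30, retransmissions=5)
    cands = [ChannelStats(6, 2, 5, 0), ChannelStats(11, 20, 20, 0)]
    print("DFS ->", dfs_decision(cur, cands))
    # Figure 75 style: three neighbours detect this radio, adjacency factor 3.
    print("TPC ->", tpc_power(15, 1, [(30, 1), (28, 6), (10, 11)]))
```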
Spectrum management
Spectrum management is 802.11h compliant. It is used on 5 GHz WLANs to ensure that clients meet the regulatory requirements for operation in the 5 GHz band. It enables an AP to notify its associated clients of the allowed maximum transmit power. The AP can deny the association request from a client if the power and channel of the client do not meet the regulatory requirements.
Feature and hardware compatibility
The following routers can function as ACs:
· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
· MSR2600-6-X1/2600-10-X1.
· MSR 2630.
· MSR3600-28/3600-51.
· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
· MSR 3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: WLAN RRM
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.
WLAN RRM tasks at a glance
Configuring DFS
About DFS
The AC supports the following DFS methods:
· Periodic auto-DFS—The AC automatically performs DFS for a radio at the channel calibration interval.
· Scheduled auto-DFS—The AC performs DFS at the specified time in a time range. Use this method when interference is severe to avoid affecting ongoing wireless services.
· On-demand DFS—The AC waits for a channel calibration interval and then performs DFS for all radios. You must perform this task every time you want the AC to perform DFS for radios.
Configuration prerequisites
For DFS to work, configure the AC to automatically select a channel for a radio and not lock the channel by using the channel auto unlock command. For more information about the channel { channel-number | auto { lock | unlock } } command, see WLAN Command Reference (AC).
Setting the DFS sensitivity mode
About DFS sensitivity modes
DFS supports the following sensitivity modes: low, medium, high, and custom. DFS configured with a higher sensitivity can be triggered more easily.
Restrictions and guidelines
DFS trigger parameters will be restored to the default if you change the sensitivity mode. The default settings vary by sensitivity mode. Record the configured DFS trigger parameters if necessary before you change the sensitivity mode from custom to low, medium, or high.
You can configure DFS trigger parameters only when the sensitivity mode is custom.
Procedure
To set the DFS sensitivity mode in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enter RRM view. | rrm | N/A |
5. Set the DFS sensitivity mode. | calibrate-channel self-decisive sensitivity { custom | high | low | medium } | By default, the configuration in AP group RRM view is used. |
To set the DFS sensitivity mode in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Set the DFS sensitivity mode. | calibrate-channel self-decisive sensitivity { custom | high | low | medium } | By default, the DFS sensitivity mode is custom. |
Configuring DFS trigger parameters
Restrictions and guidelines
As a best practice for accurate channel adjustment, configure the same DFS trigger parameters for all radios enabled with DFS.
You can configure DFS trigger parameters only when the DFS sensitivity mode is custom.
Procedure
To configure DFS trigger parameters in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enter RRM view. | rrm | N/A |
5. Set the CRC error threshold. | crc-error-threshold percent | By default, the configuration in AP group RRM view is used. |
6. Set the interference threshold. | interference-threshold percent | By default, the configuration in AP group RRM view is used. |
7. Set the tolerance level. | tolerance-level percent | By default, the configuration in AP group RRM view is used. |
To configure DFS trigger parameters in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Set the CRC error threshold. | crc-error-threshold percent | By default, the CRC error threshold is 20. |
7. Set the interference threshold. | interference-threshold percent | By default, the interference threshold is 50. |
8. Set the tolerance level. | tolerance-level percent | By default, the tolerance level is 20. |
Configuring periodic auto-DFS
Restrictions and guidelines
For wireless service stability, you can configure DFS suppression to suppress periodic auto-DFS when the online client quantity reaches the specified threshold.
Procedure
To configure periodic auto-DFS in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Set the channel calibration interval. | wlan rrm calibration-channel interval minutes | By default, the channel calibration interval is 8 minutes. |
3. Enter AP view. | wlan ap ap-name | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Enable auto-DFS. | calibrate-channel self-decisive enable | By default, the configuration in AP group RRM view is used. |
7. Set the auto-DFS mode to periodic. | calibrate-channel mode periodic | By default, the configuration in AP group RRM view is used. |
8. (Optional.) Configure DFS suppression. | calibrate-channel suppression { disable | enable [ client-number number ] } | By default, the configuration in AP group RRM view is used. |
To configure periodic auto-DFS in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Set the channel calibration interval. | wlan rrm calibration-channel interval minutes | By default, the channel calibration interval is 8 minutes. |
3. Enter AP group view. | wlan ap-group group-name | N/A |
4. Enter AP model view. | ap-model ap-model | N/A |
5. Enter radio view. | radio radio-id | N/A |
6. Enter RRM view. | rrm | N/A |
7. Enable auto-DFS. | calibrate-channel self-decisive enable | By default, auto-DFS is disabled. |
8. Set the auto-DFS mode to periodic. | calibrate-channel mode periodic | By default, the auto-DFS mode is periodic. |
9. (Optional.) Configure DFS suppression. | calibrate-channel suppression { disable | enable [ client-number number ] } | By default, DFS suppression is disabled. |
Configuring scheduled auto-DFS
About configuring scheduled auto-DFS
Scheduled auto-DFS enables the AC to collect statistics to generate channel reports and neighbor reports within the specified time range.
Restrictions and guidelines
Perform the following tasks to configure scheduled auto-DFS:
1. Create a time range.
2. Configure a job and schedule.
a. Create a job and assign commands to the job.
b. Create a schedule and assign the job, a user role, and an execution time to the schedule.
3. Enable auto-DFS.
4. Set the auto-DFS mode to scheduled.
5. Specify a time range for channel monitoring. For more information about creating a time range, see time range in ACL and QoS Configuration Guide.
Procedure
To configure scheduled auto-DFS in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a time range. | time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 } | By default, no time range exists. |
3. Create a job and enter its view. | scheduler job job-name | By default, no job exists. |
4. Assign commands to the job. | command 1 system-view | By default, no command is assigned to a job. |
 | command 2 wlan ap ap-name [ model model-name ] | |
 | command 3 radio radio-id | |
 | command 4 rrm | |
 | command 5 calibrate-channel pronto | |
5. Return to system view. | quit | N/A |
6. Create a schedule and enter its view. | scheduler schedule schedule-name | By default, no schedule exists. |
7. Assign a job to the schedule. | job job-name | By default, no job is assigned to a schedule. |
8. Assign a user role to the schedule. | user-role role-name | By default, the user role of the schedule creator is assigned to the schedule. |
9. Specify an execution date and time for the schedule. | time at time date | Execute one of the commands in steps 9, 10, and 11. By default, no execution time is specified for a schedule. |
10. Specify one or more execution days and the execution time for the schedule. | time once at time [ month-date month-day | week-day week-day&<1-7> ] | |
11. Specify the delay time for executing the schedule. | time once delay time | |
12. Return to system view. | quit | N/A |
13. Enter AP view. | wlan ap ap-name | N/A |
14. Enter radio view. | radio radio-id | N/A |
15. Enter RRM view. | rrm | N/A |
16. Enable auto-DFS. | calibrate-channel self-decisive enable | By default, the configuration in AP group RRM view is used. |
17. Set the auto-DFS mode to scheduled. | calibrate-channel mode scheduled | By default, the configuration in AP group RRM view is used. |
18. Specify a time range for channel monitoring. | calibrate-channel monitoring time-range time-range-name | By default, the configuration in AP group RRM view is used. |
To configure scheduled auto-DFS in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a time range. | time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] \| from time1 date1 [ to time2 date2 ] \| to time2 date2 } | By default, no time range exists. |
3. Create a job and enter its view. | scheduler job job-name | By default, no job exists. |
4. Assign commands to the job. | command 1 system-view | By default, no command is assigned to a job. |
| | command 2 wlan ap-group group-name | |
| | command 3 ap-model ap-model | |
| | command 4 radio radio-id | |
| | command 5 rrm | |
| | command 6 calibrate-channel pronto | |
5. Return to system view. | quit | N/A |
6. Create a schedule and enter its view. | scheduler schedule schedule-name | By default, no schedule exists. |
7. Assign a job to the schedule. | job job-name | By default, no job is assigned to a schedule. |
8. Assign a user role to the schedule. | user-role role-name | By default, the user role of the schedule creator is assigned to the schedule. |
9. Specify an execution date and time for the schedule. | time at time date | Execute one of the three commands. By default, no execution time is specified for a schedule. |
10. Specify one or more execution days and the execution time for the schedule. | time once at time [ month-date month-day \| week-day week-day&<1-7> ] | |
11. Specify the delay time for executing the schedule. | time once delay time | |
12. Return to system view. | quit | N/A |
13. Enter AP group view. | wlan ap-group group-name | N/A |
14. Enter AP model view. | ap-model ap-model | N/A |
15. Enter radio view. | radio radio-id | N/A |
16. Enter RRM view. | rrm | N/A |
17. Enable auto-DFS. | calibrate-channel self-decisive enable | By default, auto-DFS is disabled. |
18. Set the auto-DFS mode to scheduled. | calibrate-channel mode scheduled | By default, the auto-DFS mode is periodic. |
19. Specify a time range for channel monitoring. | calibrate-channel monitoring time-range time-range-name | By default, no time range is specified for channel monitoring. |
Configuring on-demand DFS
Restrictions and guidelines
This feature consumes system resources. Use it with caution.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable on-demand DFS for radios of all APs. | wlan calibrate-channel pronto ap all | N/A |
3. (Optional.) Set the channel calibration interval. | wlan rrm calibration-channel interval minutes | By default, the channel calibration interval is 8 minutes. |
Configuring an RRM holddown group
About RRM holddown groups
To prevent frequent channel adjustments from affecting wireless services, you can add the specified radios to an RRM holddown group. Each time the channel of a radio in the RRM holddown group changes, the system starts a channel holddown timer for the radio. The channel for the radio does not change until the channel holddown timer expires.
If you execute on-demand DFS, the system performs DFS when the calibration interval expires regardless of whether the channel holddown time expires.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an RRM holddown group and enter its view. | wlan rrm-calibration-group group-id | By default, no RRM holddown group exists. |
3. (Optional.) Set a description for the RRM holddown group. | description text | By default, no description is set for the RRM holddown group. |
4. Add a radio to the RRM holddown group. | ap ap-name radio radio-id | By default, no radio exists in the RRM holddown group. |
5. (Optional.) Set the channel holddown time. | channel holddown-time minutes | By default, the channel holddown time is 720 minutes. |
Configuring TPC
About TPC
The AC supports the following TPC methods:
· Periodic auto-TPC—The AC automatically performs TPC for a radio at the power calibration interval.
· On-demand TPC—The AC waits for a power calibration interval and then performs TPC for all radios. You must perform this task every time you want the AC to perform TPC for radios.
Configuration prerequisites
Make sure the power lock feature is disabled before configuring TPC. For more information about power lock, see "Configuring radio management."
Setting the TPC mode
About TPC modes
The AC supports the density, coverage, and custom TPC modes. To avoid interference among APs, use the density mode. To increase signal coverage performance, use the coverage mode. If these two modes cannot meet your network requirements, use the custom mode to customize power adjustment settings.
Restrictions and guidelines
In either density or coverage mode, power adjustment settings are defined by the system and cannot be changed.
Procedure
To set the TPC mode in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enter RRM view. | rrm | N/A |
5. Set the TPC mode. | calibrate-power mode { coverage \| custom \| density } | By default, the configuration in AP group RRM view is used. |
To set the TPC mode in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Set the TPC mode. | calibrate-power mode { coverage \| custom \| density } | By default, the TPC mode is custom. |
Configuring TPC trigger parameters
Restrictions and guidelines
The adjacency factor and power adjustment threshold determine TPC for a radio. The adjacency factor defines the quantity of manageable detected radios that trigger TPC and the ranking of the RSSI used for comparison with the power adjustment threshold. Set an appropriate adjacency factor as needed.
As a best practice for accurate power adjustment, configure the same TPC trigger parameters for all radios enabled with TPC.
Procedure
To configure TPC trigger parameters in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enter RRM view. | rrm | N/A |
5. Set the adjacency factor. | adjacency-factor neighbor | By default, the configuration in AP group RRM view is used. |
6. Set the power adjustment threshold. | calibrate-power threshold value | By default, the configuration in AP group RRM view is used. |
7. Specify the type of radios to participate in TPC calculation. | adjacency-factor radio-selection { all-channel \| overlapping-channel } | By default, the configuration in AP group RRM view is used. |
To configure TPC trigger parameters in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Set the adjacency factor. | adjacency-factor neighbor | By default, the adjacency factor is 3. |
7. Set the power adjustment threshold. | calibrate-power threshold value | By default, the power adjustment threshold is 65 dBm. |
8. Specify the type of radios to participate in TPC calculation. | adjacency-factor radio-selection { all-channel \| overlapping-channel } | By default, all-channel radios participate in TPC calculation. |
Setting the minimum transmit power
About the minimum transmit power
This feature ensures that a radio can still be detected after TPC is performed.
Procedure
To set the minimum transmit power in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enter RRM view. | rrm | N/A |
5. Set the minimum transmit power. | calibrate-power min tx-power | By default, the configuration in AP group RRM view is used. |
To set the minimum transmit power in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Set the minimum transmit power. | calibrate-power min tx-power | By default, the minimum transmit power is 1 dBm. |
Configuring periodic auto-TPC
To configure periodic auto-TPC in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Set the power calibration interval. | wlan rrm calibration-power interval minutes | By default, the power calibration interval is 8 minutes. |
3. Enter AP view. | wlan ap ap-name | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Enable periodic auto-TPC. | calibrate-power self-decisive enable | By default, the configuration in AP group RRM view is used. |
To configure periodic auto-TPC in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Set the power calibration interval. | wlan rrm calibration-power interval minutes | By default, the power calibration interval is 8 minutes. |
3. Enter AP group view. | wlan ap-group group-name | N/A |
4. Enter AP model view. | ap-model ap-model | N/A |
5. Enter radio view. | radio radio-id | N/A |
6. Enter RRM view. | rrm | N/A |
7. Enable periodic auto-TPC. | calibrate-power self-decisive enable | By default, periodic auto-TPC is disabled. |
Configuring on-demand TPC
Restrictions and guidelines
This feature consumes system resources. Use it with caution.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable on-demand TPC for radios of all APs. | wlan calibrate-power pronto ap all | N/A |
3. (Optional.) Set the power calibration interval. | wlan rrm calibration-power interval minutes | By default, the power calibration interval is 8 minutes. |
Configuring an RRM holddown group
About RRM holddown groups
To prevent frequent power adjustments from affecting wireless services, you can add the specified radios to an RRM holddown group. Each time the power of a radio in the RRM holddown group changes, the system starts a power holddown timer for the radio. The power for the radio does not change until the power holddown timer expires.
If you execute on-demand DFS, the system performs DFS when the calibration interval expires regardless of whether the power holddown time expires.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an RRM holddown group and enter its view. | wlan rrm-calibration-group group-id | By default, no RRM holddown group exists. |
3. (Optional.) Set a description for the RRM holddown group. | description text | By default, no description is set for the RRM holddown group. |
4. Add a radio to the RRM holddown group. | ap ap-name radio radio-id | By default, no radio exists in the RRM holddown group. |
5. (Optional.) Set the power holddown time. | power holddown-time minutes | By default, the power holddown time is 60 minutes. |
Configuring spectrum management
Enabling spectrum management
Restrictions and guidelines
This feature is available only for 5 GHz radios.
Procedure
To enable spectrum management in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable spectrum management. | spectrum-management enable | By default, the configuration in AP group radio view is used. |
To enable spectrum management in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Specify an AP model. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable spectrum management. | spectrum-management enable | By default, spectrum management is disabled. |
Setting the power constraint mode
About power constraint modes
This feature enables a radio to restrict the transmit power of its associated clients to avoid interference with other wireless devices. Upon receiving a beacon frame or probe response that contains the power constraint value from the radio, a client uses its new local maximum transmit power to transmit traffic. The new local maximum transmit power is the maximum transmit power level specified for the channel minus the power constraint value.
You can set the following power constraint modes for a radio:
· Manual—You specify a power constraint value.
· Auto—The radio automatically calculates the power constraint value.
Restrictions and guidelines
This feature is available only for 5 GHz radios.
Power constraint takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource measurement, see "Configuring WLAN radio resource measurement."
Procedure
To set the power constraint mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the power constraint mode. | power-constraint mode { auto [ anpi-interval anpi-interval-value ] \| manual power-constraint } | By default, the configuration in AP group radio view is used. |
To set the power constraint mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Specify an AP model. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the power constraint mode. | power-constraint mode { auto [ anpi-interval anpi-interval-value ] \| manual power-constraint } | By default, the power constraint mode is auto. |
Setting the channel switch mode
About setting the channel switch mode
This feature enables a radio to send a channel switch announcement to the associated clients when the radio is changing to a new channel. The announcement contains the new channel number and information about whether the clients can continue sending frames.
Restrictions and guidelines
This feature is available only for 5 GHz radios.
Procedure
To set the channel switch mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the channel switch mode. | channel-switch mode { continuous \| suspend } | By default, the configuration in AP group radio view is used. |
To set the channel switch mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Specify an AP model. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the channel switch mode. | channel-switch mode { continuous \| suspend } | By default, the channel switch mode is suspend. Online clients stop sending frames during channel switch. |
Setting the transmit power capability match mode
About transmit power capability match modes
This feature allows clients to associate with a radio based on the predefined match criteria. Transmit power capability refers to the minimum and maximum powers with which a client and a radio can transmit frames in the current channel. The device supports the following client power capability match modes:
· All—A client is allowed to associate with a radio only when each of its transmit power capabilities matches each of the radio's transmit power capabilities.
· None—Client transmit power capabilities are not checked.
· Partial—A client is allowed to associate with a radio as long as one of its transmit power capabilities matches any transmit power capabilities of the radio.
Restrictions and guidelines
The transmit power capability match mode takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource measurement, see "Configuring WLAN radio resource measurement."
Procedure
To set the transmit power capability match mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the transmit power capability match mode. | power-capability mode { all \| none \| partial } | By default, the configuration in AP group radio view is used. |
To set the transmit power capability match mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Specify an AP model. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the power capability match mode. | power-capability mode { all \| none \| partial } | By default, client transmit power capabilities are not checked. |
Setting the channel capability match mode
About channel capability match modes
This feature allows clients to associate with a radio based on the predefined match criteria. Channel capability refers to the channels a client and a radio each support. The device provides the following client channel capability match modes:
· All—A client is allowed to associate with a radio only when each of its supported channels matches each of the radio's supported channels.
· None—Client channel capabilities are not checked.
· Partial—A client is allowed to associate with a radio as long as one of its supported channels matches any supported channels of the radio.
Restrictions and guidelines
This feature is available only for 5 GHz radios.
Procedure
To set the client channel capability match mode in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Set the client channel capability match mode. | channel-capability mode { all \| none \| partial } | By default, the configuration in AP group radio view is used. |
To set the client channel capability match mode in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Specify an AP model. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Set the channel capability match mode. | channel-capability mode { all \| none \| partial } | By default, client channel capabilities are not checked. |
Configuring a radio baseline
About radio baselines
A radio baseline saves the working channel, transmit rate, and other radio attributes for radios. You can create a radio baseline by saving the current radio settings and apply the baseline to use these settings as needed.
A radio baseline is saved in a .csv file in the file system on the AC.
A radio baseline cannot be applied to a radio when one of the following conditions is met:
· The radio is down.
· No service template is bound to the radio or the bound service template is disabled.
· The channel in the baseline is illegal.
· The radio uses a manually specified channel.
· The working channel or the transmit power of the radio is locked.
· The channel or power holddown timer for the radio has not expired.
· The channel in the baseline does not match the specified channel gap.
· The transmit power in the baseline is lower than the specified minimum transmit power for the radio.
· The transmit power in the baseline is higher than the specified maximum transmit power for the radio.
· The radio mode, location identifier, or bandwidth in the baseline does not match the radio mode, location identifier, or bandwidth of the radio.
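The holddown rule from "Configuring an RRM holddown group" and the baseline eligibility list above, as an added Python model that is not the guide's or the AC's code: it starts holddown timers after a change, lets on-demand DFS bypass them, and returns every listed condition that blocks applying a baseline. Field and function names, the legal-channel and channel-gap inputs, and the sample radio are assumptions.

```python
"""Added example, not code from the configuration guide: a model of the RRM
holddown timers and of the conditions that block applying a radio baseline.
Field and function names are assumptions; the guide only states the rules."""
from dataclasses import dataclass
from typing import List, Optional, Set

CHANNEL_HOLDDOWN_MIN = 720  # default channel holddown time (minutes) from the guide
POWER_HOLDDOWN_MIN = 60     # default power holddown time (minutes) from the guide


@dataclass
class Radio:
    up: bool
    service_template: Optional[str]   # None = no service template bound
    service_template_enabled: bool
    channel: int
    manual_channel: bool              # channel was specified manually
    channel_locked: bool
    power_locked: bool
    mode: str                         # radio mode
    location_id: str                  # location identifier
    bandwidth_mhz: int
    min_tx_power: int                 # dBm, see calibrate-power min
    max_tx_power: int                 # dBm
    channel_holddown_until: int = 0   # absolute minute at which the timer expires
    power_holddown_until: int = 0


@dataclass
class Baseline:
    """Subset of the attributes saved by wlan rrm baseline save."""
    channel: int
    tx_power: int
    mode: str
    location_id: str
    bandwidth_mhz: int


def holddown_expired(radio: Radio, now_min: int, kind: str) -> bool:
    """True when the "channel" or "power" holddown timer has expired at now_min."""
    until = radio.channel_holddown_until if kind == "channel" else radio.power_holddown_until
    return now_min >= until


def adjustment_allowed(radio: Radio, now_min: int, kind: str, on_demand: bool = False) -> bool:
    """Periodic adjustments wait for the holddown timer; on-demand DFS ignores it."""
    return on_demand or holddown_expired(radio, now_min, kind)


def record_adjustment(radio: Radio, now_min: int, kind: str, holddown_min: int) -> None:
    """Start the holddown timer after a change, as the AC does for a group member."""
    if kind == "channel":
        radio.channel_holddown_until = now_min + holddown_min
    else:
        radio.power_holddown_until = now_min + holddown_min


def baseline_blockers(radio: Radio, baseline: Baseline, now_min: int,
                      legal_channels: Set[int], gap_channels: Set[int]) -> List[str]:
    """Return every condition from the guide's list that blocks applying the baseline.
    legal_channels (regulatory-legal channels) and gap_channels (channels satisfying
    the configured channel gap) come from the caller; neither is computed here."""
    reasons: List[str] = []
    if not radio.up:
        reasons.append("radio is down")
    if radio.service_template is None:
        reasons.append("no service template bound")
    elif not radio.service_template_enabled:
        reasons.append("bound service template is disabled")
    if baseline.channel not in legal_channels:
        reasons.append("baseline channel is illegal")
    if radio.manual_channel:
        reasons.append("radio uses a manually specified channel")
    if radio.channel_locked or radio.power_locked:
        reasons.append("channel or power is locked")
    if not (holddown_expired(radio, now_min, "channel")
            and holddown_expired(radio, now_min, "power")):
        reasons.append("channel or power holddown timer has not expired")
    if baseline.channel not in gap_channels:
        reasons.append("baseline channel does not match the channel gap")
    if baseline.tx_power < radio.min_tx_power:
        reasons.append("baseline power below minimum transmit power")
    if baseline.tx_power > radio.max_tx_power:
        reasons.append("baseline power above maximum transmit power")
    if (baseline.mode, baseline.location_id, baseline.bandwidth_mhz) != (
            radio.mode, radio.location_id, radio.bandwidth_mhz):
        reasons.append("radio mode, location identifier, or bandwidth mismatch")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a healthy 5 GHz radio that just had a periodic channel change.
    legal = {36, 40, 44, 48}
    radio = Radio(True, "st1", True, 36, False, False, False, "dot11ac", "floor1", 40, 1, 20)
    record_adjustment(radio, 0, "channel", CHANNEL_HOLDDOWN_MIN)
    saved = Baseline(40, 10, "dot11ac", "floor1", 40)
    print("periodic change at t=100:", adjustment_allowed(radio, 100, "channel"))
    print("blockers at t=100:", baseline_blockers(radio, saved, 100, legal, legal))
    print("blockers at t=720:", baseline_blockers(radio, saved, 720, legal, legal))
```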
Procedure
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Create a radio baseline by saving the current radio settings. | wlan rrm baseline save name baseline-name { ap ap-name [ radio radio-id ] \| ap-group group-name [ ap-model ap-model ] [ radio radio-id ] \| global } |
3. Apply the baseline. | wlan rrm baseline apply name baseline-name |
4. (Optional.) Delete a radio baseline. | wlan rrm baseline remove name baseline-name |
Enabling radio scanning
About radio scanning
This feature enables APs to scan the WLAN environment and report collected statistics to the AC at the specified interval. The AC uses the statistics to generate channel reports and neighbor reports.
To view the channel reports and neighbor reports, use the display wlan rrm-status ap command.
Restrictions and guidelines
This feature is automatically enabled if you have configured periodic auto-DFS, scheduled auto-DFS, or periodic auto-TPC.
Procedure
To enable radio scanning in RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enter RRM view. | rrm | N/A |
5. Enable radio scanning. | scan-only enable | By default, the configuration in AP group RRM view is used. |
To enable radio scanning in AP group RRM view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enter RRM view. | rrm | N/A |
6. Enable radio scanning. | scan-only enable | By default, radio scanning is disabled. |
Enabling SNMP notifications for WLAN RRM
About SNMP notifications for WLAN RRM
To report critical WLAN RRM events to an NMS, enable SNMP notifications for WLAN RRM. For WLAN RRM event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable SNMP notifications for WLAN RRM. | snmp-agent trap enable wlan rrm | By default, SNMP notifications are disabled for WLAN RRM. |
Display and maintenance commands for WLAN RRM
Execute display commands in any view.
Task | Command |
---|---|
Display radio baseline information. | display wlan rrm baseline { all \| name baseline-name } [ verbose ] |
Display the history records of radio baseline application. | display wlan rrm baseline apply-history [ verbose ] |
Display the channel and power adjustment history. | display wlan rrm-history ap { all \| name ap-name } |
Display WLAN RRM information. | display wlan rrm-status ap { all \| name ap-name } |
Display RRM holddown group information. | display wlan rrm-calibration-group { all \| group-id } |
WLAN RRM configuration examples
Example: Configuring periodic auto-DFS
Network requirements
As shown in Figure 76, configure periodic auto-DFS to adjust channels for radios of the APs when a channel adjustment trigger condition is met. Add radio 1 of AP 1 to an RRM holddown group to avoid frequent channel adjustments.
Configuration procedure
# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)
# Enable auto-DFS for AP ap1 and set the auto-DFS mode to periodic.
<AC> system-view
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] rrm
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel self-decisive enable
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel mode periodic
# Configure DFS trigger parameters.
[AC-wlan-ap-ap1-radio-1-rrm] crc-error-threshold 20
[AC-wlan-ap-ap1-radio-1-rrm] interference-threshold 50
[AC-wlan-ap-ap1-radio-1-rrm] tolerance-level 20
[AC-wlan-ap-ap1-radio-1-rrm] quit
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create RRM holddown group 10.
[AC] wlan rrm-calibration-group 10
# Add radio 1 of AP ap1 to RRM holddown group 10.
[AC-wlan-rc-group-10] ap name ap1 radio 1
# Set the channel holddown time to 600 minutes.
[AC-wlan-rc-group-10] channel holddown-time 600
# Configure auto-DFS for AP 2 and AP 3 in the same way auto-DFS is configured for AP 1. (Details not shown.)
Verifying the configuration
# Execute the display wlan rrm-status ap all command. Verify that the working channels for radios of the APs change when a channel adjustment trigger condition is met and the calibration interval is reached. (Details not shown.)
Use the display wlan rrm-history ap all command to view the channel adjustment reason. (Details not shown.)
# Verify that the channel for radio 1 on AP 1 remains unchanged within 600 minutes after the first DFS. (Details not shown.)
Example: Configuring scheduled auto-DFS
Network requirements
As shown in Figure 77, configure scheduled auto-DFS to adjust channels for radios of the APs when a channel adjustment trigger condition is met.
Configuration procedure
# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)
# Create a time range.
<AC> system-view
[AC] time-range time1 from 15:20 2015/04/17 to 18:20 2015/04/17
# Create a job and assign commands to the job.
[AC] scheduler job calibratechannel
[AC-job-calibratechannel] command 1 system-view
[AC-job-calibratechannel] command 2 wlan ap ap1
[AC-job-calibratechannel] command 3 radio 1
[AC-job-calibratechannel] command 4 rrm
[AC-job-calibratechannel] command 5 calibrate-channel pronto
[AC-job-calibratechannel] quit
# Create a schedule and assign the job to the schedule.
[AC] scheduler schedule schedule1
[AC-schedule-schedule1] job calibratechannel
# Specify an execution date and time for the schedule.
[AC-schedule-schedule1] time at 20:20 2015/04/17
[AC-schedule-schedule1] quit
# Enable auto-DFS on AP ap1 and set the auto-DFS mode to scheduled.
[AC] wlan ap ap1
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] rrm
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel self-decisive enable
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel mode scheduled
# Configure AP ap1 to perform channel monitoring during time range time1.
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel monitoring time-range time1
# Configure auto-DFS attributes.
[AC-wlan-ap-ap1-radio-1-rrm] crc-error-threshold 10
[AC-wlan-ap-ap1-radio-1-rrm] interference-threshold 40
[AC-wlan-ap-ap1-radio-1-rrm] tolerance-level 15
[AC-wlan-ap-ap1-radio-1-rrm] quit
# Configure auto-DFS for AP 2 and AP 3 in the same way auto-DFS is configured for AP 1. (Details not shown.)
Verifying the configuration
# Execute the display wlan rrm-status ap all command. Verify that the working channels for radios of the APs change when a channel adjustment trigger condition is met and the calibration interval is reached. (Details not shown.)
Use the display wlan rrm-history ap all command to view the channel adjustment reason. (Details not shown.)
Example: Configuring periodic auto-TPC
Network requirements
As shown in Figure 78, configure periodic auto-TPC and set the adjacency factor to 3 to enable the AC to perform periodic auto-TPC when AP 4 joins. Add radio 1 of AP 1 to an RRM holddown group to avoid frequent power adjustments.
Configuration procedure
# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)
# Enable periodic auto-TPC for AP ap1.
<AC> system-view
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] rrm
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power self-decisive enable
# Configure TPC trigger parameters.
[AC-wlan-ap-ap1-radio-1-rrm] adjacency-factor 3
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power threshold 80
[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power min 1
[AC-wlan-ap-ap1-radio-1-rrm] quit
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create RRM holddown group 10.
[AC] wlan rrm-calibration-group 10
# Add radio 1 of AP ap1 to RRM holddown group 10.
[AC-wlan-rc-group-10] ap name ap1 radio 1
# Set the power holddown time to 100 minutes.
[AC-wlan-rc-group-10] power holddown-time 100
# Configure periodic auto-TPC for AP 2, AP 3, and AP 4 in the same way periodic auto-TPC is configured for AP 1. (Details not shown.)
Verifying the configuration
# Use the display wlan rrm-status ap all command to verify the following information:
· AP 1 increases its transmit power when AP 4 detects that the power of AP 1 is lower than the power adjustment threshold.
· AP 1 decreases its transmit power when AP 4 detects that the power of AP 1 is higher than the power adjustment threshold.
· The adjusted power of AP 1 is not lower than the minimum transmit power (1 dBm in this example).
# Verify that the power of radio 1 on AP 1 remains unchanged within 100 minutes after the first TPC. (Details not shown.)
Example: Configuring spectrum management
Network requirements
As shown in Figure 79, configure spectrum management to restrict the transmit power of the client and allow the client to continue sending frames during channel switch.
Configuration procedure
# Enable spectrum management.
<AC> system-view
[AC] wlan ap officeap model WA2620-WiNet
[AC-wlan-ap-officeap] radio 1
[AC-wlan-ap-officeap-radio-1] spectrum-management enable
# Set the channel capability match mode to all.
[AC-wlan-ap-officeap-radio-1] channel-capability mode all
# Set the transmit power capability match mode to all.
[AC-wlan-ap-officeap-radio-1] power-capability mode all
# Set the power constraint mode to manual and set the power constraint value to 5 dBm.
[AC-wlan-ap-officeap-radio-1] power-constraint mode manual 5
# Set the channel switch mode to continuous.
[AC-wlan-ap-officeap-radio-1] channel-switch mode continuous
Verifying the configuration
# Execute the display wlan client command to verify that the client can successfully associate with the radio. (Details not shown.)
Configuring WLAN IP snooping
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN IP snooping
WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, ND, and HTTP packets and generate snooping entries that record client IP address, MAC address, and learning method. The entries will be used by AAA for 802.1X and MAC authentication client accounting or by IP Source Guard to determine whether to forward client packets. For more information about IP Source Guard, see Security Configuration Guide.
In an AP+AC network, APs report snooping entries to the AC.
Client IPv4 address learning
An AP learns client IPv4 addresses by using the following methods:
- Snooping ARP packets sent by clients.
  For more information about ARP, see Layer 3—IP Services Configuration Guides.
- Snooping DHCPv4 packets exchanged between client and server.
  For more information about DHCP, see Layer 3—IP Services Configuration Guides.
- Snooping HTTP requests redirected to the portal server.
  For more information about portal authentication, see Security Configuration Guides.
The learning methods are prioritized in descending order: DHCPv4 packet snooping has the highest priority, followed by ARP packet snooping and then HTTP request snooping.
Client IPv6 address learning
An AP learns client IPv6 addresses by using the following methods:
- Snooping DHCPv6 packets exchanged between client and server.
  For more information about DHCPv6, see Layer 3—IP Services Configuration Guides.
- Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.
  For more information about ND, see Layer 3—IP Services Configuration Guides.
- Snooping HTTP requests redirected to the portal server.
  For more information about portal authentication, see Security Configuration Guides.
The learning methods are prioritized in descending order: DHCPv6 packet snooping has the highest priority, followed by ND packet snooping and then HTTP request snooping.
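As an added example (not HPE/H3C code), the following Python model implements the learning priorities and the IP Source Guard use of snooping entries described above; the class and function names, the numeric priority ranks, the one-address-per-IP-version simplification and the sample MAC and addresses are this example's own assumptions.

```python
"""Model of the WLAN IP snooping table described on this page (added example,
not HPE/H3C code). Each entry records a client's IP, MAC and learning method
(one address per IP version, a simplification of this model). A method lower
in the page's priority order (ARP, ND, HTTP) never replaces an address learned
by a higher one (DHCPv4, DHCPv6), and an IP Source Guard style check forwards a
client packet only when its source address matches the entry. Which packet
types are snooped follows the service-template defaults on this page."""
from dataclasses import dataclass
import ipaddress

# Learning-method priority per IP version, from the order the page gives
# (DHCPv4 > ARP > HTTP; DHCPv6 > ND > HTTP). Lower rank wins; the numeric
# ranks are a modelling assumption.
PRIORITY = {
    4: {"dhcpv4": 0, "arp": 1, "http": 2},
    6: {"dhcpv6": 0, "nd": 1, "http": 2},
}

# Service-template defaults from the procedures on this page.
DEFAULT_LEARNING = {"arp": True, "dhcpv4": True,
                    "dhcpv6": False, "nd": False, "http": False}


@dataclass
class SnoopEntry:
    mac: str
    ip: str
    method: str


class IpSnoopingTable:
    def __init__(self, learning=None):
        self.learning = dict(DEFAULT_LEARNING if learning is None else learning)
        self._entries = {}  # (mac, ip version) -> SnoopEntry

    def learn(self, mac, ip, method):
        """Offer an address seen in a snooped packet. Returns the entry in
        force for that client afterwards (None if nothing is known)."""
        addr = ipaddress.ip_address(ip)
        ranks = PRIORITY[addr.version]
        if method not in ranks:
            raise ValueError(f"{method} cannot learn IPv{addr.version} addresses")
        key = (mac.lower(), addr.version)
        current = self._entries.get(key)
        if not self.learning.get(method, False):
            return current  # snooping this packet type is disabled in the template
        if current is not None and ranks[current.method] < ranks[method]:
            return current  # keep the entry from the higher-priority method
        entry = SnoopEntry(mac.lower(), str(addr), method)
        self._entries[key] = entry
        return entry

    def lookup(self, mac, version):
        return self._entries.get((mac.lower(), version))

    def permit(self, mac, src_ip):
        """IP Source Guard check: forward only if src_ip is the address
        snooped for this MAC in the same IP version."""
        addr = ipaddress.ip_address(src_ip)
        entry = self.lookup(mac, addr.version)
        return entry is not None and entry.ip == str(addr)


def run_scenario():
    """Constructed packet sequence for one client (MAC and addresses are made
    up for this example). Returns the resulting table."""
    table = IpSnoopingTable()
    mac = "00:11:22:33:44:55"
    # First seen in the client's ARP reply.
    table.learn(mac, "10.1.1.20", "arp")
    # A DHCP lease snooped afterwards has higher priority and replaces it.
    table.learn(mac, "10.1.1.21", "dhcpv4")
    # A later ARP packet claiming another address does not displace the
    # DHCP-learned entry, so packets from 10.1.1.99 fail the permit check.
    table.learn(mac, "10.1.1.99", "arp")
    # DHCPv6 snooping is off by default: nothing is learned for IPv6 until
    # client ipv6-snooping dhcpv6-learning enable is set in the template.
    table.learn(mac, "2001:db8::21", "dhcpv6")
    return table
```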
Feature and hardware compatibility
The following routers can function as ACs:
- MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
- MSR2600-6-X1/2600-10-X1.
- MSR 2630.
- MSR3600-28/3600-51.
- MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
- MSR 3610/3620/3620-DP/3640/3660.
WLAN IP snooping tasks at a glance
- (Optional.) Disabling snooping ARP packets
- (Optional.) Disabling snooping DHCPv4 packets
- (Optional.) Enabling snooping DHCPv6 packets
- (Optional.) Enabling snooping ND packets
- (Optional.) Disabling SNMP from getting client IPv6 addresses learned from ND packets
- (Optional.) Enabling snooping HTTP requests redirected to the portal server
Disabling snooping ARP packets
About ARP packet snooping
By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
3. Disable snooping ARP packets. | undo client ipv4-snooping arp-learning enable | By default, snooping ARP packets is enabled. |
Disabling snooping DHCPv4 packets
About DHCPv4 packet snooping
By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from DHCPv4 packets.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
3. Disable snooping DHCPv4 packets. | undo client ipv4-snooping dhcp-learning enable | By default, snooping DHCPv4 packets is enabled. |
Enabling snooping DHCPv6 packets
About DHCPv6 packet snooping
By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from DHCPv6 packets.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
3. Enable snooping DHCPv6 packets. | client ipv6-snooping dhcpv6-learning enable | By default, snooping DHCPv6 packets is disabled. |
Enabling snooping ND packets
About ND packet snooping
By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from ND packets.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
3. Enable snooping ND packets. | client ipv6-snooping nd-learning enable | By default, snooping ND packets is disabled. |
Disabling SNMP from getting client IPv6 addresses learned from ND packets
About client IPv6 address obtaining for SNMP
By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. Perform this task to enable SNMP to obtain only client IPv6 addresses learned from DHCPv6 packets.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
3. Disable SNMP from getting client IPv6 addresses learned from ND packets. | undo client ipv6-snooping snmp-nd-report enable | By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. |
Enabling snooping HTTP requests redirected to the portal server
About HTTP requests redirected to the portal server
Before a client passes portal authentication, all of its HTTP requests are redirected to the portal server. Perform this task to enable an AP to snoop the redirected HTTP requests and learn client IPv4 addresses.
For more information about portal authentication, see portal in Security Configuration Guide.
Restrictions and guidelines
This feature can only be used to learn IP addresses of portal-authenticated clients.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a service template and enter its view. | wlan service-template service-template-name | N/A |
3. Enable snooping HTTP requests redirected to the portal server. | client ip-snooping http-learning enable | By default, snooping HTTP requests is disabled. |
WLAN IP snooping configuration examples
Example: Configuring WLAN IP snooping
Network requirements
As shown in Figure 80, configure the AP to learn the client's IPv6 address from DHCPv6 packets.
Configuration procedure
# Configure wireless services. (Details not shown.)
For more information, see "Managing APs" and "Configuring WLAN access."
# Enable snooping DHCPv6 packets.
<AC> system-view
[AC] wlan service-template service
[AC-wlan-st-service] client ipv6-snooping dhcpv6-learning enable
Configuring WLAN load balancing
The term "AC" in this document refers to MSR routers that can function as ACs.
This chapter assumes that an AP has only one radio enabled.
About WLAN load balancing
WLAN load balancing dynamically balances client load across APs to ensure wireless service quality and adequate bandwidth for clients in high-density WLANs.
Networking scheme
To configure WLAN load balancing among specific APs, the APs must be managed by the same AC, and the clients can discover the APs. As shown in Figure 81, AP 1, AP 2, and AP 3 are managed by the same AC. Load balancing is enabled on AP 1, AP 2, and AP 3. AP 3 has reached its maximum load. When Client 5 tries to associate with AP 3, the AC rejects the association request and directs Client 5 to AP 1 or AP 2.
Work mechanism
The AC performs load balancing when the following conditions are met:
- The load of an AP reaches the load threshold.
- The load gap between the AP and the AP that has the lightest load reaches the load gap threshold.
When both the load and the load gap of the AP reach their respective thresholds, the AP rejects the association request of a client. If the number of times that the AP rejects the client reaches the specified maximum number of denials for association requests, the AP accepts the client's association request.
Load balancing modes
The AC supports session-mode, traffic-mode, and bandwidth-mode load balancing. It performs load balancing of a specific mode when the following conditions are met:
- The specified session/traffic/bandwidth threshold is reached.
- The specified session/traffic/bandwidth gap threshold is reached.
Session-mode load balancing
As shown in Figure 82, Client 1 associates with AP 1, and Client 2 through Client 4 associate with AP 2. The session threshold and session gap threshold are set to 3 and 2, respectively. When Client 5 tries to associate with AP 2, AP 2 rejects the request because both the session threshold and session gap threshold are reached.
Figure 82 Session-mode load balancing
Traffic-mode load balancing
As shown in Figure 83, Client 1 associates with AP 1, and Client 2 associates with AP 2. When the traffic of AP 1 and the traffic gap between AP 1 and AP 2 reach their respective threshold, AP 1 rejects the association request from Client 3.
Figure 83 Traffic-mode load balancing
Bandwidth-mode load balancing
As shown in Figure 84, Client 1 associates with AP 1, and Client 2 associates with AP 2. When the bandwidth of AP 1 and the bandwidth gap between AP 1 and AP 2 reach their respective thresholds, AP 1 rejects the association request from Client 3.
Figure 84 Bandwidth-mode load balancing
Load balancing types
The AC supports the following load balancing types:
- Radio based—The AC determines the APs that will participate in load balancing based on the neighbor reports of the APs. The neighbor report of an AP records the MAC address and RSSI value of each client that the AP detects. The AC determines that an AP will participate in load balancing when either of the following conditions is met:
  - A client requests to associate with the AP.
  - The AP detects that a client's RSSI has reached the RSSI threshold, even though the client does not request to associate with the AP.
- Load balancing group based—You add the radios of the desired APs to a load balancing group. The AC performs load balancing only on the radios in this load balancing group.
Feature and hardware compatibility
The following routers can function as ACs:
- MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
- MSR2600-6-X1/2600-10-X1.
- MSR 2630.
- MSR3600-28/3600-51.
- MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
- MSR 3610/3620/3620-DP/3640/3660.
Restrictions and guidelines: WLAN load balancing configuration
When a client requests to access the WLAN, the system performs load balancing only among APs that are managed by the same AC and can be detected by the client.
WLAN load balancing tasks at a glance
Tasks at a glance | Remarks |
---|---|
(Required.) Enabling WLAN load balancing | N/A |
(Required.) Setting a load balancing mode | N/A |
(Optional.) Configuring a load balancing group | If you do not create any load balancing groups, the AC performs radio-based load balancing. |
(Optional.) Configuring load balancing parameters | N/A |
(Optional.) Enabling SNMP notifications for WLAN load balancing | N/A |
Prerequisites for WLAN load balancing
Before you configure load balancing, make sure the quick association function is disabled. For more information about quick association, see "Enabling quick association."
Enabling WLAN load balancing
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable WLAN load balancing. | wlan load-balance enable | By default, WLAN load balancing is disabled. |
Setting a load balancing mode
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set a load balancing mode. | Set session-mode load balancing: wlan load-balance mode session session-threshold gap session-gap-threshold | By default, session-mode load balancing is used. |
 | Set traffic-mode load balancing: wlan load-balance mode traffic traffic-threshold gap traffic-gap-threshold | |
 | Set bandwidth-mode load balancing: wlan load-balance mode bandwidth bandwidth-threshold gap bandwidth-gap-threshold | |
Configuring a load balancing group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a load balancing group and enter its view. | wlan load-balance group group-id | By default, no load balancing groups exist. The AC performs radio-based load balancing. |
3. Add a radio of an AP to the load balancing group. | ap name ap-name radio radio-id | By default, no radios exist in the load balancing group. |
4. (Optional.) Set a description for the load balancing group. | description text | By default, no description is set for the load balancing group. |
Configuring load balancing parameters
About load balancing parameters
The following parameters affect load balancing calculation:
- Load balancing RSSI threshold—If an AP detects that the RSSI of a client is lower than the specified RSSI threshold, the AP performs either of the following operations:
  - If multiple APs can detect the client, the AP participates in load balancing only when the client requests to associate with the AP.
  - If only this AP can detect the client, the AP decreases the maximum number of denials to 1 so that the client has more chances to associate with the AP.
- Maximum number of denials for association requests—If the number of times that an AP rejects a client reaches the specified maximum number of denials for association requests, the AP accepts the association request of the client.
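As an added example (not HPE/H3C code) covering the work mechanism, the load balancing modes and types, and the parameters described above, the following Python model reproduces the AC's accept/reject decision; the class and function names, the RSSI values and the scenario helpers are this example's own assumptions, while the thresholds and defaults are the page's.

```python
"""Model of the AC's load-balancing decision described on this page (added
example, not HPE/H3C code). An AP rejects an association only while its load
has reached the threshold AND its gap to the lightest-loaded participating AP
has reached the gap threshold, and it gives in once the client has been denied
the maximum number of times. Radio-based versus group-based participation and
the RSSI threshold rules are modelled as the page describes them."""
from dataclasses import dataclass, field


@dataclass
class Ap:
    name: str
    sessions: int = 0
    traffic_pct: float = 0.0    # current traffic as a percentage of max bandwidth
    bandwidth_mbps: float = 0.0

    def load(self, mode):
        return {"session": self.sessions, "traffic": self.traffic_pct,
                "bandwidth": self.bandwidth_mbps}[mode]


@dataclass
class LoadBalancer:
    mode: str = "session"       # default mode on this page
    threshold: float = 0.0      # e.g. wlan load-balance mode session 3 gap 2
    gap: float = 0.0
    rssi_threshold: int = 25    # page default (wlan load-balance rssi-threshold)
    access_denial: int = 10     # page default (wlan load-balance access-denial)
    group: set = field(default_factory=set)      # AP names in a load balancing group
    denials: dict = field(default_factory=dict)  # (AP name, client) -> rejections so far

    def participants(self, target, aps, detected):
        """APs compared with the target. With a group configured, only its
        members. Otherwise (radio based) the requested AP plus every AP whose
        neighbor report sees the client at or above the RSSI threshold; an AP
        that sees the client more weakly takes part only when asked."""
        if self.group:
            names = self.group
        else:
            names = {target.name} | {n for n, r in detected.items()
                                     if r >= self.rssi_threshold}
        return [ap for ap in aps if ap.name in names]

    def decide(self, target, aps, client, detected):
        """True if `target` accepts `client`'s association request.
        `detected` maps AP name -> RSSI at which that AP sees the client."""
        parts = self.participants(target, aps, detected)
        if target not in parts:
            return True         # e.g. the requested AP is outside the group
        load = target.load(self.mode)
        lightest = min(ap.load(self.mode) for ap in parts)
        if load < self.threshold or load - lightest < self.gap:
            return True
        limit = self.access_denial
        if (set(detected) == {target.name}
                and detected[target.name] < self.rssi_threshold):
            limit = 1           # weak client only this AP can see: deny at most once
        key = (target.name, client)
        count = self.denials.get(key, 0)
        if count >= limit:
            self.denials.pop(key, None)
            return True
        self.denials[key] = count + 1
        return False


def session_scenario():
    """Figure 82: Client 1 on AP 1, Clients 2 to 4 on AP 2, threshold 3, gap 2.
    Returns (AP 2's answer to Client 5, AP 1's answer to Client 5)."""
    ap1, ap2 = Ap("ap1", sessions=1), Ap("ap2", sessions=3)
    lb = LoadBalancer("session", threshold=3, gap=2)
    seen = {"ap1": 40, "ap2": 45}   # constructed RSSI values
    return (lb.decide(ap2, [ap1, ap2], "client5", seen),
            lb.decide(ap1, [ap1, ap2], "client5", seen))


def group_scenario():
    """Group example: radios of AP 1 and AP 2 are in group 1, AP 3 is not.
    AP 1 has 2 sessions, AP 2 has 3, AP 3 has none; the client asks AP 2.
    Returns (answer with the group, answer with radio-based balancing)."""
    aps = [Ap("ap1", sessions=2), Ap("ap2", sessions=3), Ap("ap3", sessions=0)]
    seen = {"ap1": 40, "ap2": 45, "ap3": 50}
    grouped = LoadBalancer("session", threshold=3, gap=2, group={"ap1", "ap2"})
    radio_based = LoadBalancer("session", threshold=3, gap=2)
    return (grouped.decide(aps[1], aps, "client6", seen),
            radio_based.decide(aps[1], aps, "client6", seen))
```

With the group, AP 3 is left out of the comparison and the gap to AP 1 is only 1, so the client is accepted; radio based, the idle AP 3 counts and the same request is denied.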
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the RSSI threshold. | wlan load-balance rssi-threshold rssi-threshold | By default, the RSSI threshold is 25. |
3. Set the maximum number of denials for association requests. | wlan load-balance access-denial access-denial | By default, the maximum number of denials for association requests is 10. |
Enabling SNMP notifications for WLAN load balancing
About SNMP notifications for WLAN load balancing
To report critical WLAN load balancing events to an NMS, enable SNMP notifications for WLAN load balancing. For WLAN load balancing event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable SNMP notifications for WLAN load balancing. | snmp-agent trap enable wlan load-balance | By default, SNMP notifications for WLAN load balancing are disabled. |
Display and maintenance commands for WLAN load balancing
Execute display commands in any view.
Task | Command |
---|---|
Display load balancing group information. | display wlan load-balance group { group-id \| all } |
Display load balancing information for radios that are bound to a service template. | display wlan load-balance status service-template template-name { client mac-address \| group group-id } |
WLAN load balancing configuration examples (on radios)
Example: Configuring session-mode load balancing
Network configuration
As shown in Figure 85, AP 1 and AP 2 are managed by the AC and the clients can discover the APs. Client 1 associates with AP 1, and Client 2 through Client 4 associate with AP 2.
Configure the AC to perform session-mode load balancing on AP 1 and AP 2 when the following conditions are met:
- The number of sessions on one AP reaches 3.
- The session gap between the APs reaches 2.
Procedure
# Create wireless service template 1, and set its SSID to session-balance.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid session-balance
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create AP template ap2, and specify the model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 210235A29G007C000021
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Set the load balancing mode to session mode, and set the session threshold and session gap threshold to 3 and 2, respectively.
[AC] wlan load-balance mode session 3 gap 2
# Enable WLAN load balancing.
[AC] wlan load-balance enable
Verifying the configuration
# Verify that the AC performs session-mode load balancing for AP 1 and AP 2 when the following conditions are met:
- The number of sessions on AP 2 reaches 3.
- The session gap between the APs reaches 2. (Details not shown.)
# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)
Example: Configuring traffic-mode load balancing
Network configuration
As shown in Figure 86, AP 1 and AP 2 are managed by the AC and the clients can discover the APs. The maximum bandwidth for each AP is 150 Mbps.
Configure the AC to perform traffic-mode load balancing on AP 1 and AP 2 when the following conditions are met:
- The traffic of one AP reaches 30 Mbps (20% of the maximum bandwidth).
- The traffic gap between the APs reaches 15 Mbps (10% of the maximum bandwidth).
Procedure
# Create wireless service template 1, and set its SSID to traffic-balance.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid traffic-balance
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create AP template ap2, and specify the model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 210235A29G007C000021
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Set the load balancing mode to traffic mode, and set the traffic threshold and traffic gap threshold to 20% and 10%, respectively.
[AC] wlan load-balance mode traffic 20 gap 10
# Enable WLAN load balancing.
[AC] wlan load-balance enable
Verifying the configuration
# Verify that the AC performs traffic-mode load balancing for AP 1 and AP 2 when the following conditions are met:
- The traffic of AP 2 reaches 30 Mbps.
- The traffic gap between the APs reaches 15 Mbps. (Details not shown.)
# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)
Example: Configuring bandwidth-mode load balancing
Network configuration
As shown in Figure 87, AP 1 and AP 2 are managed by the AC and the clients can discover the APs.
Configure the AC to perform bandwidth-mode load balancing on AP 1 and AP 2 when the following conditions are met:
- The bandwidth of one AP reaches 12 Mbps.
- The bandwidth gap between the APs reaches 3 Mbps.
Procedure
# Create wireless service template 1, and set its SSID to bandwidth-balance.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid bandwidth-balance
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create AP template ap2, and specify the model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 210235A29G007C000021
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Set the load balancing mode to bandwidth mode, and set the bandwidth threshold and bandwidth gap threshold to 12 Mbps and 3 Mbps, respectively.
[AC] wlan load-balance mode bandwidth 12 gap 3
# Enable WLAN load balancing.
[AC] wlan load-balance enable
Verifying the configuration
# Verify that the AC performs bandwidth-mode load balancing for AP 1 and AP 2 when the following conditions are met:
- The bandwidth of AP 2 reaches 12 Mbps.
- The bandwidth gap between the APs reaches 3 Mbps. (Details not shown.)
# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)
WLAN load balancing configuration examples (on a load balancing group)
Example: Configuring session-mode load balancing
Network configuration
As shown in Figure 88, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs. Client 1 associates with radio 2 of AP 1. Client 3 through Client 5 associate with radio 2 of AP 2.
Configure the AC to perform session-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:
- The number of sessions on one radio reaches 3.
- The session gap between the radios reaches 2.
Procedure
# Create wireless service template 1, and set its SSID to session-balance.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid session-balance
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create AP template ap2, and specify the model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 210235A29G007C000021
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Create AP template ap3, and specify the model and serial ID.
[AC] wlan ap ap3 model WA2620-WiNet
[AC-wlan-ap-ap3] serial-id 210235A29G007C000022
# Bind service template 1 to radio 2 of AP 3.
[AC-wlan-ap-ap3] radio 2
[AC-wlan-ap-ap3-radio-2] service-template 1
[AC-wlan-ap-ap3-radio-2] radio enable
[AC-wlan-ap-ap3-radio-2] quit
[AC-wlan-ap-ap3] quit
# Set the load balancing mode to session mode, and set the session threshold and session gap threshold to 3 and 2, respectively.
[AC] wlan load-balance mode session 3 gap 2
# Create load balancing group 1.
[AC] wlan load-balance group 1
# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.
[AC-wlan-lb-group-1] ap name ap1 radio 2
[AC-wlan-lb-group-1] ap name ap2 radio 2
[AC-wlan-lb-group-1] quit
# Enable WLAN load balancing.
[AC] wlan load-balance enable
Verifying the configuration
# Verify that the AC performs session-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:
- The number of sessions on either radio reaches 3.
- The session gap between the radios reaches 2. (Details not shown.)
# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)
Example: Configuring traffic-mode load balancing
Network configuration
As shown in Figure 89, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs. The maximum bandwidth for each AP is 150 Mbps.
Configure the AC to perform traffic-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:
- The traffic of one radio reaches 30 Mbps (20% of the maximum bandwidth).
- The traffic gap between the radios reaches 15 Mbps (10% of the maximum bandwidth).
Procedure
# Create wireless service template 1, and set its SSID to traffic-balance.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid traffic-balance
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create AP template ap2, and specify the model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 210235A29G007C000021
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Create AP template ap3, and specify the model and serial ID.
[AC] wlan ap ap3 model WA2620-WiNet
[AC-wlan-ap-ap3] serial-id 210235A29G007C000022
# Bind service template 1 to radio 2 of AP 3.
[AC-wlan-ap-ap3] radio 2
[AC-wlan-ap-ap3-radio-2] service-template 1
[AC-wlan-ap-ap3-radio-2] radio enable
[AC-wlan-ap-ap3-radio-2] quit
[AC-wlan-ap-ap3] quit
# Set the load balancing mode to traffic mode, and set the traffic threshold and traffic gap threshold to 20% and 10%, respectively.
[AC] wlan load-balance mode traffic 20 gap 10
# Create load balancing group 1.
[AC] wlan load-balance group 1
# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.
[AC-wlan-lb-group-1] ap name ap1 radio 2
[AC-wlan-lb-group-1] ap name ap2 radio 2
[AC-wlan-lb-group-1] quit
# Enable WLAN load balancing.
[AC] wlan load-balance enable
Verifying the configuration
# Verify that the AC performs traffic-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:
- The traffic of either radio reaches 30 Mbps.
- The traffic gap between the radios reaches 15 Mbps. (Details not shown.)
# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)
Example: Configuring bandwidth-mode load balancing
Network configuration
As shown in Figure 90, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs.
Configure the AC to perform bandwidth-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:
- The bandwidth of one radio reaches 12 Mbps.
- The bandwidth gap between the radios reaches 3 Mbps.
Procedure
# Create wireless service template 1, and set its SSID to bandwidth-balance.
<AC> system-view
[AC] wlan service-template 1
[AC-wlan-st-1] ssid bandwidth-balance
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create AP template ap1, and specify the model and serial ID.
[AC] wlan ap ap1 model WA2620-WiNet
[AC-wlan-ap-ap1] serial-id 210235A29G007C000020
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] quit
[AC-wlan-ap-ap1] quit
# Create AP template ap2, and specify the model and serial ID.
[AC] wlan ap ap2 model WA2620-WiNet
[AC-wlan-ap-ap2] serial-id 210235A29G007C000021
# Bind service template 1 to radio 2 of AP 2.
[AC-wlan-ap-ap2] radio 2
[AC-wlan-ap-ap2-radio-2] service-template 1
[AC-wlan-ap-ap2-radio-2] radio enable
[AC-wlan-ap-ap2-radio-2] quit
[AC-wlan-ap-ap2] quit
# Create AP template ap3, and specify the model and serial ID.
[AC] wlan ap ap3 model WA2620-WiNet
[AC-wlan-ap-ap3] serial-id 210235A29G007C000022
# Bind service template 1 to radio 2 of AP 3.
[AC-wlan-ap-ap3] radio 2
[AC-wlan-ap-ap3-radio-2] service-template 1
[AC-wlan-ap-ap3-radio-2] radio enable
[AC-wlan-ap-ap3-radio-2] quit
[AC-wlan-ap-ap3] quit
# Set the load balancing mode to bandwidth mode, and set the bandwidth threshold and bandwidth gap threshold to 12 Mbps and 3 Mbps, respectively.
[AC] wlan load-balance mode bandwidth 12 gap 3
# Create load balancing group 1.
[AC] wlan load-balance group 1
# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.
[AC-wlan-lb-group-1] ap name ap1 radio 2
[AC-wlan-lb-group-1] ap name ap2 radio 2
[AC-wlan-lb-group-1] quit
# Enable WLAN load balancing.
[AC] wlan load-balance enable
Verifying the configuration
# Verify that the AC performs bandwidth-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:
- The bandwidth of either radio reaches 12 Mbps.
- The bandwidth gap between the radios reaches 3 Mbps. (Details not shown.)
# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)
WLAN probe
The term "AC" in this document refers to MSR routers that can function as ACs.
About WLAN probe
WLAN probe enables APs to monitor the WLAN and collect information about wireless devices in the WLAN. Then, the APs send the collected information to the specified server for further analysis.
WLAN probe system
As shown in Figure 91, a WLAN probe system contains the following devices:
- Sensors—APs enabled with WLAN probe. They scan the channels, collect wireless device information, and report the information to the server.
- AC—Manages sensors and reports information received from sensors to the server.
- Server—Analyzes the information received from sensors and the AC.
Work mechanism
A WLAN probe system operates as follows:
1. Wireless devices send 802.11 packets.
2. Sensors collect wireless device information, such as MAC address, device type, RSSI, and time stamp, from the packets.
3. Sensors send collected device information to the AC or server.
4. The server analyzes the received information.
Feature and hardware compatibility
The following routers can function as ACs:
- MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.
- MSR2600-6-X1/2600-10-X1.
- MSR 2630.
- MSR3600-28/3600-51.
- MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
- MSR 3610/3620/3620-DP/3640/3660.
WLAN probe tasks at a glance
- (Required.) Enabling WLAN probe
- (Required.) Specifying a server to receive wireless device information
- (Optional.) Configuring sensors to report wireless device information to the AC
- (Optional.) Enabling real-time reporting of wireless device information to the UDP server
- (Optional.) Setting the coordinates and timezone offset for a sensor
- (Optional.) Reporting wireless device information to the Oasis platform
- (Optional.) Configuring wireless device filtering
- (Optional.) Setting device entry timers
Enabling WLAN probe
To enable WLAN probe in radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Enter radio view. | radio radio-id | N/A |
4. Enable WLAN probe. | client-proximity-sensor enable | By default, a radio uses the configuration in AP group radio view. |
To enable WLAN probe in AP group radio view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP group view. | wlan ap-group group-name | N/A |
3. Enter AP model view. | ap-model ap-model | N/A |
4. Enter radio view. | radio radio-id | N/A |
5. Enable WLAN probe. | client-proximity-sensor enable | By default, WLAN probe is disabled. |
Specifying a server to receive wireless device information
About specifying a server to receive wireless device information
Perform this task to specify a server for a sensor or the AC to report wireless device information.
Restrictions and guidelines
For the AC to report device information to the server, you must enable sensors to report information about detected devices to the AC.
Procedure
To specify an HTTPS server:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify an HTTPS server to receive wireless device information. | client-proximity-sensor server string [ window-time window-time-value \| partner partner-value ] * | By default, no HTTPS server is specified. |
To specify a UDP server for the AC:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify a UDP server to receive wireless device information. | client-proximity-sensor udp-server ip-address port port-number [ interval interval \| preshared-key [ cipher \| simple ] key-string ] * | By default, no UDP server is specified. |
To specify a UDP server for a sensor:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Specify a UDP server to receive wireless device information. | client-proximity-sensor udp-server ip-address port port-number [ interval interval \| preshared-key [ cipher \| simple ] key-string ] * | By default, no UDP server is specified. |
Configuring sensors to report wireless device information to the AC
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable sensors to report information about detected devices to the AC. | client-proximity-sensor report-ac enable | By default, sensors do not report information about detected devices to the AC. |
3. (Optional.) Set the interval at which sensors report information about detected devices to the AC. | client-proximity-sensor report-ac-interval interval | By default, sensors report information about detected devices to the AC every 3000 milliseconds. |
Enabling real-time reporting of wireless device information to the UDP server
About real-time reporting of wireless device information to the UDP server
After you enable this feature, the device information is reported to the UDP server in real time, rather than at the specified intervals.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable real-time reporting of wireless device information to the UDP server. | client-proximity-sensor rt-report enable | By default, real-time reporting of wireless device information to the UDP server is disabled. |
Setting the coordinates and timezone offset for a sensor
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter AP view. | wlan ap ap-name | N/A |
3. Set the coordinates for the sensor. | client-proximity-sensor coordinates longitude longitude-value latitude latitude-value | |
4. Set the timezone offset between the AC and the sensor. | client-proximity-sensor timezone-offset { add \| minus } timevalue | By default, the timezone offset between the AC and the sensor is not set. |
Reporting wireless device information to the Oasis platform
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the AC to report wireless device information to the Oasis platform. | undo client-proximity-sensor report-oasis disable | By default, the AC reports wireless device information to the Oasis platform. |
3. (Optional.) Set the number of client entries that the AC reports to the Oasis platform each time and the report interval. | client-proximity-sensor report-oasis client interval interval number number | By default, the AC reports 10 client entries to the Oasis platform every 1000 milliseconds. |
4. (Optional.) Set the RSSI difference threshold for reporting client information to the Oasis platform. | client-proximity-sensor report-oasis rssi-change-threshold threshold-value | By default, the RSSI difference threshold is 100. |
Configuring wireless device filtering
About wireless device filtering
Perform this task to configure whether the information about the specified devices is reported or not.
Procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the MAC address filtering list. | client-proximity-sensor filter-list list | By default, the MAC address filtering list is not configured. |
3. Set the RSSI threshold for clients or APs. | client-proximity-sensor rssi-threshold { ap ap-rssi-value \| client client-rssi-value } | By default, the RSSI thresholds for clients and APs are not set. |
4. Enable reporting of information about Apple terminals that use a random MAC address. | client-proximity-sensor random-mac-report enable | By default, information about Apple terminals that use a random MAC address is not reported. |
5. Enable reporting of AP information to the UDP server. | client-proximity-sensor report-ap enable | By default, information about APs is not reported to the UDP server. |
Setting device entry timers
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the AP entry timers. | client-proximity-sensor ap-timer inactive inactive-value aging aging-value | By default, the inactive time and aging time for AP entries are 300 seconds and 600 seconds, respectively. |
3. Set the client entry timers. | client-proximity-sensor client-timer inactive inactive-value aging aging-value | By default, the inactive time and aging time for client entries are 300 seconds and 600 seconds, respectively. |
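To make the filtering steps and the entry timers concrete, the following is an added Python model (not H3C's code) of the detected-device table a sensor or AC keeps; it covers the "Configuring wireless device filtering" steps and the entry timers above. It assumes that a "random" MAC address is one with the locally administered bit set, and that an entry is Active while seen within the inactive time, Inactive until the aging time elapses, and then removed.

```python
# Defaults from the "Setting device entry timers" table: inactive 300 s, aging 600 s.
DEFAULT_TIMERS = {"ap": (300, 600), "client": (300, 600)}

class ProbeTable:
    """Model of the detected-device table (not the device's code); arguments mirror
    filter-list, rssi-threshold, report-ap, random-mac-report and the entry timers."""

    def __init__(self, filter_list=(), rssi_threshold=None, report_ap=False,
                 random_mac_report=False, timers=None):
        self.filter_list = {m.upper() for m in filter_list}
        self.rssi_threshold = rssi_threshold or {}   # e.g. {"client": -75} in dBm
        self.report_ap = report_ap
        self.random_mac_report = random_mac_report
        self.timers = timers or DEFAULT_TIMERS
        self.entries = {}                            # mac -> (kind, rssi, last_seen)

    @staticmethod
    def is_random_mac(mac):
        # Assumption: locally administered bit (bit 1 of first octet) set, e.g. 0212-34B8-A8E0.
        return int(mac[:2], 16) & 0x02 != 0

    def accept(self, mac, kind, rssi):
        """Apply the filtering steps in table order; True means the detection is kept."""
        if mac.upper() in self.filter_list:          # step 2: MAC filtering list
            return False
        if kind in self.rssi_threshold and rssi < self.rssi_threshold[kind]:
            return False                             # step 3: RSSI threshold
        if kind == "client" and self.is_random_mac(mac) and not self.random_mac_report:
            return False                             # step 4: random-MAC clients
        if kind == "ap" and not self.report_ap:
            return False                             # step 5: AP reporting
        return True

    def observe(self, mac, kind, rssi, now):
        # Record a detection at time `now` (seconds) if it passes the filters.
        if not self.accept(mac, kind, rssi):
            return False
        self.entries[mac.upper()] = (kind, rssi, now)
        return True

    def snapshot(self, now):
        """Age out entries and map mac -> "Active"/"Inactive" (assumed timer semantics)."""
        out = {}
        for mac, (kind, _rssi, last_seen) in list(self.entries.items()):
            inactive, aging = self.timers[kind]
            age = now - last_seen
            if age >= aging:
                del self.entries[mac]
            else:
                out[mac] = "Active" if age < inactive else "Inactive"
        return out
```

The sample MAC addresses used when exercising the model are the constructed ones from the display output in the configuration example below.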
Display and maintenance commands for WLAN probe
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display information about wireless devices detected by sensors. | display client-proximity-sensor device [ ap \| client \| mac-address mac-address ] [ verbose ] |
Display information about sensors. | display client-proximity-sensor sensor |
Display information received from sensors. | display client-proximity-sensor statistics receive |
Clear wireless device information. | reset client-proximity-sensor device { ap \| client \| mac-address mac-address \| all } |
Clear information received from sensors. | reset client-proximity-sensor statistics |
WLAN probe configuration examples
Example: Configuring WLAN probe
Network configuration
As shown in Figure 92, AP 1 and AP 2 provide wireless services for clients through SSID abc.
Enable WLAN probe on the sensor, and configure the AC to report the received wireless device information to the server.
Procedure
# Configure wireless service settings on the AC. (Details not shown.)
For more information, see "Configuring WLAN access."
# Create AP Sensor, and enable WLAN probe for the AP.
<AC> system-view
[AC] wlan ap Sensor model WA5320-WiNet
[AC-wlan-ap-Sensor] serial-id 210235A1GQB139000435
[AC-wlan-ap-Sensor] radio 1
[AC-wlan-ap-Sensor-radio-1] radio enable
[AC-wlan-ap-Sensor-radio-1] client-proximity-sensor enable
[AC-wlan-ap-Sensor-radio-1] quit
[AC-wlan-ap-Sensor] radio 2
[AC-wlan-ap-Sensor-radio-2] radio enable
[AC-wlan-ap-Sensor-radio-2] client-proximity-sensor enable
[AC-wlan-ap-Sensor-radio-2] quit
[AC-wlan-ap-Sensor] quit
# Configure the sensor to report wireless device information to the AC.
[AC] client-proximity-sensor report-ac enable
# Configure the AC to report wireless device information to the UDP server with IP address 192.168.1.123 and port number 1234, and set the report interval to 20 seconds.
[AC] client-proximity-sensor udp-server 192.168.1.123 port 1234 interval 20
Verifying the configuration
# Display wireless device information detected by the sensor.
[AC] display client-proximity-sensor device
Total 3 detected devices
MAC address Type Duration Sensors Channel Status
0021-632F-E9E5 Client 00h 10m 46s 1 11 Active
0021-6330-148B Client 00h 10m 46s 1 6 Active
0212-34B8-A8E0 Client 00h 10m 46s 1 1 Active
# On the management console of the server, view the wireless device information received from the AC. (Details not shown.)