15-WLAN AC Configuration Guide

Contents

Managing APs
    About AP management
    CAPWAP tunnel
    APDB
    Protocols and standards
    Feature and hardware compatibility
    Restrictions and guidelines: AP management configuration
    AP management tasks at a glance
    Configuring CAPWAP tunnel establishment
    Prerequisites for configuring CAPWAP tunnel establishment
    Creating a manual AP
    Managing auto APs
    Setting the discovery-response timeout timer
    Setting the AP connection priority for the AC
    Enabling the AC to respond only to unicast discovery requests
    Configuring AC rediscovery
    Upgrading APs' software
    About software upgrade
    Configuring software upgrade
    Configuring the mapping between a software version and a hardware version of an AP model
    Specifying the preferred location for the AC to obtain an AP image file
    Configuring an AP group
    Configuring VLANs for APs
    About VLANs for APs
    Tasks at a glance
    Configuring basic VLAN settings
    Assigning an access port to a VLAN
    Assigning a trunk port to VLANs
    Assigning a hybrid port to VLANs
    Assigning VLAN settings to APs
    Configuring a CAPWAP tunnel
    Configuring CAPWAP tunnel encryption
    Configuring CAPWAP tunnel latency detection
    Setting the echo interval for an AP
    Setting the maximum fragment size for CAPWAP packets
    Setting the TCP MSS for CAPWAP tunnels
    Configuring AC request retransmission
    Setting the statistics report interval
    Maintaining APs
    Resetting APs
    Renaming a manual AP
    Managing the file system of an AP
    Setting a LED lighting mode
    Preprovisioning APs
    About AP preprovisioning
    Restrictions and guidelines
    Tasks at a glance
    Configuring preprovisioned settings for an AP
    Configuring network settings for an AP group
    Assigning preprovisioned settings to APs
    Configuring auto loading of preprovisioned settings
    Enabling SNMP notifications
    Configuring advanced features for AP management
    Configuring remote AP
    Configuring the default input power level
    Enabling or disabling USB interfaces for APs
    Loading an APDB user script
    Enabling service anomaly detection
    Display and maintenance commands for AP management
    AP management configuration examples
    Example: Establishing a CAPWAP tunnel through DHCP
    Example: Establishing a CAPWAP tunnel through DHCPv6
    Example: Establishing a CAPWAP tunnel through DNS
    Example: Configuring the auto AP feature
    Example: Configuring AP groups
Configuring radio management
    About radio management
    Radio mode
    Channel
    Transmit power
    Transmission rate
    MCS
    VHT-MCS
    Feature and hardware compatibility
    Restrictions and guidelines: Radio management configuration
    Radio management tasks at a glance
    Enabling or disabling radios
    Enabling or disabling all radios
    Enabling or disabling a radio in radio view
    Enabling or disabling a radio in AP group radio view
    Specifying a radio mode
    Configuring basic radio functions
    Specifying a working channel
    Configuring the channel selection blacklist or whitelist
    Setting the antenna type
    Setting the antenna gain
    Setting the maximum transmit power
    Configuring power lock
    Setting transmission rates
    Setting the beacon interval
    Setting the DTIM interval
    Specifying a collision avoidance mode
    Setting the RTS threshold
    Setting the fragmentation threshold
    Setting the hardware retransmission limits
    Setting the maximum number of clients that can associate with an AP
    Configuring access services for 802.11b clients
    Configuring 802.11g protection
    Configuring ANI
    Setting the preamble type
    Setting the maximum transmission distance
    Enabling the continuous mode for a radio
    Performing on-demand channel usage measurement
    Configuring 802.11n functions
    Specifying the A-MPDU aggregation method
    Specifying the A-MSDU aggregation method
    Configuring short GI
    Configuring LDPC
    Configuring STBC
    Setting MCS indexes
    Configuring the client dot11n-only feature
    Setting the 802.11n bandwidth mode
    Specifying a MIMO mode
    Configuring energy saving
    Configuring 802.11n protection
    Configuring 802.11ac functions
    Setting NSSs
    Configuring the client dot11ac-only feature
    Setting the 802.11ac bandwidth mode
    Configuring TxBF
    Configuring the smart antenna feature
    Display and maintenance commands for radio management
    Radio management configuration examples
    Example: Configuring basic radio function
    Example: Configuring 802.11n
Configuring WLAN access
    About WLAN access
    Scanning
    Association
    Client access control
    AP group-based access control
    SSID-based access control
    Whitelist- and blacklist-based access control
    ACL-based access control
    Feature and hardware compatibility
    Configuration restrictions and guidelines
    WLAN access tasks at a glance
    Configuring wireless services
    Configuring a service template
    Configuring a description for a service template
    Setting an SSID
    Setting the maximum number of associated clients for a service template
    Enabling a service template
    Binding a service template to a radio
    Configuring an AP to not inherit the specified service template from the AP group
    Configuring wireless client functions
    Setting the client idle timeout
    Configuring client keepalive
    Setting the VLAN allocation method for clients
    Configuring clients to prefer the authorization VLAN after roaming
    Setting the aging time for the cache of clients
    Enabling client association at the AC or APs
    Specifying the client traffic forwarder
    Enabling client traffic forwarding
    Setting the encapsulation format for client data frames
    Enabling quick association
    Setting the idle period before client reauthentication
    Enabling immediate client association upon successful local authentication
    Specifying the method for APs to process traffic from unknown clients
    Performing a wireless link quality test
    Specifying the Web server to which client information is reported
    Enabling the device to generate client logs in the specified format
    Configuring client statistics reporting
    Configuring client access control
    Specifying a permitted AP group for client association
    Specifying a permitted SSID for client association
    Adding a client to the whitelist
    Adding a client to the static blacklist
    Configuring the dynamic blacklist
    Configuring ACL-based access control
    Specifying a region code
    Disabling an AP from responding to broadcast probe requests
    Setting the NAS ID
    Configuring policy-based forwarding
    Restrictions and guidelines for policy-based forwarding
    Prerequisites for policy-based forwarding
    Configuring a forwarding policy
    Applying a forwarding policy to a service template
    Applying a forwarding policy to a user profile
    Deploying a configuration file to an AP
    Enabling SNMP notifications for WLAN access
    Display and maintenance commands for WLAN access
    WLAN access configuration examples
    Example: Configuring WLAN access
    Example: Configuring the whitelist
    Example: Configuring the static blacklist
    Example: Configuring ACL-based access control
Configuring WLAN security
    About WLAN security
    Pre-RSNA mechanism
    Open system authentication
    Shared key authentication
    802.11i mechanism
    Security modes
    AKM
    Authentication
    Key management
    Cipher suites
    Dynamic WEP mechanism
    802.11w management frame protection
    About 802.11w management frame protection
    Active SA query
    Passive SA query
    Protocols and standards
    Feature and hardware compatibility
    WLAN security tasks at a glance
    Pre-RSNA tasks at a glance
    802.11i tasks at a glance
    Dynamic WEP tasks at a glance
    Configuring security features
    Configuring the AKM mode
    Setting the security information element
    Setting the cipher suite
    Setting the PSK
    Setting the KDF
    Configuring GTK update
    Configuring PTK update
    Setting the TKIP MIC failure hold time
    Setting the WEP key
    Configuring 802.11w management frame protection
    Enabling the dynamic WEP mechanism
    Enabling SNMP notifications for WLAN security
    Display and maintenance commands for WLAN security
    WLAN security configuration examples
    Example: Configuring shared key authentication
    Example: Configuring PSK authentication and bypass authentication
    Example: Configuring PSK authentication and MAC authentication
    Example: Configuring 802.1X AKM
    Example: Configuring management frame protection
    Example: Configuring dynamic WEP
    Example: Configuring private PSK authentication and MAC authentication
Configuring WLAN authentication
    About WLAN authentication
    Authentication modes
    802.1X authentication
    MAC authentication
    Intrusion protection
    WLAN VLAN manipulation
    ACL assignment
    User profile assignment
    BYOD access control
    Feature and hardware compatibility
    WLAN authentication tasks at a glance
    Prerequisites for WLAN authentication
    Configuring global WLAN authentication parameters
    Setting OUIs for OUI authentication
    Enabling EAP relay or EAP termination for 802.1X authentication
    Specifying 802.1X-supported domain name delimiters
    Setting the maximum number of 802.1X authentication request attempts
    Setting the 802.1X authentication timers
    Configuring the MAC authentication user account format
    Specifying a global MAC authentication domain
    Setting the MAC authentication server timeout timer
    Configuring service-specific WLAN authentication parameters
    Setting the authentication mode
    Specifying the authenticator for WLAN clients
    Specifying an EAP mode for 802.1X authentication
    Ignoring 802.1X or MAC authentication failures
    Enabling URL redirection for WLAN MAC authentication clients
    Configuring a WLAN Auth-Fail VLAN
    Configuring a WLAN critical VLAN
    Ignoring authorization information from the server
    Enabling the authorization-fail-offline feature
    Configuring intrusion protection
    Configuring the online user handshake feature
    Configuring the online user handshake security feature
    Specifying an 802.1X authentication domain
    Setting the maximum number of concurrent 802.1X clients
    Enabling the periodic online user reauthentication feature
    Setting the maximum number of concurrent MAC authentication clients
    Specifying a service-specific MAC authentication domain
    Configuring the accounting-start trigger feature
    Configuring the accounting-update trigger feature
    Display and maintenance commands for WLAN authentication settings
    WLAN authentication configuration examples
    Example: Configuring 802.1X CHAP local authentication
    Example: Configuring 802.1X EAP-PEAP RADIUS authentication
    Example: Configuring RADIUS-based MAC authentication
WIPS overview
    About WIPS
    WIPS components
    WIPS features
    Attack detection
    Flood attack detection
    Malformed packet detection
    Spoofing attack detection
    Weak IV detection
    Omerta attack detection
    Broadcast disassociation/deauthentication attack detection
    Detection on clients with the 40 MHz bandwidth mode disabled
    Power save attack detection
    Prohibited channel detection
    Soft AP detection
    Windows bridge detection
    Unencrypted device detection
    Hotspot attack detection
    AP impersonation attack detection
    HT-greenfield AP detection
    Honeypot AP detection
    MITM attack detection
    Wireless bridge detection
    Association/reassociation DoS attack detection
    AP flood attack detection
    Device entry attack detection
    Signature-based attack detection
    Device classification
    AP classification
    Client classification
    Countermeasures
Configuring WIPS
    Feature and hardware compatibility
    WIPS tasks at a glance
    Enabling WIPS
    Configuring attack detection
    Configuring an attack detection policy
    Applying an attack detection policy
    Configuring signature-based attack detection
    Configuring a signature
    Configuring a signature policy
    Applying a signature policy
    Configuring device classification
    Configuring a classification policy
    Configuring an automatic device classification policy
    Configuring a manual AP classification policy
    Applying a classification policy
    Configuring countermeasures
    Configuring a countermeasure policy
    Applying a countermeasure policy
    Detecting clients with NAT configured
    Configuring the alarm-ignoring feature
    Configuring APs to perform WIPS scanning while providing access services
    Configuring OUIs
    Display and maintenance commands for WIPS
    WIPS configuration examples
    Example: Configuring device classification and countermeasures
    Example: Configuring malformed packet and flood attack detection
    Example: Configuring signature-based attack detection
Configuring WLAN QoS
    About WLAN QoS
    WMM protocol
    SVP
    Bandwidth guaranteeing
    Client rate limiting
    Protocols and standards
    Feature and hardware compatibility
    Restrictions and guidelines: WLAN QoS configuration
    Configuring WMM
    WMM tasks at a glance
    Enabling WMM
    Setting EDCA parameters
    Setting EDCA parameters of AC-BE or AC-BK queues for clients
    Setting EDCA parameters of AC-VI or AC-VO queues for clients
    Configuring a port to trust packet priority for priority mapping
    Configuring SVP mapping
    Configuring bandwidth guaranteeing
    Configuring client rate limiting
    Display and maintenance commands for WMM
    WLAN QoS configuration examples
    Example: Configuring basic WMM
    Example: Configuring CAC
    Example: Configuring SVP mapping
    Example: Configuring traffic differentiation
    Example: Configuring bandwidth guaranteeing
    Example: Configuring client rate limiting
Configuring WLAN roaming
    About WLAN roaming
    Feature and hardware compatibility
    Restrictions and guidelines: WLAN roaming configuration
    Enabling SNMP notifications for WLAN roaming
    Display and maintenance commands for WLAN roaming
    WLAN roaming configuration examples
    Example: Configuring intra-AC roaming
Configuring WLAN radio resource measurement
    About WLAN radio resource measurement
    802.11h measurement
    802.11k measurement
    Feature and hardware compatibility
    Restrictions and guidelines: Radio resource measurement configuration
    WLAN radio resource measurement tasks at a glance
    Enabling radio resource management
    Setting the measurement duration and interval
    Setting the match mode for client radio resource measurement capabilities
    Display and maintenance commands for WLAN radio resource measurement
    Radio resource measurement configuration examples
    Example: Configuring radio resource measurement
Configuring channel scanning
    About channel scanning
    Basic concepts
    Work mechanism
    Feature and hardware compatibility
    Restrictions and guidelines: Channel scanning configuration
    Channel scanning tasks at a glance
    Setting the scanning period
    Setting the maximum service period
    Setting the service idle timeout timer
    Configuring the channel scanning blacklist or whitelist
    Configuring all-channel scanning
    Channel scanning configuration examples
    Example: Configuring relative forwarding preferred channel scanning
    Example: Configuring absolute forwarding preferred channel scanning
Configuring band navigation
    About band navigation
    Feature and hardware compatibility
    Restrictions and guidelines: Band navigation configuration
    Band navigation tasks at a glance
    Prerequisites for band navigation
    Enabling band navigation globally
    Enabling AP-based band navigation
    Configuring load balancing for band navigation
    Configuring band navigation parameters
    Band navigation configuration examples
    Example: Configuring band navigation
Configuring WLAN multicast optimization
    About WLAN multicast optimization
    WLAN multicast optimization mechanism
    WLAN multicast optimization entries
    Feature and hardware compatibility
    WLAN multicast optimization tasks at a glance
    Enabling WLAN multicast optimization
    Configuring a multicast optimization policy
    Setting rate limits for IGMP/MLD packets from clients
    Setting the limit for multicast optimization entries
    Setting the limit for multicast optimization entries per client
    Setting the aging time for multicast optimization entries
    Display and maintenance commands for WLAN multicast optimization
    WLAN multicast optimization configuration examples
    Example: Configuring basic WLAN multicast optimization
Configuring cloud connections
    About cloud connections
    Multiple subconnections
    Cloud connection establishment
    Feature and hardware compatibility
    Configuring a cloud connection
    Configuring the H3C Oasis server
    Configuring the local device
    Display and maintenance commands for cloud connections
    Cloud connection configuration examples
    Example: Configuring a cloud connection
Configuring WLAN RRM
    About WLAN RRM
    Operating mechanism
    Dynamic frequency selection
    Transmit power control
    Spectrum management
    Feature and hardware compatibility
    Restrictions and guidelines: WLAN RRM
    WLAN RRM tasks at a glance
    Configuring DFS
    About DFS
    Configuration prerequisites
    Setting the DFS sensitivity mode
    Configuring DFS trigger parameters
    Configuring periodic auto-DFS
    Configuring scheduled auto-DFS
    Configuring on-demand DFS
    Configuring an RRM holddown group
    Configuring TPC
    About TPC
    Configuration prerequisites
    Setting the TPC mode
    Configuring TPC trigger parameters
    Setting the minimum transmit power
    Configuring periodic auto-TPC
    Configuring on-demand TPC
    Configuring an RRM holddown group
    Configuring spectrum management
    Enabling spectrum management
    Setting the power constraint mode
    Setting the channel switch mode
    Setting the transmit power capability match mode
    Setting the channel capability match mode
    Configuring a radio baseline
    Enabling radio scanning
    Enabling SNMP notifications for WLAN RRM
    Display and maintenance commands for WLAN RRM
    WLAN RRM configuration examples
    Example: Configuring periodic auto-DFS
    Example: Configuring scheduled auto-DFS
    Example: Configuring periodic auto-TPC
    Example: Configuring spectrum management
Configuring WLAN IP snooping
    About WLAN IP snooping
    Client IPv4 address learning
    Client IPv6 address learning
    Feature and hardware compatibility
    WLAN IP snooping tasks at a glance
    Disabling snooping ARP packets
    Disabling snooping DHCPv4 packets
    Enabling snooping DHCPv6 packets
    Enabling snooping ND packets
    Disabling SNMP from getting client IPv6 addresses learned from ND packets
    Enabling snooping HTTP requests redirected to the portal server
    WLAN IP snooping configuration examples
    Example: Configuring WLAN IP snooping
Configuring WLAN load balancing
    About WLAN load balancing
    Networking scheme
    Work mechanism
    Load balancing modes
    Load balancing types
    Feature and hardware compatibility
    Restrictions and guidelines: WLAN load balancing configuration
    WLAN load balancing tasks at a glance
    Prerequisites for WLAN load balancing
    Enabling WLAN load balancing
    Setting a load balancing mode
    Configuring a load balancing group
    Configuring load balancing parameters
    Enabling SNMP notifications for WLAN load balancing
    Display and maintenance commands for WLAN load balancing
    WLAN load balancing configuration examples (on radios)
    Example: Configuring session-mode load balancing
    Example: Configuring traffic-mode load balancing
    Example: Configuring bandwidth-mode load balancing
    WLAN load balancing configuration examples (on a load balancing group)
    Example: Configuring session-mode load balancing
    Example: Configuring traffic-mode load balancing
    Example: Configuring bandwidth-mode load balancing
WLAN probe
    About WLAN probe
    WLAN probe system
    Work mechanism
    Feature and hardware compatibility
    WLAN probe tasks at a glance
    Enabling WLAN probe
    Specifying a server to receive wireless device information
    Configuring sensors to report wireless device information to the AC
    Enabling real-time reporting of wireless device information to the UDP server
    Setting the coordinates and timezone offset for a sensor
    Reporting wireless device information to the Oasis platform
    Configuring wireless device filtering
    Setting device entry timers
    Display and maintenance commands for WLAN probe
    WLAN probe configuration examples
    Example: Configuring WLAN probe
Index


Managing APs

The term "AC" in this document refers to MSR routers that can function as ACs.

About AP management

Managing a large number of APs is both time consuming and costly. The fit AP+AC network architecture enables an AC to implement centralized AP management and maintenance.

CAPWAP tunnel

Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between AP and AC. CAPWAP uses UDP and supports both IPv4 and IPv6.

As shown in Figure 1, an AC and an AP establish a data tunnel to forward data packets and a control tunnel to forward control packets.

Figure 1 CAPWAP tunnel

AC discovery

After starting up with zero configurations, an AP automatically creates VLAN-interface 1 and enables the DHCP client, DHCPv6 client, and DNS features on the interface. Then it obtains its own IP address from the DHCP server and discovers ACs by using the following methods:

·          Static IP address.

If AC IP addresses have been manually configured for the AP, the AP sends a unicast discovery request to each AC IP address to discover ACs.

·          DHCP options.

The AP obtains AC IPv4 addresses from Option 138 and Option 43, and AC IPv6 addresses from Option 52, in the replies from the DHCP server. It tries these addresses in descending order of priority.

For more information about DHCP options, see Layer 3—IP Services Configuration Guide.

·          DNS.

a.    The AP obtains the domain name suffix from the DHCP server.

b.    The AP adds the suffix to the host name.

c.    The DNS server translates the domain name into IP addresses.

For more information about DNS, see Layer 3—IP Services Configuration Guide.

·          Broadcast.

The AP broadcasts discovery requests to IP address 255.255.255.255 to discover ACs.

·          IPv4 multicast.

The AP sends multicast discovery requests to IPv4 address 224.0.1.140 to discover ACs.

·          IPv6 multicast.

The AP sends multicast discovery requests to IPv6 address FF0E::18C to discover ACs.

The AP tries these methods in descending order of priority: static IP address, DHCPv4 options, broadcast/IPv4 multicast, IPv4 DNS, IPv6 multicast, DHCPv6 option, and IPv6 DNS.

The AP does not stop AC discovery until it establishes a CAPWAP tunnel with one of the discovered ACs.

CAPWAP tunnel establishment

Figure 2 Establishing a CAPWAP tunnel

As shown in Figure 2, the AP and an AC establish a CAPWAP tunnel by using the following procedure:

1.        The AP sends a discovery request to each AC to discover ACs.

2.        Upon receiving a discovery request, an AC determines whether to send a discovery response by performing the following steps:

a.    Identifies whether the discovery request is a unicast packet.

-      Unicast packet—The AC proceeds to step b.

-      Broadcast or multicast packet—The AC proceeds to step b if the feature of responding only to unicast discovery requests is disabled. If this feature is enabled, the AC does not send a discovery response.

b.    Identifies whether it has manual AP configuration for the AP model specified in the discovery request.

-      If manual AP configuration exists, the AC sends a discovery response to the AP. The discovery response contains information about whether the AC has the manual configuration for the AP, the AP connection priority, and the AC's load status.

-      If no manual AP configuration exists, the AC proceeds to step c.

c.    Identifies whether auto AP is enabled.

-      If auto AP is enabled, the AC sends a discovery response to the AP. The discovery response contains the enabling status of auto AP, AP connection priority, and AC's load information.

-      If auto AP is disabled, the AC does not send a discovery response.

3.        Upon receiving the discovery responses, the AP selects the optimal AC by using the following criteria in descending order of priority:

-      AC that saves information about the AP.

-      AC where the auto AP feature is enabled.

-      AC with the higher AP connection priority.

-      AC with the lighter load.

-      AC that is the earliest to respond.

4.        The AP sends a join request to the optimal AC.

5.        After receiving the join request, the AC examines the information in the request to determine whether to provide access services to the AP and sends a join response.

6.        Upon receiving the join response, the AP examines the result code in the response:

-      If the result code represents failure, the AP does not establish a CAPWAP tunnel with the AC.

-      If the result code represents success, the AP establishes a CAPWAP tunnel with the AC.
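To make the decision flow concrete, the following is an added example (not code from the H3C guide) that models the AC's discovery-response decision from step 2 and the AP's AC selection from step 3 in Python; the AC names, priorities and load figures are constructed sample data, and manual APs are matched by serial ID only.

```python
"""Model of the CAPWAP discovery exchange described above.

Constructed illustration, not H3C code. Each AC applies the steps in
"CAPWAP tunnel establishment": a broadcast or multicast request is
ignored when the AC responds only to unicast requests, an AC that holds
manual configuration for the AP always answers, and otherwise an AC
answers only if auto AP is enabled. The AP then ranks the responses by
the criteria listed in step 3. The AC names, priorities and load
figures are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class DiscoveryRequest:
    serial_id: str
    unicast: bool  # False for a broadcast or multicast discovery request


@dataclass
class DiscoveryResponse:
    ac_name: str
    has_manual_config: bool  # the AC saves manual configuration for this AP
    auto_ap_enabled: bool
    priority: int            # AP connection priority; higher is preferred
    load: int                # connected APs; lighter load is preferred
    arrival_order: int       # lower means the response arrived earlier


@dataclass
class AccessController:
    name: str
    priority: int
    load: int
    auto_ap_enabled: bool = False
    unicast_only: bool = False   # respond only to unicast discovery requests
    # Serial IDs of manual APs created on this AC (a manual AP is identified
    # by serial ID or MAC address; only serial ID is modelled here).
    manual_aps: Set[str] = field(default_factory=set)

    def handle_discovery(self, req: DiscoveryRequest,
                         order: int) -> Optional[DiscoveryResponse]:
        # Step 2a: drop non-unicast requests if unicast-only is enabled.
        if not req.unicast and self.unicast_only:
            return None
        # Step 2b: manual AP configuration exists -> always respond.
        if req.serial_id in self.manual_aps:
            return DiscoveryResponse(self.name, True, self.auto_ap_enabled,
                                     self.priority, self.load, order)
        # Step 2c: no manual configuration -> respond only with auto AP on.
        if self.auto_ap_enabled:
            return DiscoveryResponse(self.name, False, True,
                                     self.priority, self.load, order)
        return None


def select_optimal_ac(responses: List[DiscoveryResponse]) -> Optional[str]:
    """Step 3: rank responses by (manual config, auto AP, priority,
    lighter load, earliest response), in that order of importance."""
    if not responses:
        return None
    best = max(responses, key=lambda r: (r.has_manual_config,
                                         r.auto_ap_enabled,
                                         r.priority,
                                         -r.load,
                                         -r.arrival_order))
    return best.ac_name


def run_discovery(acs: List[AccessController],
                  req: DiscoveryRequest) -> Optional[str]:
    """Send one request to every AC and return the AC the AP would join,
    or None when no AC responds (the AP keeps discovering in that case)."""
    responses = []
    for order, ac in enumerate(acs):
        resp = ac.handle_discovery(req, order)
        if resp is not None:
            responses.append(resp)
    return select_optimal_ac(responses)


# Constructed sample deployment (list order = order in which ACs respond).
SAMPLE_ACS = [
    AccessController("AC1", priority=7, load=10, auto_ap_enabled=True),
    AccessController("AC2", priority=3, load=50, manual_aps={"SN-AP-001"}),
    AccessController("AC3", priority=9, load=5, unicast_only=True,
                     manual_aps={"SN-AP-001"}),
    AccessController("AC4", priority=7, load=10, auto_ap_enabled=True),
]

if __name__ == "__main__":
    for unicast in (False, True):
        req = DiscoveryRequest("SN-AP-001", unicast=unicast)
        print("SN-AP-001", "unicast" if unicast else "broadcast",
              "->", run_discovery(SAMPLE_ACS, req))
    print("SN-AP-999 unicast ->",
          run_discovery(SAMPLE_ACS, DiscoveryRequest("SN-AP-999", True)))
```

Note that AC3 holds the manual configuration and has the highest priority, yet it is never chosen for a broadcast request because its unicast-only setting silences it in step 2a.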

APDB

The Access Point Information Database (APDB) on an AC stores the following AP information:

·          AP models.

·          Hardware version and software version mappings.

·          Information about radios supported by AP models:

-      Number of radios.

-      Radio type.

-      Valid region code.

-      Valid antenna type.

-      Maximum transmission power.

The AC can establish a CAPWAP tunnel with an AP only when the APDB contains the corresponding AP model information.

You can use the system script and user scripts to manage data in the APDB. The system script is released with the AC software version, and it is automatically loaded each time the AC starts. If you need to add new AP models, upgrade the AC software version (see Fundamentals Configuration Guide) or create a user script and load it on the AC (see "Loading an APDB user script").

Protocols and standards

·          RFC 5415, Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification

·          RFC 5416, Control and Provisioning of Wireless Access Points (CAPWAP) Protocol Binding for IEEE 802.11

·          RFC 5417, Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller DHCP Option

Feature and hardware compatibility

Only the following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC/3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: AP management configuration

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, when the same parameter is set in more than one of these views, the setting in AP view takes precedence over the setting in AP group view, which in turn takes precedence over the setting in global configuration view.

AP management tasks at a glance

(Required.) Configuring CAPWAP tunnel establishment

(Optional.) Upgrading APs' software

(Optional.) Configuring an AP group

(Optional.) Configuring VLANs for APs

(Optional.) Configuring a CAPWAP tunnel

(Optional.) Configuring AC request retransmission

(Optional.) Setting the statistics report interval

(Optional.) Maintaining APs

(Optional.) Preprovisioning APs

(Optional.) Enabling SNMP notifications

(Optional.) Configuring advanced features for AP management

(Optional.) Enabling service anomaly detection

Configuring CAPWAP tunnel establishment

Prerequisites for configuring CAPWAP tunnel establishment

Before you manage APs, complete the following tasks:

·          Create a DHCP address pool on the DHCP server to assign IP addresses to APs.

·          If DHCP options are used for AC discovery, configure Option 138, Option 43, or Option 52 in the specified DHCP address pool on the DHCP server.

·          If DNS is used for AC discovery, configure the IP address of the DNS server and the AC domain name suffix in the specified DHCP address pool on the DHCP server. Then configure the mapping between the domain name and the AC IP address on the DNS server.

·          Make sure the APs and the AC can reach each other.

For more information about DHCP and DNS, see Layer 3—IP Services Configuration Guide.

Creating a manual AP

About manual APs

You can create a manual AP on the AC based on the AP model, serial ID, and MAC address of the AP you are using. An AP prefers to establish a CAPWAP tunnel with an AC that saves the manual AP configuration.

Procedure

1.       Enter system view.
         Command: system-view

2.       Create a manual AP and enter its view.
         Command: wlan ap ap-name
         Remarks: By default, no manual APs exist. You must specify the model name when you create an AP.

3.       Specify the serial ID or the MAC address for the AP. Use either command.
         Command (serial ID): serial-id serial-id
         Command (MAC address): mac-address mac-address

4.       (Optional.) Configure a description for the AP.
         Command: description text
         Remarks: By default, an AP does not have a description.

Managing auto APs

About the auto AP feature

The auto AP feature enables APs to connect to an AC without manual AP configuration. This feature simplifies configuration when you deploy a large number of APs in a WLAN.

For security purposes, you can use the following methods to authenticate auto APs:

·          Local authentication.

The AC authenticates an auto AP by serial ID or MAC address. When an auto AP initiates a connection request, the AC matches the auto AP against the ACL specified by the wlan ap-authentication acl command. Assume that the AC authenticates the auto AP by serial ID:

-      If the serial ID matches a permit rule, the auto AP passes authentication and associates with the AC.

-      If the serial ID matches a deny rule, the auto AP fails authentication and cannot associate with the AC.

-      If the serial ID does not match any rule, the AC treats the auto AP as an unauthenticated auto AP. An unauthenticated auto AP can associate with the AC but cannot provide wireless services.

·          Remote authentication.

Remote authentication is used for authenticating unauthenticated auto APs. The AC uses the serial ID or MAC address of an unauthenticated auto AP as the username and password and sends them to the authentication server for authentication. If the authentication succeeds, the AC accepts the AP. If it does not succeed, the AC rejects the AP.

·          Manual authentication.

Manual authentication is used for authenticating unauthenticated auto APs.

The AC determines whether to accept an unauthenticated auto AP depending on the manual authentication configuration.
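The decision described above, with the commands from the procedures that follow mapped onto it, as an added Python model (example code written for this edit, not H3C's implementation or part of the original guide). It assumes that rules are evaluated in ascending rule-ID order with the first match winning, that the mask in a mac rule selects the bits to compare (ffff-ffff-ffff meaning an exact match), that the identifier sent to the RADIUS server follows the configured authentication method, and that with auto AP authentication disabled every auto AP is accepted. The serial IDs and MAC addresses are constructed sample values.

```python
"""Model of auto AP authentication on the AC: local ACL check, then remote
(AAA) or manual accept/reject for APs that matched no rule, then the
permit-unauthenticated toggle. Commands the fields correspond to are noted."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def mac_to_int(mac: str) -> int:
    """Accept Comware 'aabb-ccdd-eeff' or 'aa:bb:cc:dd:ee:ff' notation."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class Rule:
    """rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ]"""
    rule_id: int
    action: str                      # "permit" or "deny"
    mac: Optional[str] = None
    mac_mask: Optional[str] = None   # assumption: 1 bits are compared, 0 bits ignored
    serial_id: Optional[str] = None

    def matches(self, method: str, ap_mac: str, ap_serial: str) -> bool:
        if method == "mac-address" and self.mac is not None:
            mask = mac_to_int(self.mac_mask or "ffff-ffff-ffff")
            return (mac_to_int(ap_mac) & mask) == (mac_to_int(self.mac) & mask)
        if method == "serial-id" and self.serial_id is not None:
            return ap_serial == self.serial_id
        return False


@dataclass
class AuthPolicy:
    enabled: bool = False                 # wlan ap-authentication enable (default: disabled)
    method: str = "mac-address"           # wlan ap-authentication method (default: MAC address)
    acl: List[Rule] = field(default_factory=list)   # wlan ap-authentication acl
    permit_unauthenticated: bool = True   # undo wlan ap-authentication permit-unauthenticated -> False
    domain: Optional[str] = None          # wlan ap-authentication domain (enables remote auth)


def local_decision(policy: AuthPolicy, ap_mac: str, ap_serial: str) -> str:
    """Local authentication: first matching rule in rule-ID order wins (assumption);
    an AP that matches no rule is 'unauthenticated'."""
    if not policy.enabled:
        return "accepted"            # assumption: no authentication means every auto AP is accepted
    for rule in sorted(policy.acl, key=lambda r: r.rule_id):
        if rule.matches(policy.method, ap_mac, ap_serial):
            return "accepted" if rule.action == "permit" else "rejected"
    return "unauthenticated"


def authenticate(policy: AuthPolicy, ap_mac: str, ap_serial: str,
                 radius: Optional[Callable[[str, str], bool]] = None,
                 manual: Optional[str] = None) -> str:
    """Whole decision. `radius(username, password)` stands in for the AAA server;
    `manual` is 'accept', 'reject' or None (wlan ap-authentication { accept | reject })."""
    outcome = local_decision(policy, ap_mac, ap_serial)
    if outcome != "unauthenticated":
        return outcome
    if policy.domain and radius is not None:
        ident = ap_serial if policy.method == "serial-id" else ap_mac
        return "accepted" if radius(ident, ident) else "rejected"   # identifier is user AND password
    if manual in ("accept", "reject"):
        return "accepted" if manual == "accept" else "rejected"
    # Neither remote nor manual authentication decided: associate without service, or refuse.
    return "associated-no-service" if policy.permit_unauthenticated else "rejected"


if __name__ == "__main__":
    # Constructed sample: permit one known serial ID, everything else is unauthenticated.
    pol = AuthPolicy(enabled=True, method="serial-id",
                     acl=[Rule(0, "permit", serial_id="SN-EXAMPLE-0001")])
    print(authenticate(pol, "0010-0010-0001", "SN-EXAMPLE-0001"))
    print(authenticate(pol, "0010-0010-0002", "SN-UNKNOWN"))
```

The last branch is the one to review on a production AC: with the default permit-unauthenticated setting, an AP that no rule names still gets a CAPWAP tunnel, so either disable that setting or keep the auto AP feature off once deployment is complete.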

Restrictions and guidelines

To prevent unauthorized APs from associating with the AC, disable the auto AP feature after all required APs have associated with the AC.

Convert auto APs to manual APs after they come online, for the following reasons:

·          Only auto APs that have been converted to manual APs can re-associate with the AC after an AC reboot or CAPWAP tunnel termination.

·          You can configure an auto AP individually only after it has been converted to a manual AP.

Prerequisites

Before you configure remote authentication for auto APs, specify an authentication domain and AAA scheme on the AC and create user accounts on the RADIUS server. For information about authentication domain and AAA scheme configuration, see AAA in Security Configuration Guide.

Tasks at a glance

1.        Enabling the auto AP feature

2.        (Optional.) Converting auto APs to manual APs

3.        (Optional.) Configuring auto AP authentication

-  Configuring auto AP local authentication

-  Configuring auto AP remote authentication

-  Manually authenticating unauthenticated auto APs

4.        (Optional.) Disabling unauthenticated auto APs from associating with the AC

5.        (Optional.) Restarting unauthenticated auto APs

Enabling the auto AP feature

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the auto AP feature.

wlan auto-ap enable

By default, the auto AP feature is disabled.

 

Converting auto APs to manual APs

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Convert auto APs to manual APs.

·         Convert online auto APs to manual APs:
wlan auto-ap persistent { all | name auto-ap-name [ new-ap-name ] }

·         Convert auto APs to manual APs automatically after auto APs come online:
wlan auto-persistent enable

Use either command.

By default, auto APs are not converted to manual APs.

The wlan auto-persistent enable command does not take effect on auto APs that are already online.

 

Configuring auto AP local authentication

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify an authentication method.

wlan ap-authentication method { mac-address | serial-id }

By default, the AC authenticates auto APs by MAC address.

3.       Create a WLAN AP ACL.

acl wlan ap { acl-number | name acl-name }

By default, no WLAN AP ACLs exist.

For more information about this command, see ACL and QoS Command Reference.

4.       Return to the system view.

quit

N/A

5.       Specify an ACL for authenticating auto APs.

wlan ap-authentication acl acl-number

By default, no ACL is specified for authenticating auto APs.

6.       Create ACL rules for the WLAN AP ACL.

·         (Method 1) Manually create a rule:

a.    acl wlan ap { acl-number | name acl-name }

b.    rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ]

c.    quit

·         (Method 2) Import an auto AP authentication file to generate ACL rules:
wlan ap-authentication import file-name

By default, no WLAN AP ACL rules exist.

Use either method or both methods according to actual network requirements.

7.       Enable auto AP authentication.

wlan ap-authentication enable

By default, auto AP authentication is disabled.

 

Configuring auto AP remote authentication

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify an authentication domain for unauthenticated auto APs.

wlan ap-authentication domain domain-name

By default, no authentication domain is specified for unauthenticated auto APs.

 

Manually authenticating unauthenticated auto APs

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Manually authenticate unauthenticated auto APs.

wlan ap-authentication { accept | reject } ap-unauthenticated { all | name ap-name }

By default, manual authentication is not configured for unauthenticated auto APs.

 

Disabling unauthenticated auto APs from associating with the AC

By default, an unauthenticated auto AP can associate with the AC, which consumes AC resources even though the AP provides no wireless services. This feature rejects unauthenticated auto APs at association time instead.

To disable unauthenticated auto APs from associating with the AC:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Disable unauthenticated auto APs from associating with the AC.

undo wlan ap-authentication permit-unauthenticated

By default, unauthenticated auto APs can associate with the AC but cannot provide wireless services.

 

Restarting unauthenticated auto APs

Perform the following task in user view:

 

Task

Command

Remarks

Restart unauthenticated auto APs.

reset wlan ap unauthenticated

The auto APs will be reauthenticated after being restarted.

 

Setting the discovery-response timeout timer

About the discovery-response timeout timer

The discovery-response timeout timer specifies how long an AP waits for further discovery responses. Whenever the AP receives a discovery response, the timer is created or refreshed. When the timer expires, the AP sends a join request to the optimal AC among those that responded.

Restrictions and guidelines

If the network condition is poor, set a larger discovery-response timeout timer.

Procedure

To set the discovery-response timeout timer in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the discovery-response timeout timer.

discovery-response wait-time seconds

By default, an AP uses the configuration in AP group view.

 

To set the discovery-response timeout timer in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the discovery-response timeout timer.

discovery-response wait-time seconds

The default setting is 2 seconds.

 

Setting the AP connection priority for the AC

To set the AP connection priority in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the AP connection priority for the AC.

priority priority

By default, an AP uses the configuration in AP group view.

A larger number represents a higher priority.

 

To set the AP connection priority in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the AP connection priority for the AC.

priority priority

The default setting is 4.

A larger number represents a higher priority.

 

Enabling the AC to respond only to unicast discovery requests

About responding only to unicast discovery requests

An AP can send unicast, multicast, and broadcast discovery requests to discover ACs. This feature enables an AC to respond only to unicast discovery requests.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the AC to respond only to unicast discovery requests.

wlan capwap discovery-policy unicast

By default, the AC can respond to unicast, multicast, and broadcast discovery requests.

 

Configuring AC rediscovery

About AC rediscovery

When AC rediscovery is enabled, the AC adds the CAPWAP Control IP Address message element to the discovery responses it sends to APs. Upon receiving such a discovery response, an AP establishes a CAPWAP tunnel as follows:

1.        Checks whether it has already sent a discovery request to each IP address listed in the CAPWAP Control IP Address message element.

2.        Performs one of the following operations:

-  If discovery requests have already been sent to the listed addresses, sends a join request to the listed address that represents the optimal AC.

-  If no discovery requests have been sent to the listed addresses, sends a discovery request to each of them to start a new AC discovery process.

When AC rediscovery is disabled, the AC does not add the CAPWAP Control IP Address message element to its discovery responses. An AP that receives such a discovery response sends its join request to the source IP address of the response.
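The AP-side behaviour of the last three sections combined, as an added Python model (example code written for this edit; it is not H3C's AP firmware and not part of the original guide): the discovery-response timer that is created or refreshed on every response, the choice of the optimal AC by the configured AP connection priority (larger number wins; the guide does not specify a tie-break, so the first AC seen at the highest priority is kept), and the rediscovery logic driven by the CAPWAP Control IP Address element. Addresses that were not probed before are probed now (an assumption for the partially probed case, which the guide does not address). Time is a simulated clock argument; the AC addresses and priorities are constructed sample values.

```python
"""AP-side CAPWAP discovery model: wait timer, priority-based AC selection and
AC rediscovery via the Control IP Address message element."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DiscoveryResponse:
    source_ip: str
    priority: int                         # AP connection priority configured on that AC
    control_addresses: List[str] = field(default_factory=list)   # empty when rediscovery is disabled


@dataclass
class ApDiscovery:
    wait_time: float = 2.0                # discovery-response wait-time (default 2 seconds)
    probed: Set[str] = field(default_factory=set)          # ACs a discovery request was sent to
    responses: Dict[str, int] = field(default_factory=dict)  # responder IP -> its priority
    deadline: Optional[float] = None      # when the discovery-response timer expires

    def send_discovery(self, ac_ip: str) -> Tuple[str, str]:
        self.probed.add(ac_ip)
        return ("discovery-request", ac_ip)

    def on_response(self, resp: DiscoveryResponse, now: float) -> List[Tuple[str, str]]:
        """Record the responder, refresh the timer, and start a new discovery round
        for any listed control address that has not been probed yet."""
        self.responses[resp.source_ip] = resp.priority
        self.deadline = now + self.wait_time          # timer created or refreshed
        unprobed = [ip for ip in resp.control_addresses if ip not in self.probed]
        return [self.send_discovery(ip) for ip in unprobed]

    def on_tick(self, now: float) -> Optional[Tuple[str, str]]:
        """When the timer expires, join the highest-priority AC that answered."""
        if self.deadline is None or now < self.deadline or not self.responses:
            return None
        best = max(self.responses, key=lambda ip: self.responses[ip])  # first max wins ties
        self.deadline = None
        return ("join-request", best)


if __name__ == "__main__":
    # Constructed sample: the first AC answers with a control-address list naming a second AC.
    ap = ApDiscovery()
    ap.send_discovery("10.0.0.1")
    print(ap.on_response(DiscoveryResponse("10.0.0.1", 4, ["10.0.0.1", "10.0.0.2"]), now=0.0))
    print(ap.on_response(DiscoveryResponse("10.0.0.2", 7, ["10.0.0.1", "10.0.0.2"]), now=1.0))
    print(ap.on_tick(3.0))
```

Note what the model makes visible: the AP joins whichever responding AC advertises the highest priority, so the AP connection priority is a placement control, not an authorization control; restrict which ACs can answer (for example with the unicast-only discovery policy and Layer 3 filtering) rather than relying on priority.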

Procedure

To configure AC rediscovery in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure AC rediscovery.

control-address { disable | enable }

By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.

4.       Specify the IP address to be added in the CAPWAP Control IP Address message element.

control-address { ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.

You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.

 

To configure AC rediscovery in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure AC rediscovery.

control-address { disable | enable }

By default, an AP uses the configuration in global configuration view.

4.       Specify the IP address to be added in the CAPWAP Control IP Address message element.

control-address { ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in global configuration view.

You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.

 

To configure AC rediscovery in global configuration view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter global configuration view.

wlan global-configuration

N/A

3.       Configure AC rediscovery.

control-address { disable | enable }

By default, AC rediscovery is disabled.

4.       Specify the IP address to be added in the CAPWAP Control IP Address message element.

control-address { ip ipv4-address | ipv6 ipv6-address }

By default, the IP address in the element is AC's IP address.

You can specify a maximum of three IPv4 or IPv6 addresses to be added in the CAPWAP Control IP Address message element.

 

Upgrading APs' software

About software upgrade

With software upgrade enabled, the AC checks the AP's software version while establishing a CAPWAP tunnel with the AP. With software upgrade disabled, the AC skips the check and establishes the CAPWAP tunnel directly.

Software upgrade for an AP proceeds as follows:

1.        The AP reports its software version and AP model to the AC.

2.        The AC compares the reported software version with the version it expects for that AP model and hardware version.

-  If they match, the AC establishes a CAPWAP tunnel with the AP.

-  If they do not match, the AC sends the AP a message notifying it of the software version inconsistency.

3.        Upon receiving the inconsistency message, the AP requests the software image from the AC.

4.        The AC sends the AP image file for the expected software version to the AP.

5.        The AP installs the new software version, restarts, and establishes a CAPWAP tunnel with the AC.

Configuring software upgrade

To configure software upgrade in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure software upgrade.

firmware-upgrade { disable | enable }

By default, an AP uses the configuration in AP group view. If no software upgrade configuration exists in AP group view, the AP uses the configuration in global configuration view.

 

To configure software upgrade in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure software upgrade.

firmware-upgrade { disable | enable }

By default, an AP uses the configuration in global configuration view.

 

To configure software upgrade in global configuration view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter global configuration view.

wlan global-configuration

N/A

3.       Configure software upgrade.

firmware-upgrade { disable | enable }

By default, the software upgrade feature is enabled.

 

Configuring the mapping between a software version and a hardware version of an AP model

About configuring software and hardware version mapping for an AP model

Perform this task to configure the mapping between a software version and a hardware version of an AP model for software upgrade.

Perform this task only when the AP software version for an AP model stored in the APDB is inconsistent with the software version you expect for the AP model. To display the AP software version for each AP model in the APDB, use the display wlan ap-model command.

For example, the APDB has a hardware version and software version mapping entry (hardware version Ver.C and software version E2108) for AP model WA4320i-ACN. If you expect this AP to use software version E2105 when it comes online, perform the following steps:

1.        Configure the mapping between software version E2105 and hardware version Ver.C of AP model WA4320i-ACN.

2.        Save the AP image file of software version E2105 to the AC's local folder.

3.        Configure the AC to prefer the AP image file stored in the local folder for software version assignment.

Restrictions and guidelines

To avoid CAPWAP tunnel establishment failure, use this feature under the guidance of H3C Support.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the mapping between a software version and a hardware version of an AP model.

wlan apdb model-name hardware-version software-version

By default, the software version for a hardware version of an AP model is the software version that is stored in APDB user scripts.

 

Specifying the preferred location for the AC to obtain an AP image file

About specifying the preferred location for the AC to obtain an AP image file

The AC assigns an AP image file to an AP if the AP requests a software version during CAPWAP tunnel establishment. You can specify the preferred location as the AC's RAM or local folder for the AC to obtain an AP image file. If the AC cannot obtain an AP image file from the preferred location, it obtains an AP image file from the other location. If no AP image file exists, the AC fails to obtain an image file and cannot assign a software version to the AP.

Restrictions and guidelines

The AC can assign only .ipe AP image files to APs.

If you specify the local folder, make sure the AC uses a CF card as the default file system and the AP image file is stored in the root directory of the file system on the AC.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the preferred location for the AC to obtain an AP image file.

wlan image-load filepath { local | ram }

By default, the AC prefers the AP image file stored in the RAM when assigning a software version to an AP.
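The version check, the wlan apdb override and the image-location preference from the preceding three sections, as one added Python model that walks through the guide's WA4320i-ACN example (example code written for this edit; it is not H3C's AC software and not part of the original guide). It assumes that a model with no APDB entry and no override is not checked, and that the AC rejects any candidate file that is not an .ipe image, as the restrictions state. The image file names are constructed sample values.

```python
"""Model of the AC's software-version check at CAPWAP tunnel establishment,
the wlan apdb override, and the wlan image-load filepath preference."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Ac:
    apdb: Dict[Tuple[str, str], str] = field(default_factory=dict)       # (model, hw) -> sw from APDB
    overrides: Dict[Tuple[str, str], str] = field(default_factory=dict)  # wlan apdb model hw sw
    firmware_upgrade: bool = True                                        # firmware-upgrade enable (default)
    image_load: str = "ram"                                              # wlan image-load filepath { local | ram }
    images: Dict[str, Dict[Tuple[str, str], str]] = field(default_factory=dict)  # location -> (model, sw) -> file

    def expected_version(self, model: str, hw_version: str) -> Optional[str]:
        """An administrator override replaces the APDB entry for that hardware version."""
        key = (model, hw_version)
        return self.overrides.get(key, self.apdb.get(key))

    def check_ap(self, model: str, hw_version: str, reported_sw: str) -> str:
        """Step 2 of the upgrade flow: 'establish' the tunnel or report 'inconsistent'."""
        if not self.firmware_upgrade:
            return "establish"
        expected = self.expected_version(model, hw_version)
        if expected is None or expected == reported_sw:   # assumption: unknown model is not checked
            return "establish"
        return "inconsistent"

    def image_for(self, model: str, sw_version: str) -> Optional[Tuple[str, str]]:
        """Step 4: locate the image, preferring the configured location and falling
        back to the other; only .ipe files are eligible. None means no assignment."""
        order = ["ram", "local"] if self.image_load == "ram" else ["local", "ram"]
        for location in order:
            filename = self.images.get(location, {}).get((model, sw_version))
            if filename and filename.endswith(".ipe"):
                return location, filename
        return None


if __name__ == "__main__":
    # Constructed sample following the guide: APDB says Ver.C -> E2108, we want E2105 from the local folder.
    ac = Ac(apdb={("WA4320i-ACN", "Ver.C"): "E2108"})
    print(ac.check_ap("WA4320i-ACN", "Ver.C", "E2108"))
    ac.overrides[("WA4320i-ACN", "Ver.C")] = "E2105"       # wlan apdb WA4320i-ACN Ver.C E2105
    ac.images["local"] = {("WA4320i-ACN", "E2105"): "wa4300-e2105.ipe"}
    ac.image_load = "local"                                  # wlan image-load filepath local
    print(ac.check_ap("WA4320i-ACN", "Ver.C", "E2108"), ac.image_for("WA4320i-ACN", "E2105"))
```

The model shows why the guide asks for H3C Support guidance before using wlan apdb: an override with no matching .ipe file in either location makes check_ap report an inconsistency that image_for can never resolve, and the AP cannot complete tunnel establishment.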

 

Configuring an AP group

About AP groups

This feature enables you to configure multiple APs in a batch to reduce configuration workload.

APs in an AP group use the configuration of the group. By default, all APs belong to system-defined AP group default-group. The system-defined AP group cannot be deleted.

You can configure AP grouping rules by AP name, serial ID, MAC address, and IP address to add APs to the specified AP group. When an AP matches rules of different types, the rule types take effect in this descending order of priority: AP name, serial ID, MAC address, IP address. If an AP does not match any grouping rule, it is added to the default AP group.

Restrictions and guidelines

An AP can be added to only one AP group.

You cannot delete an AP group that contains an AP. An AP group that has grouping rules but does not contain any APs can be deleted.

When you configure an AP grouping rule, follow these restrictions and guidelines:

·          Do not create the same grouping rule for different AP groups. If you do, only the most recent configuration takes effect.

·          You cannot create grouping rules for the default AP group.

·          AP grouping rules by IPv4 or IPv6 addresses for an AP group or for different AP groups cannot overlap with each other.

·          An AP group supports a maximum of 32 AP grouping rules by IPv4 or IPv6 addresses.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an AP group and enter its view.

wlan ap-group group-name

By default, a default AP group exists.

3.       (Optional.) Configure a description for the AP group.

description text

By default, an AP group does not have a description.

4.       Create an AP grouping rule by AP names.

ap ap-name-list

N/A

5.       Create an AP grouping rule by serial IDs.

serial-id serial-id

N/A

6.       Create an AP grouping rule by MAC addresses.

mac-address mac-address

N/A

7.       Create an AP grouping rule by IPv4 addresses.

if-match ip ip-address { mask-length | mask }

N/A

8.       Create an AP grouping rule by IPv6 addresses.

if-match ipv6 { ipv6-address prefix-length | ipv6-address/prefix-length }

N/A

9.       (Optional.) Create an AP regrouping rule.

wlan re-group { ap ap-name | ap-group old-group-name | mac-address mac-address | serial-id serial-id } group-name

N/A
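The grouping rules and their restrictions, as an added Python model (example code written for this edit; it is not H3C's AC software and not part of the original guide): rule types are matched in the descending priority order given above, an AP that matches nothing lands in default-group, and the validator rejects rules on default-group, more than 32 IP rules in a group, and IPv4 or IPv6 rules that overlap within or across groups. The model assumes that the if-match rules are compared against the AP's IP address as seen by the AC. Group names, AP names, serial IDs, MAC addresses and prefixes are constructed sample values.

```python
"""Model of AP grouping: rule precedence (AP name > serial ID > MAC > IP),
default-group fallback, and the grouping-rule restrictions the AC enforces."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

MAX_IP_RULES = 32          # per AP group, IPv4 and IPv6 rules combined
DEFAULT_GROUP = "default-group"


@dataclass
class ApGroup:
    name: str
    ap_names: Set[str] = field(default_factory=set)     # ap ap-name-list
    serial_ids: Set[str] = field(default_factory=set)   # serial-id serial-id
    macs: Set[str] = field(default_factory=set)         # mac-address mac-address
    ip_rules: List[str] = field(default_factory=list)   # if-match ip / if-match ipv6 prefixes


def norm_mac(mac: str) -> str:
    return mac.lower().replace(":", "").replace("-", "")


def validate_groups(groups: List[ApGroup]) -> None:
    """Raise ValueError for any rule set the AC would not accept."""
    seen = []   # (group name, network) for every IP rule checked so far
    for g in groups:
        if g.name == DEFAULT_GROUP and (g.ap_names or g.serial_ids or g.macs or g.ip_rules):
            raise ValueError(f"{DEFAULT_GROUP} cannot have grouping rules")
        if len(g.ip_rules) > MAX_IP_RULES:
            raise ValueError(f"{g.name}: more than {MAX_IP_RULES} IP grouping rules")
        for rule in g.ip_rules:
            net = ipaddress.ip_network(rule, strict=False)
            for other_name, other in seen:
                if net.version == other.version and net.overlaps(other):
                    raise ValueError(f"{g.name}: {net} overlaps {other} in {other_name}")
            seen.append((g.name, net))


def assign_group(ap_name: str, serial_id: str, mac: str, ip: str, groups: List[ApGroup]) -> str:
    """Return the AP group an AP joins. Identity rule types are tried in priority
    order across all groups before any IP rule is considered."""
    mac = norm_mac(mac)
    for attr, value in (("ap_names", ap_name), ("serial_ids", serial_id), ("macs", mac)):
        for g in groups:
            members = getattr(g, attr)
            if attr == "macs":
                members = {norm_mac(m) for m in members}
            if value in members:
                return g.name
    addr = ipaddress.ip_address(ip)
    for g in groups:
        for rule in g.ip_rules:
            net = ipaddress.ip_network(rule, strict=False)
            if addr.version == net.version and addr in net:
                return g.name
    return DEFAULT_GROUP


if __name__ == "__main__":
    # Constructed sample: a name rule in one group and an IP rule in another both match the same AP.
    floor1 = ApGroup("floor1", ap_names={"ap-1f-01"}, ip_rules=["10.1.0.0/24"])
    floor2 = ApGroup("floor2", macs={"0010-0010-0002"}, ip_rules=["10.2.0.0/24", "2001:db8:2::/64"])
    validate_groups([floor1, floor2])
    print(assign_group("ap-1f-01", "SN-1", "0010-0010-0002", "10.2.0.7", [floor1, floor2]))
```

Because group membership decides which configuration (VLANs, tunnel encryption, upgrade policy) an AP receives, run the validator over the intended rule set before committing it, and keep the more specific identity rules for APs whose placement matters.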

 

Configuring VLANs for APs

 

NOTE:

Support for this feature depends on the AP model.

 

About VLANs for APs

Perform this task to enable the AC to assign VLAN settings to APs for packet forwarding and isolation. For example, when you enable an AP to forward client data traffic, you need to configure ports of the AP to allow client traffic from different VLANs.

For information about VLANs, see Layer 2—LAN Switching Configuration Guide. For information about client data traffic forwarder configuration, see "Configuring WLAN access."

Tasks at a glance

1.        Configuring basic VLAN settings

2.        Assigning a port to a VLAN

-  Assigning an access port to a VLAN

-  Assigning a trunk port to VLANs

-  Assigning a hybrid port to VLANs

3.        Assigning VLAN settings to APs

Configuring basic VLAN settings

To configure basic VLAN settings in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       (Optional.) Create a VLAN and enter its view, or create a list of VLANs.

vlan { vlan-id1 [ to vlan-id2 ] | all }

By default, only VLAN 1 (the system default VLAN) exists.

4.       Enter VLAN view.

vlan vlan-id

To configure a VLAN after you create a list of VLANs, you must perform this step.

5.       Assign a name to the VLAN.

name text

By default, an AP uses the configuration in AP group view.

6.       Configure the description of the VLAN.

description text

By default, an AP uses the configuration in AP group view.

 

To configure basic VLAN settings in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       (Optional.) Create a VLAN and enter its view, or create a list of VLANs.

vlan { vlan-id1 [ to vlan-id2 ] | all }

By default, only VLAN 1 (the system default VLAN) exists.

4.       Enter VLAN view.

vlan vlan-id

To configure a VLAN after you create a list of VLANs, you must perform this step.

5.       Assign a name for the VLAN.

name text

By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has less than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100.

6.       Configure the description of the VLAN.

description text

By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has less than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100.

 

Assigning an access port to a VLAN

To assign an access port to a VLAN in an AP's Layer 2 Ethernet interface view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter Layer 2 Ethernet interface view.

·         Enter GigabitEthernet interface view:
gigabitethernet interface-number

·         Enter SmartRate-Ethernet interface view:
smartrate-ethernet interface-number

Use either command depending on the AP model and network requirements.

4.       Set the link type to access.

port link-type access

By default, a port uses the configuration in an AP group's Layer 2 Ethernet interface view.

5.       Assign the access port to a VLAN.

port access vlan vlan-id

By default, an access port uses the configuration in an AP group's Layer 2 Ethernet interface view.

 

To assign an access port to a VLAN in an AP group's Layer 2 Ethernet interface view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter Layer 2 Ethernet interface view.

·         Enter GigabitEthernet interface view:
gigabitethernet interface-number

·         Enter SmartRate-Ethernet interface view:
smartrate-ethernet interface-number

Use either command depending on the AP model and network requirements.

5.       Set the link type to access.

port link-type access

By default, all ports are access ports.

6.       Assign the access port to a VLAN.

port access vlan vlan-id

By default, an access port belongs to VLAN 1.

 

Assigning a trunk port to VLANs

To assign a trunk port to VLANs in an AP's Layer 2 Ethernet interface view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter Layer 2 Ethernet interface view.

·         Enter GigabitEthernet interface view:
gigabitethernet interface-number

·         Enter SmartRate-Ethernet interface view:
smartrate-ethernet interface-number

Use either command depending on the AP model and network requirements.

4.       Set the link type to trunk.

port link-type trunk

By default, a port uses the configuration in an AP group's Layer 2 Ethernet interface view.

5.       Assign the trunk port to the specified VLANs.

port trunk permit vlan { vlan-id-list | all }

By default, a trunk port uses the configuration in an AP group's Layer 2 Ethernet interface view.

6.       (Optional.) Set the PVID for the trunk port.

port trunk pvid vlan vlan-id

By default, a trunk port uses the configuration in an AP group's Layer 2 Ethernet interface view.

 

To assign a trunk port to VLANs in an AP group's Layer 2 Ethernet interface view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter Layer 2 Ethernet interface view.

·         Enter GigabitEthernet interface view:
gigabitethernet interface-number

·         Enter SmartRate-Ethernet interface view:
smartrate-ethernet interface-number

Use either command depending on the AP model and network requirements.

5.       Set the link type to trunk.

port link-type trunk

By default, all ports are access ports.

6.       Assign the trunk port to the specified VLANs.

port trunk permit vlan { vlan-id-list | all }

By default, a trunk port permits only VLAN 1.

7.       (Optional.) Set the PVID for the trunk port.

port trunk pvid vlan vlan-id

The default setting is VLAN 1.

 

Assigning a hybrid port to VLANs

To assign a hybrid port to VLANs in an AP's Layer 2 Ethernet interface view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter Layer 2 Ethernet interface view.

·         Enter GigabitEthernet interface view:
gigabitethernet interface-number

·         Enter SmartRate-Ethernet interface view:
smartrate-ethernet interface-number

Use either command depending on the AP model and network requirements.

4.       Set the link type to hybrid.

port link-type hybrid

By default, a port uses the configuration in an AP group's Layer 2 Ethernet interface view.

5.       Assign the hybrid port to the specified VLANs.

port hybrid vlan vlan-id-list { tagged | untagged }

By default, a hybrid port uses the configuration in an AP group's Layer 2 Ethernet interface view.

6.       (Optional.) Set the PVID for the hybrid port.

port hybrid pvid vlan vlan-id

By default, a hybrid port uses the configuration in an AP group's Layer 2 Ethernet interface view.

 

To assign a hybrid port to VLANs in an AP group's Layer 2 Ethernet interface view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter Layer 2 Ethernet interface view.

·         Enter GigabitEthernet interface view:
gigabitethernet interface-number

·         Enter SmartRate-Ethernet interface view:
smartrate-ethernet interface-number

Use either command depending on the AP model and network requirements.

5.       Set the link type to hybrid.

port link-type hybrid

By default, all ports are access ports.

6.       Assign the hybrid port to the specified VLANs.

port hybrid vlan vlan-id-list { tagged | untagged }

By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.

7.       (Optional.) Set the PVID for the hybrid port.

port hybrid pvid vlan vlan-id

By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access.

 

Assigning VLAN settings to APs

About assigning VLAN settings to APs

The AC assigns VLAN settings to an AP or an AP group only when the remote configuration assignment feature is enabled.

Procedure

To assign VLAN settings in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enable remote configuration assignment to assign VLAN settings to the AP.

remote-configuration enable

By default, an AP uses the configuration in AP group view.

 

To assign VLAN settings in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enable remote configuration assignment to assign VLAN settings to the APs in the AP group.

remote-configuration enable

By default, remote configuration assignment is disabled.

 

Configuring a CAPWAP tunnel

Configuring CAPWAP tunnel encryption

About CAPWAP tunnel encryption

CAPWAP tunnel encryption uses the Datagram Transport Layer Security (DTLS) protocol to encrypt the control and data packets transmitted over a CAPWAP tunnel.

When CAPWAP control tunnel encryption is enabled, an AP establishes a CAPWAP tunnel with the AC after receiving a discovery response that carries the encryption flag from the AC. After the DTLS handshake completes, the AC and the AP encrypt the control packets transmitted in the CAPWAP control tunnel.

When CAPWAP data tunnel encryption is enabled, an AP exchanges encryption information, including keys, with the AC through the CAPWAP control tunnel upon receiving the first keepalive packet from the AC. After the exchange, the AC and the AP encrypt the data packets transmitted in the CAPWAP data tunnel. Keepalive packets are not encrypted.

Restrictions and guidelines

CAPWAP tunnel encryption takes effect on an AP only after the AP restarts.

Both control tunnel encryption and data tunnel encryption are disabled by default, so until you enable them the CAPWAP control and data traffic between the AP and the AC crosses the network in cleartext. Data tunnel encryption requires control tunnel encryption, because the data tunnel keys are exchanged through the control tunnel.

Procedure

To configure CAPWAP tunnel encryption in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure CAPWAP control tunnel encryption.

tunnel encryption { disable | enable }

By default, an AP uses the configuration in AP group view.

4.       Configure CAPWAP data tunnel encryption.

data-tunnel encryption { disable | enable }

By default, an AP uses the configuration in AP group view.

Make sure you have enabled CAPWAP control tunnel encryption.

 

To configure CAPWAP tunnel encryption in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure CAPWAP control tunnel encryption.

tunnel encryption { disable | enable }

By default, CAPWAP control tunnel encryption is disabled.

4.       Configure CAPWAP data tunnel encryption.

data-tunnel encryption { disable | enable }

By default, CAPWAP data tunnel encryption is disabled.

Make sure you have enabled CAPWAP control tunnel encryption.

 

Configuring CAPWAP tunnel latency detection

About CAPWAP tunnel latency detection

This feature enables an AC to measure the round-trip transmission latency of CAPWAP control packets or data packets between an AP and the AC.

This feature takes effect only on the master AC after a CAPWAP tunnel is established.

When an AP goes offline, CAPWAP tunnel latency detection automatically stops. To restart CAPWAP tunnel latency detection when the AP comes online, execute the tunnel latency-detect start command again.

To display CAPWAP tunnel latency information, use the display wlan ap tunnel latency command.

Procedure

Step

Command

Remarks

 

1.       Enter system view.

system-view

N/A

 

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure CAPWAP tunnel latency detection.

tunnel latency-detect { start | stop }

By default, CAPWAP tunnel latency detection is not started.

 

 

Setting the echo interval for an AP

About setting the echo interval

An AP sends echo requests to the AC at the specified echo interval to verify that the CAPWAP control tunnel is operating correctly. If the AP does not receive any echo responses from the AC within a specific period of time, the AP terminates the connection. If the AC does not receive any echo requests from the AP within a specific period of time, the AC terminates the connection.

To set the echo interval for an AP in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the interval for the AP to send echo requests.

echo-interval interval

By default, an AP uses the configuration in AP group view.

 

To set the echo interval for APs in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the interval for the APs in the AP group to send echo requests.

echo-interval interval

The default setting is 10 seconds.

 

Setting the maximum fragment size for CAPWAP packets

About setting the maximum fragment size for CAPWAP packets

Perform this task to prevent intermediate devices from dropping packets between AC and AP if the AP connects to the AC across the Internet.

Any maximum fragment size modification takes effect immediately on online APs.

Procedure

To set the maximum fragment size for CAPWAP packets in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the maximum fragment size for CAPWAP control or data packets.

fragment-size { control control-size | data data-size }

By default, an AP uses the configuration in AP group view.

 

To set the maximum fragment size for CAPWAP packets in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the maximum fragment size for CAPWAP control or data packets.

fragment-size { control control-size | data data-size }

By default, the maximum fragment size for CAPWAP control packets and data packets is 1450 bytes and 1500 bytes, respectively.

 

Setting the TCP MSS for CAPWAP tunnels

About setting the TCP MSS

Perform this task to set the value of the Maximum Segment Size (MSS) option in SYN packets transmitted over a CAPWAP tunnel.

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than or equal to the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, TCP fragments the segment based on the receiver's MSS.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the TCP MSS for CAPWAP tunnels.

wlan tcp mss value

The default setting is 1460 bytes.

 

Configuring AC request retransmission

About AC request retransmission

The AC retransmits a request to an AP at the retransmission interval until the maximum number of request retransmission attempts is reached or a response is received.

Procedure

To configure AC request retransmission in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the maximum number of request retransmission attempts.

retransmit-count value

By default, an AP uses the configuration in AP group view.

4.       Set the interval at which an AC request is retransmitted.

retransmit-interval interval

By default, an AP uses the configuration in AP group view.

 

To configure AC request retransmission in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the maximum number of request retransmission attempts.

retransmit-count value

The default setting is 3.

4.       Set the interval at which an AC request is retransmitted.

retransmit-interval interval

The default setting is 5 seconds.

 

Setting the statistics report interval

About setting the statistics report interval

Perform this task to change the interval for an AP to report its statistics. You can use the statistics to monitor the operating status of radios on the AP.

Procedure

To set the statistics report interval in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the statistics report interval.

statistics-interval interval

By default, an AP uses the configuration in AP group view.

 

To set the statistics report interval in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the statistics report interval.

statistics-interval interval

The default setting is 50 seconds.

 

Maintaining APs

Resetting APs

Perform the following task in user view:

 

Task

Command

Reset all APs or the specified AP.

reset wlan ap { all | ap-group group-name | model model-name | name ap-name | native }

 

Renaming a manual AP

Step

Command

1.       Enter system view.

system-view

2.       Rename a manual AP.

wlan rename-ap ap-name new-ap-name

 

Managing the file system of an AP

About file system management for an AP

You can perform the following tasks on an AC to manage files for an AP after the AP establishes a CAPWAP tunnel with the AC:

·          View file information for the AP.

·          Delete a file from the AP.

·          Download an image file from the AC to the AP.

Restrictions and guidelines

This feature takes effect only on master ACs.

Procedure

Step

Command

1.       Display information about files or file folders on an AP.

display wlan ap name ap-name files

2.       Enter system view.

system-view

3.       Enter AP view.

wlan ap ap-name

4.       Delete a file from the AP.

delete file filename

5.       Download an image file to the AP.

download file file-name

 

Setting a LED lighting mode

About LED lighting modes

You can configure LEDs on an AP to flash in the following modes:

·          quiet—All LEDs are off.

·          awake—All LEDs flash once every minute. Support for this mode depends on the AP model.

·          always-on—All LEDs are steady on. Support for this mode depends on the AP model.

·          normal—How LEDs flash in this mode varies by AP model. This mode can identify the running status of an AP.

Restrictions and guidelines

If you set the LED lighting mode to awake or always-on in AP group view, the setting takes effect only on member APs that support the specified LED lighting mode.

Procedure

To set a LED lighting mode in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set a LED lighting mode.

led-mode { always-on | awake | normal | quiet }

By default, an AP uses the configuration in AP group view.

 

To set a LED lighting mode in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

By default, a default AP group named default-group exists, and it cannot be deleted.

3.       Set a LED lighting mode.

led-mode { always-on | awake | normal | quiet }

By default, the LED lighting mode is normal.

 

Preprovisioning APs

About AP preprovisioning

AP preprovisioning allows you to configure network settings for fit APs on an AC. The AC automatically assigns these settings in a batch to the fit APs in Run state through CAPWAP tunnels. The settings are saved in the preprovisioned configuration file wlan_ap_prvs.xml on the APs. This reduces the configuration workload in large WLAN networks.

Restrictions and guidelines

This feature takes effect only on master ACs.

The save wlan ap-provision command has the same effect as the reset wlan ap provision command if no preprovisioned settings exist.

Tasks at a glance

1.        Configuring preprovisioned settings

·          Configuring preprovisioned settings for an AP

·          Configuring network settings for an AP group

2.        Assigning preprovisioned settings to APs

3.        Configuring auto loading of preprovisioned settings

Configuring preprovisioned settings for an AP

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enable AP preprovisioning and enter AP provision view.

provision

By default, an AP uses the configuration in AP group view.

4.       Specify an AC for the AP.

ac { host-name host-name | ip ipv4-address }

By default, an AP uses the configuration in AP group view.

5.       Specify an IPv4 address for the management VLAN interface.

ip address ipv4-address { mask | mask-length }

By default, no IPv4 address is specified for the management VLAN interface.

6.       Specify an IPv6 address for the management VLAN interface.

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

By default, no IPv6 address is specified for the management VLAN interface.

7.       Set the gateway IP address.

gateway { ip ipv4-address | ipv6 ipv6-address }

By default, no gateway IP address is specified for an AP.

8.       Specify a DNS server.

dns server { ip ipv4-address | ipv6 ipv6-address }

By default, an AP uses the configuration in AP group view.

9.       Set a DNS domain name suffix.

dns domain domain-name

By default, an AP uses the configuration in AP group view.

 

Configuring network settings for an AP group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enable AP preprovisioning and enter AP group provision view.

provision

By default, AP preprovisioning is disabled.

4.       Specify an AC.

ac { host-name host-name | ip ipv4-address }

By default, no static AC is specified for an AP.

5.       Specify a DNS server.

dns server { ip ipv4-address | ipv6 ipv6-address }

By default, no DNS server is specified for an AP.

6.       Set a domain name suffix for the DNS server.

dns domain domain-name

By default, no domain name suffix is specified for a DNS server.

 

Assigning preprovisioned settings to APs

About assigning preprovisioned settings to APs

Perform this task to enable the AC to assign preprovisioned settings to an AP with which the AC has established a CAPWAP tunnel. The preprovisioned settings will be saved to configuration file wlan_ap_prvs.xml on the AP, and the settings will overwrite the network settings originally saved in the configuration file.

You can use the following methods to assign preprovisioned settings to an AP:

·          Manual configuration—You save the preprovisioned settings to configuration file wlan_ap_prvs.xml on the AP after it comes online. The settings take effect immediately.

·          Auto assignment of preprovisioned settings—The preprovisioned settings are assigned to an AP while it is coming online. The AP then establishes a CAPWAP tunnel with the AC specified in the preprovisioned settings. For information about optimal AC selection, see "CAPWAP tunnel establishment."

Restrictions and guidelines

Manually assigned preprovisioned settings immediately take effect on an online AP. Modifying the AC address configuration in the configuration file of the AP will trigger a new optimal AC selection process. The AP will terminate the original CAPWAP tunnel and establish a CAPWAP tunnel with the new AC.

Saving the network settings to the configuration file on an AP

Perform the following task in any view:

 

Task

Command

Save the network settings to preprovisioned configuration file wlan_ap_prvs.xml on the specified AP or all APs.

save wlan ap provision { all | name ap-name }

 

Configuring auto assignment of preprovisioned settings

To configure auto assignment of preprovisioned settings in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure auto assignment of preprovisioned settings for the AP.

provision auto-update { disable | enable }

By default, an AP uses the configuration in AP group view.

 

To configure auto assignment of preprovisioned settings in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure auto assignment of preprovisioned settings for APs in the AP group.

provision auto-update { disable | enable }

By default, auto assignment of preprovisioned settings is disabled.

 

Configuring auto loading of preprovisioned settings

About auto loading of preprovisioned settings

Auto loading of preprovisioned settings ensures successful CAPWAP tunnel establishment between the AP and the AC. When you enable this feature, an AP uses the following procedure to discover an AC:

1.        Uses the preprovisioned settings to discover an AC that has the AP's manual or auto AP configuration.

2.        Reboots and uses other methods to discover ACs if AC discovery fails.

3.        Reboots and uses the preprovisioned settings again to discover ACs if the AP still fails to discover the target AC.

This AC discovery process will be repeated until the AP discovers the target AC to establish a CAPWAP tunnel.

Procedure

To configure auto loading of preprovisioned settings for an AP:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure auto loading of preprovisioned settings for the AP.

provision auto-recover { disable | enable }

By default, an AP uses the configuration in AP group view.

 

To configure auto loading of preprovisioned settings for an AP group:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure auto loading of preprovisioned settings for APs in the AP group.

provision auto-recover { disable | enable }

By default, auto loading of preprovisioned settings is enabled.

 

Enabling SNMP notifications

About SNMP notifications

To report critical WLAN events to an NMS, enable SNMP notifications. For WLAN event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable SNMP notifications.

·         Enable SNMP notifications for AP management:
snmp-agent trap enable wlan ap

·         Enable SNMP notifications for CAPWAP:
snmp-agent trap enable wlan capwap

By default, SNMP notifications for AP management and CAPWAP are disabled.

 

Configuring advanced features for AP management

Configuring remote AP

About remote AP

Remote AP enables an AP to automatically perform the following operations when the CAPWAP tunnel to the AC is disconnected:

·          Forward client traffic.

·          Provide client access services if local authentication is enabled and association is enabled at the AP.

Remote AP is applicable to telecommuting, small branches, and SOHO solutions.

Restrictions and guidelines

Remote AP takes effect only on APs that operate in local forwarding mode.

When the tunnel between the AC and AP is recovered, clients that use the AC as the authenticator need reauthentication. Clients that use the AP as the authenticator remain online.

Procedure

To configure remote AP in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure remote AP.

hybrid-remote-ap { disable | enable }

By default, an AP uses the configuration in AP group view.

 

To configure remote AP in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure remote AP.

hybrid-remote-ap { disable | enable }

By default, remote AP is disabled.

 

Configuring the default input power level

 

NOTE:

Support for this feature depends on the AP model.

 

About configuring the default input power level

Configure the default input power level for an AP in case the AP cannot obtain its input power level at startup.

An AP automatically detects power supply modes to obtain its input power level at startup. If the AP fails to obtain the input power level, it operates at the low power level before associating with an AC. After the association, it operates at the configured default input power level.

An AP can be powered through a power adapter or through its PoE or PoE+ ports. The following table shows the relationship between the AP's power supply mode and input power level:

 

High input power level (power supply mode):

·         Power adapter.

·         Multiple PoE+ ports.

·         Combination of PoE and PoE+ ports.

Middle input power level (power supply mode):

·         Single PoE+ port.

·         Multiple PoE ports.

Low input power level (power supply mode):

·         Single PoE port.

 

An AP's support for MIMO modes and USB interfaces varies by input power level, as shown in Table 1.

Table 1 AP's support for MIMO modes and USB interfaces

·         High input power level—Supported MIMO modes: 1×1, 2×2, 3×3, and 4×4. USB interfaces can be enabled.

·         Middle input power level—Supported MIMO modes: 1×1, 2×2, 3×3, and 4×4. USB interfaces can be enabled only when the MIMO mode is 1×1 or 2×2.

·         Low input power level—Supported MIMO mode: 1×1. USB interfaces cannot be enabled.

 

Restrictions and guidelines

When you configure the default input power level for an AP, make sure the setting matches its power mode. An excessively low input power level prevents the AP from operating correctly. An excessively high input power level causes overload of the AP in case of power shortage.

Procedure

To configure the default input power level in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Configure the default input power level.

power-level default { high | low | middle }

By default, an AP uses the configuration in AP group's AP model view.

 

To configure the default input power level in an AP group's AP model view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Configure the default input power level.

power-level default { high | low | middle }

The default setting is middle.

 

Enabling or disabling USB interfaces for APs

 

NOTE:

Support for this feature depends on the AP model.

 

About configuring USB interfaces

After you enable USB interfaces for an AP, the USB interfaces become active only when either of the following requirements is met:

·          The input power level of the AP is high.

·          The input power level of the AP is middle and the MIMO mode is 1×1 or 2×2.

For information about input power levels, see "Configuring the default input power level." For information about MIMO modes, see "Configuring radio management."

Procedure

To enable or disable USB interfaces in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enable or disable USB interfaces.

usb { enable | disable }

By default, an AP uses the configuration in an AP group's AP model view.

 

To enable or disable USB interfaces in an AP group's AP model view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enable or disable USB interfaces.

usb { enable | disable }

By default, USB interfaces are disabled.

 

Loading an APDB user script

About APDB user script loading

This task allows you to add new AP models to the APDB without upgrading AC software.

Restrictions and guidelines

Make sure the user script is valid. Invalid scripts can cause loading failure.

The AP models in the user script must be different from the AP models in the system script.

If you load multiple user scripts on the AC, the most recently loaded user script overwrites the old user scripts.

To reload a user script when the following conditions exist, you must delete the related AP models or use the wlan apdb command to restore the original software version:

·          A manual AP or an online auto AP whose model is listed in the old user script exists.

·          APs of an AP model listed in the old user script have been added to an AP group.

·          The old user script includes an AP model whose software version was already configured.

To prevent the AP model configuration from being lost after an AC reboot, you must reload a user script after you rename or delete the user script in the file system.

When you replace a user script, the AP model configuration in the old user script will be lost upon an AC reboot if the new user script does not contain AP model configuration of the old script. In this case, you must reload the new user script.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Load an APDB user script.

wlan apdb file user.apdb

By default, no user script is loaded on the AC.

 

Enabling service anomaly detection

About service anomaly detection

This feature enables an AC to check service status and start a reboot timer upon detecting that no APs are associated with the AC. When the reboot timer (10 minutes) expires, the AC restarts. If an AP comes online on the AC before the reboot timer expires, the AC deletes the timer.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable service anomaly detection.

wlan detect-anomaly enable

By default, service anomaly detection is disabled.

 

Display and maintenance commands for AP management

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about all APs or the specified AP.

display wlan ap { all | name ap-name } [ verbose ]

Display address information for all APs or the specified AP.

display wlan ap { all | name ap-name } address

Display GPS information for all APs or the specified AP.

display wlan ap { all | name ap-name } gps

Display AP group information for all APs or the specified AP.

display wlan ap { all | name ap-name } group

Display AP connection records on the AC.

display wlan ap { all | name ap-name } connection-record

Display AP online duration.

display wlan ap { all | name ap-name } online-time

Display association failure records for APs.

display wlan ap association-failure-record

Display CAPWAP tunnel down records.

display wlan ap tunnel-down-record

Display the number of installed WLAN licenses.

display wlan license

Display the reboot logs of the specified AP.

display wlan ap name ap-name reboot-log

Display running configuration for all APs or the specified AP.

display wlan ap { all | ap ap-name } running-configuration [ verbose ]

Display information about all AP groups or the specified AP group.

display wlan ap-group [ brief | name group-name ]

Display AP model information.

display wlan ap-model { all | name model-name }

Display tunnel latency information for the specified CAPWAP tunnel.

display wlan ap name ap-name tunnel latency

Display information about distribution of attached APs for ACs (centralized devices in standalone mode).

display wlan ap-distribution all

Display information about distribution of attached APs for ACs (centralized devices in IRF mode).

display wlan ap-distribution { all | slot slot-number }

Display the attachment location of an AP.

display wlan ap-distribution ap-name ap-name

Clear the reboot logs of all APs or the specified AP.

reset wlan ap reboot-log { all | name ap-name }

Clear tunnel latency information for all CAPWAP tunnels or the specified CAPWAP tunnel.

reset wlan tunnel latency ap { all | name ap-name }

Delete configuration file wlan_ap_prvs.xml from all APs or the specified AP.

reset wlan ap provision { all | name ap-name }

 

AP management configuration examples

Example: Establishing a CAPWAP tunnel through DHCP

Network configuration

As shown in Figure 3, configure the AP to obtain its IP address and AC IP address from the DHCP server through DHCP Option 43. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.

Figure 3 Network diagram

 

Procedure

1.        Configure the DHCP server:

# Enable the DHCP service.

<DHCP server> system-view

[DHCP server] dhcp enable

# Configure DHCP address pool 1.

[DHCP server] dhcp server ip-pool 1

[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0

# Configure Option 43 to specify the IP address of the AC in address pool 1. The right-most bytes 01010103 (1.1.1.3) represent the IP address of the AC.

[DHCP server-dhcp-pool-1] option 43 hex 800700000101010103

[DHCP server-dhcp-pool-1] quit

[DHCP server] quit

2.        Configure the AC:

# Set the IP address of VLAN-interface 1 on the AC to 1.1.1.3/24.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ip address 1.1.1.3 24

[AC-Vlan-interface1] quit

# Create an AP named ap1 with model WA4320i-ACN, and set its serial ID to 210235A1BSC123000050.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

[AC-wlan-ap-ap1] quit

# Start up the AP. The AP performs the following operations:

·          Obtains its IP address 1.1.1.2 from the DHCP server.

·          Obtains the IP address of the AC through Option 43.

·          Establishes a CAPWAP tunnel with the AC.

Verifying the configuration

# Verify that you can see the following information:

·          The AP obtains the IP address of the AC through DHCP.

·          The AP and the AC have established a CAPWAP tunnel.

·          The AP is in Run state.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA4320i-ACN

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 210235A1BSC123000050

MAC address                   : 0AFB-423B-893C

IP address                    : 1.1.1.2

UDP port number               : 18313

H/W version                   : Ver.C

S/W version                   : E2321

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

Data-tunnel encryption        : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11b

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Active band-width         : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 5(auto)

    Channel usage(%)          : 0

    Max power                 : 20 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection
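The verbose output above is what an operator reviews once the tunnel is up. The following Python is an added example, not H3C code: it parses the top-level "Key : Value" fields of such a dump and flags the settings this chapter says should not be left at their defaults (CAPWAP control and data tunnel encryption), plus an echo-loss ratio as a tunnel health signal. The sample text is a constructed subset of the page's `display wlan ap name ap1 verbose` output; the function names and the 5% loss threshold are assumptions.

```python
"""Audit a `display wlan ap name <ap> verbose` dump for weak CAPWAP tunnel settings.

Added example (not H3C code). SAMPLE_OUTPUT is a constructed subset of the
fields shown in the configuration example on this page.
"""
import re
from typing import Dict, List

# Constructed sample: top-level fields plus one indented radio section.
SAMPLE_OUTPUT = """\
AP name                       : ap1
AP ID                         : 1
State                         : Run
Model                         : WA4320i-ACN
Serial ID                     : 210235A1BSC123000050
IP address                    : 1.1.1.2
Echo interval                 : 10 seconds
Fragment size (data)          : 1500
Fragment size (control)       : 1450
Discovery type                : DHCP
Retransmission count          : 3
Retransmission interval       : 5 seconds
Echo requests                 : 147
Lost echo responses           : 0
Tunnel down reason            : Request wait timer expired
Tunnel encryption             : Disabled
Data-tunnel encryption        : Disabled
Remote configuration          : Enabled
Radio 1:
    Basic BSSID               : 7848-59f6-3940
    Admin state               : Up
"""

# "Key : Value"; the lazy key stops before the padding in front of the colon.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_ap_verbose(text: str) -> Dict[str, str]:
    """Return top-level 'Key : Value' pairs; indented radio lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue  # radio sub-sections are indented and not audited here
        m = FIELD_RE.match(line)
        if m and m.group("value"):  # "Radio 1:" has no value and is dropped
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def audit_ap(fields: Dict[str, str], max_lost_echo_ratio: float = 0.05) -> List[str]:
    """Return the findings a reviewer would raise about this AP's tunnel state."""
    findings: List[str] = []
    if fields.get("State") != "Run":
        findings.append(f"AP not in Run state: {fields.get('State', '?')}")
    # Control tunnel encryption must be enabled before data tunnel encryption can be.
    if fields.get("Tunnel encryption", "").lower() == "disabled":
        findings.append("CAPWAP control tunnel encryption disabled")
    if fields.get("Data-tunnel encryption", "").lower() == "disabled":
        findings.append("CAPWAP data tunnel encryption disabled")
    # Echo loss: lost responses relative to echo requests sent (threshold is an assumption).
    try:
        sent = int(fields.get("Echo requests", "0"))
        lost = int(fields.get("Lost echo responses", "0"))
        if sent and lost / sent > max_lost_echo_ratio:
            findings.append(f"High echo loss: {lost}/{sent}")
    except ValueError:
        findings.append("Echo counters unparsable")
    return findings


if __name__ == "__main__":
    for finding in audit_ap(parse_ap_verbose(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the constructed sample, the audit reports both encryption findings and no echo-loss finding; feed it the output of the same command for each AP to spot tunnels that never had encryption turned on.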

Example: Establishing a CAPWAP tunnel through DHCPv6

Network configuration

As shown in Figure 4, configure the AP to obtain its IP address and AC IP address from the DHCPv6 server through DHCP Option 52. The AP uses the IP address of the AC to establish a CAPWAP tunnel with the AC.

Figure 4 Network diagram

 

Procedure

1.        Configure the DHCPv6 server:

# Assign an IPv6 address to GigabitEthernet 1/0/1.

<DHCPv6 Server> system-view

[DHCPv6 Server] interface gigabitethernet 1/0/1

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 address 1::1/64

# Disable RA message advertising suppression.

[DHCPv6 Server-GigabitEthernet1/0/1] undo ipv6 nd ra halt

# Set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig managed-address-flag

# Set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 nd autoconfig other-flag

# Enable the DHCPv6 service on GigabitEthernet 1/0/1.

[DHCPv6 Server-GigabitEthernet1/0/1] ipv6 dhcp select server

[DHCPv6 Server-GigabitEthernet1/0/1] quit

# Create a DHCPv6 address pool, and specify an IPv6 subnet for dynamic allocation in the DHCPv6 address pool.

[DHCPv6 Server] ipv6 dhcp pool 1

[DHCPv6 Server-dhcp6-pool-1] network 1::0/64

# Configure Option 52 in DHCPv6 address pool 1 to carry the AC address 1::3 (the 16-byte IPv6 address in hexadecimal).

[DHCPv6 Server-dhcp6-pool-1] option 52 hex 00010000000000000000000000000003

[DHCPv6 Server-dhcp6-pool-1] quit

[DHCPv6 Server] quit

2.        Configure the AC:

# Set the IP address of VLAN-interface 1 to 1::3/64.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ipv6 address 1::3 64

# Create an AP named ap1 with model WA4320i-ACN, and set its serial ID to 210235A1BSC123000050.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

[AC-wlan-ap-ap1] quit

# Start up the AP. The AP performs the following operations:

·          Obtains its IPv6 address 1::2 from the DHCPv6 server.

·          Obtains the IPv6 address of the AC (1::3) from Option 52 in the DHCPv6 reply.

·          Establishes a CAPWAP tunnel with the AC.

Verifying the configuration

# Verify that you can view the following information:

·          The AP obtains the IP address of the AC through DHCP.

·          The AP and the AC have established a CAPWAP tunnel.

·          The AP is in Run state.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA4320i-ACN

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 210235A1BSC123000050

MAC address                   : 0AFB-423B-893C

IP address                    : 1::2

UDP port number               : 18313

H/W version                   : Ver.C

S/W version                   : E2321

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

Data-tunnel encryption        : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11b

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Active band-width         : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 5(auto)

    Channel usage(%)          : 0

    Max power                 : 0 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 5 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Example: Establishing a CAPWAP tunnel through DNS

Network configuration

As shown in Figure 5, configure the AP to obtain the IP address of the AC through DNS to establish a CAPWAP tunnel with the AC.

Figure 5 Network diagram

 

Procedure

1.        Configure the DHCP server:

# Enable the DHCP service, configure DHCP address pool 1, and set the domain name suffix of the AC to abc.

<DHCP server> system-view

[DHCP server] dhcp enable

[DHCP server] dhcp server ip-pool 1

[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0

[DHCP server-dhcp-pool-1] domain-name abc

[DHCP server-dhcp-pool-1] dns-list 1.1.1.4

[DHCP server-dhcp-pool-1] gateway-list 1.1.1.2

[DHCP server-dhcp-pool-1] quit

[DHCP server] quit

2.        On the DNS server, configure a mapping between domain name h3c.abc and IP address 2.1.1.1. For more information, see Layer 3—IP Services Configuration Guide. (Details not shown.)

3.        Configure the AC:

# Set the IP address of VLAN-interface 1 to 2.1.1.1/24.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ip address 2.1.1.1 24

[AC-Vlan-interface1] quit

# Configure a default route with next hop address 2.1.1.2.

[AC] ip route-static 0.0.0.0 0 2.1.1.2

# Create an AP named ap1 with model WA4320i-ACN, and set its serial ID to 210235A1BSC123000050.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Start up the AP.

[AC-wlan-ap-ap1] quit

The AP performs the following operations:

·          Obtains its IP address 1.1.1.1, the domain name suffix of the AC (abc), and the IP address of the DNS server (1.1.1.4) from the DHCP server.

·          Appends the domain name suffix to the AC hostname to form the FQDN h3c.abc.

·          Resolves h3c.abc to the IP address of the AC (2.1.1.1) through the DNS server.

·          Uses the IP address of the AC to establish a CAPWAP tunnel with the AC.

Verifying the configuration

# Verify that you can see the following information:

·          The AP and the AC have established a CAPWAP tunnel.

·          The AP is in Run state.

·          The AP obtains the IP address of the AC through DNS.

[AC] display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA4320i-ACN

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 210235A1BSC123000050

MAC address                   : 0AFB-423B-893C

IP address                    : 1.1.1.2

UDP port number               : 18313

H/W version                   : Ver.C

S/W version                   : E2321

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DNS

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

Data-tunnel encryption        : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11b

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Active band-width         : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 5(auto)

    Channel usage(%)          : 0

    Max power                 : 20 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Example: Configuring the auto AP feature

Network configuration

As shown in Figure 6, enable the auto AP feature on the AC. The AP obtains the AC IP address through DHCP Option 43 and establishes a CAPWAP tunnel with the AC.

Figure 6 Network diagram

 

Procedure

1.        Configure the DHCP server:

# Enable the DHCP service.

<DHCP server> system-view

[DHCP server] dhcp enable

# Configure DHCP address pool 1.

[DHCP server] dhcp server ip-pool 1

[DHCP server-dhcp-pool-1] network 1.1.1.0 mask 255.255.255.0

# Configure Option 43 in address pool 1 to carry the IP address of the AC. The right-most four bytes 02010102 represent the AC IP address 2.1.1.2.

[DHCP server-dhcp-pool-1] option 43 hex 800700000102010102

[DHCP server-dhcp-pool-1] gateway-list 1.1.1.3

[DHCP server-dhcp-pool-1] quit

[DHCP server] quit
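The two DHCP examples on this page hand the AP its AC address as raw hex: DHCPv6 Option 52 carries the 16-byte AC IPv6 address (00010000000000000000000000000003 for 1::3), and DHCPv4 Option 43 carries an H3C sub-option whose trailing four bytes are the AC IPv4 address (800700000102010102 for 2.1.1.2). The following Python is an added example, not code from the H3C guide or from Comware: it builds both option values from address lists and parses them back, rejecting values whose embedded length or address count does not match the bytes actually present. The guide explains only the trailing address bytes of the Option 43 value; reading the leading bytes as sub-option type 0x80, a one-byte length, a two-byte server type 0x0000 and a one-byte address count is an assumption made here. Note the trust implication of this discovery path: an AP joins whichever AC the DHCP (or DNS) answer names, so a rogue DHCP server on the AP VLAN can steer APs to an attacker-controlled AC, and the verification output in these examples shows Tunnel encryption: Disabled, which the CAPWAP tunnel encryption task in this guide addresses.

```python
"""Build and parse the DHCP options that hand an AP its AC address.

Added example; not part of the H3C guide. Reproduces the two hex values
used on this page: DHCPv6 Option 52 for AC 1::3 and DHCPv4 Option 43
for AC 2.1.1.2.
"""
import ipaddress

# ---- DHCPv6 Option 52 (CAPWAP AC IPv6 Address) ----------------------------
# The option value is the concatenation of one or more 16-byte AC addresses.

def encode_option52(acs):
    """Hex string for 'option 52 hex ...' in a DHCPv6 address pool."""
    return "".join(ipaddress.IPv6Address(a).packed.hex() for a in acs)

def decode_option52(hexvalue):
    """AC IPv6 addresses carried in an Option 52 value (or ValueError)."""
    raw = bytes.fromhex(hexvalue)
    if not raw or len(raw) % 16:
        raise ValueError("Option 52 value must be a non-empty multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)]

# ---- DHCPv4 Option 43, H3C AC sub-option ----------------------------------
# Layout assumed here (the guide only states that the trailing bytes are the
# AC IPv4 address): 0x80 sub-option type, 1-byte length, 2-byte server type
# 0x0000, 1-byte address count, then 4 bytes per AC address.
SUBOPT_AC = 0x80
SERVER_TYPE_AC = b"\x00\x00"

def encode_option43(acs):
    """Hex string for 'option 43 hex ...' in a DHCPv4 address pool."""
    if not 1 <= len(acs) <= 255:
        raise ValueError("need 1..255 AC addresses")
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in acs)
    body = SERVER_TYPE_AC + bytes([len(acs)]) + addrs
    if len(body) > 255:
        raise ValueError("sub-option body does not fit a one-byte length")
    return bytes([SUBOPT_AC, len(body)]).hex() + body.hex()

def decode_option43(hexvalue):
    """AC IPv4 addresses in an Option 43 value.

    Walks the type/length/value sub-options and refuses to trust a length
    or address count that runs past the bytes actually received."""
    raw = bytes.fromhex(hexvalue)
    acs = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        typ, length = raw[i], raw[i + 1]
        body = raw[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option length runs past end of option")
        i += 2 + length
        if typ != SUBOPT_AC:
            continue  # other sub-options are ignored, not an error
        if len(body) < 3 or body[:2] != SERVER_TYPE_AC:
            raise ValueError("unexpected server type in AC sub-option")
        count = body[2]
        if len(body) != 3 + 4 * count:
            raise ValueError("address count does not match sub-option length")
        acs += [str(ipaddress.IPv4Address(body[3 + 4 * k:7 + 4 * k])) for k in range(count)]
    return acs

def is_valid_option43(hexvalue):
    """True when the value parses cleanly and names at least one AC."""
    try:
        return bool(decode_option43(hexvalue))
    except ValueError:
        return False

if __name__ == "__main__":
    print(encode_option52(["1::3"]))      # value used in the DHCPv6 example
    print(encode_option43(["2.1.1.2"]))   # value used in the Option 43 example
    print(decode_option43("800700000102010102"))
```

To offer a backup AC, pass both addresses to the encoder; the count byte and length byte are recomputed, which is where hand-built hex strings most often go wrong.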

2.        Configure the AC:

# Set the IP address of VLAN-interface 1 on the AC to 2.1.1.2/24.

<AC> system-view

[AC] interface vlan-interface 1

[AC-Vlan-interface1] ip address 2.1.1.2 24

[AC-Vlan-interface1] quit

# Configure a default route with next hop address 2.1.1.1.

[AC] ip route-static 0.0.0.0 0 2.1.1.1

# Enable auto AP.

[AC] wlan auto-ap enable

Verifying the configuration

# Verify that the AP has established a CAPWAP tunnel with the AC.

[AC] display wlan ap name 0011-2200-0101 verbose

AP name                       : 0011-2200-0101

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA4320i-ACN

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A0CNC138011454

MAC address                   : 0011-2200-0101

IP address                    : 1.1.1.2

UDP port number               : 18313

H/W version                   : Ver.C

S/W version                   : E2321

Boot version                  : 1.01

USB state                     : N/A

Power Level                   : N/A

PowerInfo                     : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

Discovery type                : DHCP

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

Data-tunnel encryption        : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 15

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : -102 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Down

    Radio type                : 802.11b

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Active band-width         : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 5(auto)

    Channel usage(%)          : 0

    Max power                 : 20 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : 0 dBm

    Smart antenna             : Enabled

    Smart antenna policy      : Auto

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Example: Configuring AP groups

Network configuration

As shown in Figure 7, configure AP groups and add AP 1 to AP group group1, and AP 2, AP 3, and AP 4 to AP group group2.

Figure 7 Network diagram

 

Procedure

1.        Configure APs to obtain their IP addresses and the AC IP address from the DHCP server. (Details not shown.)

2.        Configure manual APs. (Details not shown.)

3.        Configure AP groups:

# Create an AP group named group1.

<AC> system-view

[AC] wlan ap-group group1

# Add AP 1 to AP group group1.

[AC-wlan-ap-group-group1] ap ap1

[AC-wlan-ap-group-group1] quit

# Create an AP group named group2.

[AC] wlan ap-group group2

# Add AP 2, AP 3, and AP 4 to AP group group2.

[AC-wlan-ap-group-group2] ap ap2 ap3 ap4

[AC-wlan-ap-group-group2] quit

[AC] quit

Verifying the configuration

# Verify that AP 1 is in AP group group1, and AP 2, AP 3, and AP 4 are in AP group group2.

<AC> display wlan ap-group

Total number of AP groups: 3

AP group name       : default-group

Description         : Not configured

AP model            : Not configured

APs                 : Not configured

 

AP group name       : group1

Description         : Not configured

AP model            : WA4320i-ACN

AP grouping rules:

  AP name           : ap1

  Serial ID         : Not configured

  MAC address       : Not configured

  IPv4 address      : Not configured

  IPv6 address      : Not configured

APs                 : ap1 (AP name)

 

AP group name       : group2

Description         : Not configured

AP model            : WA4320i-ACN

AP grouping rules:

  AP name           : ap2, ap3, ap4

  Serial ID         : Not configured

  MAC address       : Not configured

  IPv4 address      : Not configured

  IPv6 address      : Not configured

APs                 : ap2 (AP name), ap3 (AP name), ap4 (AP name)

 


Configuring radio management

The term "AC" in this document refers to MSR routers that can function as ACs.

About radio management

Radio frequency (RF) is a rate of electrical oscillation in the range of 300 kHz to 300 GHz. WLAN uses the 2.4 GHz band and 5 GHz band radio frequencies as the transmission media. The 2.4 GHz band includes radio frequencies from 2.4 GHz to 2.4835 GHz. The 5 GHz band includes radio frequencies from 5.150 GHz to 5.350 GHz and from 5.725 GHz to 5.850 GHz.

The term "radio frequency" or its abbreviation RF is also used as a synonym for "radio" in wireless communication.

Radio mode

IEEE defines the 802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac radio modes.

Table 2 provides a comparison of these radio modes.

Table 2 Comparison of 802.11 standards

IEEE standard | Frequency band | Maximum rate | Indoor coverage | Outdoor coverage
802.11a | 5 GHz | 54 Mbps | About 30 meters (98.43 ft) | About 45 meters (147.64 ft)
802.11b | 2.4 GHz | 11 Mbps | About 30 meters (98.43 ft) | About 100 meters (328.08 ft)
802.11g | 2.4 GHz | 54 Mbps | About 30 meters (98.43 ft) | About 100 meters (328.08 ft)
802.11n | 2.4 GHz or 5 GHz | 600 Mbps | About 300 meters (984.3 ft) | About 600 meters (1968.50 ft)
802.11ac | 5 GHz | 6900 Mbps | About 300 meters (984.3 ft) | About 600 meters (1968.50 ft)

 

Channel

A channel is a range of frequencies with a specific bandwidth.

The 2.4 GHz band has 14 channels. Each channel is 20 MHz wide and the center frequencies of adjacent channels are spaced 5 MHz apart, so neighboring channels overlap. Among the 14 channels, four groups of non-overlapping channels exist; the most commonly used group contains channels 1, 6, and 11.

The 5 GHz band can provide higher rates and is more immune to interference. There are 24 non-overlapping channels designated to the 5 GHz band. The channels are spaced 20 MHz apart with a bandwidth of 20 MHz. The available channels vary by country.

Transmit power

Transmit power reflects the signal strength of a wireless device. A higher transmit power enables a radio to cover a larger area but it brings more interference to adjacent devices. The signal strength decreases as the transmission distance increases.

Transmission rate

Transmission rate refers to the speed at which wireless devices transmit traffic. It varies by radio mode and spreading, coding, and modulation schemes. The following are rates supported by different types of radios:

·          802.11a—6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.

·          802.11b—1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps.

·          802.11g—1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.

·          802.11n—Rates for 802.11n radios vary by channel bandwidth. For more information, see "MCS."

·          802.11ac—Rates for 802.11ac radios vary by channel bandwidth and number of spatial streams (NSS). For more information, see "VHT-MCS."

MCS

Modulation and Coding Scheme (MCS) defined in IEEE 802.11n-2009 determines the modulation, coding, and number of spatial streams.

MCS types

802.11n MCSs are classified into the following types:

·          Mandatory MCSs—Mandatory MCSs for an AP. To associate with an 802.11n AP, a client must support the mandatory MCSs for the AP.

·          Supported MCSs—MCSs supported by an AP besides the mandatory MCSs. If a client supports both mandatory and supported MCSs, the client can use a supported rate to communicate with the AP.

·          Multicast MCS—MCS for the rate at which an AP transmits multicast frames.

MCS parameters

An MCS is identified by an MCS index, an integer in the range of 0 to 76. Each MCS index maps to a data rate for a given channel bandwidth and guard interval.

Table 3 through Table 10 show sample MCS parameters for 20 MHz and 40 MHz.

When the bandwidth mode is 20 MHz, MCS indexes 0 through 15 are mandatory for APs, and MCS indexes 0 through 7 are mandatory for clients.

Table 3 MCS parameters (20 MHz, NSS=1)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | 1 | BPSK | 6.5 | 7.2
1 | 1 | QPSK | 13.0 | 14.4
2 | 1 | QPSK | 19.5 | 21.7
3 | 1 | 16-QAM | 26.0 | 28.9
4 | 1 | 16-QAM | 39.0 | 43.3
5 | 1 | 64-QAM | 52.0 | 57.8
6 | 1 | 64-QAM | 58.5 | 65.0
7 | 1 | 64-QAM | 65.0 | 72.2

 

Table 4 MCS parameters (20 MHz, NSS=2)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
8 | 2 | BPSK | 13.0 | 14.4
9 | 2 | QPSK | 26.0 | 28.9
10 | 2 | QPSK | 39.0 | 43.3
11 | 2 | 16-QAM | 52.0 | 57.8
12 | 2 | 16-QAM | 78.0 | 86.7
13 | 2 | 64-QAM | 104.0 | 115.6
14 | 2 | 64-QAM | 117.0 | 130.0
15 | 2 | 64-QAM | 130.0 | 144.4

 

Table 5 MCS parameters (20 MHz, NSS=3)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
16 | 3 | BPSK | 19.5 | 21.7
17 | 3 | QPSK | 39.0 | 43.3
18 | 3 | QPSK | 58.5 | 65.0
19 | 3 | 16-QAM | 78.0 | 86.7
20 | 3 | 16-QAM | 117.0 | 130.0
21 | 3 | 64-QAM | 156.0 | 173.3
22 | 3 | 64-QAM | 175.5 | 195.0
23 | 3 | 64-QAM | 195.0 | 216.7

 

Table 6 MCS parameters (20 MHz, NSS=4)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
24 | 4 | BPSK | 26.0 | 28.9
25 | 4 | QPSK | 52.0 | 57.8
26 | 4 | QPSK | 78.0 | 86.7
27 | 4 | 16-QAM | 104.0 | 115.6
28 | 4 | 16-QAM | 156.0 | 173.3
29 | 4 | 64-QAM | 208.0 | 231.1
30 | 4 | 64-QAM | 234.0 | 260.0
31 | 4 | 64-QAM | 260.0 | 288.9

 

Table 7 MCS parameters (40 MHz, NSS=1)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | 1 | BPSK | 13.5 | 15.0
1 | 1 | QPSK | 27.0 | 30.0
2 | 1 | QPSK | 40.5 | 45.0
3 | 1 | 16-QAM | 54.0 | 60.0
4 | 1 | 16-QAM | 81.0 | 90.0
5 | 1 | 64-QAM | 108.0 | 120.0
6 | 1 | 64-QAM | 121.5 | 135.0
7 | 1 | 64-QAM | 135.0 | 150.0

 

Table 8 MCS parameters (40 MHz, NSS=2)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
8 | 2 | BPSK | 27.0 | 30.0
9 | 2 | QPSK | 54.0 | 60.0
10 | 2 | QPSK | 81.0 | 90.0
11 | 2 | 16-QAM | 108.0 | 120.0
12 | 2 | 16-QAM | 162.0 | 180.0
13 | 2 | 64-QAM | 216.0 | 240.0
14 | 2 | 64-QAM | 243.0 | 270.0
15 | 2 | 64-QAM | 270.0 | 300.0

 

Table 9 MCS parameters (40 MHz, NSS=3)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
16 | 3 | BPSK | 40.5 | 45.0
17 | 3 | QPSK | 81.0 | 90.0
18 | 3 | QPSK | 121.5 | 135.0
19 | 3 | 16-QAM | 162.0 | 180.0
20 | 3 | 16-QAM | 243.0 | 270.0
21 | 3 | 64-QAM | 324.0 | 360.0
22 | 3 | 64-QAM | 364.5 | 405.0
23 | 3 | 64-QAM | 405.0 | 450.0

 

Table 10 MCS parameters (40 MHz, NSS=4)

MCS index | Number of spatial streams | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
24 | 4 | BPSK | 54.0 | 60.0
25 | 4 | QPSK | 108.0 | 120.0
26 | 4 | QPSK | 162.0 | 180.0
27 | 4 | 16-QAM | 216.0 | 240.0
28 | 4 | 16-QAM | 324.0 | 360.0
29 | 4 | 64-QAM | 432.0 | 480.0
30 | 4 | 64-QAM | 486.0 | 540.0
31 | 4 | 64-QAM | 540.0 | 600.0

 

 

NOTE:

·      For all the MCS data rate tables, see IEEE 802.11n-2009.

·      Support for MCS indexes depends on the device model.

 

VHT-MCS

Very High Throughput Modulation and Coding Scheme (VHT-MCS) defined in IEEE 802.11ac determines the wireless data rates.

VHT-MCS types

802.11ac VHT-MCSs are classified into the following types:

·          Mandatory VHT-MCSs—Mandatory VHT-MCSs for an AP. To associate with an 802.11ac AP, a client must support the mandatory VHT-MCSs for the AP.

·          Supported VHT-MCSs—VHT-MCSs supported by an AP besides the mandatory VHT-MCSs. If a client supports both mandatory and supported VHT-MCSs, the client can use a supported rate to communicate with the AP.

·          Multicast VHT-MCS—VHT-MCS for the rate at which an AP transmits multicast frames.

VHT-MCS parameters

A VHT-MCS is identified by a VHT-MCS index, an integer in the range of 0 to 9. The VHT-MCS index maps a modulation and coding combination to a data rate.

802.11ac supports the 20 MHz, 40 MHz, 80 MHz, and 160 MHz bandwidth modes, and supports a maximum of eight spatial streams.

Table 11 through Table 22 show VHT-MCS parameters that are supported by an AP.

Table 11 VHT-MCS parameters (20 MHz, NSS=1)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 6.5 | 7.2
1 | QPSK | 13.0 | 14.4
2 | QPSK | 19.5 | 21.7
3 | 16-QAM | 26.0 | 28.9
4 | 16-QAM | 39.0 | 43.3
5 | 64-QAM | 52.0 | 57.8
6 | 64-QAM | 58.5 | 65.0
7 | 64-QAM | 65.0 | 72.2
8 | 256-QAM | 78.0 | 86.7
9 | Not valid | - | -

 

Table 12 VHT-MCS parameters (20 MHz, NSS=2)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 13.0 | 14.4
1 | QPSK | 26.0 | 28.9
2 | QPSK | 39.0 | 43.3
3 | 16-QAM | 52.0 | 57.8
4 | 16-QAM | 78.0 | 86.7
5 | 64-QAM | 104.0 | 115.6
6 | 64-QAM | 117.0 | 130.0
7 | 64-QAM | 130.0 | 144.4
8 | 256-QAM | 156.0 | 173.3
9 | Not valid | - | -

 

Table 13 VHT-MCS parameters (20 MHz, NSS=3)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 19.5 | 21.7
1 | QPSK | 39.0 | 43.3
2 | QPSK | 58.5 | 65.0
3 | 16-QAM | 78.0 | 86.7
4 | 16-QAM | 117.0 | 130.0
5 | 64-QAM | 156.0 | 173.3
6 | 64-QAM | 175.5 | 195.0
7 | 64-QAM | 195.0 | 216.7
8 | 256-QAM | 234.0 | 260.0
9 | 256-QAM | 260.0 | 288.9

 

Table 14 VHT-MCS parameters (20 MHz, NSS=4)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 26.0 | 28.9
1 | QPSK | 52.0 | 57.8
2 | QPSK | 78.0 | 86.7
3 | 16-QAM | 104.0 | 115.6
4 | 16-QAM | 156.0 | 173.3
5 | 64-QAM | 208.0 | 231.1
6 | 64-QAM | 234.0 | 260.0
7 | 64-QAM | 260.0 | 288.9
8 | 256-QAM | 312.0 | 346.7
9 | Not valid | - | -

 

Table 15 VHT-MCS parameters (40 MHz, NSS=1)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 13.5 | 15.0
1 | QPSK | 27.0 | 30.0
2 | QPSK | 40.5 | 45.0
3 | 16-QAM | 54.0 | 60.0
4 | 16-QAM | 81.0 | 90.0
5 | 64-QAM | 108.0 | 120.0
6 | 64-QAM | 121.5 | 135.0
7 | 64-QAM | 135.0 | 150.0
8 | 256-QAM | 162.0 | 180.0
9 | 256-QAM | 180.0 | 200.0

 

Table 16 VHT-MCS parameters (40 MHz, NSS=2)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 27.0 | 30.0
1 | QPSK | 54.0 | 60.0
2 | QPSK | 81.0 | 90.0
3 | 16-QAM | 108.0 | 120.0
4 | 16-QAM | 162.0 | 180.0
5 | 64-QAM | 216.0 | 240.0
6 | 64-QAM | 243.0 | 270.0
7 | 64-QAM | 270.0 | 300.0
8 | 256-QAM | 324.0 | 360.0
9 | 256-QAM | 360.0 | 400.0

 

Table 17 VHT-MCS parameters (40 MHz, NSS=3)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 40.5 | 45.0
1 | QPSK | 81.0 | 90.0
2 | QPSK | 121.5 | 135.0
3 | 16-QAM | 162.0 | 180.0
4 | 16-QAM | 243.0 | 270.0
5 | 64-QAM | 324.0 | 360.0
6 | 64-QAM | 364.5 | 405.0
7 | 64-QAM | 405.0 | 450.0
8 | 256-QAM | 486.0 | 540.0
9 | 256-QAM | 540.0 | 600.0

 

Table 18 VHT-MCS parameters (40 MHz, NSS=4)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 54.0 | 60.0
1 | QPSK | 108.0 | 120.0
2 | QPSK | 162.0 | 180.0
3 | 16-QAM | 216.0 | 240.0
4 | 16-QAM | 324.0 | 360.0
5 | 64-QAM | 432.0 | 480.0
6 | 64-QAM | 486.0 | 540.0
7 | 64-QAM | 540.0 | 600.0
8 | 256-QAM | 648.0 | 720.0
9 | 256-QAM | 720.0 | 800.0

 

Table 19 VHT-MCS parameters (80 MHz, NSS=1)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 29.3 | 32.5
1 | QPSK | 58.5 | 65.0
2 | QPSK | 87.8 | 97.5
3 | 16-QAM | 117.0 | 130.0
4 | 16-QAM | 175.5 | 195.0
5 | 64-QAM | 234.0 | 260.0
6 | 64-QAM | 263.0 | 292.5
7 | 64-QAM | 292.5 | 325.0
8 | 256-QAM | 351.0 | 390.0
9 | 256-QAM | 390.0 | 433.3

 

Table 20 VHT-MCS parameters (80 MHz, NSS=2)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 58.5 | 65.0
1 | QPSK | 117.0 | 130.0
2 | QPSK | 175.5 | 195.0
3 | 16-QAM | 234.0 | 260.0
4 | 16-QAM | 351.0 | 390.0
5 | 64-QAM | 468.0 | 520.0
6 | 64-QAM | 526.5 | 585.0
7 | 64-QAM | 585.0 | 650.0
8 | 256-QAM | 702.0 | 780.0
9 | 256-QAM | 780.0 | 866.7

 

Table 21 VHT-MCS parameters (80 MHz, NSS=3)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 87.8 | 97.5
1 | QPSK | 175.5 | 195.0
2 | QPSK | 263.3 | 292.5
3 | 16-QAM | 351.0 | 390.0
4 | 16-QAM | 526.5 | 585.0
5 | 64-QAM | 702.0 | 780.0
6 | Not valid | - | -
7 | 64-QAM | 877.5 | 975.0
8 | 256-QAM | 1053.0 | 1170.0
9 | 256-QAM | 1170.0 | 1300.0

 

Table 22 VHT-MCS parameters (80 MHz, NSS=4)

VHT-MCS index | Modulation | Data rate (Mbps), 800ns GI | Data rate (Mbps), 400ns GI
0 | BPSK | 117.0 | 130.0
1 | QPSK | 234.0 | 260.0
2 | QPSK | 351.0 | 390.0
3 | 16-QAM | 468.0 | 520.0
4 | 16-QAM | 702.0 | 780.0
5 | 64-QAM | 936.0 | 1040.0
6 | 64-QAM | 1053.0 | 1170.0
7 | 64-QAM | 1170.0 | 1300.0
8 | 256-QAM | 1404.0 | 1560.0
9 | 256-QAM | 1560.0 | 1733.3

 

 

NOTE:

·      For all the VHT-MCS data rate tables, see IEEE 802.11ac-2013.

·      Support for VHT-MCS indexes depends on the device model.
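As an added example (not part of the H3C guide), the following Python derives the values in Tables 11 through 22 from the IEEE 802.11ac PHY parameters instead of looking them up: data bits per OFDM symbol (subcarriers × bits per subcarrier × spatial streams × code rate) divided by the symbol time for each guard interval, with the combinations the tables mark as Not valid rejected by the BCC encoder constraints. The subcarrier counts, symbol times and the 600 Mbps per-encoder limit are taken from the standard; the function names are my own, and the MCS 0 through 7 rows of Tables 7 through 10 (802.11n, 40 MHz) follow from the same arithmetic.

```python
"""Added example: compute IEEE 802.11ac VHT-MCS data rates (Tables 11-22).

Rate (Mbps) = N_DBPS / T_SYM, where N_DBPS = N_SD * N_BPSCS * N_SS * R is the
number of data bits per OFDM symbol and T_SYM is 4.0 us (800 ns GI) or
3.6 us (400 ns GI). A combination is "Not valid" when N_DBPS is not an
integer or does not split evenly across the BCC encoders.
"""
from fractions import Fraction
from math import floor

# VHT-MCS index -> (modulation, coded bits per subcarrier per stream, code rate R)
VHT_MCS = {
    0: ("BPSK", 1, Fraction(1, 2)),
    1: ("QPSK", 2, Fraction(1, 2)),
    2: ("QPSK", 2, Fraction(3, 4)),
    3: ("16-QAM", 4, Fraction(1, 2)),
    4: ("16-QAM", 4, Fraction(3, 4)),
    5: ("64-QAM", 6, Fraction(2, 3)),
    6: ("64-QAM", 6, Fraction(3, 4)),
    7: ("64-QAM", 6, Fraction(5, 6)),
    8: ("256-QAM", 8, Fraction(3, 4)),
    9: ("256-QAM", 8, Fraction(5, 6)),
}

# Data subcarriers per OFDM symbol (N_SD) for each bandwidth mode in MHz.
N_SD = {20: 52, 40: 108, 80: 234, 160: 468}

# OFDM symbol duration in microseconds, keyed by guard interval in ns.
T_SYM_US = {800: Fraction(4), 400: Fraction(18, 5)}

# One BCC encoder carries at most 600 Mbps at the short GI, i.e.
# 600 Mbit/s * 3.6 us = 2160 data bits per symbol; above that N_ES > 1.
BITS_PER_ENCODER = 2160


def data_bits_per_symbol(mcs: int, nss: int, bw_mhz: int) -> Fraction:
    """N_DBPS for one OFDM symbol across all spatial streams."""
    _, n_bpscs, code_rate = VHT_MCS[mcs]
    return N_SD[bw_mhz] * n_bpscs * nss * code_rate


def is_valid(mcs: int, nss: int, bw_mhz: int) -> bool:
    """Apply the two BCC constraints that produce the 'Not valid' cells."""
    n_dbps = data_bits_per_symbol(mcs, nss, bw_mhz)
    if n_dbps.denominator != 1:          # e.g. 20 MHz, NSS=1, MCS 9: 346.67 bits
        return False
    bits = n_dbps.numerator
    n_es = -(-bits // BITS_PER_ENCODER)  # ceiling division: number of encoders
    return bits % n_es == 0              # e.g. 80 MHz, NSS=3, MCS 6: 3159 / 2 fails


def round_half_up(value: Fraction, places: int = 1) -> float:
    """Round exactly (avoids binary-float surprises such as round(29.25, 1) == 29.2)."""
    scale = 10 ** places
    return floor(value * scale + Fraction(1, 2)) / scale


def data_rate_mbps(mcs: int, nss: int, bw_mhz: int, gi_ns: int):
    """Data rate in Mbps as printed in the tables, or None if not valid."""
    if not is_valid(mcs, nss, bw_mhz):
        return None
    return round_half_up(data_bits_per_symbol(mcs, nss, bw_mhz) / T_SYM_US[gi_ns])


def vht_table(nss: int, bw_mhz: int):
    """Rows of (index, modulation, 800ns GI rate, 400ns GI rate) for one table."""
    rows = []
    for mcs in range(10):
        if is_valid(mcs, nss, bw_mhz):
            rows.append((mcs, VHT_MCS[mcs][0],
                         data_rate_mbps(mcs, nss, bw_mhz, 800),
                         data_rate_mbps(mcs, nss, bw_mhz, 400)))
        else:
            rows.append((mcs, "Not valid", None, None))
    return rows


if __name__ == "__main__":
    for bw in (20, 40, 80):
        for nss in (1, 2, 3, 4):
            print(f"VHT-MCS parameters ({bw} MHz, NSS={nss})")
            for mcs, mod, long_gi, short_gi in vht_table(nss, bw):
                print(f"  {mcs:>2}  {mod:<9} {long_gi!s:>7} {short_gi!s:>7}")
```

One cell differs from the computed value: Table 19 lists 263.0 Mbps for VHT-MCS 6 at 80 MHz with the 800 ns GI, while the arithmetic gives 263.25, which rounds to 263.3 as in IEEE 802.11ac-2013.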

 

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: Radio management configuration

Configuration in radio view takes precedence over configuration in AP group radio view, which in turn takes precedence over configuration in global configuration view.

Radio management tasks at a glance

Tasks at a glance (remarks in parentheses):

·         (Required.) Enabling or disabling radios
·         (Required.) Specifying a radio mode
·         (Optional.) Configuring basic radio functions (the basic radio functions are applicable to all radios):
◦  Configuring channels:
    - Specifying a working channel
    - Configuring the channel selection blacklist or whitelist
◦  Configuring antenna parameters:
    - Setting the antenna type
    - Setting the antenna gain
◦  Configuring the transmit power:
    - Setting the maximum transmit power
    - Configuring power lock
◦  Setting transmission rates
◦  Configuring beacon frames:
    - Setting the beacon interval
    - Setting the DTIM interval
◦  Configuring collision avoidance:
    - Specifying a collision avoidance mode
    - Setting the RTS threshold
◦  Configuring frame parameters:
    - Setting the fragmentation threshold
    - Setting the hardware retransmission limits
◦  Configuring access control:
    - Setting the maximum number of clients that can associate with an AP
    - Configuring access services for 802.11b clients
◦  Configuring interference avoidance:
    - Configuring 802.11g protection
    - Configuring ANI
◦  Setting the preamble type
◦  Setting the maximum transmission distance
·         (Optional.) Configuring 802.11n functions (the 802.11n functions are applicable only to 802.11an, 802.11gn, and 802.11ac radios):
◦  Specifying the A-MPDU aggregation method
◦  Specifying the A-MSDU aggregation method
◦  Configuring short GI
◦  Configuring LDPC
◦  Configuring STBC
◦  Setting MCS indexes
◦  Configuring the client dot11n-only feature
◦  Setting the 802.11n bandwidth mode
◦  Specifying a MIMO mode
◦  Configuring energy saving
◦  Configuring 802.11n protection
·         (Optional.) Configuring 802.11ac functions (the 802.11ac functions are applicable only to 802.11ac radios):
◦  Setting NSSs
◦  Configuring the client dot11ac-only feature
◦  Setting the 802.11ac bandwidth mode
◦  Configuring TxBF
·         (Optional.) Configuring the smart antenna feature

 

Enabling or disabling radios

Enabling or disabling all radios

CAUTION:

Disabling all radios terminates wireless services. Use it with caution.

 

Restrictions and guidelines

This feature takes effect only on manual APs and online auto APs.

Procedure

1. Enter system view: system-view
2. Enable or disable all radios: wlan radio { enable | disable }
   By default, radios are disabled unless they are already enabled in radio view or AP group radio view.

 

Enabling or disabling a radio in radio view

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Enable or disable the radio: radio { enable | disable }
   By default, a radio is enabled if the wlan radio enable command is executed in system view. If the wlan radio enable command is not executed in system view, a radio uses the configuration in AP group radio view.

 

Enabling or disabling a radio in AP group radio view

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Enable or disable the radio: radio { enable | disable }
   By default, a radio is disabled unless it is already enabled by using the wlan radio enable command in system view.

 

Specifying a radio mode

About radio modes

Available radio functions vary by radio mode. You can configure basic radio functions for all radios, 802.11n functions for 802.11an, 802.11gn, and 802.11ac radios, and 802.11ac functions only for 802.11ac radios.

Restrictions and guidelines

Support for channels and transmit powers depends on the radio mode. When you change the mode of a radio, the system automatically adjusts the channel and power parameters for the radio.

When you change the radio mode in AP group radio view, the default settings for the radio mode related commands are restored.

Procedure

To specify a radio mode in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Specify a radio mode: type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gn }
   By default, a radio uses the configuration in AP group radio view.

 

To specify a radio mode in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Specify a radio mode: type { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gn }
   The default setting for this command varies by device model.

 

Configuring basic radio functions

Specifying a working channel

About specifying a working channel

Perform this task to reduce interference from both wireless and non-wireless devices. You can manually specify a channel or configure the system to automatically select a channel for a radio.

When radar signals are detected on the working channel of a radio, one of the following events occurs:

·          If the channel is automatically assigned, the radio changes its channel.

·          If the channel is manually specified, the radio changes its channel, switches back to the specified channel after 30 minutes, and then starts the quiet timer. If no radar signals are detected within the quiet time, the radio starts to use the channel. If radar signals are detected within the quiet time, the radio changes its channel again.

Procedure

To specify a working channel in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Specify a working channel: channel { channel-number | auto { lock | unlock } }
   By default, a radio uses the configuration in AP group radio view.

 

To specify a working channel in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Specify a working channel: channel { channel-number | auto { lock | unlock } }
   By default, the AC automatically selects a channel for the radio and does not lock the channel.

 

Configuring the channel selection blacklist or whitelist

About the channel selection blacklist and whitelist

If you configure the blacklist for an AP, the AP will not select channels in the blacklist. If you configure the whitelist for an AP, the AP will select only channels in the whitelist. You cannot configure both the channel selection blacklist and whitelist for the same AP.

Restrictions and guidelines

This feature takes effect only on APs operating in auto channel selection mode.

Procedure

To configure the channel selection blacklist or whitelist in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Add the specified channels to the channel selection blacklist or whitelist: channel auto-select { blacklist | whitelist } channel-number
   By default, a radio uses the configuration in AP group radio view.

 

To configure the channel selection blacklist or whitelist in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Add the specified channels to the channel selection blacklist or whitelist: channel auto-select { blacklist | whitelist } channel-number
   By default, no channel selection blacklist or whitelist exists.

 

Setting the antenna type

About setting the antenna type

Perform this task to set the antenna type for an AP. The antenna type setting for an AP must be consistent with the type of the antenna used on the AP.

To ensure that the Effective Isotropic Radiated Power (EIRP) is within the correct range, the antenna gain automatically changes after you set the antenna type.

Restrictions and guidelines

Antenna types supported by an AP vary by device model.

Procedure

To set the antenna type in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the antenna type: antenna type antenna-type
   By default, a radio uses the configuration in AP group radio view.

 

To set the antenna type in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the antenna type: antenna type antenna-type
   The default antenna type for an AP varies by device model.

 

Setting the antenna gain

About setting the antenna gain

EIRP is the actual transmit power of an antenna, and it is the sum of the antenna gain and the maximum transmit power of the radio.

Procedure

To set the antenna gain in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the antenna gain: custom-antenna gain antenna-gain
   By default, a radio uses the configuration in AP group radio view.

 

To set the antenna gain in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the antenna gain: custom-antenna gain antenna-gain
   By default, the antenna gain is 0 dBi.

 

Setting the maximum transmit power

Restrictions and guidelines

The transmit power range supported by a radio varies by country code, channel, AP model, radio mode, antenna type, and bandwidth mode. If you change these attributes for a radio after you set the maximum transmit power, the configured maximum transmit power might be out of the supported transmit power range. If this happens, the system automatically adjusts the maximum transmit power to a valid value.

If you enable power lock, the locked power becomes the maximum transmit power. For more information about power lock, see "Configuring power lock."

Procedure

To set the maximum transmit power in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the maximum transmit power: max-power radio-power
   By default, a radio uses the configuration in AP group radio view.

 

To set the maximum transmit power in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the maximum transmit power: max-power radio-power
   By default, a radio uses the supported maximum transmit power.

 

Configuring power lock

About power lock

If you enable power lock, the current power is locked and becomes the maximum transmit power. The locked power still takes effect after the AC restarts.

If a radio enabled with power lock switches to a new channel that provides lower power than the locked power, the maximum power supported by the new channel takes effect.

Procedure

To configure power lock in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure power lock: power-lock { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

 

To configure power lock in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure power lock: power-lock { disable | enable }
   By default, power lock is disabled.

 

Setting transmission rates

About transmission rates

Transmission rates are classified into the following types:

·          Prohibited rates—Rates that cannot be used by an AP.

·          Mandatory rates—Rates that the clients must support to associate with an AP.

·          Supported rates—Rates that an AP supports. After a client associates with an AP, the client can select a higher rate from the supported rates to communicate with the AP. The AP lowers the transmission rate as interference, retransmissions, or dropped packets increase, and raises it as they decrease.

·          Multicast rate—Rate at which an AP transmits multicasts and broadcasts. The multicast rate must be selected from the mandatory rates.

Procedure

To set the transmission rates in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the transmission rates for the radio: rate { multicast { auto | rate-value } | { disabled | mandatory | supported } rate-value }
   By default, a radio uses the configuration in AP group radio view.

 

To set the transmission rates in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the transmission rates for the radio: rate { multicast { auto | rate-value } | { disabled | mandatory | supported } rate-value }
   The default settings are as follows:
   ·         802.11a/802.11an/802.11ac radios:
   ◦  Prohibited rates—None.
   ◦  Mandatory rates—6, 12, and 24.
   ◦  Multicast rate—Selected from the mandatory rates.
   ◦  Supported rates—9, 18, 36, 48, and 54.
   ·         802.11b radios:
   ◦  Prohibited rates—None.
   ◦  Mandatory rates—1 and 2.
   ◦  Multicast rate—Selected from the mandatory rates.
   ◦  Supported rates—5.5 and 11.
   ·         802.11g/802.11gn radios:
   ◦  Prohibited rates—None.
   ◦  Mandatory rates—1, 2, 5.5, and 11.
   ◦  Multicast rate—Selected from the mandatory rates.
   ◦  Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.

 

Setting the beacon interval

About setting the beacon interval

Perform this task to enable an AP to broadcast beacon frames at the specified interval. A short beacon interval enables clients to easily detect the AP but consumes more system resources.

Procedure

To set the beacon interval in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the beacon interval: beacon-interval interval
   By default, a radio uses the configuration in AP group radio view.

 

To set the beacon interval in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the beacon interval: beacon-interval interval
   By default, the beacon interval is 100 TU.

 

Setting the DTIM interval

About setting the DTIM interval

An AP periodically broadcasts a beacon compliant with the Delivery Traffic Indication Map (DTIM). After the AP broadcasts the beacon, it sends buffered broadcast and multicast frames based on the value of the DTIM interval. For example, if you set the DTIM interval to 5, the AP sends buffered broadcast and multicast frames every five beacon frames.

Procedure

To set the DTIM interval in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the DTIM interval: dtim counter
   By default, a radio uses the configuration in AP group radio view.

 

To set the DTIM interval in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the DTIM interval: dtim counter
   By default, the DTIM interval is 1.

 

Specifying a collision avoidance mode

About collision avoidance modes

Wireless devices operate in half duplex mode and cannot send and receive data simultaneously. To avoid collision, 802.11 allows wireless devices to send Request to Send (RTS) or Clear to Send (CTS) packets before they transmit data.

You can specify either of the following collision avoidance modes for an AP:

·          RTS/CTS—An AP sends an RTS packet to a client before sending data to the client. After receiving the RTS packet, the client sends a CTS packet to the AP. The AP begins to send data after receiving the CTS packet, and other devices that detect the RTS or CTS packet do not send data within a specific time period.

·          CTS-to-self—An AP sends a CTS packet with its own MAC address as the destination MAC address before sending data to a client. After receiving the CTS-to-self packet, the AP begins to send data, and other devices that detect the CTS-to-self packet do not send data within a specific time period. The CTS-to-self mode reduces the transmission time but might result in hidden node problems.

To ensure wireless resource efficiency, collision avoidance takes effect only when the following conditions are met:

·          The size of the packets to be sent is larger than the RTS threshold (2346 bytes by default).

·          802.11g or 802.11n protection is enabled. For more information about 802.11g or 802.11n protection, see "Configuring 802.11g protection" and "Configuring 802.11n protection."

Procedure

To specify a collision avoidance mode in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Specify a collision avoidance mode: protection-mode { cts-to-self | rts-cts }
   By default, a radio uses the configuration in AP group radio view.

 

To specify a collision avoidance mode in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Specify a collision avoidance mode: protection-mode { cts-to-self | rts-cts }
   By default, the CTS-to-self mode is used.

 

Setting the RTS threshold

About setting the RTS threshold

802.11 allows wireless devices to send Request to Send (RTS) or Clear to Send (CTS) packets to avoid collision. However, excessive RTS and CTS packets consume system resources and reduce transmission efficiency. You can set an RTS threshold to resolve this problem. The system performs collision avoidance only for packets larger than the RTS threshold.

Restrictions and guidelines

In a low-density WLAN, increase the RTS threshold to improve the network throughput and efficiency. In a high-density WLAN, decrease the RTS threshold to reduce collisions in the network.

Procedure

To set the RTS threshold in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the RTS threshold: protection-threshold size
   By default, a radio uses the configuration in AP group radio view.

 

To set the RTS threshold in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the RTS threshold: protection-threshold size
   By default, the RTS threshold is 2346 bytes.

 

Setting the fragmentation threshold

About setting the fragmentation threshold

Frames larger than the fragmentation threshold are fragmented before transmission. Frames smaller than the fragmentation threshold are transmitted without fragmentation.

When a fragment is not received, only this fragment rather than the whole frame is retransmitted.

Restrictions and guidelines

In a WLAN with heavy interference, decrease the fragmentation threshold and set the MTU (ip mtu command) of packets sent over the radio to be lower than the fragmentation threshold. This improves the network throughput and efficiency.

Procedure

To set the fragmentation threshold in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the fragmentation threshold: fragment-threshold size
   By default, a radio uses the configuration in AP group radio view.

 

To set the fragmentation threshold in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the fragmentation threshold: fragment-threshold size
   By default, the fragmentation threshold is 2346 bytes.

 

Setting the hardware retransmission limits

About the hardware retransmission limits

In wireless networks, unicast packets require acknowledgements. If a radio fails to receive the acknowledgement for a packet, it retransmits the packet.

You can set hardware retransmission limits for both large frames and small frames. Transmitting large frames requires a large buffer size and a long time because the system performs collision avoidance for large frames before transmission. Therefore, you can set a small hardware retransmission limit for large frames to save system buffer and transmission time.

Procedure

To set the hardware retransmission limits in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the hardware retransmission limit for small frames: short-retry threshold count
   By default, a radio uses the configuration in AP group radio view.
5. Set the hardware retransmission limit for large frames: long-retry threshold count
   By default, a radio uses the configuration in AP group radio view.

 

To set the hardware retransmission limits in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the hardware retransmission limit for small frames: short-retry threshold count
   By default, the hardware retransmission limit is 7 for small frames.
6. Set the hardware retransmission limit for large frames: long-retry threshold count
   By default, the hardware retransmission limit is 4 for large frames.

 

Setting the maximum number of clients that can associate with an AP

About the maximum number of associated clients on an AP

When the maximum number of clients is reached on an AP, the AP stops accepting new clients. This prevents the AP from being overloaded.

Procedure

To set the maximum number of clients that can associate with an AP in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the maximum number of clients that can associate with the AP: client max-count max-number
   By default, a radio uses the configuration in AP group radio view.

 

To set the maximum number of clients that can associate with an AP in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the maximum number of clients that can associate with the AP: client max-count max-number
   By default, no limit is set for the number of clients that can associate with an AP.

 

Configuring access services for 802.11b clients

About 802.11b client access

To prevent low-speed 802.11b clients from degrading wireless data transmission performance, you can configure an 802.11g or 802.11gn radio to deny access to 802.11b clients.

Procedure

To configure access services for 802.11b clients in radio view:

 

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure access services for 802.11b clients: client dot11b-forbidden { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

 

To configure access services for 802.11b clients in AP group radio view:

 

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure access services for 802.11b clients: client dot11b-forbidden { disable | enable }
   By default, a radio accepts 802.11b clients.

 

Configuring 802.11g protection

About 802.11g protection

When both 802.11b and 802.11g clients exist in a WLAN, transmission collision might occur because they use different modulation modes. 802.11g protection can avoid such collision. It enables 802.11g, 802.11n, or 802.11ac devices to send RTS/CTS or CTS-to-self packets to inform 802.11b clients to defer access to the medium. For more information about RTS/CTS or CTS-to-self, see "Specifying a collision avoidance mode."

802.11g, 802.11n, or 802.11ac devices send RTS/CTS or CTS-to-self packets before sending data only when 802.11b signals are detected on the channel.

802.11g protection automatically takes effect when 802.11b clients associate with an 802.11g or 802.11n (2.4 GHz) AP.

Restrictions and guidelines

This feature is applicable only to 802.11g and 802.11n (2.4 GHz) radios.

Procedure

To configure 802.11g protection in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure 802.11g protection: dot11g protection { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure 802.11g protection in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure 802.11g protection: dot11g protection { disable | enable }
   By default, 802.11g protection is disabled.

Configuring ANI

About ANI

Adaptive Noise Immunity (ANI) enables the device to adjust the anti-noise level as required by the environment to reduce interference.

Procedure

To configure ANI in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure ANI: ani { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure ANI in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure ANI: ani { disable | enable }
   By default, ANI is enabled.

Setting the preamble type

About preambles

A preamble is a set of bits in a packet header used to synchronize transmission signals between the sender and the receiver. A short preamble improves network performance, and a long preamble ensures compatibility with wireless devices that use long preambles.

Restrictions and guidelines

This feature is applicable only to 802.11b, 802.11g, and 802.11gn radios.

Procedure

To set the preamble type in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the preamble type: preamble { long | short }
   By default, a radio uses the configuration in AP group radio view.

To set the preamble type in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the preamble type: preamble { long | short }
   By default, a short preamble is used.

Setting the maximum transmission distance

About the maximum transmission distance

The strength of wireless signals gradually degrades as the transmission distance increases. The maximum transmission distance of wireless signals depends on the surrounding environment and on whether an external antenna is used.

·          Without an external antenna—About 300 meters (984.25 ft).

·          With an external antenna—30 km (18.64 miles) to 50 km (31.07 miles).

·          In an area with obstacles—35 m (114.83 ft) to 50 m (164.04 ft).

Procedure

To set the maximum transmission distance in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the maximum transmission distance: distance distance
   By default, a radio uses the configuration in AP group radio view.

To set the maximum transmission distance in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the maximum transmission distance: distance distance
   By default, the maximum transmission distance is 1 km (0.62 miles).

Enabling the continuous mode for a radio

About the continuous mode

This feature is used for network testing only. Do not use it under any other circumstances.

The feature enables continuous data packet sending at the specified rate. When the feature is enabled, do not perform any other operations except for changing the transmit rate.
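Because the continuous mode keeps a radio transmitting and is meant for testing only, an operator will want a way to confirm that it has not been left enabled and that options which do not apply to a radio type are not present. The following Python is an added example, not H3C code or part of this guide: it lints a constructed per-radio configuration against the applicability rules this chapter states for the continuous-mode options (given in the procedure below), for 802.11g protection and for the preamble type. The radio-type labels (802.11b, 802.11g, 802.11gn, 802.11an, 802.11ac), the line-based representation of the configuration and the sample AP are assumptions.

```python
# Added example, not H3C code: lint per-radio configuration lines against the
# applicability rules stated in this chapter. The radio-type labels and the
# line-based representation of the configuration are assumptions.

# Assumed radio-type labels, modelled on the names this chapter uses.
DOT11N_RADIOS = {"802.11gn", "802.11an"}            # 802.11n at 2.4 GHz / 5 GHz
DOT11AC_RADIOS = {"802.11ac"}
DOT11G_PROTECTION_RADIOS = {"802.11g", "802.11gn"}  # 802.11g and 802.11n (2.4 GHz)
PREAMBLE_RADIOS = {"802.11b", "802.11g", "802.11gn"}

CONTINUOUS_MODE_FINDING = ("critical", "continuous-mode is enabled (test-only feature)")


def lint_radio(radio_type, lines):
    """Return a list of (severity, message) findings for one radio.

    lines: configuration lines as they would appear under a radio view,
    for example "continuous-mode rate 54" (constructed input, not a capture).
    """
    findings = []
    for line in lines:
        words = line.split()
        if not words:
            continue
        head = words[0]
        if head == "continuous-mode":
            # The chapter marks this mode as for network testing only: the radio
            # keeps transmitting at the given rate, so a production radio with
            # this line present is a misconfiguration worth raising loudly.
            findings.append(CONTINUOUS_MODE_FINDING)
            option = words[1] if len(words) > 1 else ""
            if option == "mcs" and radio_type not in (DOT11N_RADIOS | DOT11AC_RADIOS):
                findings.append(("error", "continuous-mode mcs applies only to 802.11n and 802.11ac radios"))
            elif option == "nss" and radio_type not in DOT11AC_RADIOS:
                findings.append(("error", "continuous-mode nss/vht-mcs applies only to 802.11ac radios"))
        elif head == "dot11g" and radio_type not in DOT11G_PROTECTION_RADIOS:
            findings.append(("error", "dot11g protection applies only to 802.11g and 802.11n (2.4 GHz) radios"))
        elif head == "preamble" and radio_type not in PREAMBLE_RADIOS:
            findings.append(("error", "preamble applies only to 802.11b, 802.11g, and 802.11gn radios"))
    return findings


def lint_ap(radios):
    """radios: {radio_id: (radio_type, [lines])}. Returns {radio_id: findings}
    for the radios that have at least one finding."""
    report = {}
    for radio_id, (radio_type, lines) in radios.items():
        findings = lint_radio(radio_type, lines)
        if findings:
            report[radio_id] = findings
    return report


# Constructed sample AP: radio 1 is a 2.4 GHz 802.11gn radio left in continuous
# mode; radio 2 is a 5 GHz 802.11ac radio carrying settings that only apply
# to 2.4 GHz radios plus a continuous-mode line; radio 3 is clean.
SAMPLE_AP = {
    1: ("802.11gn", ["preamble short", "continuous-mode mcs 7"]),
    2: ("802.11ac", ["dot11g protection enable", "preamble long",
                     "continuous-mode nss 2 vht-mcs 9"]),
    3: ("802.11an", ["client max-count 32", "a-mpdu enable"]),
}

if __name__ == "__main__":
    for radio_id, findings in lint_ap(SAMPLE_AP).items():
        for severity, message in findings:
            print(f"radio {radio_id}: [{severity}] {message}")
```

Running the sample reports one critical finding for radio 1, two errors and one critical finding for radio 2, and nothing for radio 3. Feeding it the radio-view lines of a real running configuration is left to the reader, since the exact layout of that output is not described in this chapter.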

Procedure

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Enable the continuous mode for a radio: continuous-mode { mcs mcs-index | nss nss-index vht-mcs vhtmcs-index | rate rate-value }
   By default, the continuous mode is disabled.
   The rate rate-value option applies to all radio types. The mcs mcs-index option applies only to 802.11n and 802.11ac radios. The nss nss-index vht-mcs vhtmcs-index option applies only to 802.11ac radios.

Performing on-demand channel usage measurement

About on-demand channel usage measurement

This feature enables an AP to scan supported channels and display the channel usage after scanning. It takes about one second to scan a channel.

Procedure

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Perform on-demand channel usage measurement: channel-usage measure

Configuring 802.11n functions

NOTE:

Support for 802.11n functions depends on the device model.

Specifying the A-MPDU aggregation method

About MPDU aggregation

A MAC Protocol Data Unit (MPDU) is a data frame in 802.11 format. MPDU aggregation combines multiple MPDUs into one aggregate MPDU (A-MPDU) to reduce the overhead of per-frame control information, ACK frames, and Physical Layer Convergence Procedure (PLCP) headers. This improves network throughput and channel efficiency.

All MPDUs in an A-MPDU must have the same QoS priority, source address, and destination address.

Procedure

To specify the A-MPDU aggregation method in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Specify the A-MPDU aggregation method: a-mpdu { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To specify the A-MPDU aggregation method in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Specify the A-MPDU aggregation method: a-mpdu { disable | enable }
   By default, the A-MPDU aggregation method is disabled.

Specifying the A-MSDU aggregation method

About MSDU aggregation

MSDU aggregation aggregates multiple MSDUs into one aggregate MSDU (A-MSDU) to reduce PLCP preamble, PLCP header, and MAC header overheads. This improves network throughput and frame forwarding efficiency.

All MSDUs in an A-MSDU must have the same QoS priority, source address, and destination address. When a device receives an A-MSDU, it restores the A-MSDU to multiple MSDUs for processing.

Procedure

To specify the A-MSDU aggregation method in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Specify the A-MSDU aggregation method: a-msdu { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To specify the A-MSDU aggregation method in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Specify the A-MSDU aggregation method: a-msdu { disable | enable }
   By default, the A-MSDU aggregation method is enabled.

Configuring short GI

About short GI

802.11 OFDM splits frames into data blocks for transmission and inserts a guard interval (GI) between consecutive blocks so that their transmissions do not interfere with each other and tolerate transmission delays.

The GI used by 802.11a/g is 800 ns. 802.11n supports a short GI of 400 ns, which provides a 10% increase in data rate.

Both the 20 MHz and 40 MHz bandwidth modes support short GI.

Procedure

To configure short GI in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure short GI: short-gi { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure short GI in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure short GI: short-gi { disable | enable }
   By default, short GI is enabled.

Configuring LDPC

About LDPC

802.11n introduces the Low-Density Parity Check (LDPC) mechanism to increase the signal-to-noise ratio and enhance transmission quality. LDPC takes effect only when both ends support LDPC.

Procedure

To configure LDPC in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-number
4. Configure LDPC: ldpc { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure LDPC in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure LDPC: ldpc { disable | enable }
   By default, LDPC is disabled.

Configuring STBC

About STBC

The Space-Time Block Coding (STBC) mechanism enhances the reliability of data transmission and does not require clients to have high transmission rates.

Procedure

To configure STBC in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-number
4. Configure STBC: stbc { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure STBC in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure STBC: stbc { disable | enable }
   By default, STBC is enabled.

Setting MCS indexes

About MCS indexes

802.11n clients use the rate corresponding to the MCS index to send unicast frames. 802.11a/b/g clients use the 802.11a/b/g rate to send unicast frames.

If you do not set a multicast MCS index, 802.11n clients and the AP use the 802.11a/b/g multicast rate to send multicast frames. If you set a multicast MCS index, one of following events occurs:

·          The AP and clients use the rate corresponding to the multicast MCS index to send multicast frames if only 802.11n and 802.11ac clients exist.

·          The AP and clients use the 802.11a/b/g multicast rate to send multicast frames if any 802.11a/b/g clients exist.

When you set the maximum mandatory or supported MCS index, you are specifying a range. For example, if you set the maximum mandatory MCS index to 5, rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.

Restrictions and guidelines

The multicast MCS index cannot be greater than the maximum mandatory MCS index.

The maximum supported MCS index cannot be smaller than the maximum mandatory MCS index.

Procedure

To set MCS indexes in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the maximum mandatory MCS index: dot11n mandatory maximum-mcs index
   The default settings are as follows:
   ·  No maximum mandatory MCS index is set if the maximum supported MCS index is set.
   ·  The radio uses the configuration in AP group radio view if the maximum supported MCS index is not set.
5. Set the maximum supported MCS index: dot11n support maximum-mcs index
   The default settings are as follows:
   ·  The maximum supported MCS index is 76 if the maximum mandatory MCS index is set.
   ·  The radio uses the configuration in AP group radio view if the maximum mandatory MCS index is not set.
6. Set the multicast MCS index: dot11n multicast-mcs index
   The default settings are as follows:
   ·  No multicast MCS index is set if the maximum supported MCS index or the maximum mandatory MCS index is set.
   ·  The radio uses the configuration in AP group radio view if neither the maximum supported MCS index nor the maximum mandatory MCS index is set.

To set MCS indexes in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the maximum mandatory MCS index: dot11n mandatory maximum-mcs index
   By default, no maximum mandatory MCS index is set.
6. Set the maximum supported MCS index: dot11n support maximum-mcs index
   By default, the maximum supported MCS index is 76.
7. Set the multicast MCS index: dot11n multicast-mcs index
   By default, no multicast MCS index is set.

Configuring the client dot11n-only feature

About the client dot11n-only feature

To prevent low-speed 802.11a/b/g clients from decreasing wireless data transmission performance, you can enable the client dot11n-only feature for an AP to accept only 802.11n and 802.11ac clients.

Procedure

To configure the client dot11n-only feature in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure the client dot11n-only feature: client dot11n-only { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure the client dot11n-only feature in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure the client dot11n-only feature: client dot11n-only { disable | enable }
   By default, the client dot11n-only feature is disabled.

Setting the 802.11n bandwidth mode

About 802.11n bandwidth modes

802.11n uses the channel structure of 802.11a/b/g, but it increases the number of data subchannels in each 20 MHz channel to 52. This improves data transmission rate.

802.11n binds two adjacent 20 MHz channels to form a 40 MHz channel (one primary channel and one secondary channel). This provides a simple way to double the data rate.

If the current channel of a radio does not support the specified bandwidth mode, the radio clears the channel configuration and selects another channel.

If the bandwidth mode is set to 40 MHz, the radio uses the 40 MHz bandwidth if two adjacent channels that can be bound together exist. If there are no adjacent channels that can be bound together, the radio uses the 20 MHz bandwidth.

Procedure

To set the 802.11n bandwidth mode in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the 802.11n bandwidth mode: channel band-width { 20 | 40 [ auto-switch ] }
   By default, a radio uses the configuration in AP group radio view.
   Only 802.11gn radios support the auto-switch keyword.

To set the 802.11n bandwidth mode in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the 802.11n bandwidth mode: channel band-width { 20 | 40 [ auto-switch ] }
   By default, the bandwidth mode is 40 MHz for 802.11an radios and 20 MHz for 802.11gn radios.
   Only 802.11gn radios support the auto-switch keyword.

Specifying a MIMO mode

NOTE:

The number of spatial streams supported by a radio varies by device model.

About MIMO modes

Multiple-input and multiple-output (MIMO) enables a radio to send and receive wireless signals through multiple spatial streams. This improves system capacity and spectrum usage without requiring higher bandwidth.

A radio can operate in one of the following MIMO modes:

·          1x1—Sends and receives wireless signals through one spatial stream.

·          2x2—Sends and receives wireless signals through two spatial streams.

·          3x3—Sends and receives wireless signals through three spatial streams.

·          4x4—Sends and receives wireless signals through four spatial streams.

Procedure

To specify a MIMO mode in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Specify a MIMO mode: mimo { 1x1 | 2x2 | 3x3 | 4x4 }
   By default, a radio uses the configuration in AP group radio view.

To specify a MIMO mode in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Specify a MIMO mode: mimo { 1x1 | 2x2 | 3x3 | 4x4 }
   The default MIMO mode for a radio varies by device model.

Configuring energy saving

About energy saving

After you enable the energy-saving feature, the MIMO mode of a radio automatically changes to 1x1 if no clients associate with the radio.

Procedure

To configure energy saving in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure energy saving: green-energy-management { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure energy saving in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure energy saving: green-energy-management { disable | enable }
   By default, energy saving is disabled.

Configuring 802.11n protection

About 802.11n protection

When both 802.11n and non-802.11n clients exist in a WLAN, transmission collision might occur because they use different modulation modes. 802.11n protection can avoid such collision. It enables 802.11n devices to send RTS/CTS or CTS-to-self packets to inform non-802.11n clients to defer access to the medium. For more information about RTS/CTS or CTS-to-self, see "Specifying a collision avoidance mode."

802.11n devices send RTS/CTS or CTS-to-self packets before sending data only when non-802.11n signals are detected on the channel.

802.11n protection automatically takes effect when non-802.11n clients associate with an 802.11n AP.

NOTE:

802.11n devices refer to 802.11n and 802.11ac devices.

Procedure

To configure 802.11n protection in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure 802.11n protection: dot11n protection { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure 802.11n protection in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure 802.11n protection: dot11n protection { disable | enable }
   By default, 802.11n protection is disabled.

Configuring 802.11ac functions

NOTE:

Support for 802.11ac depends on the device model.

Setting NSSs

About NSSs

If the AP supports an NSS, it supports all VHT-MCS indexes for the NSS. 802.11ac clients use the rate corresponding to the VHT-MCS index for the NSS to send unicast frames. Non-802.11ac clients use the 802.11a/b/g/n rate to send unicast frames.

If you do not set a multicast NSS, 802.11ac clients and the AP use the 802.11a/b/g/n multicast rate to send multicast frames. If you set a multicast NSS and specify a VHT-MCS index, the following situations occur:

·          The AP and clients use the rate corresponding to the VHT-MCS index to send multicast frames if all clients are 802.11ac clients.

·          The AP and clients use the 802.11a/b/g/n multicast rate to send multicast frames if any non-802.11ac clients exist.

The maximum mandatory NSS or supported NSS determines a range of 802.11 rates. For example, if the maximum mandatory NSS is 5, rates corresponding to VHT-MCS indexes for NSSs 1 through 5 will be 802.11ac mandatory rates.

Restrictions and guidelines

The maximum supported NSS cannot be smaller than the maximum mandatory NSS and the multicast NSS cannot be greater than the maximum mandatory NSS.
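The ordering rules for MCS indexes (in "Setting MCS indexes") and for NSSs (above) have the same shape: the maximum supported value may not be smaller than the maximum mandatory value, and the multicast value may not be greater than the maximum mandatory value. The following Python is an added example, not H3C code or part of this guide; it checks both rule sets with the chapter's defaults (76 and 8), expands a maximum value into the mandatory range it configures (0 through N for MCS indexes, 1 through N for NSSs), and decides whether the indexed multicast rate or the legacy rate is used for a given client mix. The client standard labels and the Python data model are assumptions.

```python
# Added example, not H3C code: check 802.11n MCS and 802.11ac NSS settings
# against the ordering rules in "Setting MCS indexes" and "Setting NSSs",
# expand a maximum value into the range it configures, and pick the multicast
# rate from the client mix. The defaults 76 and 8 are the chapter's; None means
# "not set". The client standard labels are an assumption.

MCS_SUPPORTED_DEFAULT = 76   # default maximum supported MCS index (802.11n)
NSS_SUPPORTED_DEFAULT = 8    # default maximum supported NSS (802.11ac)

# Client standards that may use the indexed multicast rate (assumed labels).
DOT11N_MULTICAST_CLIENTS = {"802.11n", "802.11ac"}   # multicast MCS index
DOT11AC_MULTICAST_CLIENTS = {"802.11ac"}             # multicast NSS / VHT-MCS


def check_index_settings(mandatory_max, supported_max, multicast, supported_default, label):
    """Shared rule check: supported >= mandatory and multicast <= mandatory.

    Returns a list of violation strings; an empty list means the settings are
    consistent. `label` names the setting in the messages.
    """
    errors = []
    supported = supported_default if supported_max is None else supported_max
    if mandatory_max is not None and supported < mandatory_max:
        errors.append(f"maximum supported {label} ({supported}) is smaller than "
                      f"the maximum mandatory {label} ({mandatory_max})")
    if multicast is not None and mandatory_max is not None and multicast > mandatory_max:
        errors.append(f"multicast {label} ({multicast}) is greater than "
                      f"the maximum mandatory {label} ({mandatory_max})")
    return errors


def check_mcs(mandatory_max=None, supported_max=None, multicast=None):
    """Rules for dot11n mandatory maximum-mcs / support maximum-mcs / multicast-mcs."""
    return check_index_settings(mandatory_max, supported_max, multicast,
                                MCS_SUPPORTED_DEFAULT, "MCS index")


def check_nss(mandatory_max=None, supported_max=None, multicast_nss=None):
    """Rules for dot11ac mandatory maximum-nss / support maximum-nss / multicast-nss."""
    return check_index_settings(mandatory_max, supported_max, multicast_nss,
                                NSS_SUPPORTED_DEFAULT, "NSS")


def mandatory_mcs_indexes(mandatory_max):
    """MCS indexes made mandatory by 'dot11n mandatory maximum-mcs N': 0 through N."""
    return list(range(0, mandatory_max + 1))


def mandatory_nss_values(mandatory_max):
    """NSS values made mandatory by 'dot11ac mandatory maximum-nss N': 1 through N."""
    return list(range(1, mandatory_max + 1))


def multicast_rate(clients, multicast_index, allowed):
    """Which multicast rate the AP and clients use.

    clients: standard label of each associated client, e.g. "802.11g".
    multicast_index: the configured multicast MCS index or NSS, or None.
    allowed: DOT11N_MULTICAST_CLIENTS or DOT11AC_MULTICAST_CLIENTS.
    Returns "indexed" only when an index is set and every client may use it;
    any other client present forces the legacy (802.11a/b/g or a/b/g/n) rate.
    """
    if multicast_index is None:
        return "legacy"
    if all(client in allowed for client in clients):
        return "indexed"
    return "legacy"
```

A configuration that passes these checks can still deliver multicast at the legacy rate: one 802.11g client on the radio is enough to force it, which is why the client mix and not only the configured indexes decides the rate.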

Procedure

To set NSSs in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the maximum mandatory NSS: dot11ac mandatory maximum-nss nss-number
   The default settings are as follows:
   ·  If the multicast NSS or the maximum supported NSS is set, no maximum mandatory NSS is set.
   ·  If neither the multicast NSS nor the maximum supported NSS is set, the radio uses the configuration in AP group radio view.
5. Set the maximum supported NSS: dot11ac support maximum-nss nss-number
   The default settings are as follows:
   ·  If the multicast NSS or the maximum mandatory NSS is set, the maximum supported NSS is 8.
   ·  If neither the multicast NSS nor the maximum mandatory NSS is set, the radio uses the configuration in AP group radio view.
6. Set the multicast NSS and specify a VHT-MCS index: dot11ac multicast-nss nss-number vht-mcs index
   The default settings are as follows:
   ·  If the maximum supported NSS or the maximum mandatory NSS is set, no multicast NSS is set.
   ·  If neither the maximum supported NSS nor the maximum mandatory NSS is set, the radio uses the configuration in AP group radio view.

To set NSSs in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the maximum mandatory NSS: dot11ac mandatory maximum-nss nss-number
   By default, no maximum mandatory NSS is set.
6. Set the maximum supported NSS: dot11ac support maximum-nss nss-number
   By default, the maximum supported NSS is 8.
7. Set the multicast NSS and specify a VHT-MCS index: dot11ac multicast-nss nss-number vht-mcs index
   By default, no multicast NSS is set.

Configuring the client dot11ac-only feature

About the client dot11ac-only feature

To prevent low-speed 802.11a/b/g/n clients from decreasing wireless data transmission performance, you can enable the client dot11ac-only feature for an AP to accept only 802.11ac clients.
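The client dot11ac-only feature is the last of a family of per-radio admission controls in this chapter: client max-count, client dot11b-forbidden, client dot11n-only and client dot11ac-only, each resolved through the rule that a radio uses the AP group radio view configuration unless the radio view overrides it. The following Python is an added example, not H3C code or part of this guide; it models those controls together, including the order in which they reject a client, and reports which of 802.11g protection and 802.11n protection would take effect for the associated client mix. The standard labels, the dict-based settings and the ranking of 802.11a alongside 802.11g are assumptions.

```python
# Added example, not H3C code: a model of the per-radio client admission
# controls described in this chapter (client max-count, client
# dot11b-forbidden, client dot11n-only, client dot11ac-only), the rule that a
# radio uses the AP group radio view configuration unless a radio-view setting
# overrides it, and the client mix under which 802.11g and 802.11n protection
# take effect. The client standard labels and the dict-based settings are
# assumptions.

# Assumed ordering of client standards. 802.11a is legacy OFDM at 5 GHz and
# ranks with 802.11g for the features modelled here.
RANK = {"802.11b": 0, "802.11a": 1, "802.11g": 1, "802.11n": 2, "802.11ac": 3}


def effective(radio_value, group_value, default):
    """Radio-view setting if present, else the AP group radio-view setting,
    else the chapter's stated default."""
    if radio_value is not None:
        return radio_value
    if group_value is not None:
        return group_value
    return default


class RadioAdmission:
    """Admission decisions for one radio. band is "2.4" or "5"."""

    def __init__(self, band, radio_cfg=None, group_cfg=None):
        radio_cfg = radio_cfg or {}
        group_cfg = group_cfg or {}
        self.band = band
        self.clients = []

        def setting(key, default):
            return effective(radio_cfg.get(key), group_cfg.get(key), default)

        self.max_count = setting("max-count", None)        # None: no limit
        self.dot11b_forbidden = setting("dot11b-forbidden", False)
        self.dot11n_only = setting("dot11n-only", False)
        self.dot11ac_only = setting("dot11ac-only", False)

    def admit(self, standard):
        """Return (accepted, reason); the client is recorded when accepted."""
        rank = RANK[standard]
        if self.max_count is not None and len(self.clients) >= self.max_count:
            return False, "max-count reached"      # AP stops accepting new clients
        if self.dot11ac_only and rank < RANK["802.11ac"]:
            return False, "dot11ac-only"
        if self.dot11n_only and rank < RANK["802.11n"]:
            return False, "dot11n-only"
        if self.dot11b_forbidden and rank == RANK["802.11b"]:
            return False, "dot11b-forbidden"
        self.clients.append(standard)
        return True, "accepted"

    def protection_triggered(self):
        """Protection mechanisms the associated mix would trigger, assuming
        the radio is 802.11n-capable and the features are enabled."""
        ranks = [RANK[c] for c in self.clients]
        active = set()
        if self.band == "2.4" and RANK["802.11b"] in ranks:
            active.add("802.11g")   # 802.11b client on a 2.4 GHz 802.11g/802.11n radio
        if any(r < RANK["802.11n"] for r in ranks):
            active.add("802.11n")   # non-802.11n client on an 802.11n radio
        return active


if __name__ == "__main__":
    # Constructed scenario: group forbids 802.11b, radio view caps clients at 2.
    radio = RadioAdmission("2.4", radio_cfg={"max-count": 2},
                           group_cfg={"dot11b-forbidden": True})
    for std in ("802.11b", "802.11g", "802.11n", "802.11n"):
        print(std, radio.admit(std))
    print("protection:", radio.protection_triggered())
```

The check order matters for capacity planning: the client limit is enforced before the standard-based filters, so a full radio rejects an 802.11ac client with "max-count reached" rather than with a standard-related reason.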

Procedure

To configure the client dot11ac-only feature in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure the client dot11ac-only feature: client dot11ac-only { disable | enable }
   By default, a radio uses the configuration in AP group radio view.

To configure the client dot11ac-only feature in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure the client dot11ac-only feature: client dot11ac-only { disable | enable }
   By default, the client dot11ac-only feature is disabled.

Setting the 802.11ac bandwidth mode

About 802.11ac bandwidth modes

802.11ac uses the channel structure of 802.11n and increases the maximum bandwidth from 40 MHz to 160 MHz. 802.11ac can bind two adjacent 20/40/80 MHz channels to form a 40/80/160 MHz channel.

The radio uses the specified 40/80/160 MHz bandwidth if adjacent channels can be bound to form a 40/80/160 MHz channel. If adjacent channels cannot form a 40/80/160 MHz channel, the radio uses the next available bandwidth less than the specified one.

For example, the bandwidth mode is set to 80 MHz. The radio uses the 80 MHz bandwidth if adjacent channels that can be bound together exist. If adjacent channels that can be bound to an 80 MHz channel do not exist, but two adjacent channels that can be bound to a 40 MHz channel exist, the 40 MHz bandwidth is used. If no adjacent channels that can be bound together exist, the radio uses the 20 MHz bandwidth.

When the bandwidth mode is set to 80+80 MHz, the radio uses the 160 MHz bandwidth if two adjacent 80 MHz channels that can be bound together exist. If a 160 MHz channel cannot be formed but two non-adjacent 80 MHz channels are available, the radio uses the two 80 MHz channels to achieve the 160 MHz bandwidth.

If the working channel is specified, you can specify the secondary 80 MHz channel for the 160 MHz or 80+80 MHz bandwidth mode. If no working channel is specified, the device automatically selects a secondary channel. The working channel forwards all packets and the secondary channel forwards only data packets.
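The fallback described above (80 MHz to 40 MHz to 20 MHz, and 160 MHz or 80+80 MHz when two 80 MHz channels are available) and the simpler 40 MHz to 20 MHz case in "Setting the 802.11n bandwidth mode" follow one rule: use the widest bindable bandwidth that is not wider than the configured one. The following Python is an added example, not H3C code or part of this guide; it derives which contiguous widths a 5 GHz primary channel can form from a constructed set of free channels and applies that rule. The channel-plan alignment it uses (channels numbered 36 + 4i, blocks aligned to powers of two) is a simplification and, like the function names, an assumption.

```python
# Added example, not H3C code: model the bandwidth fallback this chapter
# describes for the 802.11n (20/40 MHz) and 802.11ac (20/40/80/160 and
# 80+80 MHz) bandwidth modes. How "adjacent channels that can be bound" is
# represented is an assumption: the caller passes the set of contiguous widths
# the primary channel can form, and whether a second, non-adjacent 80 MHz
# channel is free for 80+80 operation. bindable_widths() derives that set from
# a simplified 5 GHz channel plan (channels numbered 36 + 4i; a block of 2^k
# channels must start at an index that is a multiple of 2^k).

WIDTHS = (20, 40, 80, 160)   # contiguous bandwidths, increasing


def bindable_widths(primary, free_channels):
    """Contiguous widths (MHz) that `primary` can form when every 20 MHz
    channel in the aligned block is in `free_channels`. 20 MHz is implied."""
    idx = (primary - 36) // 4
    widths = set()
    for k, width in ((1, 40), (2, 80), (3, 160)):
        n = 2 ** k
        start = idx - idx % n
        block = {36 + 4 * i for i in range(start, start + n)}
        if block <= free_channels:
            widths.add(width)
    return widths


def effective_bandwidth(requested, bindable, second_80_free=False):
    """Return (bandwidth_mhz, mode) for a configured bandwidth mode.

    requested: 20, 40, 80, 160, or "dual-80" (the 80+80 MHz mode).
    bindable: widths from bindable_widths(); 20 MHz is always available.
    second_80_free: a non-adjacent second 80 MHz channel is available.
    mode is "contiguous" or "80+80".
    """
    if requested == "dual-80":
        # Prefer a contiguous 160 MHz channel, then two separate 80 MHz ones.
        if 160 in bindable:
            return 160, "contiguous"
        if 80 in bindable and second_80_free:
            return 160, "80+80"
        target = 80
    elif requested in WIDTHS:
        target = requested
    else:
        raise ValueError(f"unsupported bandwidth mode: {requested!r}")
    # Fall back to the widest bindable width not wider than the request.
    for width in reversed(WIDTHS):
        if width <= target and (width == 20 or width in bindable):
            return width, "contiguous"
    raise AssertionError("unreachable: 20 MHz is always available")


if __name__ == "__main__":
    # Constructed scenario: channels 44 and 48 are free, 36 and 40 are not.
    widths = bindable_widths(44, {44, 48})
    print(widths, effective_bandwidth(80, widths))   # {40} (40, 'contiguous')
```

The same function covers the 802.11n case: a request for 40 MHz on a channel whose partner cannot be bound yields 20 MHz, which is the behaviour stated for that mode.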

If the current channel of a radio does not support the specified bandwidth mode, the radio clears the channel configuration and selects another channel.

NOTE:

Support for the 160 MHz and 80+80 MHz bandwidth modes depends on the device model.

Figure 8 802.11ac bandwidth modes

Procedure

To set the 802.11ac bandwidth mode in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Set the 802.11ac bandwidth mode: channel band-width { 20 | 40 | 80 | { 160 | dual-80 } [ secondary-channel channel-number ] }
   By default, a radio uses the configuration in AP group radio view.

To set the 802.11ac bandwidth mode in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Set the 802.11ac bandwidth mode: channel band-width { 20 | 40 | 80 | { 160 | dual-80 } [ secondary-channel channel-number ] }
   By default, the bandwidth mode is 80 MHz and 20 MHz for 802.11ac radios.

Configuring TxBF

NOTE:

Support for this feature depends on the AP model.

About TxBF

Transmit beamforming (TxBF) enables an AP to adjust transmitting parameters based on the channel information to focus RF signals on intended clients. This feature improves the RF signal quality. TxBF includes single-user TxBF and multi-user TxBF.

·          Single-user TxBF—Single-user TxBF enables an AP to improve the signal to one intended client. Single-user TxBF is applicable to WLANs that have widely spread clients, poor network quality, and serious signal attenuation.

·          Multi-user TxBF—Multi-user TxBF is part of 802.11ac Wave2. Multi-user TxBF enables an AP to focus different RF signals on their intended clients to reduce interference and transmission delay. This improves traffic throughput and bandwidth usage. Multi-user TxBF is applicable to WLANs that have a large number of clients and require high bandwidth usage and low transmission delay.

Procedure

To configure TxBF in radio view:

1. Enter system view: system-view
2. Enter AP view: wlan ap ap-name
3. Enter radio view: radio radio-id
4. Configure single-user TxBF: su-txbf { disable | enable }
   By default, a radio uses the configuration in AP group radio view.
5. Configure multi-user TxBF: mu-txbf { disable | enable }
   By default, a radio uses the configuration in AP group radio view.
   Multi-user TxBF takes effect only when single-user TxBF is enabled.

To configure TxBF in AP group radio view:

1. Enter system view: system-view
2. Enter AP group view: wlan ap-group group-name
3. Enter AP model view: ap-model ap-model
4. Enter radio view: radio radio-id
5. Configure single-user TxBF: su-txbf { disable | enable }
   By default, single-user TxBF is enabled.
6. Configure multi-user TxBF: mu-txbf { disable | enable }
   By default, multi-user TxBF is enabled.
   Multi-user TxBF takes effect only when single-user TxBF is enabled.

Configuring the smart antenna feature

NOTE:

Support for this feature depends on the device model.

About the smart antenna feature

This feature is applicable only to 802.11n and 802.11ac radios.

The smart antenna feature enables an AP to automatically adjust the antenna parameters based on the client location and channel information to improve signal quality and stability.

You can configure a radio to operate in one of the following smart antenna modes:

·          auto—Uses the high availability mode for audio and video packets, and uses the high throughput mode for other packets.

·          high-availability—Applicable to WLANs that require stable bandwidth, this mode reduces noise and interference impacts, and provides guaranteed bandwidth for clients.

·          high-throughput—Applicable to WLANs that require high performance, this mode enhances signal strength and association capability.

Procedure

To configure the smart antenna feature in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable the smart antenna feature.

smart antenna enable

By default, a radio uses the configuration in AP group radio view.

5.       Specify a smart antenna mode.

smart-antenna policy { auto | high-availability | high-throughput }

By default, a radio uses the configuration in AP group radio view.

 

To configure the smart antenna feature in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enable the smart antenna feature.

smart antenna enable

By default, the smart antenna feature is enabled.

6.       Specify a smart antenna mode.

smart-antenna policy { auto | high-availability | high-throughput }

By default, the auto mode is used.

 

Display and maintenance commands for radio management

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display AP radio information.

display wlan ap { all | name ap-name } radio [ frequency-band { 5 | 2.4 } ]

Display radio channel information.

display wlan ap { all | name ap-name } radio channel

Display radio type information.

display wlan ap { all | name ap-name } radio type

Display radio statistics.

display wlan ap { all | name ap-name } radio-statistics

Clear radio statistics.

reset wlan ap { all | name ap-name } radio-statistics

 

Radio management configuration examples

Example: Configuring basic radio function

Network requirements

As shown in Figure 9, create a manual AP and set the radio mode, working channel, and maximum transmit power to 802.11gn, channel 11, and 19 dBm, respectively.

Figure 9 Network diagram

 

Configuration procedure

# Create manual AP ap1, and specify its model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Enter radio view of radio 2.

[AC-wlan-ap-ap1] radio 2

# Set the radio mode to dot11gn.

[AC-wlan-ap-ap1-radio-2] type dot11gn

# Configure radio 2 to work on channel 11.

[AC-wlan-ap-ap1-radio-2] channel 11

# Set the maximum transmit power to 19 dBm.

[AC-wlan-ap-ap1-radio-2] max-power 19

# Enable radio 2.

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] return

Verifying the configuration

# Display information about all radios.

<AC> display wlan ap all verbose

Total number of APs: 1

Total number of connected APs: 1

Total number of connected manual APs: 1

Total number of connected auto APs: 0

Total number of connected common APs: 1

Total number of connected WTUs: 0

Total number of inside APs: 0

Maximum supported APs: 256

Remaining APs: 255

Total AP licenses: 128

Local AP licenses: 2

Server AP licenses: 0

Remaining local AP licenses: 127

Sync AP licenses: 0

 

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup Type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA2620-WiNet

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A0CNC138011454

MAC address                   : 0AFB-423B-893C

IP address                    : 192.168.1.50

UDP control port number       : 65488

UDP data port number          : N/A

H/W version                   : Ver.C

S/W version                   : V700R001B49D001

Boot version                  : 1.01

USB state                     : N/A

Power level                   : N/A

Power info                    : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

discovery-response wait-time  : 2 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

CAPWAP data-tunnel status     : Down

Discovery type                : Static Configuration

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Current AC IP                 : N/A

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

Data-tunnel encryption        : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11ac

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 0

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : –102 dBm

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Up

    Radio type                : 802.11n(2.4GHz)

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Active band-width         : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 11

    Channel usage(%)          : 0

    Max power                 : 19 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : –105 dBm

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Example: Configuring 802.11n

Network requirements

As shown in Figure 10, specify radio 1 on the AP as an 802.11an radio, and enable the A-MSDU and A-MPDU aggregation methods on the radio.

Figure 10 Network diagram

 

Configuration procedure

# Create manual AP ap1, and specify its model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Enter radio view of radio 1 on AP 1, and specify the radio as an 802.11an radio.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] type dot11an

# Enable the A-MPDU and A-MSDU aggregation methods.

[AC-wlan-ap-ap1-radio-1] a-mpdu enable

[AC-wlan-ap-ap1-radio-1] a-msdu enable

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Display information about radios on AP 1.

<AC> display wlan ap name ap1 verbose

AP name                       : ap1

AP ID                         : 1

AP group name                 : default-group

State                         : Run

Backup Type                   : Master

Online time                   : 0 days 1 hours 25 minutes 12 seconds

System up time                : 0 days 2 hours 22 minutes 12 seconds

Model                         : WA2620-WiNet

Region code                   : CN

Region code lock              : Disable

Serial ID                     : 219801A0CNC138011454

MAC address                   : 0AFB-423B-893C

IP address                    : 192.168.1.50

UDP control port number       : 65488

UDP data port number          : N/A

H/W version                   : Ver.C

S/W version                   : V700R001B49D001

Boot version                  : 1.01

USB state                     : N/A

Power level                   : N/A

Power info                    : N/A

Description                   : wtp1

Priority                      : 4

Echo interval                 : 10 seconds

Echo count                    : 3 counts

Keepalive interval            : 10 seconds

discovery-response wait-time  : 2 seconds

Statistics report interval    : 50 seconds

Fragment size (data)          : 1500

Fragment size (control)       : 1450

MAC type                      : Local MAC & Split MAC

Tunnel mode                   : Local Bridging & 802.3 Frame & Native Frame

CAPWAP data-tunnel status     : Down

Discovery type                : Static Configuration

Retransmission count          : 3

Retransmission interval       : 5 seconds

Firmware upgrade              : Enabled

Sent control packets          : 1

Received control packets      : 1

Echo requests                 : 147

Lost echo responses           : 0

Average echo delay            : 3

Last reboot reason            : User soft reboot

Latest IP address             : 10.1.0.2

Current AC IP                 : N/A

Tunnel down reason            : Request wait timer expired

Connection count              : 1

Backup Ipv4                   : Not configured

Backup Ipv6                   : Not configured

Tunnel encryption             : Disabled

Data-tunnel encryption        : Disabled

LED mode                      : Normal

Remote configuration          : Enabled

Radio 1:

    Basic BSSID               : 7848-59f6-3940

    Admin state               : Up

    Radio type                : 802.11n(5GHz)

    Antenna type              : internal

    Client dot11ac-only       : Disabled

    Client dot11n-only        : Disabled

    Channel band-width        : 20/40/80MHz

    Active band-width         : 20/40/80MHz

    Secondary channel offset  : SCB

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    Short GI for 80MHz        : Supported

    Short GI for 160MHz       : Not supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational VHT-MCS Set:

        Mandatory             : Not configured

        Supported             : NSS1 0,1,2,3,4,5,6,7,8,9

                                NSS2 0,1,2,3,4,5,6,7,8,9

        Multicast             : Not configured

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 44(auto)

    Channel usage(%)          : 0

    Max power                 : 20 dBm

    Operational rate:

        Mandatory             : 6, 12, 24 Mbps

        Multicast             : Auto

        Supported             : 9, 18, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : –102 dBm

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection

Radio 2:

    Basic BSSID               : 7848-59f6-3950

    Admin state               : Up

    Radio type                : 802.11n(2.4GHz)

    Antenna type              : internal

    Client dot11n-only        : Disabled

    Channel band-width        : 20MHz

    Active band-width         : 20MHz

    Secondary channel offset  : SCN

    Short GI for 20MHz        : Supported

    Short GI for 40MHz        : Supported

    A-MSDU                    : Enabled

    A-MPDU                    : Enabled

    LDPC                      : Not Supported

    STBC                      : Supported

    Operational HT MCS Set:

        Mandatory             : Not configured

        Supported             : 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,

                                10, 11, 12, 13, 14, 15

        Multicast             : Not configured

    Channel                   : 11

    Channel usage(%)          : 0

    Max power                 : 19 dBm

    Preamble type             : Short

    Operational rate:

        Mandatory             : 1, 2, 5.5, 11 Mbps

        Multicast             : Auto

        Supported             : 6, 9, 12, 18, 24, 36, 48, 54 Mbps

        Disabled              : Not configured

    Distance                  : 1 km

    ANI                       : Enabled

    Fragmentation threshold   : 2346 bytes

    Beacon interval           : 100 TU

    Protection threshold      : 2346 bytes

    Long retry threshold      : 4

    Short retry threshold     : 7

    Maximum rx duration       : 2000 ms

    Noise Floor               : –105 dBm

    Protection mode           : rts-cts

    Continuous mode           : N/A

    HT protection mode        : No protection


Configuring WLAN access

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN access

A wireless client can access a WLAN only when it completes the scanning, link layer authentication, association, and WLAN authentication processes.

For more information about data link layer authentication, see "Configuring WLAN security."

For more information about WLAN authentication, see "Configuring WLAN authentication."

Figure 11 WLAN access process

 

Scanning

Active scanning

A wireless client periodically scans surrounding wireless networks by sending probe requests. It obtains network information from received probe responses. Based on whether a probe request carries an SSID, active scanning can be divided into the following types:

·          Active scanning of all wireless networks.

As shown in Figure 12, the client periodically sends a probe request on each of its supported channels to scan wireless networks. APs that receive the probe request send a probe response that carries the available wireless network information. The client associates with the optimal AP.

Figure 12 Scanning all wireless networks

 

·          Active scanning of a specific wireless network.

As shown in Figure 13, the client periodically sends a probe request carrying the specified SSID or the SSID of the wireless network it has been associated with. When an AP that can provide wireless services with the specified SSID receives the probe request, it sends a probe response.

Figure 13 Scanning a specific wireless network

 

Passive scanning

As shown in Figure 14, the clients periodically listen for beacon frames sent by APs on their supported channels to get information about surrounding wireless networks. Then the clients select an AP for association. Passive scanning is used when clients want to save power.

Figure 14 Passive scanning

 

Association

A client sends an association request to the AP after passing data link layer authentication. Upon receiving the request, the AP determines the capabilities supported by the wireless client and sends an association response to the client. The client is then associated with the AP.

Client access control

The following client access control methods are available:

·          AP group-based access control—Allows clients associated with APs in the specified AP group to access the WLAN.

·          SSID-based access control—Allows clients associated with the specified SSID to access the WLAN.

·          Whitelist- and blacklist-based access control—Uses the whitelist and blacklists to control access for the specified clients.

·          ACL-based access control—Uses ACL rules bound to APs or service templates to control client access.

AP group-based access control

As shown in Figure 15, for AP group-based access control, configure AP group 1 as the permitted AP group for Client 1 and Client 2, and configure AP group 2 as the permitted AP group for Client 3.

When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the AP with which the client associates is in the permitted AP group. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.

Figure 15 AP group-based access control

 

SSID-based access control

As shown in Figure 16, for SSID-based access control, configure ssida as the permitted SSID for Client 1 and Client 2, and configure ssidb as the permitted SSID for Client 3.

When a client passes authentication, the server sends the related user profile to the AC. The AC examines whether the associated SSID of the client is the permitted SSID. If it is, the client is allowed to access the WLAN. If it is not, the AC logs off the client.

Figure 16 SSID-based access control

 

Whitelist- and blacklist-based access control

You can configure the whitelist or blacklists to filter frames from WLAN clients and implement client access control.

Whitelist-based access control

The whitelist contains the MAC addresses of all clients allowed to access the WLAN. Frames from clients not in the whitelist are discarded. This list is manually configured.

Blacklist-based access control

The following blacklists are available for access control:

·          Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.

·          Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. An AP adds the MAC address of a client forbidden to access the WLAN to the list when WIPS is configured or when URL redirection is enabled for WLAN MAC authentication clients. The entries in the list are removed when the aging time expires. For more information about WIPS, see "Configuring WIPS." For more information about WLAN MAC authentication, see "Configuring WLAN authentication."

The dynamic blacklist can take effect on the AC or on APs, depending on the configuration.

Working mechanism

When an AP receives an association request and sends an Add Mobile message to the AC, the AC performs the following operations to determine whether to permit the client:

1.        Searches the whitelist if whitelist entries exist:

¡  If the client MAC address does not match any entries in the whitelist, the client is rejected.

¡  If a match is found, the client is permitted.

2.        Searches the static and dynamic blacklists if no whitelist entries exist:

¡  If the client MAC address matches an entry in either blacklist, the client is rejected.

¡  If no match is found, or no blacklist entries exist, the client is permitted.

Figure 17 Whitelist- and blacklist-based access control

 

ACL-based access control

This feature controls client access by using ACL rules bound to an AP or a service template.

Upon receiving an association request from a client, the AC matches the client against the bound ACL rules and takes one of the following actions:

·          Allows the client to access the WLAN if a match is found and the rule action is permit.

·          Denies the client's access to the WLAN if no match is found or the matched rule has a deny statement.
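The whitelist/blacklist decision sequence and the ACL-based decision described above, modelled offline as an added example (not H3C code). The MAC addresses, aging time and rules are constructed, and the ACL is simplified to a Layer 2 style source-MAC-with-mask match, which is an assumption of this example rather than the product's rule syntax.

```python
"""Added example, not H3C code: the AC-side client access decisions described above
(whitelist, static and dynamic blacklists with aging, and ACL rules), modelled
offline. All MAC addresses, aging times and rules below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def norm_mac(mac: str) -> str:
    """Normalise 'xxxx-xxxx-xxxx' (H3C style) or 'xx:xx:...' to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


@dataclass
class AccessLists:
    """Whitelist and blacklists as the AC consults them when an Add Mobile message arrives."""
    aging_time: float                                    # seconds a dynamic entry lives
    whitelist: Set[str] = field(default_factory=set)     # manually configured
    static_blacklist: Set[str] = field(default_factory=set)
    dynamic_blacklist: Dict[str, float] = field(default_factory=dict)  # mac -> time added

    def add_dynamic(self, mac: str, now: float) -> None:
        """Entry added by the AP (for example on a WIPS hit); it ages out after aging_time."""
        self.dynamic_blacklist[norm_mac(mac)] = now

    def expire_dynamic(self, now: float) -> None:
        """Drop dynamic entries whose aging time has expired."""
        self.dynamic_blacklist = {m: t for m, t in self.dynamic_blacklist.items()
                                  if now - t < self.aging_time}

    def decide(self, client_mac: str, now: float) -> Tuple[bool, str]:
        """Step 1: whitelist, if it has entries. Step 2: static and dynamic blacklists otherwise."""
        mac = norm_mac(client_mac)
        if self.whitelist:
            if mac in self.whitelist:
                return True, "whitelist match"
            return False, "not in whitelist"
        self.expire_dynamic(now)
        if mac in self.static_blacklist:
            return False, "static blacklist match"
        if mac in self.dynamic_blacklist:
            return False, "dynamic blacklist match"
        return True, "no blacklist match"


@dataclass
class AclRule:
    """Simplified rule matching the client source MAC under a mask (an assumption of
    this example, not the product's rule syntax); ffff-ffff-ffff means exact match."""
    action: str   # "permit" or "deny"
    mac: str
    mask: str = "ffff-ffff-ffff"

    def matches(self, client_mac: str) -> bool:
        m = int(norm_mac(self.mask), 16)
        return (int(norm_mac(client_mac), 16) & m) == (int(norm_mac(self.mac), 16) & m)


def acl_decide(rules: List[AclRule], client_mac: str) -> Tuple[bool, str]:
    """First matching rule decides; a client that matches no rule is denied."""
    for rule in rules:
        if rule.matches(client_mac):
            return rule.action == "permit", f"rule {rule.action} {rule.mac} {rule.mask}"
    return False, "no matching rule"


if __name__ == "__main__":
    lists = AccessLists(aging_time=60)
    lists.static_blacklist.add(norm_mac("aaaa-bbbb-cccc"))
    lists.add_dynamic("1111-2222-3333", now=0)
    for mac, t in [("aaaa-bbbb-cccc", 10), ("1111-2222-3333", 10), ("1111-2222-3333", 100)]:
        print(mac, "at", t, "->", lists.decide(mac, t))
    rules = [AclRule("deny", "0011-2233-0000", "ffff-ffff-0000"),
             AclRule("permit", "0000-0000-0000", "0000-0000-0000")]
    print(acl_decide(rules, "0011-2233-4455"), acl_decide(rules, "0011-9999-4455"))
```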

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Configuration restrictions and guidelines

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, when the same parameter is set in more than one of these views, the setting in AP view takes precedence over the setting in AP group view, which in turn takes precedence over the setting in global configuration view.

WLAN access tasks at a glance

Tasks at a glance

Configuring wireless services:

·         (Required.) Configuring a service template

·         (Optional.) Configuring a description for a service template

·         (Required.) Setting an SSID

·         (Optional.) Setting the maximum number of associated clients for a service template

·         (Required.) Enabling a service template

·         (Required.) Binding a service template to a radio

·         (Optional.) Configuring an AP to not inherit the specified service template from the AP group

Configuring wireless client functions:

·         (Optional.) Setting the client idle timeout

·         (Optional.) Configuring client keepalive

·         (Optional.) Setting the VLAN allocation method for clients

·         (Optional.) Configuring clients to prefer the authorization VLAN after roaming

·         (Optional.) Setting the aging time for the cache of clients

·         (Optional.) Enabling client association at the AC or APs

·         (Optional.) Specifying the client traffic forwarder

·         (Optional.) Enabling client traffic forwarding

·         (Optional.) Setting the encapsulation format for client data frames

·         (Optional.) Enabling quick association

·         (Optional.) Setting the idle period before client reauthentication

·         (Optional.) Enabling immediate client association upon successful local authentication

·         (Optional.) Specifying the method for APs to process traffic from unknown clients

·         (Optional.) Performing a wireless link quality test

·         (Optional.) Specifying the Web server to which client information is reported

·         (Optional.) Enabling the device to generate client logs in the specified format

·         (Optional.) Configuring client statistics reporting

Configuring client access control:

·         (Optional.) Specifying a permitted AP group for client association

·         (Optional.) Specifying a permitted SSID for client association

·         (Optional.) Adding a client to the whitelist

·         (Optional.) Adding a client to the static blacklist

·         (Optional.) Configuring the dynamic blacklist

·         (Optional.) Configuring ACL-based access control

(Optional.) Specifying a region code

(Optional.) Disabling an AP from responding to broadcast probe requests

(Optional.) Setting the NAS ID

(Optional.) Configuring policy-based forwarding

(Optional.) Deploying a configuration file to an AP

(Optional.) Enabling SNMP notifications for WLAN access

 

Configuring wireless services

Configuring a service template

About service templates

A service template defines a set of wireless service attributes, such as SSID and authentication method.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template.

wlan service-template service-template-name

By default, no service template exists.

3.       Assign clients coming online through the service template to the specified VLAN.

vlan vlan-id

By default, clients are assigned VLAN 1 after coming online through a service template.

 

Configuring a description for a service template

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Configure a description for the service template.

description text

By default, no description is configured for a service template.

 

Setting an SSID

About SSIDs

APs advertise SSIDs in beacon frames. If the number of clients in a BSS exceeds the limit or the BSS is unavailable, you can enable SSID-hidden to prevent clients from discovering the BSS. When SSID-hidden is enabled, the BSS omits its SSID from beacon frames and does not respond to broadcast probe requests. A client must send probe requests that carry the specific SSID to access the WLAN. This feature can help protect the WLAN from being attacked; because the SSID still appears in clear text in directed probe requests and responses, treat it as a discovery deterrent rather than a substitute for link layer authentication and encryption.
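An added example (not H3C code) of how the beacon ssid-hide setting changes what an AP reveals to the passive scanning (beacons) and active scanning (broadcast and directed probe requests) described under "Scanning" above. Frames are simplified dicts rather than real 802.11 encodings, and the SSIDs, BSSIDs and channels are constructed.

```python
"""Added example, not H3C code: AP behaviour during passive and active scanning
depending on the beacon ssid-hide setting. Frames are simplified dicts, not real
802.11 encodings; SSIDs, BSSIDs and channels are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Bss:
    bssid: str
    ssid: str
    channel: int
    ssid_hide: bool = False   # True when 'beacon ssid-hide' is set in the service template

    def beacon(self) -> Dict[str, object]:
        """Beacon seen by passive scanners; a hidden BSS carries a zero-length SSID."""
        return {"type": "beacon", "bssid": self.bssid, "channel": self.channel,
                "ssid": "" if self.ssid_hide else self.ssid}

    def handle_probe_request(self, probe: Dict[str, object]) -> Optional[Dict[str, object]]:
        """Probe response this BSS sends, or None when it stays silent."""
        requested = probe.get("ssid", "")
        if requested == "":
            # Broadcast (wildcard) probe from a client scanning all networks:
            # a hidden BSS does not answer it.
            if self.ssid_hide:
                return None
        elif requested != self.ssid:
            # Directed probe for some other network: not ours.
            return None
        # Directed probe carrying our SSID is answered even when hidden, so the
        # SSID is on the air in clear text in both the request and the response.
        return {"type": "probe_response", "bssid": self.bssid,
                "channel": self.channel, "ssid": self.ssid}


def passive_scan(bsss: List[Bss]) -> Dict[str, str]:
    """Networks learned from beacons alone: bssid -> advertised SSID ('' if hidden)."""
    result: Dict[str, str] = {}
    for b in bsss:
        frame = b.beacon()
        result[str(frame["bssid"])] = str(frame["ssid"])
    return result


def active_scan(bsss: List[Bss], ssid: str = "") -> List[str]:
    """SSIDs learned from the responses to one probe request (wildcard when ssid == '')."""
    probe = {"type": "probe_request", "ssid": ssid}
    learned: List[str] = []
    for b in bsss:
        response = b.handle_probe_request(probe)
        if response is not None:
            learned.append(str(response["ssid"]))
    return learned


if __name__ == "__main__":
    corp = Bss("0001-0002-0003", "corp", 44, ssid_hide=True)    # constructed
    guest = Bss("0001-0002-0004", "guest", 11)                  # constructed
    print("passive:", passive_scan([corp, guest]))
    print("broadcast probe:", active_scan([corp, guest]))
    print("directed probe for corp:", active_scan([corp, guest], ssid="corp"))
```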

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set an SSID for the service template.

ssid ssid-name

By default, no SSID is set for a service template.

4.       (Optional.) Enable SSID-hidden in beacon frames.

beacon ssid-hide

By default, beacon frames carry SSIDs.

 

Setting the maximum number of associated clients for a service template

About setting the client quantity limit for a service template

Perform this task to limit the associated client quantity to avoid overload. When this feature is configured, new clients cannot access the WLAN when the maximum number is reached.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the maximum number of associated clients for the service template.

client max-count max-number

By default, the number of associated clients for a service template is not limited.

 

Enabling a service template

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable the service template.

service-template enable

By default, a service template is disabled.

 

Binding a service template to a radio

About service template binding

If you bind a service template to a radio, the AP creates a BSS that can provide wireless services defined in the service template.

You can perform the following tasks when binding a service template to a radio:

·          Bind a VLAN group to the radio so that clients associated with the BSS will be assigned evenly to all VLANs in the VLAN group.

·          Bind the NAS port ID or the NAS ID to the radio to identify the network access server.

·          Enable the AP to hide SSIDs in beacon frames.

Restrictions and guidelines

You can bind a maximum of 16 service templates to a radio.

Procedure

To bind a service template to a radio in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Bind a service template to the radio.

service-template service-template-name [ vlan vlan-id | vlan-group vlan-group-name ] [ ssid-hide ] [ nas-id nas-id | nas-port-id nas-port-id ]

By default, the configuration in AP group view is used.

 

To bind a service template to a radio in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Bind a service template to the radio.

service-template service-template-name [ vlan vlan-id | vlan-group vlan-group-name ] [ ssid-hide ] [ nas-id nas-id | nas-port-id nas-port-id ]

By default, a radio is not bound to any service templates.

 

Configuring an AP to not inherit the specified service template from the AP group

About service template inheritance

By default, APs in an AP group inherit the service template bound to the AP group and create BSSs. You can perform this task to configure an AP to not inherit the specified service template from the AP group to which it belongs.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Configure the AP to not inherit the specified service template from the AP group.

inherit exclude service-template service-template-name

By default, an AP inherits the service template bound to the AP group to which it belongs.

 

Configuring wireless client functions

Setting the client idle timeout

About the client idle timeout

If an online client does not send any frames to the associated AP before the client idle timeout timer expires, the AP logs off the client.

Procedure

To set the client idle timeout in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the client idle timeout.

client idle-timeout timeout

By default, an AP uses the configuration in AP group view.

 

To set the client idle timeout in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the client idle timeout.

client idle-timeout timeout

By default, the client idle timeout is 3600 seconds.

 

Configuring client keepalive

About client keepalive

This feature enables an AP to send keepalive packets to clients at the specified interval to determine whether the clients are online. If the AP does not receive any replies from a client within three keepalive intervals, it logs off the client.

Procedure

To configure client keepalive in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enable client keepalive.

client keep-alive enable

By default, an AP uses the configuration in AP group view.

4.       (Optional.) Set the client keepalive interval.

client keep-alive interval interval

By default, an AP uses the configuration in AP group view.

 

To configure client keepalive in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enable client keepalive.

client keep-alive enable

By default, client keepalive is disabled.

4.       (Optional.) Set the client keepalive interval.

client keep-alive interval interval

By default, the client keepalive interval is 300 seconds.

 

Setting the VLAN allocation method for clients

About VLAN allocation methods

When a client comes online for the first time, the radio assigns a random VLAN to it. When the client comes online again, the VLAN assigned to the client depends on the allocation method.

·          Static allocation—The client inherits the VLAN that has been assigned to it. If the IP address lease has not expired, the client will use the same IP address. This method helps save IP addresses.

·          Dynamic allocation—The radio re-assigns a VLAN to the client. This method balances clients in all VLANs.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the VLAN allocation method for clients.

client vlan-alloc { dynamic | static }

By default, the VLAN allocation method for clients is dynamic.

 

Configuring clients to prefer the authorization VLAN after roaming

About VLAN allocation after client roaming

Typically, the VLAN of a client remains unchanged after client roaming. However, if the client triggers a security alert configured on IMC after it roams to another AP, the authorization VLAN issued for user isolation takes effect.

Restrictions and guidelines

As a best practice, configure this feature on all ACs in a mobility group.

This feature takes effect only on 802.1X and MAC authentication clients.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Configure clients to prefer the authorization VLAN after roaming.

client preferred-vlan authorized

By default, clients prefer the authorization VLAN after roaming.

 

Setting the aging time for the cache of clients

About the aging time for the client cache

The cache of a client saves the PMK list, access VLAN, and other authorized information for the client. If an offline client comes online again within the aging time, it can inherit all information in its cache for fast roaming. If the client does not come online within the aging time, the AC clears the client cache.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the aging time for the cache of clients.

client cache aging-time aging-time

By default, the aging time for the cache of clients is 180 seconds.

 

Enabling client association at the AC or APs

About the client association position

If you enable client association at the AC, management frames are sent to the AC over the CAPWAP tunnel. This ensures security and facilitates management. As a best practice, enable client association at the APs when the network between the AC and the APs is complicated.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable client association at the AC or APs.

client association-location { ac | ap }

By default, client association is performed at the AC.

 

Specifying the client traffic forwarder

About the client traffic forwarder

The AC (centralized forwarding) or APs (local forwarding) can forward client traffic. Using APs to forward client traffic relieves the AC of the forwarding burden.

If APs forward client traffic, you can specify a VLAN or a VLAN range for the APs to forward traffic from the specified VLANs. The AC forwards data traffic from the other VLANs.

Restrictions and guidelines

For the AC to act as the client traffic forwarder, make sure client traffic forwarding is enabled (see "Enabling client traffic forwarding").

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify the client traffic forwarder.

client forwarding-location { ac | ap [ vlan { start-vlan [ to end-vlan ] } ] }

By default, the client traffic forwarder is the AC.

 

Enabling client traffic forwarding

About client traffic forwarding

In an AC hierarchical network, disable this feature on the central AC and enable it on the local ACs if the client traffic forwarder is the AC. This preserves the central AC's management performance if a local AC goes down.

For more information about AC hierarchy, see "Configuring AC hierarchy."

Restrictions and guidelines

You must enable this feature if you configure the AC as the client traffic forwarder.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable client traffic forwarding.

wlan client forwarding enable

By default, client traffic forwarding is enabled.

 

Setting the encapsulation format for client data frames

About the encapsulation format of client data frames

In the centralized forwarding infrastructure, an AP sends data frames from clients to the AC over the CAPWAP tunnel. You can set the encapsulation format for the client data frames to 802.3 or 802.11. As a best practice, set the format to 802.3 so the AC does not need to perform frame format conversion.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the encapsulation format for client data frames.

client frame-format { dot3 | dot11 }

By default, client data frames are encapsulated in the 802.3 format.

 

Enabling quick association

About quick association

Enabling load balancing or band navigation might affect client association efficiency. For delay-sensitive services, or in an environment where load balancing and band navigation are not needed, you can enable quick association for a service template.

Quick association disables load balancing or band navigation on clients associated with the service template. The device will not balance traffic or perform band navigation even if these two features are enabled in the WLAN.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable quick association.

quick-association enable

By default, quick association is disabled.

 

Setting the idle period before client reauthentication

About the idle period before client reauthentication

Set the idle period before client reauthentication to reduce reauthentication failures.

When URL redirection is enabled for WLAN MAC authentication clients, an AP logs off a client that has passed MAC authentication. At the next MAC authentication attempt, the client can pass MAC authentication and access the WLAN. With the idle period configured, the AP adds the client to the dynamic blacklist after logging off the client and the client entry ages out after the specified idle period.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the idle period before client reauthentication.

wlan client reauthentication-period [ period-value ]

By default, the idle period is not configured.

 

Enabling immediate client association upon successful local authentication

About immediate client association upon successful local authentication

By default, an AP reports information about locally authenticated clients that pass authentication to the AC, and the AC creates client entries and instructs the AP to bring the clients online. If the CAPWAP tunnel between the AC and the AP operates incorrectly, clients might fail to come online and are reauthenticated repeatedly.

To avoid this problem, you can allow clients to come online immediately after successful local authentication so that the AP can forward client traffic when the AC cannot be reached. The AP synchronizes client information to the AC when the tunnel recovers.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable clients to come online immediately upon successful local authentication.

undo client report-mandatory

By default, locally authenticated clients come online after successful client information reporting.

 

Specifying the method for APs to process traffic from unknown clients

About unknown client traffic processing

Perform this task to configure APs that use the specified service template either to drop data packets from unknown clients and deauthenticate those clients, or to drop the packets only.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify the method for APs to process traffic from unknown clients.

unknown-client [ deauthenticate | drop ]

By default, APs drop packets from unknown clients and deauthenticate these clients.

 

Performing a wireless link quality test

About wireless link quality tests

This feature enables an AP to test the quality of the link to a wireless client. The AP sends empty data frames to the client at each supported rate. Then it calculates link quality information such as RSSI, packet retransmissions, and RTT based on the responses from the client.

The timeout for a wireless link quality test is 10 seconds. If the wireless link test is not completed before the timeout expires, test results cannot be obtained.

Procedure

Task

Command

Perform a wireless link quality test.

wlan link-test mac-address

 

Specifying the Web server to which client information is reported

About the Web server for client information reporting

Perform this task to enable the AC to report client information, such as the client MAC address, associated AP, and association time, to the specified Web server through HTTP. Reporting takes effect only when the server's host name, port number, and path are all specified.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the host name and port number of the Web server.

wlan web-server host host-name port port-number

By default, the host name and port number of the Web server are not specified.

3.       Specify the path of the Web server.

wlan web-server api-path path

By default, the path of the Web server is not specified.

4.       Set the maximum number of client entries that can be reported at a time.

wlan web-server max-client-entry number

By default, a maximum of ten client entries can be reported at a time.

 

Enabling the device to generate client logs in the specified format

About client log formats

The device supports client logs in the following formats:

·          H3C—Logs AP name, radio ID, client MAC address, SSID, BSSID, and client online status. By default, the device generates client logs only in H3C format.

·          normal—Logs AP MAC address, AP name, client IP address, client MAC address, SSID, and BSSID.

·          sangfor—Logs AP MAC address, client IP address, and client MAC address.

This feature enables the device to generate client logs in normal or sangfor format and send the logs to the information center. Log destinations are determined by the information center settings. For more information about the information center, see Network Management and Monitoring Configuration Guide.

This feature does not affect generation of client logs in H3C format.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the device to generate client logs in the specified format.

customlog format wlan { normal | sangfor }

By default, the device generates client logs only in the H3C format.

 

Configuring client statistics reporting

About client statistics reporting

This feature enables an AP to report client statistics to the AC at the specified interval so the AC can update its client entries. If no saved entry exists for a reported client, the AC instructs the AP to log off that client.

To avoid frequent client re-association, disable this feature when the network is in a bad condition.

Procedure

To configure client statistics reporting in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.       Configure client statistics reporting.

client-statistics-report { disable | enable [ interval interval ] }

By default, an AP uses the configuration in AP group view.

 

To configure client statistics reporting in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Configure client statistics reporting.

client-statistics-report { disable | enable [ interval interval ] }

By default, client statistics reporting is enabled.

 

Configuring client access control

Specifying a permitted AP group for client association

About AP group-based client access control

Perform this task to enable clients to associate with APs in the specified AP group.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user profile view.

user-profile profile-name

N/A

3.       Specify a permitted AP group for client association.

wlan permit-ap-group ap-group-name

By default, no permitted AP group is specified for client association.

 

Specifying a permitted SSID for client association

About SSID-based client access control

Perform this task to allow clients to associate with a WLAN through the specified SSID.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user profile view.

user-profile profile-name

N/A

3.       Specify a permitted SSID for client association.

wlan permit-ssid ssid-name

By default, no permitted SSID is specified for client association.

 

Adding a client to the whitelist

Restrictions and guidelines

When you add the first client to the whitelist, the system asks you whether to disconnect all online clients. Enter Y at the prompt to configure the whitelist.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Add a client to the whitelist.

wlan whitelist mac-address mac-address

By default, no clients exist in the whitelist.

 

Adding a client to the static blacklist

Restrictions and guidelines

You cannot add a client to both the whitelist and the static blacklist.

If the whitelist and blacklists are configured, only the whitelist takes effect.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Add a client to the static blacklist.

wlan static-blacklist mac-address mac-address

By default, no clients exist in the static blacklist.

 

Configuring the dynamic blacklist

About the dynamic blacklist

You can configure the dynamic blacklist to take effect on the AC or on APs.

If you configure the dynamic blacklist to take effect on the AC, all APs connected to the AC will reject the clients in the dynamic blacklist. If you configure the dynamic blacklist to take effect on APs, the AP associated with the clients in the dynamic blacklist will reject the clients, but the clients can still associate with other APs connected to the AC.

Restrictions and guidelines

As a best practice, configure the dynamic blacklist to take effect on the AC in high-density environments.

The configured aging time takes effect only on entries newly added to the dynamic blacklist.

If the whitelist and blacklists are configured, only the whitelist takes effect.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the dynamic blacklist to take effect on the AC or on APs.

·         Configure the dynamic blacklist to take effect on APs:
wlan dynamic-blacklist active-on-ap

·         Configure the dynamic blacklist to take effect on the AC:
undo wlan dynamic-blacklist active-on-ap

By default, the dynamic blacklist takes effect on APs.

3.       Set the aging time for dynamic blacklist entries.

wlan dynamic-blacklist lifetime lifetime

By default, the aging time is 300 seconds.

The aging time for dynamic blacklist entries takes effect only on rogue client entries.

 

Configuring ACL-based access control

Restrictions and guidelines

The ACL-based access control configuration takes precedence over the whitelist and blacklist configuration. As a best practice, do not configure both ACL-based access control and whitelist- and blacklist-based access control on the same AC.

If the bound ACL contains a deny statement, configure a permit statement for the ACL to permit all clients. If you do not do so, no clients can come online through the AP or service template.

The configuration in AP view takes precedence over the configuration in service template view.

This feature supports only Layer 2 ACLs and can only use source MAC address as the match criterion. If you bind an ACL of another type, the configuration does not take effect.

Procedure

To configure ACL-based access control in service template view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Bind an ACL to the service template.

access-control acl acl-number

By default, no ACL is bound to a service template.

 

To configure ACL-based access control in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name [ model model-name ]

N/A

3.       Bind an ACL to the AP.

access-control acl acl-number

By default, no ACL is bound to an AP.
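As an added example covering the whitelist, blacklist and ACL-based access control sections above (this is not H3C code or text from this guide): a Python model of the admission precedence these sections state, plus a generator that writes a Layer 2 ACL with the permit-all guard before binding it to a service template. The `acl mac` and `rule ... source-mac` syntax is assumed from the ACL and QoS Configuration Guide that this page references; `AccessControl`, `build_mac_acl`, `acl_locks_everyone_out` and the sample MAC addresses are constructed for this example.

```python
"""Client admission precedence and a lockout-safe Layer 2 ACL generator.

Added example, not H3C code. Models the rules stated in this section:
a bound ACL takes precedence over the whitelist and blacklists; when a
whitelist exists only the whitelist takes effect; otherwise the static and
dynamic blacklists apply. The ACL command syntax emitted below is assumed
from the Comware 7 ACL and QoS guide, which this page only references.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


def normalize_mac(mac: str) -> str:
    """Return a MAC address in Comware H-H-H form, e.g. 0011-2233-4455."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


@dataclass
class AccessControl:
    """Access-control state of one AC (constructed for the example).

    All sets hold normalized MAC addresses. acl_denied is None when no ACL
    is bound; otherwise it is the set of source MACs the bound ACL denies
    (AP-view ACL takes precedence over the service-template ACL, so pass
    whichever one applies to the AP the client associates with).
    """
    whitelist: Set[str] = field(default_factory=set)
    static_blacklist: Set[str] = field(default_factory=set)
    dynamic_blacklist: Set[str] = field(default_factory=set)
    acl_denied: Optional[Set[str]] = None

    def admit(self, mac: str) -> bool:
        mac = normalize_mac(mac)
        # 1. ACL-based access control overrides whitelist and blacklists.
        if self.acl_denied is not None:
            return mac not in self.acl_denied
        # 2. If a whitelist is configured, only the whitelist takes effect.
        if self.whitelist:
            return mac in self.whitelist
        # 3. Otherwise any blacklisted client is rejected.
        return mac not in (self.static_blacklist | self.dynamic_blacklist)


def build_mac_acl(acl_number: int, denied: List[str], template: str) -> List[str]:
    """Emit CLI lines for a MAC ACL that denies `denied` and permits all
    other clients, then bind it to a service template.

    The trailing `rule N permit` is the guard this section requires: an ACL
    that contains deny statements but no permit-all keeps every client off
    the template or AP it is bound to.
    """
    if not 4000 <= acl_number <= 4999:  # Layer 2 ACL number range (assumed)
        raise ValueError("Layer 2 (MAC) ACLs use numbers 4000-4999")
    lines = ["system-view", f"acl mac {acl_number}"]
    rule_id = 0
    for mac in denied:
        lines.append(f"rule {rule_id} deny source-mac {normalize_mac(mac)} ffff-ffff-ffff")
        rule_id += 5
    lines.append(f"rule {rule_id} permit")  # permit-all guard, must be last
    lines += ["quit", f"wlan service-template {template}",
              f"access-control acl {acl_number}", "quit"]
    return lines


def _rule_tokens(rule: str) -> List[str]:
    """Tokens of a `rule [id] action ...` line after the optional rule id."""
    toks = rule.split()
    if not toks or toks[0] != "rule":
        return []
    toks = toks[1:]
    if toks and toks[0].isdigit():
        toks = toks[1:]
    return toks


def acl_locks_everyone_out(rules: List[str]) -> bool:
    """True if the rule list contains a deny but no unconditional permit.

    Use this as a sanity check on a hand-written ACL before binding it.
    """
    parsed = [_rule_tokens(r) for r in rules]
    has_deny = any(t[:1] == ["deny"] for t in parsed)
    has_permit_all = any(t == ["permit"] for t in parsed)
    return has_deny and not has_permit_all


if __name__ == "__main__":
    for line in build_mac_acl(4000, ["00:11:22:33:44:55"], "st1"):
        print(line)
```

`admit()` follows the three precedence rules in the order the guide states them, so a client on the static blacklist is still admitted when a permit-all ACL is bound, which is why the guide advises against mixing the two mechanisms on one AC.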

 

Specifying a region code

About region codes

A region code determines characteristics such as available frequencies, available channels, and transmit power level. Set a valid region code before configuring an AP.

To prevent regulation violation caused by region code modification, lock the region code.

Procedure

To specify a region code in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Specify a region code.

region-code code

By default, an AP uses the configuration in AP group view. If no region code exists in AP group view, the AP uses the configuration in global configuration view.

4.       Lock the region code.

region-code-lock enable

By default, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.

 

To specify a region code in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Specify a region code.

region-code code

By default, an AP group uses the configuration in global configuration view.

4.       Lock the region code.

region-code-lock enable

By default, an AP group uses the configuration in global configuration view.

 

To specify a global region code:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter global configuration view.

wlan global-configuration

N/A

3.       Specify a region code.

region-code code

By default, the region code is CN.

4.       Lock the region code.

region-code-lock enable

By default, region codes are not locked.

 

Disabling an AP from responding to broadcast probe requests

About broadcast probe request responses

Broadcast probe requests do not carry any SSIDs. Upon receiving a broadcast probe request, an AP responds with a probe response that carries service information for the AP.

This feature enables clients that send unicast probe requests to the AP to associate with the AP more easily.

Procedure

To disable an AP from responding to broadcast probe requests in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Disable the AP from responding to broadcast probe requests.

broadcast-probe reply disable

By default, an AP uses the configuration in AP group view.

 

To disable APs in an AP group from responding to broadcast probe requests in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Disable APs in the AP group from responding to broadcast probe requests.

broadcast-probe reply disable

By default, an AP responds to broadcast probe requests.

 

Setting the NAS ID

About NAS IDs

A network access server identifier (NAS ID), network access server port identifier (NAS port ID), or network access server VLAN identifier (NAS VLAN ID) identifies the network access server of a client and differentiates the source of client traffic.

Restrictions and guidelines

If you specify a NAS ID or NAS port ID when binding a service template to a radio, the radio uses the NAS ID or NAS port ID specified for the service template.

Procedure

To set the NAS ID in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the NAS ID.

nas-id nas-id

By default, an AP uses the configuration in AP group view. If no NAS ID is specified in AP group view, the AP uses the configuration in global configuration view.

4.       Set the NAS port ID.

nas-port-id nas-port-id

By default, an AP uses the configuration in AP group view. If no NAS port ID is specified in AP group view, the AP uses the configuration in global configuration view.

5.       Set the NAS VLAN ID and enable the AC to encapsulate the VLAN ID in RADIUS requests.

nas-vlan vlan-id

By default, no NAS VLAN ID is set. Authentication requests sent to the RADIUS server do not contain the NAS VLAN ID field.

Set the NAS VLAN ID when a third-party Security Accounting Management (SAM) server is used as the RADIUS server.

 

To set the NAS ID in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Set the NAS ID.

nas-id nas-id

By default, an AP uses the configuration in global configuration view.

4.       Set the NAS port ID.

nas-port-id nas-port-id

By default, an AP uses the configuration in global configuration view.

 

To set the global NAS ID:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter global configuration view.

wlan global-configuration

N/A

3.       Set the global NAS ID.

nas-id nas-id

By default, no NAS ID is set.

4.       Set the NAS port ID.

nas-port-id nas-port-id

By default, no NAS port ID is set.

 

Configuring policy-based forwarding

Restrictions and guidelines for policy-based forwarding

Make sure the AC and its associated APs are in different network segments.

You can apply a forwarding policy to a service template or user profile. The AC preferentially uses the forwarding policy applied to a user profile to direct client traffic forwarding. If the user profile of a client does not have a forwarding policy, the AC uses the forwarding policy applied to the service template.

Prerequisites for policy-based forwarding

Before configuring policy-based forwarding, you must specify the AC to perform authentication for clients. For more information about specifying the authentication location, see "Configuring WLAN authentication."

Configuring a forwarding policy

About forwarding policies

A forwarding policy contains one or multiple forwarding rules. Each forwarding rule specifies a traffic match criterion and the forwarding mode for matching traffic. The traffic match criterion can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The forwarding mode can be local forwarding or centralized forwarding.

Actions defined in ACL rules do not take effect in wireless packet forwarding. All matched packets are forwarded based on the forwarding mode.

For more information about ACLs, see ACL and QoS Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a forwarding policy and enter its view.

wlan forwarding-policy policy-name

By default, no forwarding policies are configured.

3.       Configure a forwarding rule.

classifier acl { acl-number | ipv6 ipv6-acl-number }

By default, no forwarding rules are configured.

Repeat this command to configure more forwarding rules.

 

Applying a forwarding policy to a service template

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Apply a forwarding policy to the service template.

client forwarding-policy-name policy-name

By default, no forwarding policy is applied to a service template.

4.       Enable policy-based forwarding.

client forwarding-policy enable

By default, policy-based forwarding is disabled for a service template.

For the forwarding policy to take effect, you must enable policy-based forwarding for the service template.

 

Applying a forwarding policy to a user profile

About applying a forwarding policy to a user profile

For the AC to perform policy-based forwarding for clients that use a user profile, apply a forwarding policy to the user profile. After a client passes authentication, the authentication server sends the user profile name specified for the client to the AC. The AC will forward traffic of the client based on the forwarding policy applied to the user profile.

Restrictions and guidelines

If you modify or delete the applied forwarding policy, the change takes effect when the client comes online again.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter user profile view.

user-profile profile-name

N/A

3.       Apply a forwarding policy to the user profile.

wlan client forwarding-policy-name policy-name

By default, no forwarding policy is applied to a user profile.

4.       Return to system view.

quit

N/A

5.       Enter service template view.

wlan service-template service-template-name

N/A

6.       Enable policy-based forwarding.

client forwarding-policy enable

By default, policy-based forwarding is disabled for a service template.

For the forwarding policy applied to the user profile to take effect, you must enable policy-based forwarding for the service template that the user profile uses.

 

Deploying a configuration file to an AP

About deploying the AP configuration file

Deploy a configuration file to an AP if you want to update its configuration file or configure features that require a configuration file. For example, to configure a user profile for an AP in local forwarding mode, you must write related commands to a configuration file and then deploy the configuration file to the AP. The configuration file takes effect when the CAPWAP tunnel to the AC is in Run state. It does not survive an AP reboot.

Restrictions and guidelines

Make sure the configuration file is stored in the storage medium of the AC. Contents in the configuration file must be complete commands.

This feature takes effect every time the specified AP comes online.

An AP can only use its main IP address to establish a CAPWAP tunnel to the AC if the AP is configured by using a configuration file.

In an IRF fabric, save the configuration file on each member AC in case of a master/backup AC switchover. The map-configuration command takes effect only on the master AC. If you specify a path when executing the command, make sure the path leads to the file on the master AC.

Procedure

To deploy a configuration file to an AP in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Deploy a configuration file to the AP.

map-configuration filename

By default, no configuration file is deployed to an AP.

 

To deploy a configuration file to an AP in AP group AP model view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Deploy a configuration file to the AP.

map-configuration filename

By default, no configuration file is deployed to an AP.

 

Enabling SNMP notifications for WLAN access

About SNMP notifications

To report critical WLAN access events to an NMS, enable SNMP notifications for WLAN access. For WLAN access event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable SNMP notification for client access.

snmp-agent trap enable wlan client

By default, SNMP notifications are disabled for client access.

3.       Enable SNMP notification for client audit.

snmp-agent trap enable wlan client-audit

By default, SNMP notifications are disabled for client audit.

 

Display and maintenance commands for WLAN access

Execute display commands in any view and the reset command in user view.

 

Task

Command

Display the number of online clients and channel information for each radio.

display wlan ap all radio client-number

Display the number of online clients in each AP group.

display wlan ap-group all client-number

Display the number of online clients at both 2.4 GHz and 5 GHz bands.

display wlan ap all client-number

Display blacklist entries.

display wlan blacklist { dynamic | static }

Display basic service set (BSS) information.

display wlan bss { all | ap ap-name | bssid bssid } [ slot slot-number ] [ verbose ]

(Centralized devices in standalone mode.) Display client information.

display wlan client [ ap ap-name [ radio radio-id ] | mac-address mac-address | service-template service-template-name | frequency-band { 2.4 | 5 } ] [ verbose ]

(Centralized devices in IRF mode.) Display client information on the specified member device or the master device.

display wlan client distributed-sys [ slot slot-number ] [ verbose ]

Display information about client IPv6 addresses.

display wlan client ipv6

Display client online duration.

display wlan client online-duration [ ap ap-name ] [ verbose ]

Display client status information.

display wlan client status [ mac-address mac-address ] [ verbose ]

Display WLAN forwarding policy information.

display wlan forwarding-policy

Display region code information for APs.

display wlan ap { all | name ap-name } region-code

Display service template information.

display wlan service-template [ service-template-name ] [ verbose ]

Display client statistics or service template statistics.

display wlan statistics { ap { all | name ap-name } connect-history | client [ mac-address mac-address ] | service-template service-template-name [ connect-history ] }

Display whitelist entries.

display wlan whitelist

Remove the specified client or all clients from the dynamic blacklist.

reset wlan dynamic-blacklist [ mac-address mac-address ]

Log off the specified client or all clients.

reset wlan client { all | mac-address mac-address }

Clear client statistics.

reset wlan statistics client { all | mac-address mac-address }

Clear service template statistics.

reset wlan statistics service-template service-template-name

 

WLAN access configuration examples

Example: Configuring WLAN access

Network requirements

As shown in Figure 18, the switch acts as the DHCP server to assign IP addresses to the AP and the client. The AP provides wireless services with the SSID trade-off.

Figure 18 Network diagram


Configuration procedure

1.        Create VLAN 100, and assign an IP address to VLAN-interface 100.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 10.1.9.58 16

2.        Create the manual AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

3.        Configure a service template and bind it to the AP radio:

# Create the service template service1, set the SSID to trade-off, assign clients coming online through the service template to VLAN 100, and enable the service template.

[AC-wlan-ap-ap1] quit

[AC] wlan service-template service1

[AC-wlan-st-service1] ssid trade-off

[AC-wlan-st-service1] vlan 100

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Set the working channel to channel 157 for radio 1 of the AP.

[AC] wlan ap ap1

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 157

# Bind the service template service1 to radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template service1

Verifying the configuration

# Verify that the SSID is trade-off, and the service template is enabled.

[AC] display wlan service-template verbose

Service template name          : service1

Description                    : Not configured

SSID                           : trade-off

SSID-hide                      : Disabled

User-isolation                 : Disabled

Service template status        : Enabled

Maximum clients per BSS        : 64

Frame format                   : Dot3

Seamless roam status           : Disabled

Seamless roam RSSI threshold   : 50

Seamless roam RSSI gap         : 20

VLAN ID                        : 100

AKM mode                       : Not configured

Security IE                    : Not configured

Cipher suite                   : Not configured

TKIP countermeasure time       : 0 s

PTK life time                  : 43200 s

GTK rekey                      : Enabled

GTK rekey method               : Time-based

GTK rekey time                 : 86400 s

GTK rekey client-offline       : Disabled

User authentication mode       : Bypass

Intrusion protection           : Disabled

Intrusion protection mode      : Temporary-block

Temporary block time           : 180 sec

Temporary service stop time    : 20 sec

Fail VLAN ID                   : 1

Critical VLAN ID               : Not configured

802.1X handshake               : Enabled

802.1X handshake secure        : Disabled

802.1X domain                  : my-domain

MAC-auth domain                : Not configured

Max 802.1X users per BSS       : 4096

Max MAC-auth users per BSS     : 4096

802.1X re-authenticate         : Enabled

Authorization fail mode        : Online

Accounting fail mode           : Online

Authorization                  : Permitted

Key derivation                 : N/A

PMF status                     : Disabled

Hotspot policy number          : Not configured

Forwarding policy status       : Disabled

Forwarding policy name         : Not configured

Forwarder                      : AC

FT status                      : Disabled

QoS trust                      : Port

QoS priority                   : 0

# Associate the client with the AP. (Details not shown.)

# Verify that the client can access the WLAN.

[AC] display wlan client service-template service1

Total number of clients: 1

 

MAC address       Username   AP name    RID   IP address      IPv6 address   VLAN

0023-8933-223b    N/A        ap1        1     3.0.0.3                        100

Example: Configuring the whitelist

Network requirements

As shown in Figure 19, configure the whitelist to permit only the client whose MAC address is 0000-000f-1211 to access the WLAN.

Figure 19 Network diagram


Configuration procedure

# Add the MAC address 0000-000f-1211 to the whitelist.

<AC> system-view

[AC] wlan whitelist mac-address 0000-000f-1211

Verifying the configuration

# Verify that the MAC address 0000-000f-1211 is in the whitelist.

[AC] display wlan whitelist

Total number of clients: 1

 MAC addresses:

  0000-000f-1211

Example: Configuring the static blacklist

Network requirements

As shown in Figure 20, configure the static blacklist to forbid the client whose MAC address is 0000-000f-1211 to access the WLAN.

Figure 20 Network diagram


Configuration procedure

# Add the MAC address 0000-000f-1211 to the static blacklist.

<AC> system-view

[AC] wlan static-blacklist mac-address 0000-000f-1211

Verifying the configuration

# Verify that the MAC address 0000-000f-1211 is in the static blacklist.

[AC] display wlan blacklist static

Total number of clients: 1

 MAC addresses:

  0000-000f-1211

Example: Configuring ACL-based access control

Network configuration

As shown in Figure 21, configure ACL-based access control to allow Client 1 and clients with the same OUI as Client 2 to access the WLAN.

Figure 21 Network diagram


Procedure

# Create Layer 2 ACL 4000, and create ACL rules to permit Client 1 and clients with the same OUI as Client 2.

<Sysname> system-view

[Sysname] acl mac 4000

[Sysname-acl-mac-4000] rule 0 permit source-mac 0000-000f-1121 ffff-ffff-ffff

[Sysname-acl-mac-4000] rule 1 permit source-mac 000e-35b2-000e ffff-ff00-0000

[Sysname-acl-mac-4000] quit

# Bind ACL 4000 to service template service1.

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] access-control acl 4000

Verifying the configuration

Verify that only Client 1 and clients with the same OUI as Client 2 (including Client 2) can access the WLAN.


Configuring WLAN security

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN security

WLAN security mechanisms include Pre Robust Security Network Association (Pre-RSNA), 802.11i, and 802.11w.

Pre-RSNA defines the original security mechanism, which is vulnerable to security attacks. To enhance WLAN security, 802.11i was introduced, but it encrypts only WLAN data traffic. Based on the 802.11i framework, 802.11w offers management frame protection to prevent attacks such as forged de-authentication and disassociation frames.

Pre-RSNA mechanism

The pre-RSNA mechanism uses the open system and shared key algorithms for authentication and uses WEP for data encryption. WEP uses the stream cipher RC4 for confidentiality and supports key sizes of 40 bits (WEP40), 104 bits (WEP104), and 128 bits (WEP128).

Open system authentication

Open system authentication is the default and simplest authentication algorithm. Any client that requests authentication by using this algorithm can pass the authentication.

Open system authentication uses the following process:

1.        The client sends an authentication request to the AP.

2.        The AP sends an authentication response to the client after the client passes the authentication.

Figure 22 Open system authentication process


Shared key authentication

Shared key authentication uses a WEP key for the AP and client to complete authentication.

Shared key authentication uses the following process:

1.        The client sends an authentication request to the AP.

2.        The AP randomly generates a challenge text and sends it to the client.

3.        The client uses the WEP key to encrypt the challenge text and sends it to the AP.

4.        The AP uses the WEP key to decrypt the challenge text and compares the decrypted challenge text with the original challenge text. If they are identical, the client passes the authentication. If they are not, the authentication fails.

Figure 23 Shared key authentication process


802.11i mechanism

IMPORTANT:

802.11i requires open system authentication for link layer authentication.

Security modes

The 802.11i mechanism (the RSNA mechanism) provides the WPA and RSN security modes. WPA implements a subset of an 802.11i draft to provide enhanced security over WEP, and RSN implements the full 802.11i standard.

AKM

The 802.11i mechanism uses the following authentication and key management (AKM) modes to authenticate users and to dynamically generate and update keys:

·          802.1X—802.1X performs user authentication and generates the pairwise master key (PMK) during authentication. The client and AP use the PMK to generate the pairwise transient key (PTK).

·          Private PSK—The MAC address of the client is used as the PSK to generate the PMK. The client and AP use the PMK to generate the PTK.

·          PSK—The PSK is used to generate the PMK. The client and AP use the PMK to generate the PTK.

Authentication

802.1X authentication is more secure than PSK authentication. For more information about 802.1X authentication, see "Configuring WLAN user access authentication."

PSK authentication requires the same PSK to be configured for both an AP and a client. PSK integrity is verified during the four-way handshake. If PTK negotiation succeeds, the client passes the authentication.

Key management

Key management defines how to generate and update the PTK and group temporary key (GTK). The PTK is used in unicast and the GTK is used in multicast and broadcast.

PTK and GTK

·          PTK structure. The PTK consists of the following keys:

◦  EAPOL-Key Confirmation Key (KCK) is used to verify the integrity of an EAPOL-Key frame.

◦  EAPOL-Key Encryption Key (KEK) is used to encrypt the key data in the EAPOL-Key frame.

◦  Temporal Key (TK) is used to encrypt unicast packets.

·          The GTK includes the TK and other fields. The TK is used to encrypt multicast and broadcast packets.

EAPOL-Key packet

The IEEE 802.11i protocol uses EAPOL-Key packets during key negotiation.

Figure 24 EAPOL-Key structure


Table 23 EAPOL-Key field description

Field

Description

Descriptor type

Specifies the network type:

·         WPA network.

·         RSN network.

Key information

For more information about this field, see Table 24.

Key length

Length of the key.

Key replay counter

Records the total number of GTK updates to prevent replay attacks.

The AP sets this field to 0 at the beginning of the negotiation and increments the value on each successive EAPOL-Key frame.

The client records this field from the last valid EAPOL-Key frame that it received if this field is greater than the field recorded previously.

EAPOL-Key frame retransmission is required in the following situations:

·         The field received by the client is smaller than or equal to the field recorded by the client.

·         The field received by the AP is not equal to the field recorded on the AP.

If the retransmission attempts exceed the maximum number, the AP disconnects the client.

Key nonce

Random value used to generate the PTK.

EAPOL Key IV

Initialization vector used to encrypt the key data for TKIP. This field is valid only when the encryption type is not CCMP.

Key RSC

Records the total number of multicast packets or broadcast packets to prevent replay attacks. The AP increments the value of this field on transmission of each multicast or broadcast packet.

Reserved

Reserved field.

Key MIC

Message integrity check.

Key data length

Length of the key data.

Key data

Data to be transmitted, such as the GTK and pairwise master key identifier (PMKID).

 

Figure 25 Key information structure


Table 24 Key information description

Field

Description

Key Descriptor Version

3-bit key version:

·         1—Non-CCMP key.

·         2—CCMP key.

Key Type

1-bit key type:

·         0—Multicast negotiation key.

·         1—Unicast negotiation key.

Reserved

2-bit field reserved. The sender sets this field to 0, and the receiver ignores this field.

Install

1-bit key installation field.

If the Key Type field is 1, this field is 0 or 1.

·         0—The AP does not request the client to install the TK.

·         1—The AP requests the client to install the TK.

If the Key type field is 0, the sender sets this field to 0, and the receiver ignores this field.

Key Ack

1-bit key acknowledgment field. The value 1 indicates that the AP requests an acknowledgement from the client.

Key MIC

Message integrity check. If this field is 1, the generated MIC must be included in the Key MIC field of the EAPOL-Key frame.

Secure

1-bit key status. The value 1 indicates that the key has been generated.

Error

1-bit MIC check status. The value 1 indicates that a MIC failure has occurred. The client sets this field to 1 when the Request field is 1.

Request

1-bit request field used by the client to request the AP to initiate the four-way handshake or the multicast (group key) handshake, for example in a MIC failure report.

Encrypted Key Data

1-bit key data encryption status. The value 1 indicates that the key data is encrypted.

Reserved

3-bit reserved field. The sender sets this field to 0, and the receiver ignores this field.

 
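The layouts in Table 23 and Table 24 in working form, as an added example (not H3C code): a parser for the EAPOL-Key descriptor, a decoder for the Key Information bits, and the client-side Key Replay Counter rule. The sample frame is constructed in the code; the descriptor type values 254 (WPA) and 2 (RSN) and the bit positions follow IEEE 802.11i.

```python
import struct
from dataclasses import dataclass

# EAPOL-Key descriptor types (Table 23): 254 = WPA, 2 = RSN
DESCRIPTOR_TYPES = {254: "WPA", 2: "RSN"}
EAPOL_KEY_TYPE = 3  # EAPOL packet type of an EAPOL-Key frame

# Key Information layout (Table 24), bit 0 first: 3-bit Key Descriptor Version
# (1 = non-CCMP, RC4 / HMAC-MD5; 2 = CCMP, AES / HMAC-SHA1), then the 1-bit flags.
KEY_DESC_VERSION_MASK = 0x0007
FLAG_BITS = {
    "pairwise": 1 << 3,            # Key Type: 1 = unicast key, 0 = multicast key
    "install": 1 << 6,             # AP asks the client to install the TK
    "ack": 1 << 7,                 # Key Ack
    "mic": 1 << 8,                 # Key MIC present
    "secure": 1 << 9,
    "error": 1 << 10,              # MIC failure reported
    "request": 1 << 11,            # client asks the AP to start a handshake
    "encrypted_key_data": 1 << 12,
}

# Fixed part of the descriptor in Table 23 order, network byte order:
# type(1) info(2) length(2) replay(8) nonce(32) IV(16) RSC(8) reserved(8) MIC(16) data_len(2)
_FIXED = struct.Struct("!BHHQ32s16s8s8s16sH")


@dataclass
class EapolKey:
    descriptor: str
    version: int
    flags: dict
    key_length: int
    replay_counter: int
    nonce: bytes
    key_iv: bytes
    key_rsc: bytes
    key_mic: bytes
    key_data: bytes


def build_eapol_key(dtype, info, key_length, replay, nonce, key_data=b"", mic=bytes(16)):
    """Serialise an EAPOL-Key frame (802.1X header + descriptor); used here to build samples."""
    body = _FIXED.pack(dtype, info, key_length, replay, nonce, bytes(16),
                       bytes(8), bytes(8), mic, len(key_data)) + key_data
    return struct.pack("!BBH", 2, EAPOL_KEY_TYPE, len(body)) + body


def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse an EAPOL-Key frame, rejecting truncated frames and other EAPOL types."""
    if len(frame) < 4 + _FIXED.size:
        raise ValueError("frame too short for an EAPOL-Key descriptor")
    _eapol_version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_KEY_TYPE:
        raise ValueError(f"not an EAPOL-Key frame (EAPOL type {ptype})")
    body = frame[4:4 + body_len]
    if len(body) < _FIXED.size:
        raise ValueError("EAPOL length field shorter than the descriptor")
    (dtype, info, klen, replay, nonce, iv, rsc,
     _reserved, mic, dlen) = _FIXED.unpack_from(body)
    key_data = body[_FIXED.size:_FIXED.size + dlen]
    if len(key_data) != dlen:
        raise ValueError("Key data length runs past the end of the frame")
    return EapolKey(
        descriptor=DESCRIPTOR_TYPES.get(dtype, f"unknown({dtype})"),
        version=info & KEY_DESC_VERSION_MASK,
        flags={name: bool(info & bit) for name, bit in FLAG_BITS.items()},
        key_length=klen, replay_counter=replay, nonce=nonce,
        key_iv=iv, key_rsc=rsc, key_mic=mic, key_data=key_data)


def handshake_message(k: EapolKey) -> str:
    """Name the handshake message from its Key Information bits (Figure 26 / Figure 27)."""
    f = k.flags
    if not f["pairwise"]:
        return "group-key handshake"
    if f["ack"]:
        return "4-way message 3" if f["mic"] else "4-way message 1"
    return "4-way message 2" if k.key_data else "4-way message 4"


class ClientReplayCheck:
    """Client side of the Key Replay Counter rule in Table 23: a frame whose counter is
    not greater than the last recorded one is a replay or retransmission and is dropped."""

    def __init__(self):
        self.last = None

    def accept(self, k: EapolKey) -> bool:
        if self.last is not None and k.replay_counter <= self.last:
            return False
        self.last = k.replay_counter
        return True


# Constructed sample: RSN 4-way handshake message 1 (CCMP version, unicast key, Key Ack set)
MSG1_INFO = 2 | FLAG_BITS["pairwise"] | FLAG_BITS["ack"]        # 0x008A
SAMPLE_MSG1 = build_eapol_key(2, MSG1_INFO, 16, 0, bytes(range(32)))
```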

WPA key negotiation

WPA uses EAPOL-Key packets in the four-way handshake to negotiate the PTK, and in the two-way handshake to negotiate the GTK.

Figure 26 WPA key negotiation process


WPA key negotiation uses the following process:

1.        The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.

2.        The client performs the following operations:

a.    Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the key derivation function (KDF).

b.    Uses the KCK in the PTK to generate the MIC.

c.    Returns EAPOL-Key message 2 that contains the SNonce and MIC.

3.        The AP performs the following operations:

a.    Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.

b.    Uses the KCK in the PTK to generate the MIC.

c.    Compares the received MIC with the local MIC.

d.    Returns EAPOL-Key message 3 that contains the PTK installation request tag and MIC if the two MICs are the same.

4.        The client performs the following operations:

a.    Compares the received MIC with the local MIC.

b.    Installs the PTK and returns EAPOL-Key message 4 that contains the MIC if the two MICs are the same.

5.        The AP performs the following operations:

a.    Compares the received MIC with the local MIC.

b.    Installs the PTK and generates a GTK with the GMK and MAC address of the AP by using the KDF if the two MICs are the same.

c.    Returns EAPOL-Key group message 1 that contains the GTK and MIC.

6.        The client performs the following operations:

a.    Installs the GTK if the two MICs are the same.

b.    Returns EAPOL-Key group message 2 that contains the MIC.

7.        The AP performs the following operations:

a.    Compares the received MIC with the local MIC.

b.    Installs the GTK if the MICs are the same.

RSN key negotiation

RSN uses EAPOL-Key packets in the four-way handshake to negotiate the PTK and the GTK.

Figure 27 RSN key negotiation process


RSN key negotiation uses the following process:

1.        The AP sends the client EAPOL-Key message 1 that contains a random value ANonce.

2.        The client performs the following operations:

a.    Uses the random value SNonce, ANonce, and PMK to generate a PTK by using the KDF.

b.    Uses the KCK in the PTK to generate the MIC.

c.    Returns EAPOL-Key message 2 that contains the SNonce and MIC.

3.        The AP performs the following operations:

a.    Uses the SNonce, ANonce, and PMK to generate a PTK by using the KDF.

b.    Uses the KCK in the PTK to generate the MIC.

c.    Compares the received MIC with the local MIC.

d.    Generates a GTK with the random GMK and MAC address of the AP by using the KDF if the two MICs are the same.

e.    Returns EAPOL-Key message 3 that contains the key installation request tag, MIC, and GTK.

4.        The client performs the following operations:

a.    Compares the received MIC with the local MIC.

b.    Installs the PTK and GTK if the two MICs are the same.

c.    Returns EAPOL-Key message 4 that contains the MIC.

5.        The AP performs the following operations:

a.    Compares the received MIC with the local MIC.

b.    Installs the PTK and GTK if the two MICs are the same.
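Steps 1 to 3 of the WPA/RSN negotiation above, carried through as an added example (not H3C code) with both sides in one process: the client derives the PTK from the PMK and the two nonces, signs message 2 with the KCK, and the AP derives the same PTK and checks the MIC. Both KDFs from "Setting the KDF" are implemented (the 802.11i HMAC-SHA1 PRF and the HMAC-SHA256 KDF); the MAC addresses, nonces, passphrase and RSN IE are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then the Table 23 fields
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8                  # Key Nonce starts at byte 17
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8        # Key MIC starts at byte 81


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """preshared-key pass-phrase: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PSK (the PMK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF (the 'sha1' KDF): HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kdf_sha256(key: bytes, label: bytes, context: bytes, nbytes: int) -> bytes:
    """802.11 KDF-Hash-Length (the 'sha256' KDF): HMAC-SHA256(key, i || label || context || bits)
    with the counter i (from 1) and the output bit length as 16-bit little-endian integers."""
    bits = (nbytes * 8).to_bytes(2, "little")
    out = b""
    for i in range(1, (nbytes + 31) // 32 + 1):
        out += hmac.new(key, i.to_bytes(2, "little") + label + context + bits, hashlib.sha256).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, kdf="sha1"):
    """PTK = KDF(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(AN,SN) || max(AN,SN)).
    For CCMP the PTK is 48 bytes: KCK(16) || KEK(16) || TK(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = {"sha1": prf_sha1, "sha256": kdf_sha256}[kdf](pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]          # KCK, KEK, TK


def eapol_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """Key MIC over the whole EAPOL frame with the Key MIC field zeroed.
    Key Descriptor Version 1 (TKIP): HMAC-MD5; version 2 (CCMP): HMAC-SHA1, first 16 bytes.
    (The AES-128-CMAC MIC that goes with the SHA-256 AKMs is not implemented here.)"""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def verify_mic(kck: bytes, frame: bytes, version: int) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame, version), frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_message2(snonce: bytes, key_data: bytes, version: int) -> bytes:
    """Unsigned EAPOL-Key message 2: unicast key, Key MIC bit set, SNonce, RSN IE in Key Data."""
    info = version | 0x0008 | 0x0100                  # Key Type = unicast, Key MIC = 1
    body = struct.pack("!BHHQ32s16s8s8s16sH", 2, info, 0, 1, snonce, bytes(16),
                       bytes(8), bytes(8), bytes(16), len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body


def simulate_handshake(kdf="sha1", passphrase="constructed-sample-pass", ssid="trade-off"):
    """Steps 1 to 3 of the four-way handshake with both sides in one process.
    Returns (AP accepts the genuine message 2, AP accepts a tampered copy of it)."""
    pmk = psk_from_passphrase(passphrase, ssid)       # PSK AKM: the PSK is the PMK
    aa = bytes.fromhex("0023893322aa")                 # sample AP MAC address
    spa = bytes.fromhex("0023893322bb")                # sample client MAC address
    anonce, snonce = os.urandom(32), os.urandom(32)    # message 1 carries ANonce
    version = 2                                         # CCMP cipher suite
    # Client (step 2): derive the PTK, build message 2 and sign it with the KCK
    kck_c, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce, kdf)
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP, PSK AKM
    msg2 = build_message2(snonce, rsn_ie, version)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(kck_c, msg2, version) + msg2[MIC_OFFSET + 16:]
    # AP (step 3): read SNonce from the frame, derive the same PTK, compare the MICs
    snonce_rx = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck_a, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce_rx, kdf)
    genuine = verify_mic(kck_a, msg2, version)
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 0x01])    # flip one bit of the key data
    return genuine, verify_mic(kck_a, tampered, version)
```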

Key updates

Key updates enhance WLAN security. Key updates include PTK updates and GTK updates.

·          PTK updates—Updates for the unicast keys using the four-way handshake negotiation.

·          GTK updates—Updates for the multicast keys using the two-way handshake negotiation.

Cipher suites

TKIP

Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm. You can change the cipher suite from WEP to TKIP by updating the software without changing the hardware. TKIP has the following advantages over WEP:

·          TKIP provides longer initialization vectors (IVs) to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.

·          TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP dynamic keys cannot be easily deciphered.

·          TKIP offers a MIC and countermeasures. A packet that has been tampered with fails the MIC check. If two packets fail the MIC check within a period, the AP automatically takes countermeasures and stops providing services for a period to prevent further attacks.

CCMP

Counter mode with CBC-MAC Protocol (CCMP) is based on the Counter-Mode/CBC-MAC (CCM) of the Advanced Encryption Standard (AES) encryption algorithm.

CCMP contains a dynamic key negotiation and management method. Each client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP cipher suite. During the encryption process, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN. This improves WLAN security.

Dynamic WEP mechanism

IMPORTANT:

The dynamic WEP mechanism uses open system authentication for link layer authentication.

802.11 provides the dynamic WEP mechanism to ensure that each user uses a private WEP key.

·          For unicast communications, the mechanism uses the WEP key negotiated by the client and server during 802.1X authentication.

·          For multicast and broadcast communications, the mechanism uses the configured WEP key. If you do not configure a WEP key, the AP randomly generates a WEP key for broadcast and multicast communications.

After the client passes 802.1X authentication, the AP sends the client an RC4-EAPOL packet that contains the unicast WEP key ID, and the multicast and broadcast WEP key and key ID. The unicast WEP key ID is 4.

802.11w management frame protection

About 802.11w management frame protection

The management frame protection service protects a set of robust management frames, such as de-authentication, disassociation, and some robust action frames.

·          For unicast management frames, it uses the PTK to encrypt the frames and provides secrecy, integrity, and replay protection.

·          For broadcast and multicast management frames, it uses the Broadcast Integrity Protocol (BIP) to provide integrity and replay protection.

The security association (SA) query mechanism is used to enhance security if the AP and client negotiate to use management frame protection. SA queries include active SA queries and passive SA queries.

Active SA query

As shown in Figure 28, active SA query uses the following process:

1.        The client sends an association or reassociation request to the AP.

2.        Upon receiving the request, the AP sends a response to inform the client that the request is denied and the client can associate at a later time. The response contains the association comeback time.

3.        The AP sends an SA query request to verify the status of the client:

◦  If the AP receives an SA query response within the timeout time, it considers the client online.

◦  If the AP does not receive an SA query response within the timeout time, it sends another SA query request. If the AP receives an SA query response within the retransmission time, it considers the client online. The AP does not respond to any association or reassociation requests from the client until the association comeback time times out.

◦  If the AP does not receive an SA query response within the retransmission time, it considers the client offline and allows the client to reassociate.

Figure 28 Active SA query process


Passive SA query

As shown in Figure 29, passive SA query uses the following process:

1.        The client triggers the SA query process upon receiving an unencrypted disassociation or deauthentication frame.

2.        The client sends an SA query request to the AP.

3.        The AP sends an SA query response to the client:

◦  If the client receives the response, the client determines that the AP is online and does not process the disassociation or deauthentication frame.

◦  If the client does not receive a response, the client determines that the AP is offline and disassociates with the AP.

Figure 29 Passive SA query process
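The AP side of the active SA query process (Figure 28) as a small timer-driven state machine, added here as an example and not H3C code. The timer values are the defaults of the pmf commands in "Configuring 802.11w management frame protection" (retrytimeout 200 ms, retrycount 4, association comeback 1 s); the two client timelines are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PmfTimers:
    """Defaults of the pmf commands described under 'Configuring 802.11w management frame protection'."""
    saquery_retrytimeout_ms: int = 200    # pmf saquery retrytimeout
    saquery_retrycount: int = 4           # pmf saquery retrycount
    association_comeback_ms: int = 1000   # pmf association-comeback


@dataclass
class ApSaQueryState:
    """AP-side active SA query state for one associated, PMF-capable client."""
    timers: PmfTimers = field(default_factory=PmfTimers)
    client_online: bool = True
    attempts: int = 0
    query_deadline_ms: Optional[int] = None   # when the outstanding SA query request times out
    comeback_until_ms: int = 0                # (re)association requests are not answered before this
    decisions: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _send_query(self, now: int) -> None:
        self.attempts += 1
        self.query_deadline_ms = now + self.timers.saquery_retrytimeout_ms
        self.log.append(f"{now} ms: SA query request #{self.attempts}")

    def on_assoc_request(self, now: int) -> str:
        """Steps 1 to 3: deny with a comeback time and verify the existing association."""
        if now < self.comeback_until_ms:
            decision = "ignored"                      # comeback time has not expired yet
        elif not self.client_online:
            decision = "accepted"                     # old association already torn down
            self.client_online = True
        else:
            decision = "rejected-comeback"
            self.comeback_until_ms = now + self.timers.association_comeback_ms
            self.attempts = 0
            self._send_query(now)
        self.decisions.append(decision)
        self.log.append(f"{now} ms: association request {decision}")
        return decision

    def on_sa_query_response(self, now: int) -> None:
        """A response within the timeout proves the client is still there; keep the association."""
        if self.query_deadline_ms is None or now > self.query_deadline_ms:
            return                                    # late or unsolicited: ignore
        self.query_deadline_ms = None
        self.client_online = True
        self.log.append(f"{now} ms: SA query response received, client online")

    def on_tick(self, now: int) -> None:
        """Retransmit on timeout; after retrycount unanswered requests declare the client offline."""
        if self.query_deadline_ms is None or now < self.query_deadline_ms:
            return
        if self.attempts < self.timers.saquery_retrycount:
            self._send_query(now)
        else:
            self.query_deadline_ms = None
            self.client_online = False
            self.comeback_until_ms = 0                # the client may reassociate at once
            self.log.append(f"{now} ms: no response after {self.attempts} requests, client offline")


def simulate(events: List[Tuple[int, str]], timers: Optional[PmfTimers] = None,
             tick_ms: int = 100) -> ApSaQueryState:
    """Replay a constructed timeline of (time_ms, 'assoc' | 'saq-response') events,
    advancing the AP's timers in tick_ms steps (event times must be multiples of tick_ms)."""
    st = ApSaQueryState(timers or PmfTimers())
    pending = sorted(events)
    end = pending[-1][0] + st.timers.association_comeback_ms
    for now in range(0, end + tick_ms, tick_ms):
        st.on_tick(now)
        while pending and pending[0][0] <= now:
            _, kind = pending.pop(0)
            if kind == "assoc":
                st.on_assoc_request(now)
            else:
                st.on_sa_query_response(now)
    return st


# Constructed scenarios
# A: the client rebooted and never answers the SA query; it must be let back in after the retries.
SILENT_CLIENT = [(0, "assoc"), (900, "assoc")]
# B: the client is still present and answers; a second association request during the comeback
#    time is not answered, so the existing association survives.
LIVE_CLIENT = [(0, "assoc"), (100, "saq-response"), (300, "assoc")]
```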

 

Protocols and standards

·          IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—2004

·          WI-FI Protected Access—Enhanced Security Implementation Based On IEEE P802.11i Standard-Aug 2004

·          Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—802.11, 1999

·          IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control" 802.1X™-2004

·          802.11i IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

·          802.11w IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

WLAN security tasks at a glance

Pre-RSNA tasks at a glance

Tasks at a glance

(Required.) Setting the cipher suite

(Required.) Setting the WEP key

(Optional.) Enabling SNMP notifications for WLAN security

 

802.11i tasks at a glance

IMPORTANT:

·      802.11i requires open system authentication for link layer authentication.

·      The AKM mode, security IE, and cipher suite must be configured for 802.11i networks.

·      Management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security information element.

Tasks at a glance

(Required.) Configuring the AKM mode

(Required.) Setting the security information element

(Required.) Setting the cipher suite

(Optional.) Setting the PSK

(Optional.) Setting the KDF

(Optional.) Configuring GTK update

(Optional.) Configuring PTK update

(Optional.) Setting the TKIP MIC failure hold time

(Optional.) Setting the WEP key

(Optional.) Configuring 802.11w management frame protection

(Optional.) Enabling SNMP notifications for WLAN security

 

Dynamic WEP tasks at a glance

Tasks at a glance

(Optional.) Setting the cipher suite

(Optional.) Setting the WEP key

(Required.) Enabling the dynamic WEP mechanism

(Optional.) Enabling SNMP notifications for WLAN security

 

Configuring security features

Configuring the AKM mode

About AKM modes

Each of the following AKM modes must be used with a specific authentication mode:

·          802.1X AKM—802.1X authentication mode.

·          Private PSK AKM—MAC authentication mode.

·          PSK AKM—MAC or bypass authentication mode.

·          WiFi alliance anonymous 802.1X AKM—802.1X authentication mode.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Configure the AKM mode.

akm mode { dot1x | private-psk | psk | anonymous-dot1x }

By default, no AKM mode is configured.

 

Setting the security information element

About security information elements

Perform this task to enable an AP to set the security information element (security IE) bit in beacon and probe responses to notify clients of its security capabilities.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Set the security IE.

security-ie { osen | rsn | wpa }

By default, no security IE is set.

 

Setting the cipher suite

About cipher suites

The following cipher suites are available:

·          WEP (WEP40, WEP104, or WEP128).

·          CCMP.

·          TKIP.

Restrictions and guidelines

You cannot set both WEP128 and CCMP, or both WEP128 and TKIP.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Set the cipher suite.

cipher-suite { ccmp | tkip | wep40 | wep104 | wep128 }

By default, no cipher suite is set.

 

Setting the PSK

Restrictions and guidelines

The PSK must be set if the AKM mode is PSK. If you configure the PSK when the AKM mode is 802.1X, the WLAN service template can be enabled but the PSK configuration does not take effect.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Set the PSK.

preshared-key { pass-phrase | raw-key } { cipher | simple } string

By default, no PSK is set.

 

Setting the KDF

About KDFs

KDFs are used by 802.11i networks to generate PTKs and GTKs. KDFs include HMAC-SHA1 and HMAC-SHA256 algorithms. The HMAC-SHA256 algorithm is more secure than the HMAC-SHA1 algorithm.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Set the KDF.

key-derivation { sha1 | sha256 | sha1-and-sha256 }

By default, the HMAC-SHA1 algorithm is set.

 

Configuring GTK update

About GTK update

The system generates the GTK during key negotiation if the AKM, security IE, and cipher suite are configured. This feature updates the GTK to enhance key security based on the following updating modes:

·          Time-based—The GTK is updated at the specified interval.

·          Packet-based—The GTK is updated after the specified number of packets is sent.

·          Offline-triggered—The GTK is updated when a client in the basic service set (BSS) goes offline.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Enable GTK update.

gtk-rekey enable

By default, GTK update is enabled.

4.       (Optional.) Configure a GTK update method.

gtk-rekey method { packet-based [ packet ] | time-based [ time ] }

By default, the GTK is updated at an interval of 85400 seconds. The default packet quantity is 10000000 for packet-based GTK update.

5.       (Optional.) Enable the offline-triggered GTK update.

gtk-rekey client-offline enable

By default, offline-triggered GTK update is disabled.

 

Configuring PTK update

About PTK update

The system generates the PTK during key negotiation when the AKM, security IE, and cipher suite are configured. This feature updates the PTK after the PTK lifetime expires.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Enable PTK update.

ptk-rekey enable

By default, PTK update is enabled.

4.       Set the PTK lifetime.

ptk-lifetime time

By default, the PTK lifetime is 43200 seconds.

 

Setting the TKIP MIC failure hold time

About the TKIP MIC failure hold time

After configuring the TKIP, you can configure the TKIP MIC failure hold time. If the AP detects two MIC failures within the MIC failure hold time, it disassociates all clients for 60 seconds.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Set the TKIP MIC failure hold time.

tkip-cm-time time

By default, the TKIP MIC failure hold time is 0. The AP does not take any countermeasures.

 

Setting the WEP key

Restrictions and guidelines

The WEP key can be used to encrypt all packets for pre-RSNA networks and encrypt multicast packets for 802.11i networks. If the WEP key is not set, a pre-RSNA network does not encrypt packets and an 802.11i network uses the negotiated GTK to encrypt multicast packets.

Do not apply WEP key 4 if the dynamic WEP mechanism is enabled.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Set the WEP key.

wep key key-id { wep40 | wep104 | wep128 } { pass-phrase | raw-key } { cipher | simple } string

By default, no WEP key is set.

4.       (Optional.) Apply the WEP key.

wep key-id { 1 | 2 | 3 | 4 }

By default, WEP key 1 is applied.

 

Configuring 802.11w management frame protection

About 802.11w management frame protection

When 802.11w management frame protection is disabled, network access is available for all clients, but management frame protection is not performed. When 802.11w management frame protection is enabled, network access and management frame protection availability varies by management frame protection mode.

·          Optional mode—Network access is available for all clients, but management frame protection is performed only for clients that support management frame protection.

·          Mandatory mode—Network access and management frame protection are available only for clients that support management frame protection.

Restrictions and guidelines

802.11w management frame protection takes effect only for a network that uses the 802.11i mechanism and is configured with the CCMP cipher suite and RSN security IE.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Enable management frame protection.

pmf { optional | mandatory }

By default, management frame protection is disabled.

4.       Set the interval for sending SA query requests.

pmf saquery retrytimeout timeout

By default, the interval for sending SA query requests is 200 milliseconds.

5.       Set the maximum transmission attempts for SA query requests.

pmf saquery retrycount count

By default, the maximum number of transmission attempts for SA query requests is 4.

6.       Set the association comeback time.

pmf association-comeback time

By default, the association comeback time is 1 second.


Enabling the dynamic WEP mechanism

About dynamic WEP

If dynamic WEP is enabled, the keys used for packet encryption depend on whether a WEP key is configured.

·          If a WEP key is configured, the dynamic WEP mechanism uses the configured WEP key as the multicast and broadcast WEP key. The negotiated unicast WEP key has an ID of 4 and the key length set by the cipher suite.

·          If no WEP key is configured, both dynamic WEP keys are 104 bits long. The negotiated unicast WEP key has an ID of 4, and the generated multicast and broadcast WEP key has an ID of 1.

Restrictions and guidelines

The dynamic WEP mechanism must be used with the 802.1X authentication mode.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WLAN service template view.

wlan service-template service-template-name

N/A

3.       Enable the dynamic WEP mechanism.

wep mode dynamic

By default, the dynamic WEP mechanism is disabled.
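The three procedures above (WEP key, 802.11w management frame protection, dynamic WEP) each carry a guideline that the CLI itself does not enforce at the moment you type the command: 802.11w takes effect only with an 802.11i AKM, the CCMP cipher suite and the RSN security IE; dynamic WEP must be used with 802.1X authentication; WEP key 4 must not be applied when dynamic WEP is enabled. The Python script below is an added example, not code from the H3C guide: it renders the service-template commands shown in these procedures from a small policy object and refuses any combination the guidelines rule out. The policy class, its field names and the validate/render functions are this example's own; the command syntax is taken from the procedures above.

```python
"""Render and validate an H3C WLAN service-template security configuration
from a small policy object.  Added example, not code from the H3C guide: the
command syntax is the guide's, the policy class and checks are this example's."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WlanSecurityPolicy:
    """Hypothetical policy description; field names are this example's own."""
    name: str
    ssid: str
    akm: Optional[str] = None          # "psk" or "dot1x"; None means no 802.11i AKM
    psk: Optional[str] = None          # plaintext passphrase when akm == "psk"
    cipher: Optional[str] = None       # "ccmp", "tkip", "wep40", "wep104", "wep128"
    security_ie: Optional[str] = None  # "rsn" or "wpa"
    pmf: Optional[str] = None          # "optional" or "mandatory"
    auth_mode: Optional[str] = None    # "dot1x" or "mac" (client-security authentication-mode)
    dynamic_wep: bool = False          # wep mode dynamic
    wep_keys: List[Tuple[int, str, str]] = field(default_factory=list)  # (key-id, length, passphrase)
    wep_key_id: Optional[int] = None   # key applied with 'wep key-id'


def validate(p: WlanSecurityPolicy) -> List[str]:
    """Return the guideline violations stated in the guide's sections above."""
    errors = []
    if p.pmf and not (p.akm and p.cipher == "ccmp" and p.security_ie == "rsn"):
        errors.append("pmf takes effect only with an 802.11i AKM, cipher-suite ccmp and security-ie rsn")
    if p.dynamic_wep and p.auth_mode != "dot1x":
        errors.append("wep mode dynamic must be used with client-security authentication-mode dot1x")
    if p.dynamic_wep and p.wep_key_id == 4:
        errors.append("do not apply WEP key 4 when dynamic WEP is enabled")
    if p.akm == "psk" and not p.psk:
        errors.append("akm mode psk needs a preshared key")
    return errors


def render(p: WlanSecurityPolicy) -> List[str]:
    """Emit the command sequence from system view; refuse an invalid policy."""
    errors = validate(p)
    if errors:
        raise ValueError("; ".join(errors))
    cmds = ["system-view", f"wlan service-template {p.name}", f"ssid {p.ssid}"]
    if p.akm:
        cmds.append(f"akm mode {p.akm}")
    if p.akm == "psk":
        # 'simple' takes a plaintext passphrase, as in the guide's examples
        cmds.append(f"preshared-key pass-phrase simple {p.psk}")
    if p.cipher:
        cmds.append(f"cipher-suite {p.cipher}")
    if p.security_ie:
        cmds.append(f"security-ie {p.security_ie}")
    for key_id, length, phrase in p.wep_keys:
        cmds.append(f"wep key {key_id} {length} pass-phrase simple {phrase}")
    if p.wep_key_id:
        cmds.append(f"wep key-id {p.wep_key_id}")
    if p.dynamic_wep:
        cmds.append("wep mode dynamic")
    if p.pmf:
        cmds.append(f"pmf {p.pmf}")
    if p.auth_mode:
        cmds.append(f"client-security authentication-mode {p.auth_mode}")
    cmds += ["service-template enable", "quit"]
    return cmds


# Constructed policies: PROTECTED mirrors the guide's 802.11w example, REJECTED
# asks for PMF on a WPA-IE network, which the guideline rules out.
PROTECTED = WlanSecurityPolicy("service1", "service", akm="psk", psk="12345678",
                               cipher="ccmp", security_ie="rsn", pmf="optional")
REJECTED = WlanSecurityPolicy("service2", "legacy", akm="psk", psk="12345678",
                              cipher="ccmp", security_ie="wpa", pmf="optional")

if __name__ == "__main__":
    print("\n".join(render(PROTECTED)))
    print("rejected:", validate(REJECTED))
```

Running the script prints the command sequence for the protected template and the reason the second policy is refused. The checks are deliberately limited to what the guide states; a policy that passes them is still only as strong as the cipher suite and AKM it selects.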


Enabling SNMP notifications for WLAN security

About SNMP notifications

To report critical WLAN security events to an NMS, enable SNMP notifications for WLAN security. For WLAN security event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable SNMP notifications for WLAN security.

snmp-agent trap enable wlan usersec

By default, SNMP notifications are disabled for WLAN security.


Display and maintenance commands for WLAN security

Execute display commands in any view.


Task

Command

Display client information.

display wlan client [ ap ap-name [ radio radio-id ] | mac-address mac-address | service-template service-template-name ] [ verbose ]

For more information about this command, see "WLAN access commands."

Display WLAN service template information.

display wlan service-template [ service-template-name ] [ verbose ]

For more information about this command, see "WLAN access commands."


WLAN security configuration examples

Example: Configuring shared key authentication

Network requirements

As shown in Figure 30, the switch functions as a DHCP server to assign IP addresses to the AP and client. Configure shared key authentication to enable the client to access the network by using WEP key 12345.

Figure 30 Network diagram


Configuration procedure

# Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

# Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

# Configure a WEP40 plaintext key of 12345 as WEP key 2, and apply WEP key 2.

[AC-wlan-st-service1] cipher-suite wep40

[AC-wlan-st-service1] wep key 2 wep40 pass-phrase simple 12345

[AC-wlan-st-service1] wep key-id 2

# Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

# Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : Not configured

Security IE                  : Not configured

Cipher suite                 : WEP40

WEP key ID                   : 2

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Example: Configuring PSK authentication and bypass authentication

Network requirements

As shown in Figure 31, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·          Configure open system authentication and bypass authentication.

·          Configure the client to use preshared key 12345678 to access the network.

Figure 31 Network diagram


Configuration procedure

1.        Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

2.        Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

3.        Configure WLAN security for service template service1:

# Configure the PSK AKM mode and the 12345678 plaintext key.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

4.        Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

5.        Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

6.        Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Example: Configuring PSK authentication and MAC authentication

Network requirements

As shown in Figure 32, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·          Configure open system authentication and MAC authentication so that the client can access the network by using login username abc and password 123.

·          Configure the client to use preshared key 12345678 to access the network.

Figure 32 Network diagram


Configuration procedure

1.        Configure a username of abc and a password of 123 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.        Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

3.        Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

4.        Configure WLAN security for service template service1:

# Configure the PSK AKM mode and the 12345678 plaintext key.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

# Configure MAC authentication.

[AC-wlan-st-service1] client-security authentication-mode mac

5.        Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

6.        Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345678 in plaintext.

[AC-radius-radius1] key authentication simple 12345678

[AC-radius-radius1] key accounting simple 12345678

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

·          Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

·          Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

7.        Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

8.        Configure an ISP domain of dom1, a username of abc, and password 123 for the user.

[AC] mac-authentication mac domain dom1

[AC] mac-authentication user-name-format fixed account abc password simple 123

9.        Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

10.     Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : MAC

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Example: Configuring 802.1X AKM

Network requirements

As shown in Figure 33, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·          Configure open system authentication and 802.1X authentication so that the client can access the network by using login username abcdef and password 123456.

·          Configure 802.1X as the AKM mode.

Figure 33 Network diagram


Configuration procedure

1.        Configure a username of abcdef and a password of 123456 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.        Configure the 802.1X client. (Details not shown.)

3.        Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

4.        Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

5.        Configure WLAN security for service template service1:

# Configure 802.1X as the AKM mode.

[AC-wlan-st-service1] akm mode dot1x

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

# Configure the 802.1X authentication mode.

[AC-wlan-st-service1] client-security authentication-mode dot1x

6.        Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

7.        Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345 in plaintext.

[AC-radius-radius1] key authentication simple 12345

[AC-radius-radius1] key accounting simple 12345

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

·          Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

·          Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

8.        Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

9.        Configure ISP domain dom1 as the default ISP domain.

[AC] domain default enable dom1

10.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

11.     Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : dot1x

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : 802.1X

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Example: Configuring management frame protection

Network requirements

As shown in Figure 34, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·          Configure the client to use preshared key 12345678 to access the network.

·          Configure the CCMP cipher suite, RSN security IE, and management frame protection.

Figure 34 Network diagram


Configuration procedure

1.        Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

2.        Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

3.        Configure management frame protection:

# Enable management frame protection in optional mode.

[AC-wlan-st-service1] pmf optional

# Set the KDF to sha1-and-sha256.

[AC-wlan-st-service1] key-derivation sha1-and-sha256

4.        Configure the 802.11i mechanism:

# Configure the PSK AKM mode and the 12345678 plaintext key.

[AC-wlan-st-service1] akm mode psk

[AC-wlan-st-service1] preshared-key pass-phrase simple 12345678

# Configure CCMP as the cipher suite and RSN as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie rsn

5.        Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

6.        Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

7.        Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : PSK

Security IE                  : RSN

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : Bypass

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : SHA1-AND-SHA256

PMF status                   : Optional

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

# Use the display wlan client verbose command to verify the management frame protection negotiation results after an 802.11w client comes online.

<AC> display wlan client verbose

Total number of clients: 1

 

MAC address                       : 5250-0012-0411

IPv4 address                      : 135.3.2.1

IPv6 address                      : N/A

Username                          : 11w

AID                               : 1

AP ID                             : 1

AP name                           : ap1

Radio ID                          : 1

SSID                              : service

BSSID                             : 1111-2222-3333

VLAN ID                           : 1

Sleep count                       : 147

Power save mode                   : Active

Wireless mode                     : 802.11a

Channel bandwidth                 : 20MHz                                     

SM power save                     : Disabled                                  

Short GI for 20MHz                : Not supported                             

Short GI for 40MHz                : Not supported                             

STBC RX capability                : Not supported                             

STBC TX capability                : Not supported                             

LDPC RX capability                : Not supported                             

Block Ack                         : TID 0  In                                 

Support HT-MCS set                : 0, 1, 2, 3, 4, 5, 6, 7,                   

                                    8, 9, 10, 11, 12, 13, 14,                 

                                    15                                        

Supported rates                   : 1, 2, 5.5, 6, 9, 11,                       

                                    12, 18, 24, 36, 48, 54 Mbps               

QoS mode                          : WMM                                       

Listen interval                   : 10                                        

RSSI                              : 46                                        

Rx/Tx rate                        : 39/65                                     

Authentication method             : Open system                               

Security mode                     : RSN                                       

AKM mode                          : 802.1X                                    

Cipher suite                      : CCMP                                      

User authentication mode          : 802.1X                                    

Authorization ACL ID              : N/A                                       

Authorization user profile        : N/A                                       

Roam status                       : N/A                                        

Key derivation                    : SHA1                                      

PMF status                        : Enabled                                   

Forwarding policy name            : N/A                                        

Online time                       : 0days 0hours 2minutes 56seconds           

FT status                         : Inactive
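The "Display and maintenance commands for WLAN security" section and the verification steps of the examples above rely on reading the verbose output of display wlan service-template and display wlan client by eye. The Python script below is an added example, not code from the H3C guide: it parses both output formats and applies the guide's own rules, flagging templates that still use a WEP cipher suite or no 802.11i security IE, templates where PMF could be enabled (CCMP plus RSN IE) or cannot take effect (WPA IE), and, per SSID, which online clients negotiated PMF. The sample outputs are constructed in the format shown above; the template names, SSIDs, MAC addresses and values are made up, and the parse_records, audit_templates and pmf_report functions are this example's own.

```python
"""Audit H3C AC 'display wlan service-template ... verbose' and
'display wlan client verbose' output for weak WLAN security settings and for
802.11w negotiation results.  Added example; not code from the H3C guide."""
from typing import Dict, List

# Constructed sample in the format the guide shows; the three templates,
# their SSIDs and values are made up.
TEMPLATE_OUTPUT = """\
Service template name        : guest
SSID                         : guest
AKM mode                     : Not configured
Security IE                  : Not configured
Cipher suite                 : WEP40
PMF status                   : Disabled
Service template name        : staff
SSID                         : staff
AKM mode                     : dot1x
Security IE                  : RSN
Cipher suite                 : CCMP
PMF status                   : Optional
Service template name        : iot
SSID                         : iot
AKM mode                     : PSK
Security IE                  : WPA
Cipher suite                 : CCMP
PMF status                   : Disabled
"""

# Constructed 'display wlan client verbose' sample; MAC addresses are made up.
CLIENT_OUTPUT = """\
Total number of clients: 2

MAC address                       : 0200-0000-0001
SSID                              : staff
Support HT-MCS set                : 0, 1, 2, 3,
                                    4, 5, 6, 7
PMF status                        : Enabled
MAC address                       : 0200-0000-0002
SSID                              : staff
PMF status                        : Disabled
"""


def parse_records(text: str, start_key: str) -> List[Dict[str, str]]:
    """Split 'Field : Value' output into one dict per record; a record starts
    at start_key.  Lines without a colon (headers, wrapped values) are skipped."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == start_key:
            records.append({})
        if records:
            records[-1][key] = value
    return records


def audit_template(t: Dict[str, str]) -> List[str]:
    """Findings for one template, following the guide's own rules: WEP is the
    pre-RSNA cipher and 802.11w needs 802.11i with CCMP and the RSN IE."""
    cipher, ie, pmf = (t.get(k, "") for k in ("Cipher suite", "Security IE", "PMF status"))
    findings = []
    if cipher.upper().startswith("WEP"):
        findings.append(f"{cipher} is a pre-RSNA cipher suite; prefer CCMP with the RSN IE")
    if t.get("AKM mode") == "Not configured" and ie == "Not configured":
        findings.append("no AKM mode or security IE: 802.11i is not in use on this SSID")
    if pmf == "Disabled" and ie == "RSN" and cipher == "CCMP":
        findings.append("PMF disabled although CCMP and RSN are set: pmf optional|mandatory is available")
    elif pmf == "Disabled" and ie == "WPA":
        findings.append("security IE is WPA: 802.11w needs the RSN IE and CCMP before pmf takes effect")
    return findings


def audit_templates(text: str) -> Dict[str, List[str]]:
    """Map each service template name to its findings."""
    return {t["Service template name"]: audit_template(t)
            for t in parse_records(text, "Service template name")}


def pmf_report(client_text: str, template_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Per SSID, list clients that negotiated PMF and those that did not.
    Under 'pmf mandatory' an online client without PMF should not exist, so it
    is reported as a violation; under 'pmf optional' it is merely unprotected."""
    modes = {t.get("SSID"): t.get("PMF status", "Disabled")
             for t in parse_records(template_text, "Service template name")}
    report: Dict[str, Dict[str, List[str]]] = {}
    for c in parse_records(client_text, "MAC address"):
        ssid = c.get("SSID", "?")
        entry = report.setdefault(ssid, {"protected": [], "unprotected": [], "violations": []})
        bucket = ("protected" if c.get("PMF status") == "Enabled"
                  else "violations" if modes.get(ssid) == "Mandatory" else "unprotected")
        entry[bucket].append(c["MAC address"])
    return report
```

Feed the script the text captured from the AC (for example, a pasted terminal session) and call audit_templates on the service-template output and pmf_report on the client output together with it. The record splitter keys on the first field of each record, so wrapped values such as the HT-MCS list and the "Total number of clients" header are skipped rather than mis-parsed.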

Example: Configuring dynamic WEP

Network requirements

As shown in Figure 35, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·          Configure open system authentication and 802.1X authentication so that the client can access the network by using login username abcdef and password 123456.

·          Configure the dynamic WEP mechanism.

Figure 35 Network diagram


Configuration procedure

1.        Configure a username of abcdef and a password of 123456 on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.        Configure the 802.1X client. (Details not shown.)

3.        Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

4.        Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

5.        Enable the dynamic WEP mechanism.

[AC-wlan-st-service1] wep mode dynamic

6.        Configure the 802.1X authentication mode.

[AC-wlan-st-service1] client-security authentication-mode dot1x

7.        Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

8.        Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345 in plaintext.

[AC-radius-radius1] key authentication simple 12345

[AC-radius-radius1] key accounting simple 12345

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

·          Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

·          Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

9.        Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

10.     Configure ISP domain dom1 as the default ISP domain.

[AC] domain default enable dom1

11.     Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

12.     Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : Not configured

Security IE                  : Not configured

Cipher suite                 : WEP104

WEP key ID                   : 1

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : 802.1X

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

Example: Configuring private PSK authentication and MAC authentication

Network requirements

As shown in Figure 36, the switch functions as a DHCP server to assign IP addresses to the AP and client.

·          Configure the MAC authentication mode so that the client can access the network by using its MAC address as the login username and password.

·          Configure the private PSK AKM mode so that the client can use its MAC address as the PSK.

Figure 36 Network diagram

 

Configuration procedure

1.        Configure a username of 00-23-12-45-67-7a and a password of 00-23-12-45-67-7a on the RADIUS server and make sure the RADIUS server and AC can reach each other. (Details not shown.)

2.        Create a WLAN service template named service1.

<AC> system-view

[AC] wlan service-template service1

3.        Specify an SSID of service for the service template.

[AC-wlan-st-service1] ssid service

4.        Configure WLAN security for service template service1:

# Configure private PSK as the AKM mode.

[AC-wlan-st-service1] akm mode psk

# Configure CCMP as the cipher suite and WPA as the security IE.

[AC-wlan-st-service1] cipher-suite ccmp

[AC-wlan-st-service1] security-ie wpa

# Configure MAC authentication.

[AC-wlan-st-service1] client-security authentication-mode mac

5.        Enable service template service1.

[AC-wlan-st-service1] service-template enable

[AC-wlan-st-service1] quit

6.        Configure a RADIUS scheme:

# Create a RADIUS scheme named radius1 and enter its view.

[AC] radius scheme radius1

# Specify the primary authentication server and accounting server.

[AC-radius-radius1] primary authentication 10.1.1.3 1812

[AC-radius-radius1] primary accounting 10.1.1.3 1813

# Set the shared keys for authentication and accounting to 12345678 in plaintext.

[AC-radius-radius1] key authentication simple 12345678

[AC-radius-radius1] key accounting simple 12345678

# Set the format for the usernames sent to the RADIUS server based on the RADIUS server configuration:

-  Exclude domain names from the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format without-domain

[AC-radius-radius1] quit

-  Include domain names in the usernames sent to the RADIUS server.

[AC-radius-radius1] user-name-format with-domain

[AC-radius-radius1] quit

7.        Create an ISP domain named dom1 and configure a RADIUS scheme for the ISP domain.

[AC] domain dom1

[AC-isp-dom1] authentication lan-access radius-scheme radius1

[AC-isp-dom1] authorization lan-access radius-scheme radius1

[AC-isp-dom1] accounting lan-access radius-scheme radius1

[AC-isp-dom1] quit

8.        Configure the MAC address as the username and password for ISP domain dom1.

[AC] mac-authentication domain dom1

[AC] mac-authentication user-name-format mac-address with-hyphen lowercase

9.        Create an AP named ap1 and specify the model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

10.     Bind service template service1 to radio 1 of the AP and enable radio 1.

[AC-wlan-ap-ap1] radio 1 

[AC-wlan-ap-ap1-radio-1] service-template service1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 

 

NOTE:

For more information about the AAA and RADIUS commands in this section, see Security Command Reference.

 

Verifying the configuration

# Use the display wlan service-template command to verify that the WLAN service template has been configured correctly.

<AC> display wlan service-template service1 verbose

Service template name        : service1

Description                  : Not configured

SSID                         : service

SSID-hide                    : Disabled

User-isolation               : Disabled

Service template status      : Enabled

Maximum clients per BSS      : 64

Frame format                 : Dot3

Seamless roam status         : Disabled

Seamless roam RSSI threshold : 50

Seamless roam RSSI gap       : 20

VLAN ID                      : 1

AKM mode                     : Private-PSK

Security IE                  : WPA

Cipher suite                 : CCMP

TKIP countermeasure time     : 0

PTK lifetime                 : 43200 sec

PTK rekey                    : Enabled

GTK rekey                    : Enabled

GTK rekey method             : Time-based

GTK rekey time               : 86400 sec

GTK rekey client-offline     : Enabled

User authentication mode     : MAC

Intrusion protection         : Disabled

Intrusion protection mode    : Temporary-block

Temporary block time         : 180 sec

Temporary service stop time  : 20 sec

Fail VLAN ID                 : Not configured

802.1X handshake             : Disabled

802.1X handshake secure      : Disabled

802.1X domain                : Not configured

MAC-auth domain              : Not configured

Max 802.1X users per BSS     : 4096

Max MAC-auth users per BSS   : 4096

802.1X re-authenticate       : Disabled

Authorization fail mode      : Online

Accounting fail mode         : Online

Authorization                : Permitted

Key derivation               : N/A

PMF status                   : Disabled

Hotspot policy number        : Not configured

Forwarding policy status     : Disabled

Forwarding policy name       : Not configured

Forwarder                    : AC

FT status                    : Disabled

QoS trust                    : Port

QoS priority                 : 0

 


Configuring WLAN authentication

About WLAN authentication

The term "AC" in this document refers to MSR routers that can function as ACs.

This chapter describes the H3C implementation of WLAN authentication. WLAN authentication performs MAC-based network access control for WLAN clients to ensure access security.

WLAN authentication includes the following authentication methods:

·          802.1X authentication—Uses Extensible Authentication Protocol (EAP) to transport authentication information for the client, the authenticator, and the authentication server.

·          MAC authentication—Controls network access by authenticating source MAC addresses. The feature does not require any client software. Clients do not have to enter usernames or passwords for network access. The authenticator initiates a MAC authentication process when it detects an unknown source MAC address. If the MAC address passes authentication, the client can access authorized network resources. If the authentication fails, the authenticator marks the MAC address as a silent MAC address and rejects the client's access.

·          OUI authentication—Examines the OUIs in the MAC addresses of clients. A client passes OUI authentication if the client's OUI matches one of the OUIs configured for the authenticator.

 

 

NOTE:

An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.

 

Authentication modes

Authentication mode    Working mechanism                                                           Intrusion protection can be triggered
bypass (the default)   Does not perform authentication.                                            No
dot1x                  Performs 802.1X authentication only.                                        Yes
mac                    Performs MAC authentication only.                                           Yes
mac-then-dot1x         Performs MAC authentication first, and then 802.1X authentication. If the   Yes
                       client passes MAC authentication, 802.1X authentication is not performed.
dot1x-then-mac         Performs 802.1X authentication first, and then MAC authentication. If the   Yes
                       client passes 802.1X authentication, MAC authentication is not performed.
oui-then-dot1x         Performs OUI authentication first, and then 802.1X authentication. If the   Yes
                       client passes OUI authentication, 802.1X authentication is not performed.

 

802.1X authentication

For more information about 802.1X architecture, EAP relay, EAP termination, and EAP packet encapsulation, see Security Configuration Guide.

Authentication methods

You can perform 802.1X authentication on the authenticator (local authentication) or through a RADIUS server. For information about RADIUS authentication and local authentication, see AAA in Security Configuration Guide.

Authenticator

The authenticator authenticates the client to control access to the WLAN. Either the AC or AP can be specified as the authenticator by using the client-security authentication-location command.

EAP packet encapsulation

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the authenticator over a WLAN. Between the authenticator and the authentication server, 802.1X delivers authentication information by using one of the following methods:

·          Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP relay."

·          Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in "EAP termination."

For information about EAP packet encapsulation, see Security Configuration Guide.

EAP relay

In this mode, the authenticator uses EAPOR packets to send authentication information to the RADIUS server. The RADIUS server must support the EAP-Message and Message-Authenticator attributes.

Figure 37 shows the basic 802.1X authentication process in EAP relay mode. In this example, EAP-MD5 is used.

 

 

NOTE:

If the AP is specified as the authenticator, it uses the same authentication process as Figure 37 except that the AP handles the EAP and RADIUS packets.

 

Figure 37 802.1X authentication process in EAP relay mode

 

The following steps describe the 802.1X authentication process:

1.        When a user launches the 802.1X client and enters a registered username and password, the 802.1X client sends an EAPOL-Start packet to the authenticator.

For information about the client and AP association, see "Configuring WLAN security."

2.        The authenticator responds with an EAP-Request/Identity packet to request the username.

3.        The client sends the username in an EAP-Response/Identity packet to the authenticator.

4.        The authenticator relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server.

5.        The authentication server uses the username in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5-challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the authenticator.

6.        The authenticator transmits the EAP-Request/MD5-Challenge packet to the client.

7.        The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the authenticator.

8.        The authenticator relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.

9.        The authentication server compares the received encrypted password with the encrypted password it generated at step 5. If the two passwords are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the authenticator.

10.     Upon receiving the RADIUS Access-Accept packet, the authenticator allows the client to access the network.

11.     After the client comes online, the authenticator periodically sends handshake requests to examine whether the client is still online.

12.     Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a number of consecutive handshake attempts (two by default), the authenticator logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X clients that have abnormally gone offline.

13.     The client sends an EAPOL-Logoff packet to request a logoff from the authenticator.

14.     In response to the EAPOL-Logoff packet, the authenticator sends an EAP-Failure packet to the client.

EAP termination

In this mode, the authenticator performs the following operations:

1.        Terminates the EAP packets received from the client.

2.        Encapsulates the client authentication information in standard RADIUS packets.

3.        Uses PAP or CHAP to communicate with the RADIUS server.

Figure 38 shows the basic 802.1X authentication process in EAP termination mode. In this example, CHAP authentication is used.

 

 

NOTE:

If the AP is specified as the authenticator, it uses the same authentication process as Figure 38 except that the AP handles the EAP and RADIUS packets.

 

Figure 38 802.1X authentication process in EAP termination mode

 

In EAP termination mode, the authentication device rather than the authentication server generates an MD5 challenge for password encryption. The authentication device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
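The following added example (not from the original guide) shows the difference between the two modes on the wire: in EAP relay mode the RADIUS server generates the challenge and verifies the EAP-Response/MD5-Challenge carried in EAP-Message attributes (steps 5 to 9 of the relay process above), whereas in EAP termination mode the authenticator generates the challenge itself and sends only standard CHAP-Password and CHAP-Challenge attributes. The packet builders, the in-memory user database and the dict that stands in for RADIUS transport are assumptions of this example; the MD5(Identifier || Password || Challenge) computation is the CHAP/EAP-MD5 definition.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and types (RFC 3748); the MD5-Challenge value is computed as in CHAP (RFC 1994).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
# RADIUS attribute numbers used below (RFC 2865 and RFC 3579).
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE, ATTR_EAP_MESSAGE = 1, 3, 60, 79


def chap_value(identifier, password, challenge):
    """The "encrypted password" of steps 5, 7 and 9: MD5(Identifier || Password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Split an EAP packet into (code, identifier, type or None, type-data)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length != len(packet):
        raise ValueError("bad EAP length")
    return code, identifier, (packet[4] if length > 4 else None), packet[5:]


def md5_challenge_request(identifier, challenge):
    """EAP-Request/MD5-Challenge; Type-Data is Value-Size(1) || Value || Name."""
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)


def client_md5_response(request, username, password):
    """Step 7: the client hashes its password with the received challenge and answers."""
    code, identifier, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    challenge = data[1:1 + data[0]]
    value = chap_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5, bytes([16]) + value + username.encode())


def verify_chap(identifier, username, challenge, value, user_db):
    """Step 9: recompute the value from the stored password and compare in constant time."""
    password = user_db.get(username)
    if password is None:
        return False
    return hmac.compare_digest(chap_value(identifier, password, challenge), value)


def authenticate_eap_relay(username, password, user_db, challenge=None):
    """EAP relay: the RADIUS server generates the challenge and checks the response;
    the authenticator only carries EAP packets inside EAP-Message (79) attributes."""
    challenge = challenge or os.urandom(16)
    identifier = 1
    # Steps 5-6: the server builds the EAP-Request/MD5-Challenge; the authenticator relays it unchanged.
    request = md5_challenge_request(identifier, challenge)
    # Steps 7-8: the client's EAP-Response/MD5-Challenge reaches the server inside an Access-Request.
    access_request = {ATTR_EAP_MESSAGE: client_md5_response(request, username, password)}
    # Step 9: the server parses the relayed EAP packet and verifies the value itself.
    code, ident, eap_type, data = parse_eap(access_request[ATTR_EAP_MESSAGE])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5 or ident != identifier:
        return False
    value, name = data[1:1 + data[0]], data[1 + data[0]:].decode()
    return verify_chap(ident, name, challenge, value, user_db)


def authenticate_eap_termination(username, password, user_db, challenge=None):
    """EAP termination with CHAP: the authenticator generates the challenge, terminates
    EAP, and sends User-Name, CHAP-Password and CHAP-Challenge to the RADIUS server.
    Returns (radius_attributes, accepted)."""
    challenge = challenge or os.urandom(16)
    identifier = 7
    request = md5_challenge_request(identifier, challenge)       # generated locally, not by RADIUS
    _, ident, _, data = parse_eap(client_md5_response(request, username, password))
    value = data[1:1 + data[0]]
    attrs = {
        ATTR_USER_NAME: username.encode(),
        ATTR_CHAP_PASSWORD: bytes([ident]) + value,            # CHAP Ident + 16-byte CHAP value
        ATTR_CHAP_CHALLENGE: challenge,
    }
    # The RADIUS server only sees standard CHAP attributes; no EAP support is required.
    chap_ident, chap_resp = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
    accepted = verify_chap(chap_ident, attrs[ATTR_USER_NAME].decode(),
                           attrs[ATTR_CHAP_CHALLENGE], chap_resp, user_db)
    return attrs, accepted


if __name__ == "__main__":
    users = {"alice": b"s3cret"}   # constructed sample user database
    print("relay, good password :", authenticate_eap_relay("alice", b"s3cret", users))
    print("relay, wrong password:", authenticate_eap_relay("alice", b"wrong", users))
    print("termination          :", authenticate_eap_termination("alice", b"s3cret", users)[1])
```

In both modes the value sent to the server is a plain MD5 over the password and challenge, which is why the guide's later note that the user-name-format command has no effect in relay mode matters: the authenticator never rewrites the identity it forwards.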

802.1X authentication initiation

Both the client and the authenticator can initiate 802.1X authentication.

·          Client initiation—After the client is associated with the authenticator, it sends an EAPOL-Start packet to the authenticator to initiate 802.1X authentication.

·          Authenticator initiation—After the client is associated with the authenticator, the authenticator sends an EAP-Request/Identity packet to initiate the authentication. The authenticator retransmits the packet if no response has been received within the client timeout timer.

MAC authentication

Authentication methods

You can perform MAC authentication on the authenticator (local authentication) or through a RADIUS server. For information about RADIUS authentication and local authentication, see AAA in Security Configuration Guide.

Authenticator

The authenticator authenticates the client to control access to the WLAN. Either the AC or AP can be specified as the authenticator by using the client-security authentication-location command.

User account policies

User accounts are required for identifying clients. MAC authentication supports the following user account policies:

·          One MAC-based user account for each client. The authenticator uses the unknown source MAC addresses in packets as the usernames and passwords of clients for MAC authentication.

·          One shared user account for all clients. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication clients on the authenticator. The username is a case-sensitive string of 1 to 55 characters that cannot include the at sign (@). The password can be a plaintext string of 1 to 63 characters or a ciphertext string of 1 to 117 characters.

MAC authentication procedures

RADIUS authentication:

·          MAC-based accounts—The authenticator sends the source MAC address of the packet as the username and password to the RADIUS server for authentication.

·          A shared account—The authenticator sends the shared account username and password to the RADIUS server for authentication.

Local authentication:

·          MAC-based accounts—The authenticator uses the source MAC address of the packet as the username and password to search the local account database for a match.

·          A shared account—The authenticator uses the shared account username and password to search the local account database for a match.

Intrusion protection

When the authenticator detects an association request from a client that fails authentication, intrusion protection is triggered. The feature takes one of the following predefined actions on the BSS where the request is received:

·          temporary-block (default)—Adds the source MAC address of the request to the blocked MAC address list and drops the request packet. The client at a blocked MAC address cannot establish connections with the AP within a period. To set the period, use the client-security intrusion-protection timer temporary-block command.

·          service-stop—Stops the BSS where the request is received until the BSS is enabled manually on the radio interface.

·          temporary-service-stop—Stops the BSS where the request is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.

 

 

NOTE:

Intrusion protection action is not supported in bypass mode.

 

WLAN VLAN manipulation

VLAN authorization

You can specify authorization VLANs for a WLAN client to control the client's access to network resources. When the client passes 802.1X or MAC authentication, the authentication server assigns the authorization VLAN information to the authenticator. When the device acts as the authenticator, it can resolve server-assigned VLANs of the following formats:

·          VLAN ID.

·          VLAN name.

The VLAN name represents the VLAN description on the access device.

·          VLAN group name.

For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.

·          Combination of VLAN IDs and VLAN names.

In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 25 describes the VLAN selection and assignment rules for a group of authorization VLANs.

Table 25 VLAN selection and assignment for a group of authorization VLANs

Types of authorized VLANs                           VLAN selection and assignment rules
VLANs by IDs, VLANs by names, or a combination of   The device selects the VLAN with the lowest ID from the group of VLANs.
VLAN IDs and VLAN names
VLAN group name                                     1. The device selects the VLAN that has the fewest number of online users.
                                                    2. If multiple VLANs have the same number of online 802.1X users, the device
                                                       selects the VLAN with the lowest ID.

 

 

NOTE:

The device converts VLAN names and VLAN group names into VLAN IDs before it assigns a VLAN to the client.

 

The device fails VLAN authorization for a client in the following situations:

·          The device fails to resolve the authorization VLAN information.

·          The server assigns a VLAN name to the device, but the device does not have any VLAN using the name.

·          The server assigns a VLAN group name to the device, but the VLAN group does not exist or the VLAN group has not been assigned any VLAN.
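The Table 25 selection rules and the three failure situations above, worked through in an added example (not the device's own code). The string format of the server-assigned value (a VLAN group name, or a space-separated mix of VLAN IDs and VLAN names), the local lookup tables and the rule that a lone token matching a configured VLAN group is treated as a group are assumptions of this example.

```python
from typing import Dict, List, Optional


class VlanAuthorizationError(Exception):
    """VLAN authorization fails: the client does not get the server-assigned VLAN."""


def resolve_vlan_token(token: str, vlans_by_name: Dict[str, int]) -> int:
    """Map one token of the server-assigned string to a VLAN ID.
    A numeric token is a VLAN ID; any other token is a VLAN name (the VLAN
    description on the access device) that must exist locally."""
    if token.isdigit():
        vlan_id = int(token)
        if not 1 <= vlan_id <= 4094:
            raise VlanAuthorizationError(f"VLAN ID {vlan_id} is out of range")
        return vlan_id
    if token not in vlans_by_name:
        # The server assigned a VLAN name, but no local VLAN uses that name.
        raise VlanAuthorizationError(f"no local VLAN is named {token!r}")
    return vlans_by_name[token]


def select_authorization_vlan(assigned: str,
                              vlans_by_name: Dict[str, int],
                              vlan_groups: Dict[str, List[int]],
                              online_users: Dict[int, int]) -> int:
    """Apply the Table 25 rules to a server-assigned VLAN string and return the
    VLAN ID the client is placed in.

    assigned      - the attribute value (format assumed): a VLAN group name, or a
                    space-separated mix of VLAN IDs and VLAN names
    vlans_by_name - local VLAN name -> VLAN ID
    vlan_groups   - local VLAN group name -> member VLAN IDs
    online_users  - VLAN ID -> number of online 802.1X users
    """
    assigned = assigned.strip()
    if not assigned:
        raise VlanAuthorizationError("empty authorization VLAN information")

    # Assumption: a single token naming a configured VLAN group is a group reference.
    if " " not in assigned and assigned in vlan_groups:
        members = vlan_groups[assigned]
        if not members:
            # The VLAN group exists but has not been assigned any VLAN.
            raise VlanAuthorizationError(f"VLAN group {assigned!r} has no VLANs")
        # Fewest online users wins; equal counts are broken by the lowest VLAN ID.
        return min(members, key=lambda vid: (online_users.get(vid, 0), vid))

    # VLANs by ID, by name, or a combination: lowest ID after resolving names.
    candidates = [resolve_vlan_token(tok, vlans_by_name) for tok in assigned.split()]
    return min(candidates)


def select_or_none(assigned, vlans_by_name, vlan_groups, online_users) -> Optional[int]:
    """Same as select_authorization_vlan, but reports a failed authorization as None."""
    try:
        return select_authorization_vlan(assigned, vlans_by_name, vlan_groups, online_users)
    except VlanAuthorizationError:
        return None


if __name__ == "__main__":
    # Constructed local configuration; not from the original page.
    names = {"staff": 10, "guest": 20}
    groups = {"office": [10, 20, 30], "spare": []}
    users = {10: 5, 20: 2, 30: 2}
    print(select_authorization_vlan("30 staff 20", names, groups, users))   # 10
    print(select_authorization_vlan("office", names, groups, users))        # 20
    for bad in ("nosuch", "spare", ""):
        print(repr(bad), "->", select_or_none(bad, names, groups, users))   # None
```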

Authorization VLAN information is used to control data forwarding, so it must be assigned by the device that forwards data traffic. VLAN assignment can be local or remote, depending on whether the authenticator and the forwarding device are the same device.

·          Local VLAN assignment—The authenticator and the forwarding device are the same device. After the authenticator obtains the authorization VLAN information, it resolves the information and assigns the VLAN.

·          Remote VLAN assignment—The authenticator and the forwarding device are different devices. After the authenticator obtains the authorization VLAN information, it sends the information to the remote forwarding device. The forwarding device then resolves the information and assigns the VLAN.

For more information about VLANs, see Layer 2—LAN Switching Configuration Guide.

Auth-Fail VLAN

The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because they do not comply with the organization's security policy, for example, clients that have entered wrong usernames or passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication because of authentication timeouts or network connection issues.

Clients in the Auth-Fail VLAN can access a limited set of network resources.

The authenticator reauthenticates a client in the Auth-Fail VLAN at an interval of 30 seconds.

·          If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.

·          If the client fails the reauthentication, the client is still in the Auth-Fail VLAN.

Clients that use RSNA cannot be assigned to the Auth-Fail VLAN after they fail 802.1X authentication. The authenticator directly logs off the clients.

The Auth-Fail VLAN feature takes precedence over intrusion protection. When a client fails authentication, the Auth-Fail VLAN setting applies first. If no Auth-Fail VLAN is configured, the intrusion protection feature takes effect. If neither feature is configured, the authenticator directly logs off the client.

Critical VLAN

The WLAN critical VLAN accommodates clients that have failed WLAN authentication because all RADIUS servers in their ISP domains are unreachable. Clients in the critical VLAN can access a limited set of network resources depending on the configuration.

The authenticator reauthenticates a client in the critical VLAN at an interval of 30 seconds.

·          If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.

·          If the client fails the reauthentication because all the RADIUS servers are unreachable, the client is still in the critical VLAN.

·          If the client fails the reauthentication for any reason other than unreachable servers, the device assigns the client to the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the device handles the client depending on the intrusion protection setting. If the intrusion protection feature is not configured, the device logs off the client.

The critical VLAN feature does not take effect on clients that use RSNA. When these clients fail authentication because all the RADIUS servers are unreachable, the authenticator directly logs off the clients.

ACL assignment

You can specify an ACL for an 802.1X or MAC authentication client to control the client's access to network resources. After the client passes authentication, the authentication server assigns the ACL to the client for filtering traffic for this client. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure rules for the ACL on the authenticator. If the AP acts as the authenticator, you must configure the ACL rules on the AC.

To change the access control criteria for the client, you can use one of the following methods:

·          Modify the ACL rules on the authenticator.

·          Specify another ACL for the client on the authentication server.

For more information about ACLs, see ACL and QoS Configuration Guide.

User profile assignment

You can specify a user profile for a WLAN client to control the client's access to network resources. After the client passes 802.1X or MAC authentication, the authentication server assigns the user profile to the client for filtering traffic. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure the user profile on the authenticator. If the AP acts as the authenticator, you must configure the user profile on the AC.

To change the client's access permissions, you can use one of the following methods:

·          Modify the user profile configuration on the authenticator.

·          Specify another user profile for the client on the authentication server.

For more information about user profiles, see Security Configuration Guide.

BYOD access control

This feature allows the RADIUS server to push different register pages and assign different authorization attributes to clients on different endpoint devices.

 

 

NOTE:

In the current version, this feature supports only IMC servers as the RADIUS server.

 

The following process illustrates the BYOD access control for a WLAN client that passes 802.1X or MAC authentication:

1.        The authenticator performs the following operations:

a.    Obtains the Option 55 attribute from DHCP packets.

b.    Delivers the Option 55 attribute to the RADIUS server.

On an IMC server, the Option 55 attribute will be delivered to UAM.

2.        The BYOD-capable RADIUS server performs the following operations:

a.    Uses the Option 55 attribute to identify endpoint device information including endpoint type, operating system, and vendor.

b.    Sends a register page and assigns authorization attributes to the client according to the device information.

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

WLAN authentication tasks at a glance

Tasks at a glance

(Optional.) Configuring global WLAN authentication parameters:

·         Setting OUIs for OUI authentication

·         Enabling EAP relay or EAP termination for 802.1X authentication

·         Specifying 802.1X-supported domain name delimiters

·         Setting the maximum number of 802.1X authentication request attempts

·         Setting the 802.1X authentication timers

·         Configuring the MAC authentication user account format

·         Specifying a global MAC authentication domain

·         Setting the MAC authentication server timeout timer

Configuring service-specific WLAN authentication parameters:

·         (Required.) Setting the authentication mode

·         (Optional.) Specifying the authenticator for WLAN clients

·         (Optional.) Specifying an EAP mode for 802.1X authentication

·         (Optional.) Ignoring 802.1X or MAC authentication failures

·         (Optional.) Enabling URL redirection for WLAN MAC authentication clients

·         (Optional.) Configuring a WLAN Auth-Fail VLAN

·         (Optional.) Configuring a WLAN critical VLAN

·         (Optional.) Ignoring authorization information from the server

·         (Optional.) Enabling the authorization-fail-offline feature

·         (Optional.) Configuring intrusion protection

·         (Optional.) Configuring the online user handshake feature

·         (Optional.) Configuring the online user handshake security feature

·         (Optional.) Specifying an 802.1X authentication domain

·         (Optional.) Setting the maximum number of concurrent 802.1X clients

·         (Optional.) Enabling the periodic online user reauthentication feature

·         (Optional.) Setting the maximum number of concurrent MAC authentication clients

·         (Optional.) Specifying a service-specific MAC authentication domain

·         (Optional.) Configuring the accounting-start trigger feature

·         (Optional.) Configuring the accounting-update trigger feature

 

Prerequisites for WLAN authentication

802.1X configuration prerequisites

Before you configure 802.1X authentication, complete the following tasks:

·          Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see AAA in Security Configuration Guide.

·          If RADIUS authentication is used, create user accounts on the RADIUS server.

·          If local authentication is used, create local user accounts on the access device and set the service type to lan-access.

MAC authentication configuration prerequisites

Before you configure MAC authentication, configure an ISP domain and specify an AAA method. For more information, see AAA in Security Configuration Guide.

·          For local authentication, you must also create local user accounts (including usernames and passwords) and specify the lan-access service for local users.

·          For RADIUS authentication, make sure the device and the RADIUS server can reach each other and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.

Configuring global WLAN authentication parameters

Setting OUIs for OUI authentication

About setting OUI values for OUI authentication

Perform this task only for the oui-then-dot1x authentication mode.

Restrictions and guidelines

The device supports a maximum of 16 OUIs.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set OUI values for OUI authentication.

port-security oui index index-value mac-address oui-value

By default, no OUI values are set for OUI authentication.

For more information about this command, see Security Command Reference.

 

Enabling EAP relay or EAP termination for 802.1X authentication

Restrictions and guidelines

If EAP relay mode is used, the following restrictions and guidelines apply:

·          The user-name-format command in RADIUS scheme view does not take effect. The device sends the authentication data from the client to the server without any modification. For information about the user-name-format command, see Security Command Reference.

·          Make sure the RADIUS server uses the same authentication method as the client. On the authenticator, you only need to use the dot1x authentication-method eap command to enable EAP relay.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable EAP relay or EAP termination.

dot1x authentication-method { chap | eap | pap }

By default, the device performs EAP termination and uses CHAP to communicate with the RADIUS server.

For more information about this command, see Security Command Reference.

 

Specifying 802.1X-supported domain name delimiters

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a set of domain name delimiters for 802.1X clients.

dot1x domain-delimiter string

By default, only the at sign (@) delimiter is supported.

For more information about this command, see Security Command Reference.

 

Setting the maximum number of 802.1X authentication request attempts

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the maximum number of attempts for sending an 802.1X authentication request.

dot1x retry max-retry-value

The default setting is 2.

For more information about this command, see Security Command Reference.

 

Setting the 802.1X authentication timers

About 802.1X authentication timers

802.1X uses the following timers to control interactions with the client and the RADIUS server:

·          Client timeout timer—Starts when the device sends an EAP-Request/MD5-Challenge packet to a client. If the device does not receive a response when this timer expires, it retransmits the request to the client. If the device has made the maximum transmission attempts without receiving a response, the client fails authentication. To set the maximum attempts, use the dot1x retry command.

·          Server timeout timer—Starts when the device sends a RADIUS Access-Request packet to the authentication server. If the device does not receive a response when this timer expires, the device retransmits the request to the server.

·          Handshake timer—Starts after a client passes authentication when the online user handshake is enabled. The device sends handshake messages to the client at every handshake interval. The device logs off the client if it does not receive any response from the client after the maximum handshake attempts. To set the maximum attempts, use the dot1x retry command.

·          Periodic reauthentication timer—Starts after a client passes authentication when periodic online user reauthentication is enabled. The device reauthenticates the client at the configured interval. Any change to the timer takes effect only on clients that come online after the change.

Restrictions and guidelines

In most cases, the default settings are sufficient. You can adjust the timers to suit the network conditions. The following are two examples:

·          In a low-speed network, increase the client timeout timer.

·          In a network whose authentication servers differ in performance, adjust the server timeout timer.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the client timeout timer.

dot1x timer supp-timeout supp-timeout-value

The default setting is 30 seconds.

For more information about this command, see Security Command Reference.

3.       Set the server timeout timer.

dot1x timer server-timeout server-timeout-value

The default setting is 100 seconds.

For more information about this command, see Security Command Reference.

4.       Set the handshake timer.

dot1x timer handshake-period handshake-period-value

The default setting is 15 seconds.

For more information about this command, see Security Command Reference.

5.       Set the periodic reauthentication timer.

dot1x timer reauth-period reauth-period-value

The default setting is 3600 seconds.

For more information about this command, see Security Command Reference.

 

Configuring the MAC authentication user account format

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the MAC authentication user account format.

·         Use one MAC-based user account for each client:
mac-authentication user-name-format mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ]

·         Use one shared user account for all clients:
mac-authentication user-name-format fixed [ account name ] [ password { cipher | simple } password ]

By default, the device uses the MAC address of a client as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

For more information about this command, see Security Command Reference.
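The RADIUS server can only match a MAC authentication request if its account names are spelled exactly the way the AC formats them. The following Python helper is an added example (not vendor code) that reproduces the username the AC sends for each mac-authentication user-name-format mac-address option, including the default (without-hyphen, lowercase, MAC used as both username and password), and the shared account used by the fixed form. The sample MAC addresses are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Added example: reproduces the account names the AC sends for MAC authentication
# under each "mac-authentication user-name-format mac-address" option. Not vendor code.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff.
    Return 12 lowercase hex digits, or raise ValueError for anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_auth_username(mac: str, hyphen: Optional[str] = None, case: str = "lowercase") -> str:
    """hyphen: None = without-hyphen (aabbccddeeff), "six-section" = aa-bb-cc-dd-ee-ff,
    "three-section" = aabb-ccdd-eeff. case: "lowercase" (default) or "uppercase"."""
    d = normalize_mac(mac)
    if hyphen is None:
        name = d
    elif hyphen == "six-section":
        name = "-".join(d[i:i + 2] for i in range(0, 12, 2))
    elif hyphen == "three-section":
        name = "-".join(d[i:i + 4] for i in range(0, 12, 4))
    else:
        raise ValueError(f"unknown hyphen style {hyphen!r}")
    if case == "uppercase":
        return name.upper()
    if case == "lowercase":
        return name
    raise ValueError(f"unknown case {case!r}")


def radius_account(mac: str, hyphen: Optional[str] = None, case: str = "lowercase",
                   fixed: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
    """(username, password) the RADIUS server must hold for this client.
    fixed=(name, password) models 'user-name-format fixed': one shared account for all clients.
    Otherwise the formatted MAC is used as both username and password (the page's default)."""
    if fixed is not None:
        return fixed
    name = mac_auth_username(mac, hyphen, case)
    return name, name


def provision(macs: Iterable[str], hyphen: Optional[str] = None, case: str = "lowercase") -> Dict[str, str]:
    """Username -> password map for a list of MACs; differently written duplicates collapse."""
    return dict(radius_account(m, hyphen, case) for m in macs)


if __name__ == "__main__":
    sample = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"]  # constructed sample MACs
    for style in (None, "six-section", "three-section"):
        for case in ("lowercase", "uppercase"):
            print(style, case, provision(sample, style, case))
```

Run the block to print the six spellings of each sample MAC; pick the one that matches the mac-authentication user-name-format configured on the AC and load those usernames into the RADIUS server.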

 

Specifying a global MAC authentication domain

About MAC authentication domain selection

MAC authentication chooses an ISP domain for WLAN clients in the following order:

1.        The domain specified on the service template.

2.        The global MAC authentication domain specified in system view.

3.        The default domain.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify an ISP domain for MAC authentication clients.

mac-authentication domain domain-name

By default, no ISP domain is specified for MAC authentication clients in system view.

For more information about this command, see Security Command Reference.

 

Setting the MAC authentication server timeout timer

About the MAC authentication server timeout timer

MAC authentication starts the server timeout timer when the device sends an authentication request to a RADIUS server. If the device does not receive any response from the RADIUS server before the timer expires, the device regards the server as unavailable. If the timer expires during MAC authentication, the client cannot access the network.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the MAC authentication server timeout timer.

mac-authentication timer server-timeout server-timeout-value

The default setting is 100 seconds.

For more information about this command, see Security Command Reference.

 

Configuring service-specific WLAN authentication parameters

Setting the authentication mode

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the authentication mode for WLAN clients.

client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-then-dot1x | oui-then-dot1x }

By default, the bypass mode applies: the device does not authenticate WLAN clients, and clients can access the network without authentication.

 

Specifying the authenticator for WLAN clients

About specifying the authenticator for WLAN authentication

You can specify the AC or AP to act as the authenticator to perform local or RADIUS-based authentication for WLAN clients.

Restrictions and guidelines

Authentication fails if the AP is the authenticator while the AC is configured to forward client data traffic. For information about specifying the device that forwards client data traffic, see "Configuring WLAN access."

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify the authenticator for WLAN clients.

client-security authentication-location { ac | ap }

By default, the AC acts as the authenticator to authenticate WLAN clients.

 

Specifying an EAP mode for 802.1X authentication

About specifying an EAP mode for 802.1X authentication

The EAP mode determines the EAP protocol provisions and packet format that the device uses to interact with clients.

802.1X supports the following EAP modes:

·          extended—Requires the device to interact with clients according to the provisions and packet format defined by the H3C proprietary EAP protocol.

·          standard—Requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.

Restrictions and guidelines

Perform this task only when an IMC server is used as the RADIUS server. Specify the extended mode for iNode clients, and specify the standard mode for other clients.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify an EAP mode for 802.1X authentication.

dot1x eap { extended | standard }

By default, the EAP mode is standard for 802.1X authentication.

 

Ignoring 802.1X or MAC authentication failures

About ignoring 802.1X or MAC authentication failures

This feature applies to the following clients:

·          Clients that use 802.1X authentication.

This feature enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.

·          Clients that use both RADIUS-based MAC authentication and portal authentication.

Typically, a WLAN client must pass MAC authentication and then portal authentication to access network resources. The client must provide a username and password each time portal authentication is performed.

This feature simplifies the authentication process for a client as follows:

-      If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.

-      If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failure and performs portal authentication for the client. If the client passes portal authentication, it can access network resources, and its MAC address is recorded as MAC authentication information on the RADIUS server.

Restrictions and guidelines

For 802.1X clients that use RSN to roam to a new AP, do not configure this feature.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Configure the device to ignore 802.1X or MAC authentication failures.

client-security ignore-authentication

By default, the device does not ignore the authentication failures for wireless clients that perform 802.1X authentication or perform RADIUS-based MAC authentication.

 

Enabling URL redirection for WLAN MAC authentication clients

About URL redirection

A client is allowed to pass RADIUS-based MAC authentication only when its credential information (username and password) and MAC address are recorded on the RADIUS server.

This feature facilitates MAC authentication for a client whose credential information and MAC address are not recorded on the RADIUS server. After this feature is enabled, RADIUS-based MAC authentication for the client proceeds as follows:

1.        The RADIUS server assigns an authorization ACL and redirect URL after it receives the client's authentication request. The ACL denies the client's access to the external network.

2.        The device redirects the client to the authentication page specified by the redirect URL when it receives the client's HTTP request.

3.        On the authentication page, the client enters the username and password provided by the service provider to complete the Web authentication. The client's credential information and MAC address will be recorded.

4.        After the client passes Web authentication, the Web authentication server (co-located with the RADIUS server) sends a DM request to log off the client, so that the client authenticates again.

For information about DMs, see AAA in Security Configuration Guide.

5.        At the next MAC authentication attempt, the client can pass MAC authentication.

Restrictions and guidelines

This feature is applicable to scenarios where only RADIUS-based MAC authentication is used.

To cooperate with this feature, you must configure the authorization ACL and redirect URL for a client by following these restrictions and guidelines:

·          The ACL must permit the client and the Web authentication server to exchange packets. For information about authorization ACLs, see MAC authentication in Security Configuration Guide.

·          If the client uses DHCP to obtain a dynamic IP address, the ACL must permit the client and the DHCP server to exchange packets.

·          You can configure other ACL rules as needed to filter packets.

·          The redirect URL is the Web address that the client uses for Web authentication.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable URL redirection for WLAN authentication clients.

client url-redirect enable

By default, URL redirection is disabled for WLAN MAC authentication clients.
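The five-step exchange above is easiest to reason about as server-side state: an unknown MAC is accepted but boxed in by the redirect ACL, Web authentication records the MAC and triggers the DM, and only the next MAC authentication grants full access. The following Python model is an added example (not vendor code and not the IMC or Comware implementation). The redirect URL, the ACL name acl-redirect, the credential store and the client MAC are constructed assumptions; a real server carries the ACL and URL in its own RADIUS attributes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example: server-side policy model for MAC authentication with URL redirection.
# Names below are illustrative assumptions, not real attribute or ACL names.
REDIRECT_URL = "https://auth.example.test/login"   # assumed Web authentication page
REDIRECT_ACL = "acl-redirect"  # assumed ACL: permit client<->Web auth server and DHCP, deny the rest


@dataclass
class Decision:
    result: str                      # always "accept" here: unknown MACs are still accepted
    acl: Optional[str] = None        # authorization ACL; None means no restriction
    redirect_url: Optional[str] = None


@dataclass
class RadiusPolicy:
    """Server state: credentials checked by the Web authentication page, the MACs
    already recorded as passed, and the DM requests sent back to the AC."""
    credentials: Dict[str, str]
    known_macs: set = field(default_factory=set)
    disconnect_requests: List[str] = field(default_factory=list)

    def mac_auth(self, mac: str) -> Decision:
        """Steps 1 and 5: known MAC -> plain accept; unknown MAC -> accept + ACL + redirect URL."""
        if mac in self.known_macs:
            return Decision("accept")
        return Decision("accept", acl=REDIRECT_ACL, redirect_url=REDIRECT_URL)

    def web_auth(self, mac: str, username: str, password: str) -> bool:
        """Steps 3 and 4: on success record the MAC and queue a DM so the AC logs the client off."""
        if self.credentials.get(username) != password:
            return False
        self.known_macs.add(mac)
        self.disconnect_requests.append(mac)
        return True


def http_request_outcome(decision: Decision) -> str:
    """Step 2: what the AC does with the client's first HTTP request under this authorization."""
    if decision.redirect_url:
        return f"redirect -> {decision.redirect_url}"
    return "forward"


def onboarding_flow(policy: RadiusPolicy, mac: str, username: str, password: str) -> List[str]:
    """Run one client through the whole sequence; return a trace of each step's outcome."""
    trace = []
    first = policy.mac_auth(mac)
    trace.append(f"mac-auth: accept acl={first.acl}")
    trace.append(f"http: {http_request_outcome(first)}")
    if not policy.web_auth(mac, username, password):
        # Failure leaves the client online but still confined by the redirect ACL.
        trace.append("web-auth: failed, client stays behind redirect ACL")
        return trace
    trace.append("web-auth: ok, DM sent")
    second = policy.mac_auth(mac)          # after the DM the AC re-runs MAC authentication
    trace.append(f"mac-auth: accept acl={second.acl}")
    return trace


if __name__ == "__main__":
    server = RadiusPolicy(credentials={"guest1": "pw"})   # constructed credential store
    for line in onboarding_flow(server, "001a2b3c4d5e", "guest1", "pw"):
        print(line)
```

The trace makes the fail-closed property visible: a client that never completes Web authentication keeps the redirect ACL, and the DM is issued only after a successful Web login, which is why the ACL must at least permit traffic to the Web authentication server and, for DHCP clients, to the DHCP server.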

 

Configuring a WLAN Auth-Fail VLAN

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Configure a WLAN Auth-Fail VLAN.

client-security authentication fail-vlan vlan-id

By default, no WLAN Auth-Fail VLAN exists.

You can configure only one Auth-Fail VLAN for the service template.

 

Configuring a WLAN critical VLAN

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Configure a WLAN critical VLAN.

client-security authentication critical-vlan vlan-id

By default, no WLAN critical VLAN exists.

You can configure only one critical VLAN for the service template.

 

Ignoring authorization information from the server

About ignoring authorization information from the server

You can configure the device to ignore the authorization information received from the server (local or remote) after a client passes 802.1X or MAC authentication. Authorization information includes VLAN, ACL, and user profile information.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Ignore the authorization information received from the authentication server.

client-security ignore-authorization

By default, authorization information received from the authentication server is used.

 

Enabling the authorization-fail-offline feature

About the authorization-fail-offline feature

The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.

A client fails ACL or user profile authorization in the following situations:

·          The device or server fails to authorize the specified ACL or user profile to the client.

·          The authorized ACL or user profile does not exist.

Restrictions and guidelines

This feature does not apply to clients that fail VLAN authorization. The device always logs off these clients.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable the authorization-fail-offline feature.

client-security authorization-fail offline

By default, this feature is disabled. The device does not log off clients that fail ACL or user profile authorization, so such clients stay online without the intended ACL or user profile applied, and the device only outputs system logs.

 

Configuring intrusion protection

About intrusion protection

This feature enables the device to take the predefined action on the BSS where an association request is received from a client that fails authentication. For more information, see "Intrusion protection."

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable the intrusion protection feature.

client-security intrusion-protection enable

By default, intrusion protection is disabled.

4.       (Optional.) Configure the intrusion protection action.

client-security intrusion-protection action { service-stop | temporary-block | temporary-service-stop }

By default, temporary-block is used.

5.       (Optional.) Set the blocking period for illegal clients.

client-security intrusion-protection timer temporary-block time

The default setting is 180 seconds.

6.       (Optional.) Set the silence period during which the BSS remains disabled.

client-security intrusion-protection timer temporary-service-stop time

The default setting is 20 seconds.

 

Configuring the online user handshake feature

About the online user handshake feature

The online user handshake feature examines the connectivity status of online 802.1X clients. The device sends handshake messages to online clients at the interval specified by the dot1x timer handshake-period command. If the device does not receive any responses from an online client after it has made the maximum handshake attempts, the device sets the client to offline state.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable the online user handshake feature.

dot1x handshake enable

By default, this feature is disabled.

 

Configuring the online user handshake security feature

About the online user handshake security feature

The online user handshake security feature adds authentication information to the handshake messages. This feature prevents unauthorized clients from impersonating authenticated 802.1X clients in handshake exchanges with the device. With this feature, the device compares the authentication information in the handshake response message from a client with that assigned by the authentication server. If no match is found, the device logs off the client.

Restrictions and guidelines

To use the online user handshake security feature, make sure the online user handshake feature is enabled.

The online user handshake security feature protects only online authenticated 802.1X clients.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable the online user handshake feature.

dot1x handshake enable

By default, this feature is disabled.

4.       Enable the online user handshake security feature.

dot1x handshake secure enable

By default, this feature is disabled.

 

Specifying an 802.1X authentication domain

About 802.1X authentication domain selection

802.1X authentication chooses an ISP domain for WLAN clients in the following order:

·          The domain specified on the service template.

·          The domain specified by username.

·          The default domain.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify an 802.1X authentication domain for the service template.

dot1x domain domain-name

By default, no 802.1X authentication domain is specified for the service template.

 

Setting the maximum number of concurrent 802.1X clients

About the maximum number of concurrent 802.1X clients

When the maximum number of concurrent 802.1X clients is reached for a service template, new 802.1X clients are rejected.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the maximum number of concurrent 802.1X clients for a service template.

dot1x max-user count

The default setting is 4096.

 

Enabling the periodic online user reauthentication feature

About periodic online user reauthentication

Periodic online user reauthentication tracks the connection status of online clients, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable.

The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

·          If the termination action is Default (logoff), periodic online user reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

·          If the termination action is Radius-request, the periodic online user reauthentication configuration on the device does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.

Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable periodic online user reauthentication.

dot1x re-authenticate enable

By default, this feature is disabled.

 

Setting the maximum number of concurrent MAC authentication clients

About the maximum number of concurrent MAC authentication clients

When the maximum number of concurrent MAC authentication clients is reached for a service template, new MAC authentication clients are rejected.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Set the maximum number of concurrent MAC authentication clients for the service template.

mac-authentication max-user count

The default setting is 4096.

 

Specifying a service-specific MAC authentication domain

About MAC authentication domain selection

MAC authentication chooses an ISP domain for WLAN clients in the following order:

·          The domain specified on the service template.

·          The global MAC authentication domain specified in system view.

·          The default domain.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify an ISP domain for MAC authentication clients.

mac-authentication domain domain-name

By default, no ISP domain is specified for MAC authentication clients.
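The domain selection orders for 802.1X (above, "Specifying an 802.1X authentication domain") and for MAC authentication (this task and "Specifying a global MAC authentication domain"), together with the dot1x domain-delimiter setting, decide which ISP domain's AAA methods a client gets. The following Python model is an added example (not vendor code). It assumes, as a labelled simplification, that a username is parsed as user, delimiter, domain and that the leftmost configured delimiter present in the string wins; the domain names and usernames are constructed.

```python
from typing import Optional, Tuple

# Added example: ISP domain selection for WLAN clients. Not vendor code.
# 802.1X:   service-template domain > domain carried in the username > default domain
# MAC auth: service-template domain > global mac-authentication domain > default domain

DEFAULT_DELIMITERS = "@"   # page default: only the at sign is supported


def parse_username(raw: str, delimiters: str = DEFAULT_DELIMITERS) -> Tuple[str, Optional[str]]:
    """Split 'alice@corp' into ('alice', 'corp'). Returns (raw, None) when no configured
    delimiter is present. Assumed rule: user before delimiter, leftmost delimiter wins."""
    positions = [raw.find(d) for d in delimiters if d in raw]
    if not positions:
        return raw, None
    cut = min(positions)
    user, domain = raw[:cut], raw[cut + 1:]
    return user, (domain or None)


def select_dot1x_domain(template_domain: Optional[str], raw_username: str,
                        default_domain: str, delimiters: str = DEFAULT_DELIMITERS) -> str:
    """dot1x domain on the service template beats the domain carried in the username."""
    if template_domain:
        return template_domain
    _, carried = parse_username(raw_username, delimiters)
    if carried:
        return carried
    return default_domain


def select_mac_auth_domain(template_domain: Optional[str], global_domain: Optional[str],
                           default_domain: str) -> str:
    """MAC authentication never reads a domain out of the username (the MAC is the username)."""
    return template_domain or global_domain or default_domain


def radius_user_name(raw_username: str, delimiters: str = DEFAULT_DELIMITERS,
                     without_domain: bool = False) -> str:
    """Username actually sent to RADIUS: 'user-name-format without-domain' strips the
    carried domain part, independently of which ISP domain was selected above."""
    user, domain = parse_username(raw_username, delimiters)
    if without_domain and domain:
        return user
    return raw_username


if __name__ == "__main__":
    for name in ("alice@corp", "bob", "carol/lab"):      # constructed usernames
        print(name, "->", select_dot1x_domain(None, name, "system", delimiters="@/"),
              "radius user:", radius_user_name(name, "@/", without_domain=True))
```

Note the practical consequence: once dot1x domain is set on the service template, a client cannot steer itself into another ISP domain by typing one after the delimiter, which is the behaviour you want on a guest SSID.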

 

Configuring the accounting-start trigger feature

About accounting-start trigger

This feature controls whether the device sends start-accounting requests to the accounting server for clients that use IP addresses of a specific type. The feature takes effect on clients that have passed 802.1X or MAC authentication. You can also set an accounting delay timer. The device then sends start-accounting requests for 802.1X or MAC authenticated clients only after the delay timer expires for them. For more information about accounting, see AAA in Security Configuration Guide.

Restrictions and guidelines

To configure an IP address type to have the accounting-start qualification, you must enable learning for IP addresses of that type. For information about wireless client IP address learning, see "Configuring WLAN IP snooping."

If you configure the accounting-start trigger feature on a service template that has been enabled, the configuration takes effect only on subsequent clients. It does not affect clients that came online before the feature was configured.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify an IP address type to have the accounting-start qualification.

client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none }

By default, only IPv4 addresses have the accounting-start qualification.

4.       (Optional.) Set the accounting delay.

client-security accounting-delay time time [ no-ip-logoff ]

By default, the device sends start-accounting requests for a client when it learns the required IP address of the client.

 

Configuring the accounting-update trigger feature

About accounting-update trigger

This feature enables the device to send update-accounting requests to the accounting server for a client when the learned IP address of the client changes. The IP change-triggered accounting update facilitates precise accounting.

Restrictions and guidelines

This feature takes effect only when the accounting-start trigger feature takes effect.

This feature is independent of the periodic realtime accounting feature. For example, if you set the accounting-update trigger to ipv6 and set the realtime accounting interval to 12 minutes, both settings take effect. For a client that uses these settings, the device sends update-accounting requests every 12 minutes and also triggers an accounting update whenever the client's IPv6 address changes. For more information about the realtime accounting interval, see AAA in Security Configuration Guide.

If you configure the accounting-update trigger feature on a service template that has been enabled, the configuration takes effect only on subsequent clients. It does not affect clients that came online before the feature was configured.

Procedure

To configure the accounting-update trigger feature:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Specify an IP address type to have the accounting-update qualification.

client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }

By default, the device sends update-accounting requests to the accounting server at the server-assigned or user-defined realtime accounting interval.

 

Display and maintenance commands for WLAN authentication settings

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display online 802.1X client information.

display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name name-string ]

Display 802.1X session connection information, statistics, or configuration information.

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Display MAC authentication connections.

display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name name-string ]

Display MAC authentication information.

display mac-authentication [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Display blocked MAC address information.

display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ]

Clear 802.1X statistics.

reset dot1x statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Clear MAC authentication statistics.

reset mac-authentication statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

 

 

NOTE:

For more information about the display dot1x connection, display dot1x, reset dot1x statistics, display mac-authentication connection, display mac-authentication, and reset mac-authentication statistics commands, see Security Command Reference.

 

WLAN authentication configuration examples

Example: Configuring 802.1X CHAP local authentication

Network configuration

As shown in Figure 39, configure the AC to use CHAP to perform 802.1X local authentication for the client.

Figure 39 Network diagram

 

Procedure

1.        Configure 802.1X and the local client:

# Configure the AC to perform EAP termination and use CHAP.

<AC> system-view

[AC] dot1x authentication-method chap

# Add a local network access user with username chap1 and password 123456 in plain text.

[AC] local-user chap1 class network

[AC-luser-network-chap1] password simple 123456

# Set the service type to lan-access.

[AC-luser-network-chap1] service-type lan-access

[AC-luser-network-chap1] quit

2.        Configure AAA methods for the ISP domain:

# Create an ISP domain named local.

[AC] domain local

# Configure the ISP domain to use local authentication, local authorization, and local accounting for LAN clients.

[AC-isp-local] authentication lan-access local

[AC-isp-local] authorization lan-access local

[AC-isp-local] accounting lan-access local

[AC-isp-local] quit

3.        Configure a service template:

# Create a service template named wlas_local_chap.

[AC] wlan service-template wlas_local_chap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_local_chap] client-security authentication-mode dot1x

# Specify ISP domain local for the service template.

[AC-wlan-st-wlas_local_chap] dot1x domain local

# Set the SSID to wlas_local_chap.

[AC-wlan-st-wlas_local_chap] ssid wlas_local_chap

# Enable the service template.

[AC-wlan-st-wlas_local_chap] service-template enable

[AC-wlan-st-wlas_local_chap] quit

4.        Configure manual AP ap1, and bind the service template to the AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind service template wlas_local_chap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_local_chap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify the 802.1X configuration.

[AC] display wlan service-template

[AC] display dot1x

# Display the client connection information after an 802.1X client passes authentication.

[AC] display dot1x connection

Example: Configuring 802.1X EAP-PEAP RADIUS authentication

Network configuration

As shown in Figure 40, configure the AC to perform 802.1X RADIUS authentication for the client by using EAP-PEAP.

Figure 40 Network diagram

 

Procedure

1.        Configure the AC:

a.    Configure 802.1X and the RADIUS scheme:

# Configure the AC to use EAP relay to authenticate 802.1X clients.

<AC> system-view

[AC] dot1x authentication-method eap

# Create a RADIUS scheme.

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b.    Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c.    Configure a service template:

# Create a service template named wlas_imc_peap.

[AC] wlan service-template wlas_imc_peap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] client-security authentication-mode dot1x

# Specify ISP domain imc for the service template.

[AC-wlan-st-wlas_imc_peap] dot1x domain imc

# Set the SSID to wlas_imc_peap.

[AC-wlan-st-wlas_imc_peap] ssid wlas_imc_peap

# Set the AKM mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] akm mode dot1x

# Set the CCMP cipher suite.

[AC-wlan-st-wlas_imc_peap] cipher-suite ccmp

# Enable the RSN-IE in the beacon and probe responses.

[AC-wlan-st-wlas_imc_peap] security-ie rsn

# Enable the service template.

[AC-wlan-st-wlas_imc_peap] service-template enable

[AC-wlan-st-wlas_imc_peap] quit

d.    Configure manual AP ap1, and bind the service template to an AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind service template wlas_imc_peap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_imc_peap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2.        Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1, and the EAP-PEAP certificate has been installed.

# Add an access device:

a.    Click the User tab.

b.    From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.    Click Add.

The Add Access Device page appears.

d.    In the Access Configuration area, configure the following parameters, as shown in Figure 41:

-      Enter 12345678 in the Shared Key and Confirm Shared Key fields.

-      Use the default values for other parameters.

e.    In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.

f.     Click OK.

Figure 41 Adding an access device


# Add an access policy:

a.    Click the User tab.

b.    From the navigation tree, select User Access Policy > Access Policy.

c.    Click Add.

d.    On the Add Access Policy page, configure the following parameters, as shown in Figure 42:

-      Enter dot1x in the Access Policy Name field.

-      Select EAP for the Certificate Authentication field.

-      Select EAP-PEAP Auth from the Certificate Type list, and select MS-CHAPV2 Auth from the Certificate Sub-Type list.

The certificate sub-type on the IMC server must be the same as the identity authentication method configured on the client.

e.    Click OK.

Figure 42 Adding an access policy


# Add an access service:

a.    Click the User tab.

b.    From the navigation tree, select User Access Policy > Access Service.

c.    Click Add.

d.    On the Add Access Service page, configure the following parameters, as shown in Figure 43:

-      Enter dot1x in the Service Name field.

-      Select dot1x from the Default Access Policy list.

e.    Click OK.

Figure 43 Adding an access service


# Add an access user:

a.    Click the User tab.

b.    From the navigation tree, select Access User > All Access Users.

The access user list appears.

c.    Click Add.

The Add Access User page appears.

d.    In the Access Information area, configure the following parameters, as shown in Figure 44:

-      Click Select or Add User to associate the user with IMC Platform user user.

-      Enter user in the Account Name field.

-      Enter dot1x in the Password and Confirm Password fields.

e.    In the Access Service area, select dot1x from the list.

f.     Click OK.

Figure 44 Adding an access user account

 

3.        Configure the WLAN client:

The EAP-PEAP certificate has been installed on the WLAN client.

To configure the WLAN client, perform the following tasks (details not shown):

-      Select PEAP for identity authentication.

-      Disable the client from verifying the server certificate. This is acceptable only for this lab example. In production, keep server certificate validation enabled and restrict the trusted CA and server name, because a client that skips this check will run the inner MS-CHAPv2 exchange with any rogue AP that broadcasts the same SSID and hand the attacker a crackable credential hash.

-      Disable the client from automatically using the Windows login name and password.

Verifying the configuration

1.        On the client, verify that you can use username user and password dot1x to access the network. (Details not shown.)

2.        On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display online 802.1X client information.

[AC] display dot1x connection

User MAC address           : 0023-8933-2090

AP name                    : ap1

Radio ID                   : 1

SSID                       : wlas_imc_peap

BSSID                      : 000f-e201-0003

User name                  : user

Authentication domain      : imc

Authentication method      : EAP

Initial VLAN               : 1

Authorization VLAN         : N/A

Authorization ACL number   : N/A

Authorization user profile : N/A

Termination action         : Default

Session timeout period     : 6001 s

Online from                : 2014/04/18 09:25:18

Online duration            : 0h 1m 1s

 

Total connections: 1.

# Display WLAN client information.

[AC] display wlan client

Total number of clients           : 1

 

MAC address    Username    AP name    RID   IP address      IPv6 address   VLAN

0023-8933-2090 user        ap1        1     10.18.1.100                    1

Example: Configuring RADIUS-based MAC authentication

Network configuration

As shown in Figure 45, configure the AC to use the RADIUS server to perform MAC authentication for the client.

Figure 45 Network diagram

 

Procedure

Make sure the RADIUS server, AC, AP, and client can reach each other. (Details not shown.)

1.        Configure the AC:

a.    Configure the RADIUS scheme:

# Create a RADIUS scheme.

<AC> system-view

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b.    Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c.    Specify username 123 and password aaa_maca in plain text for the account shared by MAC authentication clients. With a fixed account, every client presents the same username and password, so the RADIUS server only verifies that the shared account exists and cannot authorize or audit individual devices. To have the server check each client's own MAC address, use the MAC address as the username instead (mac-authentication user-name-format mac-address).

[AC] mac-authentication user-name-format fixed account 123 password simple aaa_maca

d.    Configure a service template:

# Create a service template named maca_imc.

[AC] wlan service-template maca_imc

# Set the SSID to maca_imc.

[AC-wlan-st-maca_imc] ssid maca_imc

# Set the authentication mode to MAC authentication.

[AC-wlan-st-maca_imc] client-security authentication-mode mac

# Specify ISP domain imc for the service template.

[AC-wlan-st-maca_imc] mac-authentication domain imc

# Enable the service template.

[AC-wlan-st-maca_imc] service-template enable

[AC-wlan-st-maca_imc] quit

e.    Configure manual AP ap1, and bind the service template to an AP radio:

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind service template maca_imc to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template maca_imc

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2.        Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1.

# Add an access device:

a.    Click the User tab.

b.    From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c.    Click Add.

The Add Access Device page appears.

d.    In the Access Configuration area, configure the following parameters, as shown in Figure 46:

-      Enter 12345678 in the Shared Key and Confirm Shared Key fields.

-      Use the default values for other parameters.

e.    In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.

f.     Click OK.

Figure 46 Adding an access device


# Add an access policy:

a.    Click the User tab.

b.    From the navigation tree, select User Access Policy > Access Policy.

c.    Click Add.

d.    On the Add Access Policy page, configure the following parameters, as shown in Figure 47:

-      Enter aaa_maca in the Access Policy Name field.

-      Use the default values for other parameters.

e.    Click OK.

Figure 47 Adding an access policy


# Add an access service:

a.    Click the User tab.

b.    From the navigation tree, select User Access Policy > Access Service.

c.    Click Add.

d.    On the Add Access Service page, configure the following parameters, as shown in Figure 48:

-      Enter aaa_maca in the Service Name field.

-      Select aaa_maca from the Default Access Policy list.

e.    Click OK.

Figure 48 Adding an access service


# Add an access user:

a.    Click the User tab.

b.    From the navigation tree, select Access User > All Access Users.

The access user list appears.

c.    Click Add.

The Add Access User page appears.

d.    In the Access Information area, configure the following parameters, as shown in Figure 49:

-      Click Select or Add User to associate the user with IMC Platform user 123.

-      Enter 123 in the Account Name field.

-      Enter aaa_maca in the Password and Confirm Password fields.

e.    In the Access Service area, select aaa_maca from the list.

 

f.     Click OK.

Figure 49 Adding an access user account

 

Verifying the configuration

1.        On the client, verify that you can use username 123 and password aaa_maca to access the network. (Details not shown.)

2.        On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display online MAC authentication client information.

[AC] display mac-authentication connection

User MAC address              : 0023-8933-2098

AP name                       : ap1

Radio ID                      : 1

SSID                          : maca_imc

BSSID                         : 000f-e201-0001

User name                     : 123

Authentication domain         : imc

Initial VLAN                  : 1

Authorization VLAN            : N/A

Authorization ACL number      : N/A

Authorization user profile    : N/A

Termination action            : Default

Session timeout period        : 6001 s

Online from                   : 2014/04/17 17:21:12

Online duration               : 0h 0m 30s

 

Total connections: 1.

# Display WLAN client information.

[AC] display wlan client

Total number of clients           : 1

 

MAC address    Username    AP name    RID   IP address      IPv6 address   VLAN

0023-8933-2098 123         ap1        1     10.18.1.100                    1

 


WIPS overview

The term "AC" in this document refers to MSR routers that can function as ACs.

About WIPS

Wireless Intrusion Prevention System (WIPS) helps you monitor your WLAN, detect attacks and rogue devices, and take countermeasures. WIPS provides a complete solution for WLAN security.

WIPS components

WIPS contains the network management module, ACs, and sensors (APs enabled with WIPS).

·          The sensors monitor the WLAN, collect channel information, and report the information to the AC for further analysis.

·          The AC determines attacks and rogue devices, takes countermeasures, and triggers alarms.

·          The network management module allows you to configure WIPS in the Web interface. It provides configuration management, report generation, and alarm management functions.

WIPS features

WIPS provides the following features:

·          Attack detection—WIPS detects attacks by listening for 802.11 frames and triggers alarms to notify the administrator.

·          Signature-based attack detection—WIPS provides signature-based attack detection. A signature contains a packet identification method and actions to take on the matching packets.

·          Device classification—WIPS identifies wireless devices by listening for 802.11 frames and classifies the devices based on the classification rules.

·          Countermeasures—WIPS enables you to take countermeasures against rogue devices.

Attack detection

Flood attack detection

An AP might be facing a flood attack if it receives a large number of same-type frames within a short period of time. To prevent the AP from being overwhelmed, WIPS periodically examines incoming packet statistics, and triggers an alarm when it detects a suspicious flood attack. WIPS can detect the following flood attacks:

·          Authentication request flood attack—Floods the association table of an AP by imitating many clients sending authentication requests to the AP.

·          Probe request/association request/reassociation request flood attack—Floods the association table of an AP by imitating many clients sending probe requests/association requests/reassociation requests to the AP.

·          EAPOL-start flood attack—Exhausts the AP's resources by imitating many clients sending EAPOL-start frames defined in IEEE 802.1X to the AP.

·          Broadcast/unicast deauthentication flood attack—Spoofs deauthentication frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.

·          Broadcast/unicast disassociation flood attack—Spoofs disassociation frames from the AP to the associated clients to disassociate the clients from the AP. This attack can rapidly terminate wireless services to multiple clients.

·          RTS/CTS flood attack—Floods RTS/CTS frames carrying large duration values to reserve the RF medium and force other wireless devices sharing the medium to defer their transmissions. This attack abuses the virtual carrier-sense (NAV) mechanism.

·          Block Ack flood attack—Floods Block Ack frames to the AP to interrupt the operation of the Block Ack mechanism.

·          Null data flood attack—Spoofs null data frames with a power management bit of 1 from a client to the AP. The AP determines that the client is in power save mode and buffers frames for the client. When the aging time of the buffered frames expires, the AP discards the frames. This interrupts the client's communication with the AP.

·          Beacon flood attack—Floods beacon frames imitating a large number of fake APs to interrupt client association.

·          EAPOL-logoff flood attack—The IEEE 802.1X standard defines the authentication protocol using Extensible Authentication Protocol over LANs (EAPOL). A client needs to send an EAPOL-logoff frame to terminate the session with an AP. The EAPOL-logoff frames are not authenticated, and an attacker can spoof EAPOL-logoff frames to disassociate a client.

·          EAP-success/failure flood attack—In a WLAN using 802.1X authentication, an AP sends an EAP-success or EAP-failure frame to a client to inform the client of authentication success or failure. An attacker can spoof the MAC address of an AP to send EAP-success or EAP-failure frames to a client to disrupt the authentication process.
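The flood detection commands later in this chapter take an interval, a threshold and a quiet time. The following Python block is an added example written for this page, not code from H3C or from the AC: it models those three parameters as a sliding-window counter per source and frame type (count frames within interval, alarm when the count reaches threshold, raise no further alarm for the same source and frame type during quiet). How the parameters interact is my reading of the command, and the trace it runs on is constructed.

```python
from collections import defaultdict, deque


class FloodDetector:
    """Sliding-window counter for same-type frames from one source.

    interval  - statistics window in seconds (the 'interval' keyword)
    threshold - frames within the window that raise an alarm ('threshold')
    quiet     - seconds after an alarm during which the same source and
                frame type raise no further alarm ('quiet')
    The interaction of the three is an assumption about the command,
    not a statement about the AC's implementation.
    """

    def __init__(self, interval=10.0, threshold=50, quiet=600.0):
        self.interval = interval
        self.threshold = threshold
        self.quiet = quiet
        self._windows = defaultdict(deque)   # (src, ftype) -> frame timestamps
        self._last_alarm = {}                # (src, ftype) -> time of last alarm
        self.alarms = []                     # (time, src, ftype, count)

    def observe(self, ts, src, ftype):
        """Record one frame seen at time ts; return True if it raises an alarm."""
        key = (src, ftype)
        window = self._windows[key]
        window.append(ts)
        # Age out frames older than the statistics interval.
        while window and ts - window[0] > self.interval:
            window.popleft()
        if len(window) < self.threshold:
            return False
        last = self._last_alarm.get(key)
        if last is not None and ts - last < self.quiet:
            return False                     # inside the quiet period
        self._last_alarm[key] = ts
        self.alarms.append((ts, src, ftype, len(window)))
        return True


def run_flood_sample():
    """Constructed trace (not captured traffic): an AP's own occasional
    deauthentication frames, then an attacker spoofing the AP's MAC to send
    three 40-frame deauthentication bursts. Returns the alarms raised."""
    det = FloodDetector(interval=5.0, threshold=20, quiet=60.0)
    ap = "00:0f:e2:01:00:03"                 # constructed sample AP MAC
    for i in range(10):                      # one frame per second: normal
        det.observe(float(i), ap, "deauthentication")
    for start in (100.0, 110.0, 200.0):      # 40 frames in 0.8 s, three times
        for i in range(40):
            det.observe(start + i * 0.02, ap, "deauthentication")
    return det.alarms


if __name__ == "__main__":
    for ts, src, ftype, count in run_flood_sample():
        print(f"t={ts:.2f}s {ftype} flood from {src}: {count} frames in window")
```

The second burst at t=110 s falls inside the 60-second quiet period of the first alarm and is counted but not reported; the burst at t=200 s raises a new alarm. Per-source keying matters: a deauthentication flood spoofed from the AP's MAC is counted against the AP's address, which is why the text describes these frames as spoofed from the AP.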

Malformed packet detection

WIPS determines that a frame is malformed if the frame matches the criteria shown in Table 26, and it then triggers alarms and logs.

Table 26 Malformed frame match criteria

Invalid IE length detection
Applicable frames: All management frames.
Match criteria: The IE length does not conform to the 802.11 protocol. The remaining length of the IE is not zero after the packet is resolved.

Duplicate IE detection
Applicable frames: All management frames.
Match criteria: The same IE appears more than once. This type of detection is not applicable to vendor-defined IEs.

Redundant IE detection
Applicable frames: All management frames.
Match criteria: The IE is not a necessary IE to the frame and is not a reserved IE.

Invalid packet length detection
Applicable frames: All management frames.
Match criteria: The remaining length of the IE is not zero after the packet payload is resolved.

Abnormal IBSS and ESS setting detection
Applicable frames: Beacon frames and probe response frames.
Match criteria: Both the IBSS and ESS capability bits are set to 1.

Malformed authentication request frame detection
Applicable frames: Authentication request frames.
Match criteria (any of the following):
·         The authentication algorithm number does not conform to the 802.11 protocol and is larger than 3.
·         The authentication transaction sequence number is 1 and the status code is not 0.
·         The authentication transaction sequence number is larger than 4.

Malformed association request frame detection
Applicable frames: Association request frames.
Match criteria: The frame length is 0.

Malformed HT IE detection
Applicable frames: Beacon frames, probe responses, association responses, and reassociation requests.
Match criteria (any of the following):
·         The SM power save value in the HT capabilities IE is 2 (a reserved value).
·         The secondary channel offset value in the HT operation IE is 2 (a reserved value).

Oversized duration detection
Applicable frames: Unicast management frames, unicast data frames, and RTS, CTS, and ACK frames.
Match criteria: The duration value of the frame is larger than the specified threshold.

Malformed probe response frame detection
Applicable frames: Probe response frames.
Match criteria: The frame is not a mesh frame and its SSID length is 0.

Invalid deauthentication code detection
Applicable frames: Deauthentication frames.
Match criteria: The reason code is 0 or is in the range of 67 to 65535.

Invalid disassociation code detection
Applicable frames: Disassociation frames.
Match criteria: The reason code is 0 or is in the range of 67 to 65535.

Oversized SSID detection
Applicable frames: Beacon frames, probe requests, probe responses, and association request frames.
Match criteria: The SSID length is larger than 32.

FATA-Jack detection
Applicable frames: Authentication frames.
Match criteria: The authentication algorithm number is 2.

Invalid source address detection
Applicable frames: All management frames.
Match criteria:
·         The To DS bit is 1, indicating that the frame is sent to the AP by a client.
·         The source MAC address of the frame is a multicast or broadcast address.

Oversized EAPOL key detection
Applicable frames: EAPOL-Key frames.
Match criteria: The To DS bit is 1 and the key length is larger than 0.
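Several of the Table 26 checks can be applied directly to raw management frames by walking the 24-byte 802.11 MAC header and the id/length/value elements of the frame body. The Python block below is an added example, not H3C's WIPS implementation: it applies the invalid IE length, duplicate IE, abnormal IBSS/ESS, oversized SSID, empty probe-response SSID, invalid deauthentication/disassociation reason code, invalid source address and zero-length association request rules to frames it builds itself. The sample AP MAC address and every frame are constructed for the example.

```python
import struct

# 802.11 management subtypes used below (frame control byte 0, bits 4-7).
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0x0, 0x5, 0x8
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0xA, 0xC
IE_SSID, IE_VENDOR = 0, 221
CAP_ESS, CAP_IBSS = 0x0001, 0x0002
SAMPLE_AP = bytes.fromhex("000fe2010003")       # constructed sample AP MAC


def parse_ies(body):
    """Walk the id/length/value elements. Returns (ies, leftover): leftover is the
    byte count not consumed because an IE length points past the end of the body."""
    ies, pos = [], 0
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        if pos + 2 + ie_len > len(body):
            return ies, len(body) - pos
        ies.append((ie_id, body[pos + 2:pos + 2 + ie_len]))
        pos += 2 + ie_len
    return ies, len(body) - pos


def check_management_frame(frame):
    """Return the sorted list of Table 26 detection types the frame matches."""
    findings = set()
    if len(frame) < 24:                              # shorter than the MAC header
        return ["invalid packet length"]
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 0:                        # type bits: 0 = management
        return []
    subtype, to_ds = fc0 >> 4, fc1 & 0x01
    sa, body = frame[10:16], frame[24:]              # address 2 is the sender
    if to_ds and sa[0] & 0x01:                       # group bit set in the SA
        findings.add("invalid source address")
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        reason = struct.unpack("<H", body[:2])[0] if len(body) >= 2 else 0
        if reason == 0 or reason >= 67:
            findings.add("invalid deauthentication code" if subtype == SUBTYPE_DEAUTH
                         else "invalid disassociation code")
        return sorted(findings)
    ie_start = 0
    if subtype == SUBTYPE_ASSOC_REQ:
        if not body:
            findings.add("malformed association request frame")
            return sorted(findings)
        ie_start = 4                                 # capability + listen interval
    elif subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        if len(body) < 12:                           # timestamp + interval + capability
            findings.add("invalid packet length")
            return sorted(findings)
        cap = struct.unpack("<H", body[10:12])[0]
        if cap & CAP_ESS and cap & CAP_IBSS:
            findings.add("abnormal IBSS and ESS setting")
        ie_start = 12
    ies, leftover = parse_ies(body[ie_start:])
    if leftover:
        findings.add("invalid IE length")
    seen = set()
    for ie_id, value in ies:
        if ie_id != IE_VENDOR:                       # vendor IEs may legitimately repeat
            if ie_id in seen:
                findings.add("duplicate IE")
            seen.add(ie_id)
        if ie_id == IE_SSID:
            if len(value) > 32:
                findings.add("oversized SSID")
            elif not value and subtype == SUBTYPE_PROBE_RESP:
                findings.add("malformed probe response frame")
    return sorted(findings)


def ie(ie_id, value):
    return bytes([ie_id, len(value)]) + value


def build_frame(subtype, sa, body, to_ds=0):
    """Constructed 24-byte management header (broadcast DA, SA = BSSID) plus body."""
    return bytes([subtype << 4, to_ds]) + b"\x00\x00" + b"\xff" * 6 + sa + sa + b"\x00\x00" + body


def beacon_body(cap, ies):
    """Beacon/probe response fixed fields: timestamp, beacon interval, capability."""
    return b"\x00" * 8 + struct.pack("<HH", 100, cap) + ies


def run_samples():
    """Constructed frames (not captures) exercising several Table 26 rules."""
    rates = ie(1, b"\x82\x84\x8b\x96")
    frames = {
        "good beacon": build_frame(SUBTYPE_BEACON, SAMPLE_AP,
                                   beacon_body(CAP_ESS, ie(IE_SSID, b"corp-wifi") + rates)),
        "ibss+ess, long and duplicate SSID": build_frame(
            SUBTYPE_BEACON, SAMPLE_AP,
            beacon_body(CAP_ESS | CAP_IBSS, ie(IE_SSID, b"A" * 40) + ie(IE_SSID, b"x") + rates)),
        "ie length past end of body": build_frame(
            SUBTYPE_BEACON, SAMPLE_AP, beacon_body(CAP_ESS, bytes([IE_SSID, 50]) + b"abc")),
        "probe response with empty SSID": build_frame(
            SUBTYPE_PROBE_RESP, SAMPLE_AP, beacon_body(CAP_ESS, ie(IE_SSID, b"") + rates)),
        "deauth reason 0": build_frame(SUBTYPE_DEAUTH, SAMPLE_AP, struct.pack("<H", 0)),
        "to-DS frame from broadcast SA": build_frame(
            SUBTYPE_ASSOC_REQ, b"\xff" * 6,
            struct.pack("<HH", CAP_ESS, 10) + ie(IE_SSID, b"corp-wifi"), to_ds=1),
    }
    return {name: check_management_frame(f) for name, f in frames.items()}
```

Each rule is cheap on its own; what makes a sensor robust is that the IE walk never trusts a length field without bounding it against the remaining body, which is also the property a fuzzer targets first when testing a WIPS parser.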

 

Spoofing attack detection

In a spoofing attack, the attacker sends frames on behalf of another device to threaten the network. WIPS supports detection of the following spoofing attacks:

·          Frame spoofing—A fake AP spoofs an authorized AP to send beacon or probe response frames to induce clients to associate with it.

·          AP MAC address spoofing—A client spoofs an authorized AP to send deauthentication or disassociation frames to other clients. This can cause the clients to go offline and affect the correct operation of the WLAN.

·          Client MAC address spoofing—A fake AP spoofs an authorized client to associate with an authorized AP.

Frame spoofing attack detection

WIPS estimates the startup time of an AP from each received frame: the Timestamp field of a beacon or probe response carries the AP's TSF timer, which counts from when the AP started its BSS, so the frame receiving time minus the timestamp gives the startup time. If the startup time calculated from a frame does not match the startup time recorded in WIPS for that AP, WIPS determines that the frame is spoofed.

AP MAC address spoofing attack detection

WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the AP MAC address table, WIPS determines that this is a spoofing attack.

Client MAC address spoofing attack detection

WIPS examines the MAC address of the sender. If the MAC address of the sender already exists in the client MAC address table, WIPS determines that this is a spoofing attack.
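The two mechanisms above, as an added example in Python (not H3C's implementation). The startup-time check relies on the Timestamp field of a beacon being the AP's TSF timer, which counts from when the AP started its BSS. The 2-second tolerance, the constructed beacons, and my reading of which frames count as "client" or "AP" frames for the MAC-table check are assumptions.

```python
DEFAULT_TOLERANCE_US = 2_000_000   # assumed: 2 s of drift allowed between estimates


class StartupTimeTracker:
    """Frame spoofing check: receive_time - timestamp estimates when the AP
    started. A forged beacon carries the attacker's own TSF value and so
    yields a different estimate for the same BSSID."""

    def __init__(self, tolerance_us=DEFAULT_TOLERANCE_US):
        self.tolerance_us = tolerance_us
        self.startup = {}                  # BSSID -> recorded startup time (us)

    def observe_beacon(self, bssid, rx_time_us, timestamp_us):
        """Return 'learned' on first sight, 'ok', or 'frame spoofing'."""
        derived = rx_time_us - timestamp_us
        recorded = self.startup.get(bssid)
        if recorded is None:
            self.startup[bssid] = derived
            return "learned"
        if abs(derived - recorded) > self.tolerance_us:
            return "frame spoofing"
        return "ok"


def mac_spoof_check(ap_macs, client_macs, sender, frame_role):
    """AP / client MAC address spoofing check as I read the description:
    a sender already known as an AP that emits a client-only frame (probe or
    association request, To-DS data), or a sender already known as a client
    that emits an AP-only frame (beacon, probe response), is a spoofer.
    frame_role is "client" or "ap" accordingly."""
    if frame_role == "client" and sender in ap_macs:
        return "AP MAC address spoofing"
    if frame_role == "ap" and sender in client_macs:
        return "client MAC address spoofing"
    return None


def run_spoof_sample():
    """Constructed beacons: three from the real AP, then one forged by a
    radio that started 40 s later and therefore carries a smaller TSF."""
    tracker = StartupTimeTracker()
    bssid = "00:0f:e2:01:00:03"           # constructed sample BSSID
    real_boot = 1_000_000_000             # sensor clock (us) when the real AP booted
    results = []
    for rx in (real_boot + 5_000_000, real_boot + 5_102_400, real_boot + 9_000_000):
        results.append(tracker.observe_beacon(bssid, rx, rx - real_boot + 150))
    fake_boot = real_boot + 40_000_000
    rx = real_boot + 60_000_000
    results.append(tracker.observe_beacon(bssid, rx, rx - fake_boot))
    return results
```

The startup-time check only catches an attacker whose TSF is not synchronised to the real AP's; a tool that copies the timestamp from observed beacons passes it, which is why the MAC-table and beacon-interval checks below are run alongside it.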

Weak IV detection

WEP encrypts each packet with RC4 keyed by the 24-bit IV sent in the clear followed by the shared WEP key. For a class of IVs identified by Fluhrer, Mantin, and Shamir, the first byte of the RC4 keystream leaks information about a byte of the key, so an attacker who captures enough packets carrying such IVs can recover the WEP key. An IV is a weak IV if its first byte is smaller than 16 (decimal) and its second byte is 0xFF. WIPS detects this kind of attack by examining the IV in each WEP packet and raising an alarm when weak IVs are seen.

Omerta attack detection

Omerta is a DoS attack tool based on the 802.11 protocol. It sends disassociation frames with the reason code 0x01 to disassociate clients. Reason code 0x01 indicates an unknown disassociation reason. WIPS detects Omerta attacks by detecting the reason code of each disassociation frame.

Broadcast disassociation/deauthentication attack detection

An attacker spoofs a legitimate AP to send a broadcast disassociation or deauthentication frame to log off all clients associated with the AP.

Detection on clients with the 40 MHz bandwidth mode disabled

802.11n devices support both the 20 MHz and 40 MHz bandwidth modes. If the 40 MHz bandwidth mode is disabled on a client, other clients associated with the same AP as the client must also use the 20 MHz bandwidth. This affects network throughput and efficiency.

WIPS detects such clients by detecting probe request frames sent by the clients.

Power save attack detection

An attacker spoofs the MAC address of a client to send power save on frames to an AP. The AP caches the frames for the client. The attacked client cannot receive data frames because the AP determines that the client is still in power save mode. When the aging time of the cached frames expires, the AP discards the frames. WIPS detects power save attacks by determining the ratio of power save on frames to power save off frames.

Prohibited channel detection

After you configure a permitted channel list and enable prohibited channel detection, WIPS determines that channels that are not in the permitted channel list are prohibited channels.

Soft AP detection

A soft AP refers to a client that acts as an AP and provides wireless services. An attacker can access the internal network through a soft AP and then initiate further attacks. WIPS detects soft APs by detecting the interval at which a device switches its roles between client and AP. WIPS does not perform soft AP detection on unassociated clients.

Windows bridge detection

When a wireless client connected to a wired network establishes a Windows bridge through the wired NIC, the client can bridge an external AP with the internal network. This might bring security problems to the internal network. WIPS detects Windows bridges by analyzing data frames sent by associated clients.

Unencrypted device detection

An authorized AP or client that is transmitting unencrypted frames might bring security problems to the network. WIPS detects unencrypted devices by analyzing the frames sent by the authorized APs or clients.

Hotspot attack detection

An attacker sets up a rogue AP with the same SSID as a hotspot to lure the clients to associate with it. After the clients associate with the malicious AP, the attacker initiates further attacks to obtain client information.

You can configure a hotspot file to enable WIPS to detect hotspot attacks.

AP impersonation attack detection

In an AP impersonation attack, a malicious AP that has the same BSSID and ESSID as a legitimate AP lures the clients to associate with it. Then this impersonating AP initiates hotspot attacks or fools the detection system.

WIPS detects AP impersonation attacks by detecting the interval at which an AP sends beacon frames.

HT-greenfield AP detection

An AP operating in HT-greenfield mode might cause collisions, errors, and retransmissions because it cannot communicate with 802.11a/b/g devices. WIPS detects HT-greenfield APs by analyzing the beacon frames or probe response frames sent by APs.

Honeypot AP detection

In a honeypot AP attack, the attacker sets up a malicious AP to lure clients to associate with it. The SSID of the malicious AP is similar to the SSID of a legitimate AP. After a client associates with a honeypot AP, the honeypot AP initiates further attacks such as port scanning or fake authentication to obtain client information.

WIPS detects honeypot APs by detecting SSIDs of external APs. If the similarity between the SSID of an external AP and the SSID of a legitimate AP reaches the specified threshold, WIPS generates an alarm.
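The text does not say how WIPS measures SSID similarity. As an added example (not H3C's code), the following Python block uses a Levenshtein distance normalized by the longer SSID's length, compared case-insensitively against a threshold of 0.8. Both the metric and the threshold are assumptions, and the legitimate and external SSIDs are constructed.

```python
LEGITIMATE_SSIDS = ["corp-wifi", "corp-guest"]      # constructed sample SSIDs


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ssid_similarity(a, b):
    """1.0 for identical SSIDs, 0.0 for nothing in common. Case-folded, so
    'Corp-WiFi' counts as identical to 'corp-wifi'."""
    a, b = a.casefold(), b.casefold()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def honeypot_check(external_ssid, legitimate_ssids, threshold=0.8):
    """Return (alarm, closest legitimate SSID, similarity score)."""
    best_ssid, best_score = None, -1.0
    for ssid in legitimate_ssids:
        score = ssid_similarity(external_ssid, ssid)
        if score > best_score:
            best_ssid, best_score = ssid, score
    return best_score >= threshold, best_ssid, best_score


def run_honeypot_samples():
    """Constructed external SSIDs: two look-alikes, one case variant, one unrelated."""
    externals = ["corp-wifl", "Corp-WiFi", "corp-guest2", "cafe-free"]
    return {s: honeypot_check(s, LEGITIMATE_SSIDS) for s in externals}
```

A score of 1.0 means the external AP advertises exactly a legitimate SSID, which is the hotspot attack case handled by the hotspot file above; honeypot detection is for the near misses ("corp-wifl", "corp-guest2") that a user scanning a network list would not notice.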

MITM attack detection

In an MITM attack, the attacker sets up a rogue AP and lures a client to associate with it. Then the rogue AP spoofs the MAC address of the client to associate with the authorized AP. When the client and the authorized AP communicate, the rogue AP captures packets from both the client and the authorized AP. The rogue AP might modify the frames and obtain the frame information. WIPS detects MITM attacks by detecting clients that are disassociated from an authorized AP and associated with a honeypot AP. WIPS can detect MITM attacks only when you enable both honeypot AP detection and MITM attack detection.

Wireless bridge detection

An attacker might intrude on the internal networks through a wireless bridge. When detecting a wireless bridge, WIPS generates an alarm. If the wireless bridge is in a mesh network, WIPS records the mesh link.

Association/reassociation DoS attack detection

An association/reassociation DoS attack floods the association table of an AP by imitating many clients sending association requests to the AP. When the number of entries in the table reaches the upper limit, the AP cannot process requests from legitimate clients.

AP flood attack detection

WIPS detects the number of APs in the WLAN and triggers an alarm for an AP flood attack when the number of APs exceeds the specified threshold.

Device entry attack detection

Attackers can send invalid packets to WIPS to increase processing costs. WIPS periodically examines the learned device entries to determine whether to rate limit device entry learning. If the number of AP or client entries learned within the specified interval exceeds the threshold, WIPS triggers an alarm and stops learning new entries.

Signature-based attack detection

WIPS provides signature-based attack detection. A signature contains a packet identification method and actions to take on the matching packets. The sensor matches the detected packets against the signature, and takes actions defined in the signature if a packet matches the signature.

A signature can contain a maximum of six subsignatures, which can be defined based on the frame type, MAC address, serial ID, SSID length, SSID, and frame pattern. A packet matches a signature only when it matches all the subsignatures in the signature.

Device classification

AP classification

AP categories

As shown in Table 27, WIPS classifies detected APs according to the predefined classification rules.

Table 27 AP classification

Authorized AP
Description: An AP that is permitted in the WLAN.
Classification rule (any of the following):
·         Has been connected to the AC and is not in the prohibited device list.
·         Configured as an authorized AP.
·         In the permitted device list.
·         Classified as an authorized AP by a user-defined AP classification rule.

Rogue AP
Description: An AP that cannot be used in the WLAN.
Classification rule (any of the following):
·         In the prohibited device list.
·         Not in the OUI configuration file.
·         Configured as a rogue AP.
·         Classified as a rogue AP by a user-defined AP classification rule.
If the wired port on an AP has been connected to the network and the AP is not connected to the AC, the AP might be a rogue AP.

Misconfigured AP
Description: An AP that can be used in the WLAN but has incorrect configuration.
Classification rule (any of the following):
·         Configured as a misconfigured AP.
·         Classified as a misconfigured AP by a user-defined AP classification rule.

External AP
Description: An AP that is in an adjacent WLAN.
Classification rule (any of the following):
·         Configured as an external AP.
·         Classified as an external AP by a user-defined AP classification rule.

Ad hoc
Description: An AP operating in Ad hoc mode.
Classification rule: WIPS detects Ad hoc APs by listening to beacon frames.

Mesh AP
Description: An AP in a WLAN mesh network.
Classification rule: WIPS identifies mesh APs through beacon frames.

Potential-authorized AP
Description: An AP that is possibly authorized.
Classification rule: Meets all of the following conditions:
·         Not in the permitted device list.
·         Not in the prohibited device list.
·         Not in the trusted SSID list.
·         Not in the trusted OUI list.
·         Has been connected to the AC.
·         Not manually classified.
·         Does not match any user-defined AP classification rules.

Potential-rogue AP
Description: An AP that is possibly a rogue AP.
Classification rule: Has incorrect wireless configuration and is not in any one of the following lists:
·         Permitted device list.
·         Prohibited device list.
·         Trusted OUI list.
If the wired port on such an AP has been connected to the network, the AP is a rogue AP.

Potential-external AP
Description: An AP that is possibly an external AP.
Classification rule: Meets all of the following conditions:
·         Has incorrect wireless service configuration.
·         The wired port has not been connected to the network.
·         Not in the permitted device list, the prohibited device list, or the trusted OUI list.

Uncategorized AP
Description: An AP whose category cannot be determined.
Classification rule: N/A.

 

AP classification flow

WIPS classifies detected APs by following the process shown in Figure 50.

Figure 50 AP classification flow

 

Client classification

Client categories

As shown in Table 28, WIPS classifies detected clients based on the predefined classification rules.

Table 28 Client classification

Authorized client
Description: A client that is permitted in the WLAN.
Classification rule (any of the following):
·         In the permitted device list and associated with an authorized AP.
·         Has passed authentication and is associated with an authorized AP.

Unauthorized client
Description: A client that cannot be used in the WLAN.
Classification rule (any of the following):
·         In the prohibited device list.
·         Associated with a rogue AP.
·         Not in the OUI configuration file.

Misassociated client
Description: A client that is associated with an unauthorized AP.
Classification rule: In the permitted device list but associated with an unauthorized AP. A misassociated client might introduce security threats to the network.

Uncategorized client
Description: A client whose category cannot be determined.
Classification rule: N/A.

 

Client classification flow

WIPS classifies detected clients by following the process shown in Figure 51.

Figure 51 Client classification flow

 

Countermeasures

Rogue devices are open to attack and can bring security problems to the WLAN. WIPS enables you to take countermeasures against rogue devices.

 


Configuring WIPS

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

WIPS tasks at a glance

Tasks at a glance

(Required.) Enabling WIPS

(Optional.) Configuring attack detection:

·         Configuring an attack detection policy

·         Applying an attack detection policy

(Optional.) Configuring signature-based attack detection:

·         Configuring a signature

·         Configuring a signature policy

·         Applying a signature policy

(Optional.) Configuring device classification:

·         Configuring an automatic device classification policy

·         Configuring a manual AP classification policy

·         Applying a classification policy

(Optional.) Configuring countermeasures:

·         Configuring a countermeasure policy

·         Applying a countermeasure policy

(Optional.) Detecting clients with NAT configured

(Optional.) Configuring the alarm-ignoring feature

(Optional.) Configuring APs to perform WIPS scanning while providing access services

(Optional.) Configuring OUIs

 

Enabling WIPS

About enabling WIPS

You can divide a wireless network into multiple virtual security domains (VSDs) and apply different policies to these VSDs.

Before configuring WIPS for a radio of an AP, you must add the AP to a VSD.

Procedure

To enable WIPS in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Add the AP to a VSD.

wips virtual-security-domain vsd-name

By default, an AP uses the configuration in AP group view.

4.       Enter radio view.

radio radio-id

N/A

5.       Enable WIPS.

wips enable

By default, an AP uses the configuration in AP group view.

 

To enable WIPS in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Add the AP group to a VSD.

wips virtual-security-domain vsd-name

By default, an AP group is not in any VSD.

4.       Enter AP model view.

ap-model ap-model

N/A

5.       Enter radio view.

radio radio-id

N/A

6.       Enable WIPS.

wips enable

By default, WIPS is disabled.

 

Configuring attack detection

Configuring an attack detection policy

Configuring a flood attack detection policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

By default, the WIPS view is not configured.

3.       Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policies exist.

4.       Configure association request flood attack detection.

flood association-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, association request flood attack detection is disabled.

5.       Configure authentication request flood attack detection.

flood authentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, authentication request flood attack detection is disabled.

6.       Configure beacon flood attack detection.

flood beacon [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, beacon flood attack detection is disabled.

7.       Configure Block Ack flood attack detection.

flood block-ack [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, Block Ack flood attack detection is disabled.

8.       Configure RTS flood attack detection.

flood rts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, RTS flood attack detection is disabled.

9.       Configure CTS flood attack detection.

flood cts [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, CTS flood attack detection is disabled.

10.     Configure deauthentication flood attack detection.

flood deauthentication [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, deauthentication flood attack detection is disabled.

11.     Configure disassociation flood attack detection.

flood disassociation [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, disassociation flood attack detection is disabled.

12.     Configure EAPOL-start flood attack detection.

flood eapol-start [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAPOL-start flood attack detection is disabled.

13.     Configure null data flood attack detection.

flood null-data [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, null data flood attack detection is disabled.

14.     Configure probe request flood attack detection.

flood probe-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, probe request flood attack detection is disabled.

15.     Configure reassociation request flood attack detection.

flood reassociation-request [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, reassociation request flood attack detection is disabled.

16.     Configure EAPOL-logoff flood attack detection.

flood eapol-logoff [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAPOL-logoff flood attack detection is disabled.

17.     Configure EAP-failure flood attack detection.

flood eap-failure [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAP-failure flood attack detection is disabled.

18.     Configure EAP-success flood attack detection.

flood eap-success [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, EAP-success flood attack detection is disabled.

 

Configuring a malformed packet detection policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policies exist.

4.       Configure duplicated IE detection.

malformed duplicated-ie [ quiet quiet-value ]

By default, duplicated IE detection is disabled.

5.       Configure FATA-Jack detection.

malformed fata-jack [ quiet quiet-value ]

By default, FATA-Jack detection is disabled.

6.       Configure abnormal IBSS or ESS setting detection.

malformed illegal-ibss-ess [ quiet quiet-value ]

By default, abnormal IBSS or ESS setting detection is disabled.

7.       Configure invalid source address detection.

malformed invalid-address-combination [ quiet quiet-value ]

By default, invalid source address detection is disabled.

8.       Configure malformed association request frame detection.

malformed invalid-assoc-req [ quiet quiet-value ]

By default, malformed association request frame detection is disabled.

9.       Configure malformed authentication request frame detection.

malformed invalid-auth [ quiet quiet-value ]

By default, malformed authentication request frame detection is disabled.

10.     Configure invalid deauthentication code detection.

malformed invalid-deauth-code [ quiet quiet-value ]

By default, invalid deauthentication code detection is disabled.

11.     Configure invalid disassociation code detection.

malformed invalid-disassoc-code [ quiet quiet-value ]

By default, invalid disassociation code detection is disabled.

12.     Configure invalid IE length detection.

malformed invalid-ie-length [ quiet quiet-value ]

By default, invalid IE length detection is disabled.

13.     Configure malformed HT IE detection.

malformed invalid-ht-ie [ quiet quiet-value ]

By default, malformed HT IE detection is disabled.

14.     Configure invalid packet length detection.

malformed invalid-pkt-length [ quiet quiet-value ]

By default, invalid packet length detection is disabled.

15.     Configure oversized duration detection.

malformed large-duration [ quiet quiet-value | threshold value ]

By default, oversized duration detection is disabled.

16.     Configure malformed probe response frame detection.

malformed null-probe-resp [ quiet quiet-value ]

By default, malformed probe response frame detection is disabled.

17.     Configure oversized EAPOL key detection.

malformed overflow-eapol-key [ quiet quiet-value ]

By default, oversized EAPOL key detection is disabled.

18.     Configure oversized SSID detection.

malformed overflow-ssid [ quiet quiet-value ]

By default, oversized SSID detection is disabled.

19.     Configure redundant IE detection.

malformed redundant-ie [ quiet quiet-value ]

By default, redundant IE detection is disabled.

 

Configuring an attack detection policy for other attacks

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policies exist.

4.       Configure client MAC address spoofing attack detection.

client-spoofing [ quiet quiet-value ]

By default, client MAC address spoofing attack detection is disabled.

5.       Configure AP MAC address spoofing attack detection.

ap-spoofing [ quiet quiet-value ]

By default, AP MAC address spoofing attack detection is disabled.

6.       Configure weak IV detection.

weak-iv [ quiet quiet-value ]

By default, weak IV detection is disabled.

7.       Configure Omerta attack detection.

omerta [ quiet quiet-value ]

By default, Omerta attack detection is disabled.

8.       Configure broadcast disassociation attack detection.

disassociation-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, broadcast disassociation attack detection is disabled.

9.       Configure spoof deauthentication frame detection.

deauth-spoofing [ quiet quiet-value ]

By default, spoof deauthentication frame detection is disabled.

10.     Configure broadcast deauthentication attack detection.

deauthentication-broadcast [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, broadcast deauthentication attack detection is disabled.

11.     Configure 40 MHz intolerance detection (detection of clients that advertise the 40 MHz intolerant capability, which makes nearby 802.11n APs fall back to 20 MHz operation).

ht-40mhz-intolerance [ quiet quiet-value ]

By default, 40 MHz intolerance detection is disabled.

12.     Configure power saving attack detection.

power-save [ interval interval-value | minoffpacket packet-value | onoffpercent percent-value | quiet quiet-value ] *

By default, power saving attack detection is disabled.

13.     Configure the permitted channel list.

permit-channel channel-id-list

By default, no channel is added to the permitted channel list.

14.     Configure prohibited channel detection.

prohibited-channel [ quiet quiet-value ]

By default, prohibited channel detection is disabled.

15.     Configure Windows bridge detection.

windows-bridge [ quiet quiet-value ]

By default, Windows bridge detection is disabled.

16.     Configure unencrypted authorized AP detection.

unencrypted-authorized-ap [ quiet quiet-value ]

By default, unencrypted authorized AP detection is disabled.

17.     Configure unencrypted authorized client detection.

unencrypted-trust-client [ quiet quiet-value ]

By default, unencrypted authorized client detection is disabled.

18.     Configure soft AP detection.

soft-ap [ convert-time time-value ]

By default, soft AP detection is disabled.

19.     Configure AP impersonation attack detection.

ap-impersonation [ quiet quiet-value ]

By default, AP impersonation attack detection is disabled.

20.     Configure HT-greenfield AP detection.

ht-greenfield [ quiet quiet-value ]

By default, HT-greenfield AP detection is disabled.

21.     Configure association/reassociation DoS attack detection.

association-table-overflow [ quiet quiet-value ]

By default, association/reassociation DoS attack detection is disabled.

22.     Configure wireless bridge detection.

wireless-bridge [ quiet quiet-value ]

By default, wireless bridge detection is disabled.

23.     Configure AP flood attack detection.

ap-flood [ apnum apnum-value | exceed exceed-value | quiet quiet-value ] *

By default, AP flood attack detection is disabled.

24.     Configure honeypot AP detection.

honeypot-ap [ similarity similarity-value | quiet quiet-value ] *

By default, honeypot AP detection is disabled.

25.     Configure MITM attack detection.

man-in-the-middle [ quiet quiet-value ]

By default, MITM attack detection is disabled.

26.     Configure channel change detection.

ap-channel-change [ quiet quiet-value ]

By default, channel change detection is disabled.

27.     Return to WIPS view.

quit

N/A

28.     Import hotspot information from a configuration file.

import hotspot file-name

By default, no hotspot information is imported.

29.     Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policies exist.

30.     Configure hotspot attack detection.

hotspot-attack [ quiet quiet-value ]

By default, hotspot attack detection is disabled.

 

Configuring a device entry attack detection policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create an attack detection policy and enter its view.

detect policy policy-name

By default, no attack detection policies exist.

4.       Rate limit client entry learning.

client-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, the statistics collection interval is 60 seconds, the quiet time is 1200 seconds, and the client entry threshold is 512.

5.       Set a client entry timer.

client-timer inactive inactive-value aging aging-value

By default, the inactive time is 300 seconds, and the aging time is 600 seconds.

When a client sends or receives no frames within the inactive time, WIPS sets the client entry to inactive state. When a client sends or receives no frames within the aging time, WIPS deletes the client entry.

6.       Rate limit AP entry learning.

ap-rate-limit [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, the statistics collection interval is 60 seconds, the quiet time is 1200 seconds, and the AP entry threshold is 64.

7.       Set an AP entry timer.

ap-timer inactive inactive-value aging aging-value

By default, the inactive time for APs is 300 seconds, and the aging time is 600 seconds.

When an AP sends or receives no frames within the inactive time, WIPS sets the AP entry to inactive state. When an AP sends or receives no frames within the aging time, WIPS deletes the AP entry.
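
The following Python model is an added example for this table and for the flood attack detection table above; it is not H3C code or AC output. It shows how the interval, threshold, and quiet parameters that those commands share interact: frames or new entries are counted per source over the statistics collection interval, an alarm is raised when the count exceeds the threshold, and no further alarm is raised for that source until the quiet time has elapsed. The detector class, the attacker and AP MAC addresses, and the frame timing are constructed for the demonstration; the values used for the deauthentication flood (60 seconds, 50 frames, 600 seconds) are chosen for the example, while the client-rate-limit values are the defaults stated in this table.

```python
from collections import deque

# Added example, not H3C code: a model of the interval / threshold / quiet
# parameters shared by the flood commands and the client-rate-limit and
# ap-rate-limit commands. Semantics as this guide describes them: events are
# counted over the statistics collection interval, an alarm is raised when
# the count exceeds the threshold, and no further alarm is raised for that
# source until the quiet time has elapsed. The event streams are constructed.

class ThresholdDetector:
    def __init__(self, name, interval, threshold, quiet):
        self.name = name              # e.g. "flood deauthentication"
        self.interval = interval      # statistics collection interval, seconds
        self.threshold = threshold    # alarm threshold (count per interval)
        self.quiet = quiet            # quiet time after an alarm, seconds
        self._window = {}             # source -> deque of event timestamps
        self._quiet_until = {}        # source -> time until which alarms are suppressed
        self.alarms = []              # (time, source, count) for each alarm raised

    def observe(self, t, source):
        """Record one event at time t from source; return True if an alarm fires."""
        window = self._window.setdefault(source, deque())
        window.append(t)
        while window and t - window[0] >= self.interval:   # slide the window
            window.popleft()
        if len(window) <= self.threshold:
            return False
        if t < self._quiet_until.get(source, float("-inf")):
            return False                  # over threshold, but still in quiet time
        self._quiet_until[source] = t + self.quiet
        self.alarms.append((t, source, len(window)))
        return True

def run_deauth_scenario():
    """Two deauthentication bursts from one attacker, 700 s apart, plus a few
    legitimate deauthentication frames from a real AP (all constructed)."""
    attacker, real_ap = "de:ad:be:ef:00:01", "00:11:22:33:44:55"
    events = [(i / 100, attacker) for i in range(200)]            # 200 frames in 2 s
    events += [(700 + i / 100, attacker) for i in range(200)]     # second burst
    events += [(t, real_ap) for t in (10, 20, 30, 40, 50)]        # normal churn
    det = ThresholdDetector("flood deauthentication", interval=60, threshold=50, quiet=600)
    for t, src in sorted(events):
        det.observe(t, src)
    return det.alarms

def run_client_learning_scenario():
    """600 never-seen client MACs learned by one radio within 30 s, checked
    against the client-rate-limit defaults above (60 s, 1200 s, 512)."""
    det = ThresholdDetector("client-rate-limit", interval=60, threshold=512, quiet=1200)
    for i in range(600):
        det.observe(i / 20, "radio-1")
    return det.alarms
```

In run_deauth_scenario() the first burst raises one alarm when the 51st frame arrives at t = 0.5 s; the remaining 149 frames of that burst exceed the threshold too but are absorbed by the quiet time, and the second burst 700 seconds later raises a second alarm because the quiet time has expired. The real AP never crosses the threshold. Baseline the deauthentication and disassociation rate of your own network before lowering a threshold, because ordinary roaming churn that trips a detection also drives any countermeasure bound to it.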

 

Applying an attack detection policy

About applying an attack detection policy

Applying an attack detection policy to a VSD enables the attack detection policy to take effect on all radios in the VSD.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a VSD and enter its view.

virtual-security-domain vsd-name

By default, no VSDs exist.

4.       Apply an attack detection policy to the VSD.

apply detect policy policy-name

By default, no attack detection policy is applied to a VSD.

 

Configuring signature-based attack detection

Configuring a signature

About signatures

If you configure multiple signatures, WIPS matches detected packets against the configured signatures in ascending order of ID until a match is found.

You can configure one or multiple subsignatures for a signature. By default, a packet matches a signature if it matches any of the subsignatures of the signature. If you configure the match all command for the signature, a packet matches the signature only when it matches all of its subsignatures.

Restrictions and guidelines

You can configure a maximum of six subsignatures for a signature to match different attributes of packets.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a signature and enter its view.

signature rule rule-id

By default, no signatures exist.

4.       Configure a subsignature to match the frame type of a frame.

frame-type { control | data | management [ frame-subtype { association-request | association-response | authentication | beacon | deauthentication | disassociation | probe-request } ] }

By default, no subsignature is configured to match the frame type of a frame.

5.       Configure a subsignature to match the MAC address of a frame.

mac-address { bssid | destination | source } mac-address

By default, no subsignature is configured to match the MAC address of a frame.

6.       Configure a subsignature to match the sequence number of a frame.

seq-number seq-value1 [ to seq-value2 ]

By default, no subsignature is configured to match the sequence number of a frame.

7.       Configure a subsignature to match the SSID length of a frame.

ssid-length length-value1 [ to length-value2 ]

By default, no subsignature is configured to match the SSID length of a frame.

8.       Configure a subsignature to match the SSID of a frame.

ssid [ case-sensitive ] [ not ] { equal | include } string

By default, no subsignature is configured to match the SSID of a frame.

9.       Configure a subsignature to match the specified bits of a frame.

pattern pattern-number offset offset-value mask hex-value value1 [ to value2 ] [ from-payload ]

By default, no subsignature is configured to match the specified bits of a frame.

10.     Configure the subsignatures to be in logical AND relationship.

match all

By default, the subsignatures are in logical OR relationship. A packet matches a signature if it matches any of the subsignatures of the signature.

After you configure this command, a packet matches a signature only when it matches all the subsignatures of the signature.
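
The following Python code is an added example, not H3C code or AC output. It constructs beacon frames, parses their information elements, flags three of the conditions listed in the malformed packet detection table above (duplicated IE, invalid IE length, oversized SSID), and implements the signature semantics described in this section: subsignatures for frame type, BSSID, SSID, SSID length and a masked byte pattern, evaluation in ascending rule-ID order, and the default any-subsignature match versus match all. The frame layout follows the 802.11 management frame format; the BSSIDs, SSIDs and the choice of checks are constructed for the demonstration.

```python
import struct

# Added example, not H3C code: a minimal 802.11 management-frame IE parser, three
# malformed-frame checks (duplicated IE, invalid IE length, oversized SSID) and a
# signature matcher with frame-type, bssid, ssid, ssid-length and pattern
# subsignatures, ascending rule-ID order, "any" by default versus `match all`.
HDR, SSID_IE = 24, 0                         # management MAC header length, SSID element ID
FIXED_LEN = {"beacon": 12, "probe-request": 0, "association-request": 4}  # fixed fields before IEs
SUBTYPES = {0: "association-request", 4: "probe-request", 8: "beacon", 12: "deauthentication"}

def build_beacon(bssid, ssid, extra_ies=b"", seq=1):
    """Beacon: frame control, duration, DA, SA, BSSID, seq, 12 fixed bytes, SSID IE, extras."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", seq << 4)
    return hdr + bytes(8) + struct.pack("<HH", 100, 0x0411) + bytes([SSID_IE, len(ssid)]) + ssid + extra_ies

def frame_type(frame):
    fc = struct.unpack_from("<H", frame, 0)[0]
    return ("management", "control", "data", "reserved")[(fc >> 2) & 3], SUBTYPES.get((fc >> 4) & 0xF)

def parse_ies(frame):
    """Return [(id, value), ...]; raise ValueError when an IE length overruns the frame."""
    ftype, subtype = frame_type(frame)
    if ftype != "management" or subtype not in FIXED_LEN:
        return []
    body, pos, ies = frame[HDR + FIXED_LEN[subtype]:], 0, []
    while pos < len(body):
        if pos + 2 > len(body) or pos + 2 + body[pos + 1] > len(body):
            raise ValueError("IE at offset %d overruns the frame" % pos)
        ies.append((body[pos], body[pos + 2:pos + 2 + body[pos + 1]]))
        pos += 2 + body[pos + 1]
    return ies

def malformed_checks(frame):
    """List the malformed conditions found in the frame (empty means clean)."""
    try:
        ies = parse_ies(frame)
    except ValueError as err:
        return ["invalid-ie-length: %s" % err]
    findings, seen = [], set()
    for ie_id, value in ies:
        if ie_id in seen:
            findings.append("duplicated-ie: id %d" % ie_id)
        seen.add(ie_id)
        if ie_id == SSID_IE and len(value) > 32:      # an SSID is at most 32 bytes
            findings.append("overflow-ssid: %d bytes" % len(value))
    return findings

class Signature:
    """`signature rule <id>` plus its subsignatures; match_all mirrors `match all`."""
    def __init__(self, rule_id, match_all=False, **subsigs):
        self.rule_id, self.match_all, self.subsigs = rule_id, match_all, subsigs

    def _results(self, frame):
        try:
            ssid = dict(parse_ies(frame)).get(SSID_IE)
        except ValueError:
            ssid = None
        for name, want in self.subsigs.items():
            if name == "frame_type":          # e.g. ("management", "beacon")
                yield frame_type(frame) == want
            elif name == "bssid":
                yield frame[16:22] == want
            elif name == "ssid_include":
                yield ssid is not None and want in ssid
            elif name == "ssid_length":       # (low, high), inclusive
                yield ssid is not None and want[0] <= len(ssid) <= want[1]
            elif name == "pattern":           # (offset, mask, value) on one byte
                off, mask, value = want
                yield off < len(frame) and (frame[off] & mask) == value

    def matches(self, frame):
        results = list(self._results(frame))
        return all(results) if self.match_all else any(results)

def first_match(signatures, frame):
    """WIPS checks signatures in ascending rule-ID order and stops at the first hit."""
    for sig in sorted(signatures, key=lambda s: s.rule_id):
        if sig.matches(frame):
            return sig.rule_id
    return None

LEGIT, ROGUE, OTHER = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))   # constructed BSSIDs

def demo():
    sigs = [Signature(5, bssid=ROGUE, ssid_include=b"Free"),                       # OR by default
            Signature(10, match_all=True, frame_type=("management", "beacon"),
                      ssid_include=b"abc", ssid_length=(3, 3))]                   # AND
    frames = {"clean": build_beacon(LEGIT, b"abc"), "rogue_same_ssid": build_beacon(ROGUE, b"abc"),
              "free_wifi": build_beacon(OTHER, b"FreeWiFi"), "other": build_beacon(OTHER, b"xyz")}
    hits = {name: first_match(sigs, f) for name, f in frames.items()}
    loose = Signature(20, frame_type=("management", "beacon"), ssid_include=b"abc", ssid_length=(3, 3))
    hits["other_loose"] = first_match([loose], frames["other"])          # rule 10 without match all
    hits["pattern_beacon"] = first_match([Signature(7, pattern=(0, 0xFC, 0x80))], frames["other"])
    malformed = {"clean": malformed_checks(frames["clean"]),
                 "dup_ssid": malformed_checks(build_beacon(LEGIT, b"abc", bytes([SSID_IE, 3]) + b"abc")),
                 "big_ssid": malformed_checks(build_beacon(LEGIT, b"A" * 40)),
                 "overrun": malformed_checks(build_beacon(LEGIT, b"abc", bytes([1, 8]) + b"\x82\x84"))}
    return hits, malformed
```

demo() shows why match all matters: the three subsignatures of rule 10 match only beacons that advertise the 3-byte SSID abc, while the same three subsignatures without match all (rule 20) match every beacon, because the frame-type subsignature alone satisfies the OR. It also shows the ordering rule: a beacon for SSID abc sent from the rogue BSSID is reported by rule 5, not rule 10, because rule 5 has the lower ID and matching stops at the first hit. The pattern subsignature on byte 0 with mask 0xFC matches the type and subtype bits of the frame control field, which is how a pattern rule selects beacons without naming the frame type.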

 

Configuring a signature policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a signature policy and enter its view.

signature policy policy-name

By default, no signature policies exist.

4.       Bind the specified signature to the signature policy.

apply signature rule rule-id

By default, no signature is bound to a signature policy.

5.       Enable WIPS to detect packets that match the signature.

detect signature [ interval interval-value | quiet quiet-value | threshold threshold-value ] *

By default, detection on packets that match a signature is enabled.

The statistics collection interval is 60 seconds, the quiet interval is 600 seconds, and the alarm threshold is 50.

 

Applying a signature policy

About applying a signature policy

Applying a signature policy to a VSD enables the signature policy to take effect on all radios in the VSD.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a VSD and enter its view.

virtual-security-domain vsd-name

By default, no VSDs exist.

4.       Apply the specified signature policy to the VSD.

apply signature policy policy-name

By default, no signature policy is applied to a VSD.

 

Configuring device classification

Configuring a classification policy

About classification policies

You can enable WIPS to classify devices by using the following methods:

·          Automatic classification—WIPS classifies devices against the lists you configure in the classification policy (permitted MAC addresses, trusted OUIs, trusted SSIDs, and statically prohibited MAC addresses) and against user-defined AP classification rules.

·          Manual classification—You specify a category for a device by its MAC address. Manual classification is applicable only to APs.

If both automatic classification and manual classification apply to an AP, manual classification takes precedence.

Configuring an automatic device classification policy

Configuring an automatic device classification policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a classification policy and enter its view.

classification policy policy-name

By default, no classification policies exist.

4.       Configure WIPS to classify devices with invalid OUIs as rogue devices.

invalid-oui-classify illegal

By default, WIPS does not classify devices with invalid OUIs as rogue devices.

5.       Add a MAC address to the permitted device list.

trust mac-address mac-address

By default, no MAC address exists in the permitted device list.

6.       Add an OUI to the trusted OUI list.

trust oui oui

By default, no OUIs exist in the trusted OUI list.

This command is applicable only to AP classification.

7.       Add an SSID to the trusted SSID list.

trust ssid ssid-name

By default, no SSIDs exist in the trusted SSID list.

8.       Add a MAC address to the static prohibited device list.

block mac-address mac-address

By default, no MAC addresses exist in the static prohibited device list.

9.       Bind the specified AP classification rule to the classification policy.

apply ap-classification rule rule-id { authorized-ap | { { external-ap | misconfigured-ap | rogue-ap } [ severity-level level ] } }

By default, no AP classification rule is bound to a classification policy.

10.     Configure the AP classification rule criteria to be in logical AND relationship.

match all

By default, the AP classification rule criteria are in logical OR relationship. An AP matches an AP classification rule if it matches any of the criteria of the AP classification rule.

After you configure this command, an AP matches an AP classification rule only when it matches all criteria of the AP classification rule.

 

Configuring an AP classification rule

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create an AP classification rule and enter its view.

ap-classification rule rule-id

By default, no AP classification rules exist.

4.       Configure the AP classification rule to match the RSSI of an AP.

rssi value1 [ to value2 ]

By default, an AP classification rule does not match the RSSI of an AP.

5.       Configure the AP classification rule to match the SSID of the wireless service for an AP.

ssid [ case-sensitive ] [ not ] { equal | include } ssid-string

By default, an AP classification rule does not match the SSID of the wireless service for an AP.

6.       Configure the AP classification rule to match the running time of an AP.

up-duration value1 [ to value2 ]

By default, an AP classification rule does not match the running time of an AP.

7.       Configure the AP classification rule to match the number of associated clients for an AP.

client-online value1 [ to value2 ]

By default, an AP classification rule does not match the number of associated clients for an AP.

8.       Configure the AP classification rule to match the number of sensors that detect an AP.

discovered-ap value1 [ to value2 ]

By default, an AP classification rule does not match the number of sensors that detect an AP.

9.       Configure the AP classification rule to match the security mode used by an AP.

security { equal | include } { clear | wep | wpa | wpa2 }

By default, an AP classification rule does not match the security mode used by an AP.

10.     Configure the AP classification rule to match the authentication mode used by an AP.

authentication { equal | include } { 802.1x | none | other | psk }

By default, an AP classification rule does not match the authentication mode used by an AP.

11.     Configure the AP classification rule to match the OUI information of an AP.

oui oui-info

By default, an AP classification rule does not match the OUI information of an AP.

 

Configuring a manual AP classification policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a classification policy and enter its view.

classification policy policy-name

By default, no classification policies exist.

4.       Specify a category for the specified AP.

manual-classify mac-address mac-address { authorized-ap | external-ap | misconfigured-ap | rogue-ap }

By default, no category is specified for an AP.
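
The following Python model is an added example, not H3C code or AC output. It walks through how a classification policy built from the commands in the three tables above resolves the category of a detected AP: manual classification first, then the static prohibited list, the permitted MAC and trusted OUI lists, invalid-oui-classify illegal, and finally the AP classification rules in rule-ID order with OR or match all semantics. The guide states that manual classification takes precedence over automatic classification; the order in which the automatic lists are consulted here, the two-entry OUI library, and all MAC addresses and SSIDs are assumptions constructed for the example. The trusted SSID list is left out because the category it produces is not stated in these tables.

```python
from dataclasses import dataclass, field

# Added example, not H3C code: a model of how a classification policy resolves the
# category of a detected AP. From the guide: manual classification overrides automatic
# classification; blocked MACs are prohibited devices; trusted MACs and OUIs are permitted
# devices; `invalid-oui-classify illegal` makes an AP with an unknown OUI rogue; rule
# criteria combine with OR by default and with AND under `match all`. The order in which
# the automatic lists are consulted, and the OUI library, are assumptions for this example.

OUI_LIBRARY = {"00:0f:1c": "vendor-A", "02:aa:bb": "vendor-B"}   # constructed, not a real OUI file

def oui_of(mac):
    """The OUI is the first three bytes of the MAC address, e.g. '00:0f:1c'."""
    return mac.lower()[:8]

@dataclass
class DetectedAP:
    mac: str
    ssid: str
    rssi: int
    security: set           # subset of {"clear", "wep", "wpa", "wpa2"}
    client_online: int = 0  # associated clients seen by the sensor

@dataclass
class APClassificationRule:
    rule_id: int
    category: str                   # authorized-ap | external-ap | misconfigured-ap | rogue-ap
    match_all: bool = False         # `match all` in the classification policy
    rssi: tuple = None              # rssi value1 to value2
    ssid_include: str = None        # ssid include string
    security_include: set = None    # security include { clear | wep | wpa | wpa2 }
    client_online: tuple = None     # client-online value1 to value2
    oui: str = None                 # oui oui-info

    def criteria(self, ap):
        if self.rssi is not None:
            yield self.rssi[0] <= ap.rssi <= self.rssi[1]
        if self.ssid_include is not None:
            yield self.ssid_include in ap.ssid
        if self.security_include is not None:
            yield bool(self.security_include & ap.security)
        if self.client_online is not None:
            yield self.client_online[0] <= ap.client_online <= self.client_online[1]
        if self.oui is not None:
            yield oui_of(ap.mac) == self.oui.lower()

    def matches(self, ap):
        results = list(self.criteria(ap))
        return bool(results) and (all(results) if self.match_all else any(results))

@dataclass
class ClassificationPolicy:
    trust_macs: set = field(default_factory=set)    # trust mac-address
    trust_ouis: set = field(default_factory=set)    # trust oui
    block_macs: set = field(default_factory=set)    # block mac-address
    invalid_oui_is_rogue: bool = False              # invalid-oui-classify illegal
    manual: dict = field(default_factory=dict)      # manual-classify mac-address ...
    rules: list = field(default_factory=list)       # apply ap-classification rule ...

    def classify(self, ap):
        """Return (category, reason) for one detected AP."""
        mac = ap.mac.lower()
        if mac in self.manual:                      # manual classification always wins
            return self.manual[mac], "manual-classify"
        if mac in self.block_macs:
            return "rogue-ap", "block mac-address"
        if mac in self.trust_macs or oui_of(mac) in self.trust_ouis:
            return "authorized-ap", "trust mac-address / trust oui"
        if self.invalid_oui_is_rogue and oui_of(mac) not in OUI_LIBRARY:
            return "rogue-ap", "invalid-oui-classify illegal"
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(ap):
                return rule.category, "ap-classification rule %d" % rule.rule_id
        return "uncategorized-ap", "no list or rule matched"

def demo_policy():
    """A policy in the spirit of the configuration example at the end of this chapter."""
    return ClassificationPolicy(
        trust_macs={"00:0f:1c:00:00:01"}, block_macs={"00:0f:1c:35:12:a5"},
        invalid_oui_is_rogue=True, manual={"02:aa:bb:00:00:09": "external-ap"},
        rules=[  # rule 1: an untrusted AP advertising our SSID is an evil twin
               APClassificationRule(1, "rogue-ap", ssid_include="abc"),
               # rule 2 (AND): weak signal, WPA2 and no clients reads as a neighbour's AP
               APClassificationRule(2, "external-ap", match_all=True, rssi=(-95, -75),
                                    security_include={"wpa2"}, client_online=(0, 0))])

def demo_aps():
    """Constructed scan results, one per decision path in classify()."""
    return [DetectedAP("00:0f:1c:00:00:01", "abc", -40, {"wpa2"}, 12),     # trusted MAC
            DetectedAP("00:0f:1c:35:12:a5", "abc", -55, {"wpa2"}),         # blocked MAC
            DetectedAP("02:aa:bb:00:00:09", "abc", -60, {"wpa2"}),         # manual override beats rule 1
            DetectedAP("de:ad:be:ef:00:01", "abc", -50, {"clear"}),        # OUI not in library
            DetectedAP("02:aa:bb:00:00:10", "abc-guest", -45, {"wpa2"}),   # rule 1
            DetectedAP("02:aa:bb:00:00:11", "neighbour", -85, {"wpa2"}),   # rule 2
            DetectedAP("02:aa:bb:00:00:13", "office2", -40, {"wpa2"})]     # no list or rule

def classify_all(policy, aps):
    return {ap.mac: policy.classify(ap)[0] for ap in aps}
```

classify_all(demo_policy(), demo_aps()) returns one category per AP. The AP 02:aa:bb:00:00:09 advertises SSID abc and would be classified rogue-ap by rule 1, but its manual-classify entry makes it external-ap. Rule 2 matches only when every criterion holds; the same criteria without match all would also match the strong-signal AP 02:aa:bb:00:00:13, because its WPA2 security alone satisfies the OR, which is the difference the match all command makes.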

 

Applying a classification policy

About applying a classification policy

Applying a classification policy to a VSD enables the classification policy to take effect on all radios in the VSD.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Enter VSD view.

virtual-security-domain vsd-name

By default, no VSDs exist.

4.       Apply a classification policy to the VSD.

apply classification policy policy-name

By default, no classification policy is applied to a VSD.

 

Configuring countermeasures

Configuring a countermeasure policy

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a countermeasure policy and enter its view.

countermeasure policy policy-name

By default, no countermeasure policies exist.

4.       Enable WIPS to take countermeasures against external APs.

countermeasure external-ap

By default, WIPS does not take countermeasures against external APs.

5.       Enable WIPS to take countermeasures against misconfigured APs.

countermeasure misconfigured-ap

By default, WIPS does not take countermeasures against misconfigured APs.

6.       Enable WIPS to take countermeasures against misassociated clients.

countermeasure misassociation-client

By default, WIPS does not take countermeasures against misassociated clients.

7.       Enable WIPS to take countermeasures against potential-authorized APs.

countermeasure potential-authorized-ap

By default, WIPS does not take countermeasures against potential-authorized APs.

8.       Enable WIPS to take countermeasures against potential-external APs.

countermeasure potential-external-ap

By default, WIPS does not take countermeasures against potential-external APs.

9.       Enable WIPS to take countermeasures against potential-rogue APs.

countermeasure potential-rogue-ap

By default, WIPS does not take countermeasures against potential-rogue APs.

10.     Enable WIPS to take countermeasures against rogue APs.

countermeasure rogue-ap

By default, WIPS does not take countermeasures against rogue APs.

11.     Enable WIPS to take countermeasures against unauthorized clients.

countermeasure unauthorized-client

By default, WIPS does not take countermeasures against unauthorized clients.

12.     Enable WIPS to take countermeasures against uncategorized APs.

countermeasure uncategorized-ap

By default, WIPS does not take countermeasures against uncategorized APs.

13.     Enable WIPS to take countermeasures against uncategorized clients.

countermeasure uncategorized-client

By default, WIPS does not take countermeasures against uncategorized clients.

14.     Enable WIPS to take countermeasures against the specified device.

countermeasure mac-address mac-address

By default, WIPS does not take countermeasures against devices.

15.     Enable WIPS to take countermeasures against Ad hoc devices.

countermeasure adhoc

By default, WIPS does not take countermeasures against Ad hoc devices.

16.     Enable WIPS to take countermeasures against devices that launch broadcast deauthentication attacks.

countermeasure attack deauth-broadcast

By default, WIPS does not take countermeasures against devices that launch broadcast deauthentication attacks.

17.     Enable WIPS to take countermeasures against devices that launch broadcast disassociation attacks.

countermeasure attack disassoc-broadcast

By default, WIPS does not take countermeasures against devices that launch broadcast disassociation attacks.

18.     Enable WIPS to take countermeasures against honeypot APs.

countermeasure attack honeypot-ap

By default, WIPS does not take countermeasures against honeypot APs.

19.     Enable WIPS to take countermeasures against devices that launch hotspot attacks.

countermeasure attack hotspot-attack

By default, WIPS does not take countermeasures against devices that launch hotspot attacks.

20.     Enable WIPS to take countermeasures against 40 MHz intolerant devices (devices with the 40 MHz bandwidth mode disabled).

countermeasure attack ht-40-mhz-intolerance

By default, WIPS does not take countermeasures against 40 MHz intolerant devices.

21.     Enable WIPS to take countermeasures against devices that send malformed packets.

countermeasure attack malformed-packet

By default, WIPS does not take countermeasures against devices that send malformed packets.

22.     Enable WIPS to take countermeasures against devices that launch MITM attacks.

countermeasure attack man-in-the-middle

By default, WIPS does not take countermeasures against devices that launch MITM attacks.

23.     Enable WIPS to take countermeasures against devices that launch Omerta attacks.

countermeasure attack omerta

By default, WIPS does not take countermeasures against devices that launch Omerta attacks.

24.     Enable WIPS to take countermeasures against devices that launch power save attacks.

countermeasure attack power-save

By default, WIPS does not take countermeasures against devices that launch power save attacks.

25.     Enable WIPS to take countermeasures against soft APs.

countermeasure attack soft-ap

By default, WIPS does not take countermeasures against soft APs.

26.     Enable WIPS to take countermeasures against unencrypted authorized clients.

countermeasure attack unencrypted-trust-client

By default, WIPS does not take countermeasures against unencrypted authorized clients.

27.     Enable WIPS to take countermeasures against devices that use weak IVs.

countermeasure attack weak-iv

By default, WIPS does not take countermeasures against devices that use weak IVs.

28.     Enable WIPS to take countermeasures against devices that launch Windows bridge attacks.

countermeasure attack windows-bridge

By default, WIPS does not take countermeasures against devices that launch Windows bridge attacks.

29.     Enable WIPS to take countermeasures against all attackers.

countermeasure attack all

By default, WIPS does not take countermeasures against all attackers.

30.     Enable all sensors that detect an attacker to take countermeasures against the attacker.

select sensor all

By default, only the sensor that most recently detected an attacker takes countermeasures against the attacker.

 

Applying a countermeasure policy

About applying a countermeasure policy

Applying a countermeasure policy to a VSD enables the countermeasure policy to take effect on all radios in the VSD.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Create a VSD and enter its view.

virtual-security-domain vsd-name

By default, no VSDs exist.

4.       Apply a countermeasure policy to the VSD.

apply countermeasure policy policy-name

By default, no countermeasure policy is applied to a VSD.

 

Detecting clients with NAT configured

About detecting clients with NAT configured

Perform this task to enable an AP to detect clients that have NAT configured, for example a client that shares its wireless connection with other hosts behind it. This prevents network sharing among clients.

Procedure

To detect clients with NAT configured in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an AP and enter AP view.

wlan ap ap-name [ model model-name ]

You must specify the name and model when you create an AP.

3.       Enable the AP to detect clients with NAT configured.

wlan nat-detect enable

By default, an AP uses the configuration in AP group view.

 

To detect clients with NAT configured in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an AP group and enter AP group view.

wlan ap-group group-name

By default, a system-defined AP group exists. This AP group is named default-group and cannot be deleted.

3.       Enable APs in the AP group to detect clients with NAT configured.

wlan nat-detect enable

By default, APs do not detect clients with NAT configured.

 

Configuring the alarm-ignoring feature

About the alarm-ignoring feature

With this feature configured, WIPS does not trigger alarms for wireless devices whose MAC addresses are in the alarm-ignored device list. You can also configure WIPS to not trigger alarms for devices that use a random MAC address. Because this suppression is based only on the address a device presents, an attacker that randomizes its MAC address is ignored in the same way as a legitimate client that does, so restrict the ignore list to devices you have identified.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Add the MAC address of a device to the alarm-ignored device list.

ignorelist mac-address mac-address

By default, no MAC address is added to the alarm-ignored device list.

4.       Configure WIPS to not trigger alarms for devices that use a random MAC address.

random-mac-scan enable

By default, WIPS triggers alarms for devices that use a random MAC address.

 

Configuring APs to perform WIPS scanning while providing access services

About configuring APs to perform WIPS scanning while providing access services

This feature enhances the WIPS detection and protection capabilities, because access APs also act as sensors, but it decreases the access service capability, because radio time spent scanning other channels is not available for serving clients.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter WIPS view.

wips

N/A

3.       Configure APs to perform WIPS scanning while providing access services.

access-scan enable

By default, APs do not perform WIPS scanning while they are providing access services.

 

Configuring OUIs

About OUIs

An Organizationally Unique Identifier (OUI) is the first three bytes of a device's MAC address and identifies the vendor of the device.

After the AC starts, it automatically imports OUIs in the default OUI configuration file to the OUI library.

You can also manually configure the OUI library as follows:

·          Use the import oui command to import OUIs from an OUI configuration file to the OUI library.

The system displays the numbers of imported OUIs, updated OUIs, existing OUIs, and OUIs that failed to import.

·          Use the export oui command to export OUIs in the OUI library to an OUI configuration file.

The system displays the number of OUIs successfully exported and the number of OUIs that failed to export.

Procedure

Step

Command

1.       Enter system view.

system-view

2.       Enter WIPS view.

wips

3.       Import OUIs from an OUI configuration file to the OUI library.

import oui file-name

4.       Export OUIs in the OUI library to an OUI configuration file.

export oui file-name

5.       Enter user view.

return

6.       Delete all embedded OUIs in the OUI library.

reset wips embedded-oui

 

Display and maintenance commands for WIPS

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about all sensors.

display wips sensor

Display attack detection information collected by sensors.

display wips statistics [ receive | virtual-security-domain vsd-name ]

Display information about countermeasures that WIPS has taken against rogue devices.

display wips virtual-security-domain vsd-name countermeasure record

Display information about wireless devices detected in a VSD.

display wips virtual-security-domain vsd-name device [ ap [ adhoc | authorized | external | mesh | misconfigured | potential-authorized | potential-external | potential-rogue | rogue | uncategorized ] | client [ [ dissociative-client ] [ authorized | misassociation | unauthorized | uncategorized ] ] | mac-address mac-address ] [ verbose ]

Display information about detected NAT-configured clients.

display wlan nat-detect [ mac-address mac-address ]

Clear information received from all sensors.

reset wips statistics

Clear information about countermeasures that WIPS has taken against rogue devices.

reset wips virtual-security-domain vsd-name countermeasure record

Clear learned AP or client entries for a VSD.

reset wips virtual-security-domain vsd-name { ap { all | mac-address mac-address} | client { all | mac-address mac-address } | all }

Clear information about detected NAT-configured clients.

reset wlan nat-detect

 

WIPS configuration examples

Example: Configuring device classification and countermeasures

Network configuration

As shown in Figure 52, the sensor connects to the AC through the switch. AP 1 and AP 2 provide wireless services to clients through SSID abc. Perform the following tasks:

·          Enable WIPS for the sensor.

·          Configure wireless device classification to add MAC address 000f-1c35-12a5 to the static prohibited device list and to add SSID abc to the trusted SSID list.

·          Configure countermeasures to enable WIPS to take countermeasures against potential-external APs and unauthorized clients.

Figure 52 Network diagram

 

Procedure

# Configure wireless services on the AC. (Details not shown.)

For more information about wireless service configuration, see "Configuring WLAN access."

# Create a VSD named vsd1.

<AC> system-view

[AC] wips

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

# Create an AP named Sensor and enable WIPS for the AP.

[AC] wlan ap Sensor model WA2620-WiNet

[AC-wlan-ap-Sensor] serial-id 210235A1GQB139000435

[AC-wlan-ap-Sensor] radio 1

[AC-wlan-ap-Sensor-radio-1] radio enable

[AC-wlan-ap-Sensor-radio-1] wips enable

[AC-wlan-ap-Sensor-radio-1] quit

# Add AP Sensor to VSD vsd1.

[AC-wlan-ap-Sensor] wips virtual-security-domain vsd1

[AC-wlan-ap-Sensor] quit

# Create a classification policy named class1, add the MAC address of Client 2 to the prohibited device list, and add SSID abc to the trusted SSID list.

[AC] wips

[AC-wips] classification policy class1

[AC-wips-cls-class1] block mac-address 000f-1c35-12a5

[AC-wips-cls-class1] trust ssid abc

[AC-wips-cls-class1] quit

# Apply classification policy class1 to VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply classification policy class1

[AC-wips-vsd-vsd1] quit

# Create a countermeasure policy named protect, and enable WIPS to take countermeasures against unauthorized clients and potential-external APs.

[AC-wips] countermeasure policy protect

[AC-wips-cms-protect] countermeasure unauthorized-client

[AC-wips-cms-protect] countermeasure potential-external-ap

[AC-wips-cms-protect] quit

# Apply countermeasure policy protect to VSD vsd1.

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply countermeasure policy protect

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

Verifying the configuration

# Display wireless device classification information for VSD vsd1.

[AC] display wips virtual-security-domain vsd1 device

Total 3 detected devices in virtual-security-domain vsd1

 

Class: Auth - authorization; Ext - extern; Mis - mistake;

       Unauth - unauthorized; Uncate - uncategorized;

       (A) - associate; (C) - config; (P) - potential

 

MAC address    Type   Class    Duration    Sensors Channel Status

00e0-fc00-5829 AP     Auth     00h 10m 24s 1       149      Active

000f-e228-2528 AP     Auth     00h 10m 04s 1       149      Active

000f-e223-1616 AP     Ext(P)   00h 10m 46s 1       149      Active

000f-1c35-12a5 Client Unauth   00h 10m 02s 1       149      Active

000f-e201-0102 Client Auth     00h 10m 02s 1       149      Active

The output shows that the AP with MAC address 000f-e223-1616 is classified as a potential-external AP and the client with MAC address 000f-1c35-12a5 is classified as an unauthorized client.

# Display information about countermeasures that WIPS has taken against the devices.

[AC] display wips virtual-security-domain vsd1 countermeasure record

Total 2 times countermeasure, current 2 countermeasure record in virtual-security-domain vsd1

Reason: Attack; Ass - associated; Black - blacklist;                           

        Class - classification; Manu - manual;                                  

                                                                               

MAC address    Type   Reason   Countermeasure AP      Radio ID   Time          

00e0-fc00-5829 AP     Class    Sensor                 1          2014-06-03/09:30:25

000f-e228-2528 AP     Class    Sensor                 1          2014-06-03/19:31:56

000f-e223-1616 AP     Class    Sensor                 1          2014-06-03/10:30:36

000f-1c35-12a5 Client Class    Sensor                 1          2014-06-03/09:13:26

000f-e201-0102 Client Class    Sensor                 1          2014-06-03/09:33:46

The output shows that WIPS has taken countermeasures against the unauthorized client with MAC address 000f-1c35-12a5 and the potential-external AP with MAC address 000f-e223-1616.

Example: Configuring malformed packet and flood attack detection

Network configuration

As shown in Figure 53, configure the two APs that connect to the AC through the switch as sensors. Add Sensor 1 and Sensor 2 to VSD VSD_1. Configure malformed packet detection and flood attack detection to enable WIPS to trigger an alarm when it detects beacon flood attacks or malformed packets with duplicated IE.

Figure 53 Network diagram

 

Procedure

# Configure wireless services on the AC. (Details not shown.)

For more information about wireless service configuration, see "Configuring WLAN access."

# Create an AP named sensor1 and enable WIPS for the AP.

<AC> system-view

[AC] wlan ap sensor1 model WA2620-WiNet

[AC-wlan-ap-sensor1] serial-id 210235A1GQB139000435

[AC-wlan-ap-sensor1] radio 1

[AC-wlan-ap-sensor1-radio-1] radio enable

[AC-wlan-ap-sensor1-radio-1] wips enable

[AC-wlan-ap-sensor1-radio-1] return

# Create an AP named sensor2 and enable WIPS for the AP.

<AC> system-view

[AC] wlan ap sensor2 model WA2620-WiNet

[AC-wlan-ap-sensor2] serial-id 210235A1GQB139000436

[AC-wlan-ap-sensor2] radio 1

[AC-wlan-ap-sensor2-radio-1] radio enable

[AC-wlan-ap-sensor2-radio-1] wips enable

[AC-wlan-ap-sensor2-radio-1] quit

[AC-wlan-ap-sensor2] quit

# Create a VSD named VSD_1.

[AC] wips

[AC-wips] virtual-security-domain VSD_1

[AC-wips-vsd-VSD_1] quit

# Create an attack detection policy named dtc1.

[AC-wips] detect policy dtc1

# Enable detection on malformed packets with duplicated IE, and set the quiet time to 50 seconds.

[AC-wips-dtc-dtc1] malformed duplicated-ie quiet 50

# Enable beacon flood attack detection, and set the statistics interval, threshold, and quiet time to 100 seconds, 200, and 50 seconds, respectively.

[AC-wips-dtc-dtc1] flood beacon interval 100 quiet 50 threshold 200

[AC-wips-dtc-dtc1] quit

# Apply attack detection policy dtc1 to VSD VSD_1.

[AC-wips] virtual-security-domain VSD_1

[AC-wips-vsd-VSD_1] apply detect policy dtc1

[AC-wips-vsd-VSD_1] quit

[AC-wips] quit

# Add AP sensor1 to VSD VSD_1.

[AC] wlan ap sensor1

[AC-wlan-ap-sensor1] wips virtual-security-domain VSD_1

[AC-wlan-ap-sensor1] quit

# Add AP sensor2 to VSD VSD_1.

[AC] wlan ap sensor2

[AC-wlan-ap-sensor2] wips virtual-security-domain VSD_1

[AC-wlan-ap-sensor2] return

Verifying the configuration

# Display packet statistics when WIPS does not detect any attacks in the WLAN. The output shows that no malformed packet or flood attack message exists.

<AC> display wips statistics receive

Information from sensor 1

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0

Information from sensor 2

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0

# Display packet statistics when WIPS detects beacon flood attacks and malformed packets with duplicated IE. The output shows that the number of detected messages is 28 for malformed packets with duplicated IE and the number of detected messages is 18 for beacon flood attacks.

<AC> display wips statistics receive

Information from sensor 1

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 18

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0

Information from sensor 2

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 28

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 0
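The verification step above reads the display wips statistics receive output by eye. As an added example that is not H3C's code, the following parser turns that output into per-sensor counters so the non-zero ones can be reported, and compares two polls so that only counters that grew since the last poll are raised. The sample text is constructed from the output format shown above (trimmed to a few counters, with a third block in the unnumbered "Information from sensor" form seen later on this page); the assumption that the counters accumulate until reset wips statistics is run is mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the display wips statistics receive output above.
SAMPLE_OUTPUT = """\
Information from sensor 1
Information about attack statistics:
Detected association-request flood messages: 0
Detected beacon flood messages: 18
Detected duplicated-ie messages: 0
Detected sig rule messages: 0
Information from sensor 2
Information about attack statistics:
Detected association-request flood messages: 0
Detected beacon flood messages: 0
Detected duplicated-ie messages: 28
Detected sig rule messages: 0
Information from sensor
Information about attack statistics:
Detected sig rule messages: 26
"""

_SENSOR_RE = re.compile(r"^Information from sensor\s*(\S*)\s*$")
_COUNTER_RE = re.compile(r"^Detected (.+?) messages:\s*(\d+)\s*$")

Stats = Dict[str, Dict[str, int]]   # sensor -> {counter name -> count}


def parse_wips_statistics(text: str) -> Stats:
    """Map each sensor block to its counters, preserving output order."""
    sensors: Stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SENSOR_RE.match(line)
        if m:
            current = m.group(1) or "unnamed"   # the unnumbered form has no sensor id
            sensors[current] = {}
            continue
        m = _COUNTER_RE.match(line)
        if m and current is not None:
            sensors[current][m.group(1)] = int(m.group(2))
    return sensors


def nonzero_counters(stats: Stats) -> List[Tuple[str, str, int]]:
    """(sensor, counter, count) for every counter that is not zero."""
    return [(s, name, n) for s, counters in stats.items()
            for name, n in counters.items() if n]


def increases(previous: Stats, current: Stats) -> List[Tuple[str, str, int]]:
    """Counters that grew between two polls. Assumes counters accumulate until
    reset wips statistics is run, so growth means new detections since the last poll."""
    out: List[Tuple[str, str, int]] = []
    for s, counters in current.items():
        prev = previous.get(s, {})
        for name, n in counters.items():
            inc = n - prev.get(name, 0)
            if inc > 0:
                out.append((s, name, inc))
    return out
```

Polling with increases() rather than nonzero_counters() avoids re-reporting an old detection on every poll; after a reset wips statistics, the "previous" snapshot must be discarded, otherwise the next poll under-reports.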

Example: Configuring signature-based attack detection

Network configuration

As shown in Figure 54, AP 1 and AP 2 provide wireless services for clients through SSID abc. Enable WIPS for the sensor, and configure a signature to enable WIPS to trigger an alarm when it detects beacon frames whose SSIDs are not abc.

Figure 54 Network diagram

 

Procedure

# Configure wireless services on the AC. (Details not shown.)

For more information about wireless service configuration, see "Configuring WLAN access."

# Create an AP named sensor1 and enable WIPS for the AP.

<AC> system-view

[AC] wlan ap sensor1 model WA2620-WiNet

[AC-wlan-ap-sensor1] serial-id 210235A1GQB139000435

[AC-wlan-ap-sensor1] radio 1

[AC-wlan-ap-sensor1-radio-1] radio enable

[AC-wlan-ap-sensor1-radio-1] wips enable

[AC-wlan-ap-sensor1-radio-1] quit

[AC-wlan-ap-sensor1] quit

# Create a VSD named vsd1.

[AC] wips

[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] quit

[AC-wips] quit

# Add the AP sensor1 to the VSD vsd1.

[AC] wlan ap sensor1

[AC-wlan-ap-sensor1] wips virtual-security-domain vsd1

[AC-wlan-ap-sensor1] quit

# Create signature 1, and configure a subsignature to match beacon frames and a subsignature to match frames whose SSIDs are not abc.

[AC] wips

[AC-wips] signature rule 1

[AC-wips-sig-rule-1] frame-type management frame-subtype beacon

[AC-wips-sig-rule-1] ssid not equal abc

[AC-wips-sig-rule-1] quit

# Create a signature policy named sig1, and bind signature 1 to signature policy sig1.

[AC-wips] signature policy sig1

[AC-wips-sig-sig1] apply signature rule 1

# Enable WIPS to detect packets that match the signature, and set the statistics collection interval, quiet time, and alarm threshold to 5 seconds, 60 seconds, and 60, respectively.

[AC-wips-sig-sig1] detect signature interval 5 quiet 60 threshold 60

[AC-wips-sig-sig1] quit

# Apply signature policy sig1 to VSD vsd1.


[AC-wips] virtual-security-domain vsd1

[AC-wips-vsd-vsd1] apply signature policy sig1

[AC-wips-vsd-vsd1] quit

Verifying the configuration

# Verify that the AC receives an alarm from the sensor when the sensor detects the wireless service with SSID free_wlan.

WIPS/5/WIPS_SIGNATURE: -VSD=vsd1-RuleID=1; Signature rule matched.

# Display attack detection information collected from sensors. The output shows that the number of detected messages is 26 for packets that match the signature.

[AC] display wips statistics receive

Information from sensor

Information about attack statistics:

Detected association-request flood messages: 0

Detected authentication flood messages: 0

Detected beacon flood messages: 0

Detected block-ack flood messages: 0

Detected cts flood messages: 0

Detected deauthentication flood messages: 0

Detected disassociation flood messages: 0

Detected eapol-start flood messages: 0

Detected null-data flood messages: 0

Detected probe-request flood messages: 0

Detected reassociation-request flood messages: 0

Detected rts flood messages: 0

Detected duplicated-ie messages: 0

Detected fata-jack messages: 0

Detected illegal-ibss-ess messages: 0

Detected invalid-address-combination messages: 0

Detected invalid-assoc-req messages: 0

Detected invalid-auth messages: 0

Detected invalid-deauth-code messages: 0

Detected invalid-disassoc-code messages: 0

Detected invalid-ht-ie messages: 0

Detected invalid-ie-length messages: 0

Detected invalid-pkt-length messages: 0

Detected large-duration messages: 0

Detected null-probe-resp messages: 0

Detected overflow-eapol-key messages: 0

Detected overflow-ssid messages: 0

Detected redundant-ie messages: 0

Detected AP spoof AP messages: 0

Detected AP spoof client messages: 0

Detected AP spoof ad-hoc messages: 0

Detected ad-hoc spoof AP messages: 0

Detected client spoof AP messages: 0

Detected weak IV messages: 0

Detected excess AP messages: 0

Detected excess client messages: 0

Detected sig rule messages: 26
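Both the flood detection in the previous example (flood beacon interval 100 quiet 50 threshold 200) and the signature detection in this one (detect signature interval 5 quiet 60 threshold 60) combine a statistics interval, a threshold and a quiet time. The following added example, which is not H3C's code, models that mechanism on a stream of constructed frame records: frames accepted by a rule are counted per statistics interval, an alarm is raised when the count in the current interval reaches the threshold, and repeat alarms are suppressed for the quiet time. That reading of the three parameters is an assumption about the commands; the frame records and the Frame fields are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Frame:
    """Constructed 802.11 frame record with only the fields the two rules look at."""
    ts: float                  # arrival time in seconds
    ftype: str                 # "management", "control" or "data"
    subtype: str               # e.g. "beacon"
    ssid: Optional[str] = None


@dataclass
class ThresholdDetector:
    """Count frames accepted by `match` per statistics interval; alarm when the count in the
    current interval reaches `threshold`; suppress repeat alarms for `quiet` seconds.
    This interval/threshold/quiet interpretation is an assumption, not taken from the page."""
    name: str
    match: Callable[[Frame], bool]
    interval: float
    threshold: int
    quiet: float
    alarms: List[float] = field(default_factory=list)
    _win_start: Optional[float] = None
    _count: int = 0
    _quiet_until: float = float("-inf")

    def feed(self, f: Frame) -> bool:
        """Process one frame; return True if this frame raised an alarm."""
        if not self.match(f):
            return False
        if self._win_start is None or f.ts - self._win_start >= self.interval:
            self._win_start, self._count = f.ts, 0     # start a new statistics interval
        self._count += 1
        if self._count >= self.threshold and f.ts >= self._quiet_until:
            self.alarms.append(f.ts)
            self._quiet_until = f.ts + self.quiet
            return True
        return False


def is_beacon(f: Frame) -> bool:
    return f.ftype == "management" and f.subtype == "beacon"


def beacon_flood_detector() -> ThresholdDetector:
    # flood beacon interval 100 quiet 50 threshold 200, as in policy dtc1 above
    return ThresholdDetector("beacon-flood", is_beacon, interval=100, threshold=200, quiet=50)


def signature_rule_1_detector(trusted_ssid: str = "abc") -> ThresholdDetector:
    # signature rule 1: frame-type management frame-subtype beacon AND ssid not equal abc,
    # with detect signature interval 5 quiet 60 threshold 60, as in policy sig1 above
    return ThresholdDetector("sig-rule-1",
                             lambda f: is_beacon(f) and f.ssid != trusted_ssid,
                             interval=5, threshold=60, quiet=60)


def run(detector: ThresholdDetector, frames: List[Frame]) -> int:
    """Feed frames in time order; return how many alarms were raised."""
    for f in sorted(frames, key=lambda x: x.ts):
        detector.feed(f)
    return len(detector.alarms)


def constructed_beacons(n: int, spacing: float, ssid: str, start: float = 0.0) -> List[Frame]:
    """n evenly spaced beacon frames advertising `ssid` (constructed input for the example)."""
    return [Frame(start + i * spacing, "management", "beacon", ssid) for i in range(n)]
```

The same 200 beacons raise an alarm when they arrive within one 100-second interval and none when spread over 200 seconds, which is why the interval and threshold have to be chosen together against the beacon rate of the legitimate APs on the channel; the quiet time then bounds how often a sustained condition is re-reported.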


Configuring WLAN QoS

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN QoS

An 802.11 network provides contention-based wireless access. To provide applications with QoS services, IEEE developed 802.11e for 802.11-based WLANs.

WLAN QoS features include WMM, SVP, bandwidth guaranteeing, and client rate limiting.

WMM protocol

About WMM

Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard to allow QoS-capable devices from different vendors to interoperate. WMM enables a WLAN to provide QoS services, so that audio and video applications can have better performance in WLANs.

The Distributed Coordination Function (DCF) in 802.11 requires APs and clients to use the carrier sense multiple access with collision avoidance (CSMA/CA) access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. After the channel has been idle for the specified duration, APs or clients randomly select a backoff slot within the contention window and count it down. The device that finishes backoff first gets the channel. With plain 802.11, all devices use the same idle duration and contention window, so they have equal chances when contending for the channel.

To provide QoS services, WMM divides data traffic into four access categories (ACs; not to be confused with the access controller) that have different priorities. Traffic in an AC with a high priority has a better chance to use the channel.

Terminology

·          Enhanced distributed channel access—EDCA is a channel contention mechanism defined by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets.

·          Access category—WMM defines the following ACs: AC-VO for voice traffic, AC-VI for video traffic, AC-BE for best effort traffic, and AC-BK for background traffic. The priorities of the four ACs are in descending order.

·          Connection Admission Control—CAC limits the number of clients that can use high-priority ACs (AC-VO and AC-VI) to make sure there is enough bandwidth for these clients.

·          Unscheduled automatic power save delivery—U-APSD is a power saving method defined by WMM to save client power.

EDCA parameters

·          Arbitration inter-frame spacing number—In an 802.11 WLAN, every client waits the same idle duration (DIFS) before contending, but WMM defines a separate idle duration (AIFS) for each AC. The idle duration increases as the AIFSN increases.

·          Exponent form of CWmin/Exponent form of CWmax—ECWmin and ECWmax determine the range of backoff slots (the contention window), which widens as the two values increase.

·          Transmission opportunity limit—TXOP limit specifies the maximum time that a client can hold the channel after a successful contention. A larger value represents a longer time. If the value is 0, a client can send only one packet each time it holds the channel.

Figure 55 EDCA parameters

 

CAC admission policies

CAC requires a client to obtain permission from an AP before it can use a high-priority AC for transmission. This guarantees bandwidth for the clients that have gained access. CAC controls real time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).

If a client wants to use a high-priority AC (AC-VO or AC-VI), it must send a request to the AP. The AP returns a positive or negative response based on either of the following admission control policies:

·          Channel usage-based admission policy—The AP calculates the total time that the existing high-priority AC queues occupy the channel per unit time, and then calculates the time that the requesting traffic will occupy the channel per unit time. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested AC queue. If it is not, the request is rejected.

·          Client-based admission policy—If the number of clients using high-priority AC queues is smaller than the maximum number of high-priority AC clients, the request is accepted. If it is not, the request is rejected. During calculation, a client is counted as one client if it is using both the AC-VO and AC-VI queues.

If the request is rejected because of lack of media resources, the AP assigns AC-BE to the client. Clients that already use high-priority AC queues will not be affected.

When calculating media resources, the AP also counts the high-priority requests it accepted before CAC was enabled. Because those flows already consume resources, they strongly restrict whether subsequent requests for high-priority AC queues are accepted.
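The two admission policies described above, as an added example that is not H3C's code. One object holds the admitted clients and the channel time they use; a request for AC-VO or AC-VI is admitted or downgraded to AC-BE according to the selected policy, a client using both high-priority queues is counted once, and releasing a client frees only that client's resources. The representation of channel usage as a fraction of unit time, the default ceiling of 1.0 for it, and the client MAC strings are assumptions; the default client-based policy and its limit of 20 clients are taken from the cac policy command description on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

HIGH_PRIORITY = {"ac-vo", "ac-vi"}   # the only ACs that CAC controls


@dataclass
class CacRadio:
    """Admission state for one radio.

    policy: "client" (the default described on the page) or "channelutilization".
    Channel usage is modelled as a fraction of unit time (an assumption)."""
    policy: str = "client"
    max_clients: int = 20               # default client-based limit from the page
    max_channel_usage: float = 1.0      # assumed "maximum hold time of the channel" per unit time
    admitted: Dict[str, Set[str]] = field(default_factory=dict)        # mac -> high-priority ACs in use
    usage: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (mac, ac) -> channel time fraction

    def high_priority_clients(self) -> int:
        """Number of clients using AC-VO and/or AC-VI; a client using both is counted once."""
        return sum(1 for acs in self.admitted.values() if acs)

    def channel_usage(self) -> float:
        """Channel time per unit time taken by all existing high-priority queues."""
        return sum(self.usage.values())

    def request(self, mac: str, ac: str, needed: float = 0.0) -> str:
        """Return the AC the client may use: the requested one if admitted, otherwise ac-be."""
        if ac not in HIGH_PRIORITY:
            return ac                   # AC-BE/AC-BK traffic is not subject to CAC
        if self.policy == "channelutilization":
            already = self.usage.get((mac, ac), 0.0)   # re-request replaces, not adds to, its own usage
            ok = self.channel_usage() - already + needed <= self.max_channel_usage
        elif self.policy == "client":
            ok = bool(self.admitted.get(mac)) or self.high_priority_clients() < self.max_clients
        else:
            raise ValueError(f"unknown CAC policy {self.policy!r}")
        if not ok:
            return "ac-be"              # rejected for lack of media resources: downgraded to AC-BE
        self.admitted.setdefault(mac, set()).add(ac)
        self.usage[(mac, ac)] = needed
        return ac

    def release(self, mac: str) -> None:
        """Client left: free its queues. Other admitted clients are not affected."""
        self.admitted.pop(mac, None)
        for key in [k for k in self.usage if k[0] == mac]:
            del self.usage[key]
```

Under the client-based policy a second high-priority queue for an already admitted client is always granted, since it does not raise the client count; under the channel-utilization policy it is granted only if the extra channel time still fits, which is the behaviour to expect when the same handset opens both a voice and a video stream.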

U-APSD power-save mechanism

U-APSD enables clients in sleep mode to wake up and receive the specified number of packets only after receiving a trigger packet. U-APSD improves the 802.11 APSD power saving mechanism.

U-APSD is automatically enabled after you enable WMM.

ACK policy

WMM defines the following ACK policies:

·          Normal ACK—The recipient acknowledges each received unicast packet.

·          No ACK—The recipient does not acknowledge received packets during wireless packet exchange. This policy improves the transmission efficiency in an environment where communication quality is strong and interference is weak. If communication quality deteriorates, this policy might increase the packet loss rate. For A-MPDU packets sent by 802.11n clients, the No ACK policy does not take effect.

SVP

SpectraLink Voice Priority (SVP) is developed by SpectraLink to provide QoS services for voice traffic.

Bandwidth guaranteeing

This feature provides the following functions:

·          Ensures that traffic from all BSSs can pass through freely when the network is not congested.

·          Ensures that each BSS can get the guaranteed bandwidth when the network is congested.

This feature improves bandwidth efficiency and maintains fair use of bandwidth among WLAN services. For example, you assign 25%, 25%, and 50% of the total bandwidth to SSID1, SSID2, and SSID3. When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 is still guaranteed 25% of the bandwidth.

This feature applies only to AP-to-client traffic.

Client rate limiting

This feature prevents aggressive use of bandwidth by one client and ensures fair use of bandwidth among clients associated with the same AP.

You can configure either of the following modes for client rate limiting:

·          Dynamic mode—Sets the total bandwidth shared by all clients. The rate limit for each client is the total rate divided by the number of online clients. For example, if the total rate is 10 Mbps and five clients are online, the rate limit for each client is 2 Mbps.

·          Static mode—Sets the bandwidth that can be used by each client. When the rate limit multiplied by the number of associated clients exceeds the available bandwidth provided by the AP, the clients might not get the set bandwidth.

Protocols and standards

·          802.11e-2005, Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE Computer Society, 2005

·          Wi-Fi, WMM Specification version 1.1, Wi-Fi Alliance, 2005

Feature and hardware compatibility

Only the following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC/3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: WLAN QoS configuration

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, when the same parameter is set in more than one of these views, the setting in AP view takes precedence over the setting in AP group view, which in turn takes precedence over the setting in global configuration view.

Configuring WMM

WMM tasks at a glance

Tasks at a glance

(Required.) Enabling WMM

(Optional.) Setting EDCA parameters

(Optional.) Setting EDCA parameters of AC-BE or AC-BK queues for clients

(Optional.) Setting EDCA parameters of AC-VI or AC-VO queues for clients

(Optional.) Configuring a port to trust packet priority for priority mapping

 

Enabling WMM

To enable WMM in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable WMM.

wmm enable

By default, an AP uses the configuration in AP group radio view.

The 802.11n protocol requires all 802.11n clients to support WLAN QoS. For 802.11n clients to communicate with the associated AP, enable WMM when the radio operates in 802.11an or 802.11gn mode.

 

To enable WMM in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enable WMM.

wmm enable

By default, WMM is enabled.

The 802.11n protocol requires all 802.11n clients to support WLAN QoS. For 802.11n clients to communicate with the associated AP, enable WMM when the radio operates in 802.11an or 802.11gn mode.

 

Setting EDCA parameters

To set EDCA parameters in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set EDCA parameters.

edca radio { ac-be | ac-bk | ac-vi | ac-vo } { ack-policy { noack | normalack } | aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

By default, an AP uses the configuration in AP group radio view.

 

To set EDCA parameters in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set EDCA parameters.

edca radio { ac-be | ac-bk | ac-vi | ac-vo } { ack-policy { noack | normalack } | aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

The default values for EDCA parameters are shown in Table 29.

 

Table 29 Default EDCA parameter values

AC       AIFSN   ECWmin   ECWmax   TXOP Limit
AC-BK    7       4        10       0
AC-BE    3       4        6        0
AC-VI    1       3        4        94
AC-VO    1       2        3        47
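A worked computation of what the Table 29 values mean on air, as an added example that is not H3C's code. It derives each AC's contention window from the exponent (CW = 2^ECW - 1), its AIFS from the AIFSN (AIFS = AIFSN x slot time + SIFS), the contention window after retries (doubling from CWmin up to CWmax), and the TXOP limit in microseconds. The OFDM slot time (9 us), SIFS (16 us) and the 32 us TXOP unit are assumptions about the radio, not values from this page.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed PHY timing for an OFDM (802.11a/g/n) radio: aSlotTime 9 us, aSIFSTime 16 us.
SLOT_US = 9
SIFS_US = 16
TXOP_UNIT_US = 32   # assumption: txoplimit values are in the 802.11 TXOP unit of 32 us


@dataclass(frozen=True)
class Edca:
    aifsn: int
    ecwmin: int
    ecwmax: int
    txoplimit: int

    def __post_init__(self) -> None:
        # ECW is a 4-bit exponent in the 802.11 EDCA parameter set, so 0..15.
        if not (0 <= self.ecwmin <= self.ecwmax <= 15):
            raise ValueError("need 0 <= ECWmin <= ECWmax <= 15")
        if self.aifsn < 1:
            raise ValueError("AIFSN must be at least 1")

    @property
    def aifs_us(self) -> int:
        """802.11: AIFS[AC] = AIFSN[AC] * aSlotTime + aSIFSTime."""
        return self.aifsn * SLOT_US + SIFS_US

    @property
    def cwmin(self) -> int:
        return 2 ** self.ecwmin - 1     # CWmin = 2^ECWmin - 1

    @property
    def cwmax(self) -> int:
        return 2 ** self.ecwmax - 1     # CWmax = 2^ECWmax - 1

    @property
    def txop_us(self) -> int:
        return self.txoplimit * TXOP_UNIT_US


# Table 29 defaults from the page: (AIFSN, ECWmin, ECWmax, TXOP limit).
DEFAULT_RADIO_EDCA: Dict[str, Edca] = {
    "AC-BK": Edca(7, 4, 10, 0),
    "AC-BE": Edca(3, 4, 6, 0),
    "AC-VI": Edca(1, 3, 4, 94),
    "AC-VO": Edca(1, 2, 3, 47),
}


def cw_after_retries(p: Edca, retries: int) -> int:
    """Contention window after `retries` failed attempts: doubles from CWmin, capped at CWmax."""
    return min(2 ** (p.ecwmin + retries) - 1, p.cwmax)


def worst_case_first_attempt_us(p: Edca) -> int:
    """AIFS plus a full CWmin backoff: the longest a fresh frame waits before its first attempt."""
    return p.aifs_us + p.cwmin * SLOT_US


def priority_order(table: Dict[str, Edca]) -> List[str]:
    """ACs from most to least favoured in contention: shorter AIFS first, then smaller CWmin."""
    return sorted(table, key=lambda ac: (table[ac].aifs_us, table[ac].cwmin))
```

With these defaults AC-VO waits at most 25 us + 3 slots before its first attempt while AC-BK waits 79 us + 15 slots, and AC-BK's window can grow to 1023 slots under retries, which is the numeric form of "traffic in a high-priority AC has a better chance to use the channel". Raising ECWmin for a queue without also raising ECWmax is rejected by the validator, because CWmin above CWmax is not a valid EDCA parameter set.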

 

Setting EDCA parameters of AC-BE or AC-BK queues for clients

To set EDCA parameters of AC-BE or AC-BK queues for clients in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set EDCA parameters of AC-BE or AC-BK queues for clients.

edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

By default, an AP uses the configuration in AP group radio view.

 

To set EDCA parameters of AC-BE or AC-BK queues for clients in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set EDCA parameters of AC-BE or AC-BK queues for clients.

edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

The default values are shown in Table 30.

 

Table 30 Default EDCA parameter values of AC-BE or AC-BK queues for clients

AC       AIFSN   ECWmin   ECWmax   TXOP Limit
AC-BK    7       4        10       0
AC-BE    3       4        10       0

 

Setting EDCA parameters of AC-VI or AC-VO queues for clients

To set EDCA parameters of AC-VI or AC-VO queues for clients in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set EDCA parameters of AC-VI or AC-VO queues for clients.

edca client { ac-vi | ac-vo } { aifsn aifsn-value | cac { disable | enable } | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

By default, an AP uses the configuration in AP group radio view.

5.       (Optional.) Configure the CAC policy.

cac policy { channelutilization [ channelutilization-value ] | client [ client-number ] }

By default, an AP uses the configuration in AP group radio view.

 

To set EDCA parameters of AC-VI or AC-VO queues for clients in AP group view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set EDCA parameters of AC-VI or AC-VO queues for clients.

edca client { ac-vi | ac-vo } { aifsn aifsn-value | cac { disable | enable } | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

The default values are shown in Table 31.

6.       (Optional.) Configure the CAC policy.

cac policy { channelutilization [ channelutilization-value ] | client [ client-number ] }

By default, the client-based admission policy is used, and the maximum number of admitted clients is 20.

 

Table 31 Default EDCA parameter values of AC-VI or AC-VO queues for clients

AC       AIFSN   ECWmin   ECWmax   TXOP Limit
AC-VI    2       3        4        94
AC-VO    2       2        3        47

 

Configuring a port to trust packet priority for priority mapping

About priority mapping

When the packet trust mode is disabled, an AP assigns the port priority to all packets for the service template.

Restrictions and guidelines

This feature takes effect only on uplink packets.

The port priority setting does not take effect if the trusted packet priority type is configured.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Configure the trusted packet priority type.

qos trust { dot11e | dscp }

By default, the port priority is trusted.

4.       Set the port priority.

qos priority priority

By default, the port priority is 0.

 

Configuring SVP mapping

About SVP mapping

This feature assigns packets that have protocol ID 119 in the IP header (SVP packets) to the AC-VI or AC-VO queue so that SVP packets receive the specified priority. SVP packets do not require random backoff, so you can set both ECWmin and ECWmax to 0 when only SVP packets are in the AC-VI or AC-VO queue.

When SVP mapping is disabled, SVP packets are assigned to the AC-BE queue.

Restrictions and guidelines

SVP mapping takes effect only on non-WMM clients.

Procedure

To configure SVP mapping in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable SVP mapping.

svp map-ac { ac-vi | ac-vo }

By default, an AP uses the configuration in AP group radio view.

To disable SVP mapping, use the svp map-ac disable command.

 

To configure SVP mapping in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enable SVP mapping.

svp map-ac { ac-vi | ac-vo }

By default, SVP mapping is disabled.

To disable SVP mapping, use the svp map-ac disable command.

 

Configuring bandwidth guaranteeing

To configure bandwidth guaranteeing in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the maximum bandwidth for the specified radio mode.

wlan max-bandwidth { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } bandwidth

The following default settings apply:

·         30000 Kbps for dot11a and dot11g.

·         250000 Kbps for dot11an, dot11gn, and dot11gac.

·         500000 Kbps for dot11ac.

·         7000 Kbps for dot11b.

3.       Enter AP view.

wlan ap ap-name

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Configure bandwidth guaranteeing.

bandwidth-guarantee { disable | enable }

The following default settings apply:

·         If the service template setting in AP group view is used, the AP uses the configuration in AP group radio view.

·         If a service template is manually bound to the radio, bandwidth guaranteeing is disabled.

6.       Set a guaranteed bandwidth percentage for the specified service template.

bandwidth-guarantee service-template service-template-name percent percent

The following default settings apply:

·         If the service template setting in AP group view is used, the AP uses the configuration in AP group radio view.

·         If a service template is manually bound to the radio, a service template does not have a guaranteed bandwidth.

 

To configure bandwidth guaranteeing in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the maximum bandwidth for the specified radio mode.

wlan max-bandwidth { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } bandwidth

The following default settings apply:

·         30000 Kbps for dot11a and dot11g.

·         250000 Kbps for dot11an, dot11gn, and dot11gac.

·         500000 Kbps for dot11ac.

·         7000 Kbps for dot11b.

3.       Enter AP group view.

wlan ap-group group-name

N/A

4.       Enter AP model view.

ap-model ap-model

N/A

5.       Enter radio view.

radio radio-id

N/A

6.       Configure bandwidth guaranteeing.

bandwidth-guarantee { disable | enable }

By default, bandwidth guaranteeing is disabled.

7.       Set a guaranteed bandwidth percentage for the specified service template.

bandwidth-guarantee service-template service-template-name percent percent

By default, a service template does not have a guaranteed bandwidth.

 

Configuring client rate limiting

About client rate limiting

Client rate limiting is configured by method and by mode. The method can be service-template-based, radio-based, or client-type-based. The mode can be dynamic or static.

If more than one method and mode are configured, all settings take effect. The rate for a client will be limited to the minimum value among all the client rate limiting settings.

Restrictions and guidelines

Service-template-based client rate limiting takes effect on all clients associated with the same service template.

Radio-based client rate limiting takes effect on all clients associated with the same radio.

Client-type-based client rate limiting takes effect on all clients of the specified protocol.

Procedure

To configure service-template-based client rate limiting:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable service-template-based client rate limiting.

client-rate-limit enable

By default, service-template-based client rate limiting is disabled.

4.       Configure service-template-based client rate limiting.

client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir

By default, service-template-based client rate is not limited.

 

To configure radio-based client rate limiting in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable or disable radio-based client rate limiting.

client-rate-limit { disable | enable }

By default, an AP uses the configuration in AP group radio view.

5.       Configure radio-based client rate limiting.

client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir

By default, an AP uses the configuration in AP group radio view.

 

To configure radio-based client rate limiting in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enable or disable radio-based client rate limiting.

client-rate-limit { disable | enable }

By default, radio-based client rate limiting is disabled.

6.       Configure radio-based client rate limiting.

client-rate-limit { inbound | outbound } mode { dynamic | static } cir cir

By default, radio-based client rate is not limited.

 

To configure client-type-based client rate limiting:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure client-type-based client rate limiting.

wlan client-rate-limit { dot11a | dot11ac | dot11an | dot11b | dot11g | dot11gac | dot11gn } { inbound | outbound } cir cir [ cbs cbs ]

By default, client-type-based client rate is not limited.

 

Display and maintenance commands for WMM

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display WMM statistics for radios.

display wlan wmm radio [ ap ap-name ]

Display WMM statistics for clients.

display wlan wmm client [ ap ap-name | mac-address mac-address ]

Clear WMM statistics for radios.

reset wlan wmm radio [ ap ap-name ]

Clear WMM statistics for clients.

reset wlan wmm client [ ap ap-name | mac-address mac-address ]

 

WLAN QoS configuration examples

Example: Configuring basic WMM

Network configuration

As shown in Figure 56, enable WMM on the AC so that the AP and the client can prioritize the traffic.

Figure 56 Network diagram

 

Procedure

# Create a service template named market, set the SSID to market, and enable the service template.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Enable WMM, bind service template market to radio 1, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] wmm enable

[AC-wlan-ap-ap1-radio-1] service-template market

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Display WMM statistics for radios.

[AC] display wlan wmm radio

 AP ID : 1   AP Name : ap1

 

 Radio : 1

 Client EDCA updates : 0

 QoS mode     : WMM

 WMM status : Enabled

 Radio max AIFSN          : 15            Radio max ECWmin : 10

 Radio max TXOPLimit      : 32767         Radio max ECWmax : 10

 CAC information

 Clients accepted                      : 0

  Voice                                : 0

  Video                                : 0

 Total request medium time(μs)          : 0

  Voice(μs)                            : 0

  Video(μs)                            : 0

Calls rejected due to insufficient resources    : 0

Calls rejected due to invalid parameters        : 0

Calls rejected due to invalid medium time        : 0

Calls rejected due to invalid delay bound        : 0

Radio : 2                                                                     

 Client EDCA updates : 0                                                        

 QoS mode   : WMM                                                              

 WMM status : Enabled                                                          

 Radio max AIFSN     : 15         Radio max ECWmin : 10                        

 Radio max TXOPLimit : 32767      Radio max ECWmax : 10                        

 CAC information                                                               

 Clients accepted                : 0                                           

  Voice                          : 0                                           

  Video                          : 0                                           

 Total request medium time(μs)    : 0                                          

  Voice(μs)                      : 0                                          

  Video(μs)                      : 0                                          

 Calls rejected due to insufficient resources  : 0                             

 Calls rejected due to invalid parameters      : 0                             

 Calls rejected due to invalid medium time      : 0                             

 Calls rejected due to invalid delay bound      : 0                            

Example: Configuring CAC

Network configuration

As shown in Figure 57, configure CAC to allow a maximum of 10 clients to use the AC-VO and AC-VI queues.

Figure 57 Network diagram

 

Procedure

1.        Create a service template named market, set the SSID to market, and enable the service template.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

2.        Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

3.        Configure WMM:

# Bind service template market to radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template market

# Enable WMM for AC-VO and AC-VI queues, and configure a CAC policy to limit the number of clients to 10.

[AC-wlan-ap-ap1-radio-1] wmm enable

[AC-wlan-ap-ap1-radio-1] edca client ac-vo cac enable

[AC-wlan-ap-ap1-radio-1] edca client ac-vi cac enable

[AC-wlan-ap-ap1-radio-1] cac policy client 10

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

Verifying the configuration

# Assume that a client requests to use a high-priority AC queue (AC-VO or AC-VI). Verify the following information:

·          If the number of clients using high-priority AC queues is smaller than the maximum number of high-priority AC clients (10 in this example), the request is accepted.

·          If the number of clients using high-priority AC queues is equal to the maximum number of high-priority AC clients (10 in this example), the request is rejected. The AP decreases the priority of packets from the client.
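As an added example (not code from the H3C guide), the following Python reads `display wlan wmm radio` output in the format shown above, sums the CAC rejection counters per radio, and checks an `edca client` parameter set against the "Radio max" values the output reports, using the defaults from Tables 30 and 31; it assumes those Radio max values bound what the command accepts, and the sample output and its counter values are constructed.

```python
import re

# Default client EDCA parameters from Tables 30 and 31 of the guide:
# AIFSN, ECWmin, ECWmax, TXOP Limit per access category.
DEFAULT_EDCA = {
    "ac-bk": {"aifsn": 7, "ecwmin": 4, "ecwmax": 10, "txoplimit": 0},
    "ac-be": {"aifsn": 3, "ecwmin": 4, "ecwmax": 10, "txoplimit": 0},
    "ac-vi": {"aifsn": 2, "ecwmin": 3, "ecwmax": 4, "txoplimit": 94},
    "ac-vo": {"aifsn": 2, "ecwmin": 2, "ecwmax": 3, "txoplimit": 47},
}

# Constructed sample in the format of `display wlan wmm radio` shown in the
# guide; the accepted-client and rejection counters are made up for the example.
SAMPLE_WMM_RADIO = """\
 AP ID : 1   AP Name : ap1

 Radio : 1
 Client EDCA updates : 0
 QoS mode     : WMM
 WMM status : Enabled
 Radio max AIFSN          : 15            Radio max ECWmin : 10
 Radio max TXOPLimit      : 32767         Radio max ECWmax : 10
 CAC information
 Clients accepted                      : 3
  Voice                                : 2
  Video                                : 1
Calls rejected due to insufficient resources    : 4
Calls rejected due to invalid parameters        : 0
Calls rejected due to invalid medium time        : 1
Calls rejected due to invalid delay bound        : 0
 Radio : 2
 QoS mode   : WMM
 WMM status : Disabled
 Radio max AIFSN     : 15         Radio max ECWmin : 10
 Radio max TXOPLimit : 32767      Radio max ECWmax : 10
"""


def parse_wmm_radio(text):
    """Return {radio_id: {"wmm": bool, "max": {...}, "rejected": int}}.

    "max" holds the per-radio limits (aifsn, ecwmin, ecwmax, txoplimit) and
    "rejected" sums the four CAC rejection counters.
    """
    radios, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Radio\s*:\s*(\d+)\s*$", line)
        if m:
            cur = radios.setdefault(int(m.group(1)),
                                    {"wmm": False, "max": {}, "rejected": 0})
            continue
        if cur is None:
            continue
        if re.search(r"WMM status\s*:\s*Enabled", line):
            cur["wmm"] = True
        for name, value in re.findall(r"Radio max (\w+)\s*:\s*(\d+)", line):
            cur["max"][name.lower()] = int(value)
        m = re.search(r"Calls rejected due to [\w ]+:\s*(\d+)", line)
        if m:
            cur["rejected"] += int(m.group(1))
    return radios


def contention_window(ecw):
    """ECW is an exponent: CW = 2^ECW - 1 backoff slots.

    ECW 0 gives CW 0, i.e. no random backoff, which is why the SVP example
    sets ecwmin 0 ecwmax 0 for a queue that carries only SVP packets.
    """
    return (1 << ecw) - 1


def check_edca(ac, params, limits):
    """Validate one access category's parameters against a radio's limits.

    Returns a list of problem strings; an empty list means the values are
    acceptable to configure with `edca client <ac> ...`.
    """
    problems = []
    for key in ("aifsn", "ecwmin", "ecwmax", "txoplimit"):
        if params[key] > limits[key]:
            problems.append(f"{ac}: {key}={params[key]} exceeds radio max {limits[key]}")
    if params["ecwmin"] > params["ecwmax"]:
        problems.append(f"{ac}: ecwmin {params['ecwmin']} is greater than ecwmax {params['ecwmax']}")
    return problems


def radio_report(text):
    """Summarise each radio: WMM state, CAC rejections and default-EDCA validity."""
    report = {}
    for rid, info in parse_wmm_radio(text).items():
        problems = []
        for ac, params in DEFAULT_EDCA.items():
            problems += check_edca(ac, params, info["max"])
        report[rid] = {"wmm": info["wmm"], "rejected": info["rejected"],
                       "problems": problems}
    return report


if __name__ == "__main__":
    for rid, r in radio_report(SAMPLE_WMM_RADIO).items():
        print(f"radio {rid}: WMM={'on' if r['wmm'] else 'off'} "
              f"CAC rejections={r['rejected']} problems={r['problems']}")
```

A rising rejection count on a radio with CAC enabled is the signal the CAC example above describes: clients beyond the configured limit are being pushed to lower-priority queues.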

Example: Configuring SVP mapping

Network configuration

As shown in Figure 58, configure SVP mapping on the AC to assign SVP packets to the AC-VO queue. Set ECWmin and ECWmax to 0 for the AC-VO queue of the AP.

Figure 58 Network diagram

 

Procedure

1.        Create a service template named market, set the SSID to market, and enable the service template.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

2.        Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

3.        Configure SVP mapping:

# Enable WMM.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] wmm enable

# Assign SVP packets to the AC-VO queue, and set EDCA parameters of AC-VO queues for clients.

[AC-wlan-ap-ap1-radio-1] svp map-ac ac-vo

[AC-wlan-ap-ap1-radio-1] edca client ac-vo ecw ecwmin 0 ecwmax 0

# Bind service template market to radio 1, and enable the radio.

[AC-wlan-ap-ap1-radio-1] service-template market

[AC-wlan-ap-ap1-radio-1] radio enable

Verifying the configuration

# Verify that the AC assigns SVP packets to the AC-VO queue if a non-WMM client comes online and sends SVP packets to the AC.

Example: Configuring traffic differentiation

Network configuration

As shown in Figure 59, configure priority mapping on the AC to add 802.11 packets from the client to the AC-VO queue.

Figure 59 Network diagram

 

Procedure

# Create a service template named market, and set the SSID to market.

<AC> system-view

[AC] wlan service-template market

[AC-wlan-st-market] ssid market

# Configure priority mapping, and enable the service template.

[AC-wlan-st-market] qos priority 7

[AC-wlan-st-market] service-template enable

[AC-wlan-st-market] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Enable WMM.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] wmm enable

# Bind service template market to radio 1, and enable radio 1.

[AC-wlan-ap-ap1-radio-1] service-template market

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify that packets from the client have been added to the AC-VO queue.

[AC] display wlan statistics client

MAC address                  : 0015-005e-97cc

 AP name                      : ap1

 Radio ID                     : 1

 SSID                         : market

 BSSID                        : 5866-ba74-e570

 RSSI                         : 27

 Sent frames:

   Back ground                : 0/0 (frames/bytes)

   Best effort                : 0/0 (frames/bytes)

   Video                      : 0/0 (frames/bytes)

   Voice                      : 14/1092 (frames/bytes)

 Received frames:

   Back ground                : 0/0 (frames/bytes)

   Best effort                : 66/8177 (frames/bytes)

   Video                      : 0/0 (frames/bytes)

   Voice                      : 0/0 (frames/bytes)

 Discarded frames:

   Back ground                : 0/0 (frames/bytes)

   Best effort                : 0/0 (frames/bytes)

   Video                      : 0/0 (frames/bytes)

   Voice                      : 0/0 (frames/bytes)

Example: Configuring bandwidth guaranteeing

Network configuration

As shown in Figure 60, Clients 1, 2, and 3 access the network through SSIDs research, office, and entertain, respectively.

For the network to operate correctly, guarantee 20% of the bandwidth for SSID office, 80% for research, and none for entertain.

Figure 60 Network diagram

 

Procedure

# Create a service template named office, set the SSID to office, and enable the service template.

<AC> system-view

[AC] wlan service-template office

[AC-wlan-st-office] ssid office

[AC-wlan-st-office] service-template enable

[AC-wlan-st-office] quit

# Create a service template named research, set the SSID to research, and enable the service template.

[AC] wlan service-template research

[AC-wlan-st-research] ssid research

[AC-wlan-st-research] service-template enable

[AC-wlan-st-research] quit

# Create a service template named entertain, set the SSID to entertain, and enable the service template.

[AC] wlan service-template entertain

[AC-wlan-st-entertain] ssid entertain

[AC-wlan-st-entertain] service-template enable

[AC-wlan-st-entertain] quit

# Set the maximum bandwidth to 10000 Kbps for the 802.11ac radio.

[AC] wlan max-bandwidth dot11ac 10000

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Set the radio mode to dot11ac for radio 1, bind the service templates office, research, and entertain to radio 1, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] type dot11ac

[AC-wlan-ap-ap1-radio-1] service-template office

[AC-wlan-ap-ap1-radio-1] service-template research

[AC-wlan-ap-ap1-radio-1] service-template entertain

[AC-wlan-ap-ap1-radio-1] radio enable

# Enable bandwidth guaranteeing.

[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee enable

# Set the guaranteed bandwidth percentage to 20% for the service template office and 80% for service template research.

[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template office percent 20

[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template research percent 80

[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Verify that the rate of traffic from the AP to any client is not limited when the total traffic rate is lower than 10000 Kbps.

# Send traffic from the AP to Client 1 and Client 2 at a rate of over 2000 Kbps and over 8000 Kbps, respectively, to verify the following items:

·          The AP sends traffic to Client 1 at 2000 Kbps.

·          The AP sends traffic to Client 2 at 8000 Kbps.

·          The rate of traffic from the AP to Client 3 is limited.
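The percentages in this example, as an added planning check that is not part of the guide: the script computes the guaranteed Kbps per service template from the radio's maximum bandwidth (the defaults listed under "Configuring bandwidth guaranteeing", or the configured 10000 Kbps), flags an over-commit above 100%, and estimates the rates in the verification above; the remainder-sharing rule for templates without a guarantee is the example's own simplification, not the AP's scheduler.

```python
# Default wlan max-bandwidth values in Kbps per radio mode, as listed in the
# guide; pass the configured value where `wlan max-bandwidth` has been set.
DEFAULT_MAX_BANDWIDTH = {
    "dot11a": 30000, "dot11g": 30000,
    "dot11an": 250000, "dot11gn": 250000, "dot11gac": 250000,
    "dot11ac": 500000,
    "dot11b": 7000,
}


def overcommitted(percents):
    """True when the per-template percentages sum above 100.

    The CLI takes each template's percent separately, so the operator has to
    catch an over-commit that the radio can never honour.
    """
    return sum(percents.values()) > 100


def guaranteed_kbps(radio_mode, percents, max_bandwidth=None):
    """Map {service_template: percent} to {service_template: Kbps}."""
    if overcommitted(percents):
        raise ValueError(f"guarantees sum to {sum(percents.values())}%")
    cap = DEFAULT_MAX_BANDWIDTH[radio_mode] if max_bandwidth is None else max_bandwidth
    return {st: cap * pct // 100 for st, pct in percents.items()}


def allocate(radio_mode, percents, demand, max_bandwidth=None):
    """Estimate the downlink rate each service template gets for an offered load.

    Below the radio maximum nothing is limited, as the guide's verification
    states. Above it, a guaranteed template gets min(demand, guarantee) and
    templates without a guarantee share only what is left (equal split).
    The remainder rule is a simplifying assumption of this example.
    """
    cap = DEFAULT_MAX_BANDWIDTH[radio_mode] if max_bandwidth is None else max_bandwidth
    if sum(demand.values()) <= cap:
        return dict(demand)
    guarantee = guaranteed_kbps(radio_mode, percents, cap)
    result = {st: min(demand.get(st, 0), kbps) for st, kbps in guarantee.items()}
    others = [st for st in demand if st not in guarantee]
    leftover = cap - sum(result.values())
    for st in others:
        result[st] = min(demand[st], leftover // len(others))
    return result


if __name__ == "__main__":
    # The scenario above: 10000 Kbps 802.11ac radio, office 20%, research 80%.
    plan = {"office": 20, "research": 80}
    print(guaranteed_kbps("dot11ac", plan, 10000))
    print(allocate("dot11ac", plan,
                   {"office": 2500, "research": 9000, "entertain": 3000}, 10000))
```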

Example: Configuring client rate limiting

Network configuration

As shown in Figure 61, the AC is in the same network as the AP. Perform the following tasks on the AC:

·          Configure static mode client rate limiting to limit the rate of incoming client traffic.

·          Configure dynamic mode client rate limiting to limit the rate of outgoing client traffic.

Figure 61 Network diagram

 

Procedure

# Create a service template named service, and set its SSID to service.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] ssid service

# Enable client rate limiting for service template service, and configure client rate limiting as follows:

·          Limit the rate of incoming traffic to 8000 Kbps in static mode.

·          Limit the rate of outgoing traffic to 8000 Kbps in dynamic mode.

[AC-wlan-st-service] client-rate-limit enable

[AC-wlan-st-service] client-rate-limit inbound mode static cir 8000

[AC-wlan-st-service] client-rate-limit outbound mode dynamic cir 8000

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Bind service template service to radio 1, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

 


Configuring WLAN roaming

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN roaming

WLAN roaming enables clients to seamlessly roam among APs in an ESS while retaining their IP address and authorization information during the roaming process.

Intra-AC roaming enables clients to roam among APs that are managed by the same AC.

Figure 62 Intra-AC roaming

 

As shown in Figure 62, intra-AC roaming uses the following procedure:

1.        The client comes online from AP 1, and the AC creates a roaming entry for the client.

2.        The client roams to AP 2. The AC examines the roaming entry for the client and determines whether to perform fast roaming.

If the client is an RSN + 802.1X client, fast roaming is used, and the client can be associated with AP 2 without reauthentication. If it is not, the client needs to be reauthenticated before being associated with AP 2.

Feature and hardware compatibility

Only the following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC/3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: WLAN roaming configuration

For a service template where an AP is configured as the client authenticator, WLAN roaming is not supported. For more information about client authentication, see "WLAN authentication overview" and "Configuring WLAN authentication."

Enabling SNMP notifications for WLAN roaming

About enabling SNMP notifications for WLAN roaming

To report critical WLAN roaming events to an NMS, enable SNMP notifications for WLAN roaming. For WLAN roaming event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable SNMP notifications for WLAN roaming.

snmp-agent trap enable wlan mobility

By default, SNMP notifications for WLAN roaming are disabled.

 

Display and maintenance commands for WLAN roaming

Execute display commands in any view.

 

Task

Command

Display roam-track information for a client on the AC.

display wlan mobility roam-track mac-address mac-address

 

WLAN roaming configuration examples

Example: Configuring intra-AC roaming

Network configuration

As shown in Figure 63, configure intra-AC roaming to enable the client to roam from AP 1 to AP 2. The two APs are managed by the same AC.

Figure 63 Network diagram

 

Procedure

# Create a service template named service, set the SSID to 1, and enable the service template.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] ssid 1

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 219801A0CNC13C004126

# Bind the service template to radio 1 of AP 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create a manual AP named ap2, and specify the AP model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 219801A0CNC125002216

# Bind the service template to radio 1 of AP 2.

[AC-wlan-ap-ap2] radio 1

[AC-wlan-ap-ap2-radio-1] radio enable

[AC-wlan-ap-ap2-radio-1] service-template service

[AC-wlan-ap-ap2-radio-1] quit

[AC-wlan-ap-ap2] quit

Verifying the configuration

# Enable the client to come online from AP 1. (Details not shown.)

# Verify that the client associates with AP 1, and the roaming status is N/A, which indicates that the client has not performed any roaming.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                        : 000f-e265-6400

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 1

AP name                            : ap1

Radio ID                           : 1

SSID                               : 1

BSSID                              : 000f-e200-4444

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : PRE-RSNA

AKM mode                           : Not configured

Cipher suite                       : N/A

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : N/A

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 1minutes 13seconds

FT status                          : Inactive

# Verify that the AC has a roaming entry for the client.

[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries: 1

BSSID           Created at           Online time       AC IP address  RID  AP name

000f-e200-4444  2016-06-14 11:12:28  00hr 01min 16sec  127.0.0.1      1    ap1

# Enable the client to roam to AP 2. (Details not shown.)

# Verify that the client has associated with AP 2, and the roaming status is Intra-AC roam.

[AC] display wlan client verbose

Total number of clients: 1

 

MAC address                        : 000f-e265-6400

IPv4 address                       : 10.1.1.114

IPv6 address                       : N/A

Username                           : N/A

AID                                : 1

AP ID                              : 2

AP name                            : ap2

Radio ID                           : 1

SSID                               : 1

BSSID                              : 000f-e203-7777

VLAN ID                            : 1

Sleep count                        : 242

Wireless mode                      : 802.11ac

Channel bandwidth                  : 80MHz

SM power save                      : Enabled

SM power save mode                 : Dynamic

Short GI for 20MHz                 : Supported

Short GI for 40MHz                 : Supported

Short GI for 80MHz                 : Supported

Short GI for 160/80+80MHz          : Not supported

STBC RX capability                 : Not supported

STBC TX capability                 : Not supported

LDPC RX capability                 : Not supported

SU beamformee capability           : Not supported

MU beamformee capability           : Not supported

Beamformee STS capability          : N/A

Block Ack                          : TID 0 In

Supported VHT-MCS set              : NSS1 0, 1, 2, 3, 4, 5, 6, 7, 8

                                     NSS2 0, 1, 2, 3, 4, 5, 6, 7, 8

Supported HT MCS set               : 0, 1, 2, 3, 4, 5, 6, 7,

                                     8, 9, 10, 11, 12, 13, 14,

                                     15, 16, 17, 18, 19, 20,

                                     21, 22, 23

Supported rates                    : 6, 9, 12, 18, 24, 36,

                                     48, 54 Mbps

QoS mode                           : WMM

Listen interval                    : 10

RSSI                               : 62

Rx/Tx rate                         : 130/11

Authentication method              : Open system

Security mode                      : PRE-RSNA

AKM mode                           : Not configured

Cipher suite                       : N/A

User authentication mode           : Bypass

Authorization ACL ID               : 3001(Not effective)

Authorization user profile         : N/A

Roam status                        : Intra-AC roam

Key derivation                     : SHA1

PMF status                         : Enabled

Forward policy name                : Not configured

Online time                        : 0days 0hours 5minutes 13seconds

FT status                          : Inactive

# Verify that the AC has updated the roaming entry for the client.

[AC] display wlan mobility roam-track mac-address 9cd3-6d9e-6778

Total entries: 2

BSSID           Created at           Online time          AC IP address  RID  AP name

000f-e203-7777  2016-06-14 11:12:28  00hr 01min 02sec     127.0.0.1      1    ap2

000f-e200-4444  2016-06-14 11:12:04  00hr 03min 51sec     127.0.0.1      1    ap2

 


Configuring WLAN radio resource measurement

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN radio resource measurement

WLAN radio resource measurement measures channel quality and radio performance. It enables clients and APs to learn the wireless environment and use wireless resources such as spectrum, power, and bandwidth more effectively.

WLAN radio resource measurement includes 802.11h measurement and 802.11k measurement.

802.11h measurement

802.11h measurement measures channels in the 5 GHz band. Table 32 lists the measurement types it supports.

Table 32 802.11h measurement

Type                                         Description
Spectrum management measurement:
  Basic                                      Measures whether a client has detected any of the following:
                                             ·  Packets from other BSSs.
                                             ·  OFDM preambles.
                                             ·  Radar signals.
                                             ·  Unknown signals.
  Clear Channel Assessment (CCA)             Percentage of time that the channel was busy during the measurement period.
  Receive Power Indication (RPI)             Percentage of time that each RPI was used during the measurement period.
Transmit Power Control (TPC) measurement     Measures the link redundancy and transmission power for clients.

 

802.11h measurement operates in the following procedure:

1.        An AP sets the Spectrum Mgmt field to 1 in beacons, probe responses, association responses, or reassociation responses to notify the clients that they can send 802.11h measurement requests.

2.        Upon receiving a measurement request from a client, the AP performs the required measurement and sends a report to the client.

The AP can also send measurement requests periodically to clients and collect measurement reports from clients.

802.11k measurement

802.11k measurement measures channels in both the 2.4 GHz and 5 GHz bands. Table 33 lists the measurement types it supports.

Table 33 802.11k measurement

Type

Description

Radio measurement

Beacon

Measures the Received Channel Power Indicator (RCPI) and Received Signal to Noise Indicator (RSNI) of beacons, measurement pilot packets, and probe responses.

Frame

Measures the number of frames transmitted and the average RCPI for these frames.

Station statistics

Measures the received and transmitted fragment counts, received and transmitted multicast frame counts, failed counts, retry counts, and ACK failure counts.

Transmit stream

Measures the frames of a specific transmit stream.

Channel load

Measures the channel usage.

Location

Measures the relative locations of the requester and the requested station.

Noise histogram

Measures the distribution of noise in different decibel ranges.

Link measurement

Measures RCPI, RSNI, and link redundancy for a requested link.

Neighbor measurement

Measures the channel and BSSID of neighbor APs.

 

802.11k measurement operates in the following procedure:

1.        An AP sets the Radio Measurement field to 1 in beacons, probe responses, association responses, or reassociation responses to notify the clients that they can send 802.11k measurement requests.

These frames also carry measurement capabilities of the AP to inform clients of measurement types that the AP supports.

The AP periodically sends Measurement Pilot frames to help clients discover the AP quickly. Measurement Pilot frames are sent more frequently than beacons and carry less information.

2.        Upon receiving a measurement request from a client, the AP performs the required measurement and sends a report to the client.

The AP can also send measurement requests periodically to clients and collect measurement reports from clients.

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: Radio resource measurement configuration

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.

WLAN radio resource measurement tasks at a glance

Tasks at a glance

(Required.) Enabling radio resource management

(Optional.) Setting the measurement duration and interval

(Optional.) Setting the match mode for client radio resource measurement capabilities

 

Enabling radio resource management

To enable radio resource measurement in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable a measurement type.

measure { all | link | neighbor | radio | spectrum | tpc } enable

By default, the configuration in AP group view is used.

The spectrum and tpc keywords are available only for 5 GHz radios.

5.       Enable radio resource measurement.

resource-measure enable

By default, the configuration in AP group view is used.

You must enable radio resource measurement if you enable link, neighbor, or radio measurement.

6.       Enable spectrum management.

spectrum-management enable

By default, the configuration in AP group view is used.

Spectrum or TPC measurement takes effect only after you enable spectrum management.

For more information about this command, see WLAN Command Reference (AC).

 

To enable radio resource measurement in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter AP group radio view.

radio radio-id

N/A

5.       Enable a measurement type.

measure { all | link | neighbor | radio | spectrum | tpc } enable

By default, measurement is disabled.

The spectrum and tpc keywords are available only for 5 GHz radios.

6.       Enable radio resource measurement.

resource-measure enable

By default, radio resource measurement is disabled.

You must enable radio resource measurement if you enable link, neighbor, or radio measurement.

7.       Enable spectrum management.

spectrum-management enable

By default, spectrum management is disabled.

Spectrum or TPC measurement takes effect only after you enable spectrum management.

For more information about this command, see WLAN Command Reference (AC).

 

Setting the measurement duration and interval

About radio resource measurement

When radio resource measurement is enabled for an AP, the AP sends measurement requests that carry the measurement duration to clients at the specified interval.

Procedure

To set the measurement duration and interval in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the measurement duration.

measure-duration time

By default, the configuration in AP group view is used.

5.       Set the measurement interval.

measure-interval value

By default, the configuration in AP group view is used.

 

To set the measurement duration and interval in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter AP group radio view.

radio radio-id

N/A

5.       Set the measurement duration.

measure-duration time

By default, the measurement duration is 500 TUs.

6.       Set the measurement interval.

measure-interval value

By default, the measurement interval is 30 seconds.

 

Setting the match mode for client radio resource measurement capabilities

About the match modes for client radio resource measurement capabilities

Set the match mode to allow a client to associate with an AP based on the predefined match criteria. Radio resource measurement capability refers to the radio resource measurement types supported by the AP and client. The device supports the following match modes for client radio resource measurement capabilities:

·          All—A client is allowed to associate with an AP only when all of its radio resource measurement capabilities match the AP's radio resource measurement capabilities.

·          None—Client radio resource measurement capabilities are not checked.

·          Partial—A client is allowed to associate with an AP as long as one of its radio resource measurement capabilities matches any of the AP's radio resource measurement capabilities.

Procedure

To set the match mode for client radio resource measurement capabilities in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the match mode for client radio resource measurement capabilities.

rm-capability mode { all | none | partial }

By default, the configuration in AP group view is used.

 

To set the match mode for client radio resource measurement capabilities in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter AP group radio view.

radio radio-id

N/A

5.       Set the match mode for client radio resource measurement capabilities.

rm-capability mode { all | none | partial }

By default, an AP does not check the radio resource measurement capabilities of a client.

 

Display and maintenance commands for WLAN radio resource measurement

Execute display commands in any view.

 

Task

Command

Display client measurement reports.

display wlan measure-report ap ap-name radio radio-id [ client mac-address mac-address ]

 

Radio resource measurement configuration examples

Example: Configuring radio resource measurement

Network requirements

As shown in Figure 64, configure radio resource measurement to meet the following requirements:

·          The client can come online only when all its radio resource measurement capabilities match the AP's.

·          The client can perform all types of measurements.

Figure 64 Network diagram

 

Configuration procedures

# Create service template 1.

<AC> system-view

[AC] wlan service-template 1

# Set the SSID to resource-measure, and enable the service template.

[AC-wlan-st-1] ssid resource-measure

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create manual AP ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Enter radio view of radio 1.

[AC-wlan-ap-ap1] radio 1

# Enable spectrum management.

[AC-wlan-ap-ap1-radio-1] spectrum-management enable

# Enable radio resource measurement.

[AC-wlan-ap-ap1-radio-1] resource-measure enable

# Enable all measurement features.

[AC-wlan-ap-ap1-radio-1] measure all enable

# Set the match mode for client radio resource measurement capabilities to All.

[AC-wlan-ap-ap1-radio-1] rm-capability mode all

# Bind the service template to radio 1, and enable the radio.

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify that the client has come online.

[AC] display wlan client

Total number of clients: 1

 

MAC address       Username    AP name     RID  IP address          VLAN ID

00ee-bd44-557f    N/A         ap1         1    1.1.1.1             1

# Display measurement reports from the client.

[AC] display wlan measure-report ap ap1 radio 1

Total number of clients: 1

 

Client MAC address                              : 00ee-bd44-557f

Link measurement:

  Link margin                                   : 2 dBm

  RCPI                                          : -85 dBm

  RSNI                                          : 53 dBm

Noise histogram:

  Antenna ID                                    : 3

  ANPI                                          : -56 dBm

  IPI0 to IPI10 density                         : 5 12 16 13 8 5 5 15 17 1 3

Spectrum measurement:

  Transmit power                                : 20 dBm

  BSS                                           : Detected

  OFDM preamble                                 : Detected

  Radar                                         : Detected

  Unidentified signal                           : Undetected

  CCA busy fraction                             : 60

  RPI0 to RPI7 density                          : 3 7 11 19 15 23 15 7

Frame report entry:

  BSSID                                         : a072-2351-e253

  PHY type                                      : fhss

  Average RCPI                                  : -10 dBm

  Last RSNI                                     : 2 dBm

  Last RCPI                                     : -20 dBm

  Frames                                        : 1

Dot11BSSAverageAccessDelay group:

  Average access delay                          : 32 ms

  BestEffort average access delay               : 1 ms

  Background average access delay               : 1 ms

  Video average access delay                    : 1 ms

  Voice average access delay                    : 1 ms

  Clients                                       : 32

  Channel utilization rate                      : 11

Transmit stream:

  Traffic ID                                    : 0

  Sent MSDUs                                    : 60

  Discarded MSDUs                               : 5

  Failed MSDUs                                  : 3

  MSDUs resent multiple times                   : 3

  Lost QoS CF-Polls                             : 2

  Average queue delay                           : 2 ms

  Average transmit delay                        : 1 ms

  Bin0 range                                    : 0 to 10 ms

  Bin0 to Bin5                                  : 5 10 10 5 10 10
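The measurement report above is what an operator would poll to keep an eye on the RF environment. As an added example (not part of this guide and not H3C code), the Python below parses that output layout into a dictionary and flags the conditions worth alerting on: radar or unidentified signals detected, or a high CCA busy fraction. The sample text and the 50 busy-fraction threshold are constructed.

```python
import re

# Constructed sample in the layout of the display wlan measure-report output shown above;
# the values are illustrative, not captured from a device.
SAMPLE_REPORT = """\
Total number of clients: 1

Client MAC address                              : 00ee-bd44-557f
Link measurement:
  Link margin                                   : 2 dBm
  RCPI                                          : -85 dBm
  RSNI                                          : 53 dBm
Spectrum measurement:
  Transmit power                                : 20 dBm
  BSS                                           : Detected
  OFDM preamble                                 : Detected
  Radar                                         : Detected
  Unidentified signal                           : Undetected
  CCA busy fraction                             : 60
  RPI0 to RPI7 density                          : 3 7 11 19 15 23 15 7
"""

# indent, field name, value ("Link measurement:" yields an empty value = section header)
LINE_RE = re.compile(r"^(\s*)(.+?)\s*:\s*(.*)$")


def parse_value(raw):
    """'-85 dBm' -> -85, '3 7 11' -> [3, 7, 11]; anything else stays a string."""
    raw = raw.strip()
    if re.fullmatch(r"-?\d+(?:\s*(?:dBm|ms))?", raw):
        return int(raw.split()[0])
    if re.fullmatch(r"-?\d+(?:\s+-?\d+)+", raw):
        return [int(x) for x in raw.split()]
    return raw


def parse_measure_report(text):
    """Return {client MAC: {section: {field: value}}} for one radio's report."""
    reports, client, section = {}, None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or line.startswith("Total number"):
            continue
        indent, key, value = m.groups()
        if key == "Client MAC address":
            client, section = value, None
            reports[client] = {}
        elif client is not None and not indent and value == "":
            section = key                      # e.g. "Spectrum measurement"
            reports[client][section] = {}
        elif client is not None and section is not None:
            reports[client][section][key] = parse_value(value)
    return reports


def rf_alerts(reports, cca_busy_max=50):
    """Conditions an operator would want to alert on; cca_busy_max is an assumed threshold."""
    alerts = []
    for mac, sections in reports.items():
        spec = sections.get("Spectrum measurement", {})
        if spec.get("Radar") == "Detected":
            alerts.append((mac, "radar detected on the 5 GHz channel; expect a DFS channel change"))
        if spec.get("Unidentified signal") == "Detected":
            alerts.append((mac, "unidentified signal detected; check for interference"))
        busy = spec.get("CCA busy fraction")
        if isinstance(busy, int) and busy > cca_busy_max:
            alerts.append((mac, f"CCA busy fraction {busy} exceeds {cca_busy_max}"))
    return alerts


if __name__ == "__main__":
    for mac, what in rf_alerts(parse_measure_report(SAMPLE_REPORT)):
        print(mac, what)
```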

 


Configuring channel scanning

The term "AC" in this document refers to MSR routers that can function as ACs.

About channel scanning

Channel scanning enables APs to scan channels and capture wireless packets. The AC analyzes the captured wireless packets to obtain wireless service information, including interference, bit error rate, and wireless signal strength. Channel scanning provides data for WLAN RRM and WIPS, and enhances wireless service quality.

Basic concepts

·          Scanning period—In this period, an AP only scans a channel and does not provide wireless services.

·          Service period—In this period, an AP scans its working channel and provides wireless services simultaneously for a time period that is the same as the scanning period. After that, the AP only provides wireless services.

Work mechanism

An AP scans each channel on the channel scanning list in turn regardless of whether the AP provides wireless services, and each channel is scanned for a scanning period. If the AP does not provide wireless services, it runs scanning periods consecutively. If the AP provides wireless services, it runs service periods and scanning periods alternately.

For example, Figure 65 shows the channel scanning mechanism for an AP when the AP works on channel 6 and the channel scanning list contains channels 1, 6, and 11.

Figure 65 Channel scanning mechanism

 

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: Channel scanning configuration

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.

Channel scanning tasks at a glance

Tasks at a glance

(Required.) Setting the scanning period

(Required.) Setting the maximum service period

(Required.) Setting the service idle timeout timer

(Optional.) Configuring the channel scanning blacklist or whitelist

(Optional.) Configuring all-channel scanning

 

Setting the scanning period

About the scanning period

The scanning period defines the time period in which an AP scans a channel. In a service period, an AP scans its working channel and provides wireless services simultaneously for a time period that is the same as the scanning period.

Restrictions and guidelines

The scanning period cannot be greater than the maximum service period.

Procedure

To set the scanning period in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the scanning period.

scan scan-time scan-time

By default, a radio uses the configuration in AP group radio view.

 

To set the scanning period in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the scanning period.

scan scan-time scan-time

By default, the scanning period is 100 milliseconds.

 

Setting the maximum service period

About the maximum service period

To ensure both scanning and service quality, you can set the maximum service period. When the maximum service period is reached, the AP starts a scanning period regardless of whether it has traffic to forward. To ensure wireless service quality, you can configure the AP to not limit the service period. The AP does not start a scanning period unless the service idle timeout timer expires.

Procedure

To set the maximum service period in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the maximum service period.

scan max-service-time { max-service-time | no-limit }

By default, a radio uses the configuration in AP group radio view.

 

To set the maximum service period in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the maximum service period.

scan max-service-time { max-service-time | no-limit }

By default, the maximum service period is 5000 milliseconds.

 

Setting the service idle timeout timer

About the service idle timeout timer

Even if the service idle timeout timer expires during a service period, the AP does not begin a new scanning period until the current service period exceeds the scanning period.

Restrictions and guidelines

The service idle timeout timer cannot be greater than the maximum service period.

Procedure

To set the service idle timeout timer in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the service idle timeout timer.

scan idle-time idle-time

By default, a radio uses the configuration in AP group radio view.

 

To set the service idle timeout timer in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the service idle timeout timer.

scan idle-time idle-time

By default, the service idle timeout timer is 100 milliseconds.

 

Configuring the channel scanning blacklist or whitelist

About the channel scanning blacklist or whitelist

If you configure the blacklist for an AP, the AP will not scan non-working channels in the blacklist. If you configure the whitelist for an AP, the AP will scan only channels in the whitelist and the working channel.

Restrictions and guidelines

You cannot configure both the channel scanning blacklist and whitelist for the same AP.

Procedure

To configure the channel scanning blacklist or whitelist in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Add the specified channels to the channel scanning blacklist.

scan channel blacklist channel-list

Choose either task.

By default, a radio uses the configuration in AP group radio view.

5.       Add the specified channels to the channel scanning whitelist.

scan channel whitelist channel-list

 

To configure the channel scanning blacklist or whitelist in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Add the specified channels to the channel scanning blacklist.

scan channel blacklist channel-list

Choose either task.

By default, no channel scanning blacklist or whitelist exists.

6.       Add the specified channels to the channel scanning whitelist.

scan channel whitelist channel-list
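Added example (not H3C code): a Python model of how the scanning period, the maximum service period (including no-limit), the service idle timeout timer, and the blacklist/whitelist rules described in this chapter interact on one radio. That the working channel is scanned inside each service period rather than in a separate scanning period is an assumption drawn from the description of the service period; traffic is represented by constructed busy intervals.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScanConfig:
    scan_time: int                   # scan scan-time, in milliseconds
    max_service_time: Optional[int]  # scan max-service-time, in ms; None = no-limit
    idle_time: int                   # scan idle-time, in milliseconds
    working: int                     # the radio's working channel
    scan_list: List[int]             # the channel scanning list
    blacklist: List[int] = field(default_factory=list)
    whitelist: List[int] = field(default_factory=list)

    def validate(self):
        """The restrictions stated in this chapter."""
        if self.blacklist and self.whitelist:
            raise ValueError("blacklist and whitelist cannot both be configured on one radio")
        if self.max_service_time is not None:
            if self.scan_time > self.max_service_time:
                raise ValueError("scanning period cannot be greater than the maximum service period")
            if self.idle_time > self.max_service_time:
                raise ValueError("service idle timeout cannot be greater than the maximum service period")


def channels_to_scan(cfg):
    """Blacklist: skip listed non-working channels. Whitelist: only listed channels
    plus the working channel. The working channel is scanned in either case."""
    if cfg.whitelist:
        return sorted(set(cfg.whitelist) | {cfg.working})
    return [c for c in cfg.scan_list if c == cfg.working or c not in cfg.blacklist]


def service_period_end(cfg, t0, busy, horizon):
    """End of a service period that starts at t0. busy = [(start, end)] ms intervals
    with client traffic. The period lasts at least scan_time, ends when the maximum
    service period is reached (if limited), or else when idle_time passes with no traffic."""
    t, last_traffic = t0, t0
    while t < horizon:
        if any(s <= t < e for s, e in busy):
            last_traffic = t
        elapsed = t - t0
        if cfg.max_service_time is not None and elapsed >= cfg.max_service_time:
            break
        if elapsed >= cfg.scan_time and t - last_traffic >= cfg.idle_time:
            break
        t += 1
    return t


def schedule(cfg, serving, busy, horizon):
    """Return [(start, end, kind, channel)] up to horizon; kind is 'scan' or 'service'.
    Assumption: while serving, the working channel is scanned within each service
    period, so dedicated scanning periods cover only the other channels."""
    cfg.validate()
    chans = channels_to_scan(cfg)
    if serving:
        chans = [c for c in chans if c != cfg.working]
        if not chans:
            return [(0, horizon, "service", cfg.working)]
    timeline, t, i = [], 0, 0
    while t < horizon:
        c = chans[i % len(chans)]
        timeline.append((t, t + cfg.scan_time, "scan", c))
        t += cfg.scan_time
        i += 1
        if serving and t < horizon:
            end = service_period_end(cfg, t, busy, horizon)
            timeline.append((t, end, "service", cfg.working))
            t = end
    return timeline


if __name__ == "__main__":
    # Values from the "relative forwarding preferred" example: 200 ms scan, 5000 ms max, 100 ms idle.
    cfg = ScanConfig(200, 5000, 100, working=6, scan_list=[1, 6, 11])
    for period in schedule(cfg, serving=True, busy=[(0, 100000)], horizon=11000):
        print(period)
```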

 

Configuring all-channel scanning

About all-channel scanning

When all-channel scanning is enabled, an AP alternately scans 2.4 GHz channels and 5 GHz channels at the specified interval. When all-channel scanning is disabled, an AP scans only channels of the configured band.

Restrictions and guidelines

This feature is applicable only to dual-band radios.

Procedure

To configure all-channel scanning in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Configure all-channel scanning.

scan mode all { disable | enable }

By default, a radio uses the configuration in AP group radio view.

5.       Set the interval for the radio to scan all channels.

scan mode all interval interval-value

By default, a radio uses the configuration in AP group radio view.

 

To configure all-channel scanning in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Configure all-channel scanning.

scan mode all { disable | enable }

By default, all-channel scanning is disabled.

6.       Set the interval for the radio to scan all channels.

scan mode all [ interval interval-value ]

By default, the interval for an AP to scan all channels is 3000 milliseconds.

 

Channel scanning configuration examples

Example: Configuring relative forwarding preferred channel scanning

Network configuration

To ensure both channel scanning and wireless service quality, configure channel scanning and set the maximum service period for AP 1, as shown in Figure 66.

Figure 66 Network diagram

 

Procedure

# Create a manual AP and specify the model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Enter radio view of radio 1.

[AC-wlan-ap-ap1] radio 1

# Set the scanning period to 200 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan scan-time 200

# Set the maximum service period to 5000 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan max-service-time 5000

# Set the service idle timeout timer to 100 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan idle-time 100

Example: Configuring absolute forwarding preferred channel scanning

Network configuration

To ensure wireless service quality, configure channel scanning and configure AP 1 to not limit the service period, as shown in Figure 67.

Figure 67 Network diagram

 

Procedure

# Create a manual AP and specify the model and serial ID.

<AC> system-view

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 219801A0CNC138011454

# Enter radio view.

[AC-wlan-ap-ap1] radio 1

# Set the scanning period to 100 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan scan-time 100

# Configure the radio to not limit the service period.

[AC-wlan-ap-ap1-radio-1] scan max-service-time no-limit

# Set the service idle timeout timer to 100 milliseconds.

[AC-wlan-ap-ap1-radio-1] scan idle-time 100


Configuring band navigation

The term "AC" in this document refers to MSR routers that can function as ACs.

About band navigation

Band navigation enables an AP to direct dual-band clients (2.4 GHz and 5 GHz) to the 5 GHz radio whenever possible to avoid congestion in the 2.4 GHz band. This can load balance the radios and improve network performance.

As shown in Figure 68, band navigation is enabled in the WLAN. Client 1 and Client 2 are associated with the 2.4 GHz radio. When the dual-band client Client 3 requests to associate with the 2.4 GHz radio, the AP rejects Client 3 and directs it to the 5 GHz radio.

Figure 68 Band navigation

 

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: Band navigation configuration

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, the settings made in these views for the same parameter take effect in descending order of AP view, AP group view, and global configuration view.

Do not enable band navigation in a WLAN where most clients support only the 2.4 GHz band or in a WLAN that is sensitive to traffic delay.

Band navigation tasks at a glance

Tasks at a glance

(Required.) Enabling band navigation globally

(Required.) Enabling AP-based band navigation

(Optional.) Configuring load balancing for band navigation

(Optional.) Configuring band navigation parameters

 

Prerequisites for band navigation

Complete the following tasks before configuring band navigation:

·          Disable quick association. For more information about quick association, see "Configuring WLAN access."

·          Enable both the 5 GHz and 2.4 GHz radios and bind the radios to the same service template.

Enabling band navigation globally

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable band navigation globally.

wlan band-navigation enable

By default, band navigation is disabled globally.

 

Enabling AP-based band navigation

Restrictions and guidelines

Band navigation takes effect on an AP only when you enable band navigation both globally and for the AP.

Procedure

To enable AP-based band navigation in AP view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enable band navigation for the AP.

band-navigation enable

By default, an AP uses the configuration in AP group view.

 

To enable AP-based band navigation in AP group view:

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enable band navigation for APs in the AP group.

band-navigation enable

By default, band navigation is enabled.

 

Configuring load balancing for band navigation

About load balancing for band navigation

An AP rejects the 5 GHz association request of a client when the following conditions are met:

·          The number of clients on the 5 GHz radio reaches the specified threshold.

·          The client number gap between the 5 GHz radio and the radio that has the fewest clients reaches the specified threshold.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure load balancing for band navigation.

wlan band-navigation balance session session [ gap gap ]

By default, load balancing is disabled for band navigation.

 

Configuring band navigation parameters

About band navigation parameters

The following parameters affect band navigation:

·          Maximum number of denials for 5 GHz association requests—If the number of times that a 5 GHz radio rejects a client reaches the specified maximum number, the radio accepts the association request of the client.

·          Band navigation RSSI threshold—A client might be detected by multiple radios. A 5 GHz radio rejects the association request of a client if the client's RSSI is lower than the band navigation RSSI threshold.

·          Client information aging time—When an AP receives an association request from a client, the AP records the client's information and starts the client information aging timer. If the AP does not receive any probe requests or association requests from the client before the aging timer expires, the AP deletes the client's information.

Configure an appropriate client information aging time to ensure both client association and system resource efficiency.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the maximum number of denials for 5 GHz association requests.

wlan band-navigation balance access-denial access-denial

By default, the maximum number of denials for 5 GHz association requests is 1.

3.       Set the band navigation RSSI threshold.

wlan band-navigation rssi-threshold rssi-threshold

By default, the band navigation RSSI threshold is 15.

4.       Set the client information aging time.

wlan band-navigation aging-time aging-time

By default, the client information aging time is 180 seconds.
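The load-balancing conditions and the three parameters above together decide whether the 5 GHz radio accepts a client. The following Python model is an added example, not H3C code; it uses the values from the configuration example in this chapter (session 5, gap 2, access-denial 3, RSSI threshold 30, aging time 160), and the order of the checks and the handling of 2.4 GHz requests from dual-band clients are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BandNavConfig:
    session: Optional[int] = None  # wlan band-navigation balance session; None = balancing off
    gap: int = 0                   # the gap threshold of the same command
    access_denial: int = 1         # wlan band-navigation balance access-denial (default 1)
    rssi_threshold: int = 15       # wlan band-navigation rssi-threshold (default 15)
    aging_time: int = 180          # wlan band-navigation aging-time, seconds (default 180)


@dataclass
class ClientInfo:
    last_seen: float   # time of the last probe or association request from the client
    denials: int = 0   # times the 5 GHz radio has rejected this client


class BandNavigation:
    """One AP with a 5 GHz and a 2.4 GHz radio bound to the same service template."""

    def __init__(self, cfg: BandNavConfig):
        self.cfg = cfg
        self.clients: Dict[str, ClientInfo] = {}        # client information, indexed by MAC
        self.associated = {"5g": set(), "2.4g": set()}  # MACs associated with each radio

    def age_out(self, now):
        """Delete client information whose aging timer has expired."""
        expired = [m for m, c in self.clients.items() if now - c.last_seen >= self.cfg.aging_time]
        for m in expired:
            del self.clients[m]
        return expired

    def _touch(self, mac, now):
        """Record the client and restart its aging timer on any request."""
        self.age_out(now)
        info = self.clients.setdefault(mac, ClientInfo(last_seen=now))
        info.last_seen = now
        return info

    def _balance_rejects(self):
        """Both load-balancing conditions from the guide must hold."""
        if self.cfg.session is None:
            return False
        n5 = len(self.associated["5g"])
        fewest = min(len(s) for s in self.associated.values())
        return n5 >= self.cfg.session and n5 - fewest >= self.cfg.gap

    def _evaluate_5ghz(self, info, rssi):
        """Decision of the 5 GHz radio; the order of the checks is an assumption."""
        if info.denials >= self.cfg.access_denial:
            return "accepted: maximum number of denials reached"
        if rssi < self.cfg.rssi_threshold:
            return "rejected: RSSI below the band navigation threshold"
        if self._balance_rejects():
            return "rejected: load balancing thresholds reached"
        return "accepted"

    def request_5ghz(self, mac, rssi, now):
        """Association request on the 5 GHz radio -> (accepted, reason)."""
        info = self._touch(mac, now)
        reason = self._evaluate_5ghz(info, rssi)
        if reason.startswith("rejected"):
            info.denials += 1
            return False, reason
        self.associated["5g"].add(mac)
        return True, reason

    def request_24ghz(self, mac, dual_band, rssi, now):
        """Assumption: a dual-band client is rejected here and directed to the 5 GHz
        radio whenever that radio would accept it; single-band clients are accepted."""
        info = self._touch(mac, now)
        if dual_band and not self._evaluate_5ghz(info, rssi).startswith("rejected"):
            return False, "rejected: directed to the 5 GHz radio"
        self.associated["2.4g"].add(mac)
        return True, "accepted"
```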

 

Band navigation configuration examples

Example: Configuring band navigation

Network configuration

As shown in Figure 69, both the 5 GHz radio and the 2.4 GHz radio are enabled on the AP. Configure band navigation and load balancing for band navigation to load balance the radios.

Figure 69 Network diagram

 

Procedure

# Create service template 1 and set its SSID to band-navigation.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid band-navigation

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Enter radio view of radio 1, and configure radio 1 to operate in 802.11n (5 GHz) mode.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] type dot11an

# Bind service template 1 to radio 1 of AP 1, and enable radio 1.

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

# Enter radio view of radio 2, and configure radio 2 to operate in 802.11n (2.4 GHz) mode.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] type dot11gn

# Bind service template 1 to radio 2 of AP 1, and enable radio 2.

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Enable band navigation globally.

[AC] wlan band-navigation enable

# Enable band navigation for AP 1.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] band-navigation enable

[AC-wlan-ap-ap1] quit

# Enable load balancing for band navigation, and set the client number threshold and client number gap threshold to 5 and 2, respectively.

[AC] wlan band-navigation balance session 5 gap 2

# Set the maximum number of denials for 5 GHz association requests to 3.

[AC] wlan band-navigation balance access-denial 3

# Set the band navigation RSSI threshold to 30.

[AC] wlan band-navigation rssi-threshold 30

# Set the client information aging time to 160 seconds.

[AC] wlan band-navigation aging-time 160

Verifying the configuration

1.        Verify that a dual-band client is associated with the 5 GHz radio when it requests to associate with the AP. (Details not shown.)

2.        Verify that a dual-band client is associated with the 2.4 GHz radio when the following conditions are met:

○  The number of clients on the 5 GHz radio reaches 5.

○  The client number gap between the 5 GHz radio and the 2.4 GHz radio reaches 2. (Details not shown.)

 


Configuring WLAN multicast optimization

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN multicast optimization

Multicast transmission in a wireless network has the following limitations:

·          High packet loss when link quality is poor—Multicast frames are not acknowledged, so lost frames are never retransmitted.

·          Low transmission efficiency—The device sends multicast packets at the lowest mandatory rate.

Because of these limitations, plain multicast cannot meet the needs of applications that tolerate delay but require complete, uncorrupted data. To address this issue, configure WLAN multicast optimization.

WLAN multicast optimization mechanism

WLAN multicast optimization enables an AP to convert each multicast packet into unicast packets, one per member client. Unicast frames are acknowledged and retransmitted on loss and are sent at the rate negotiated with each client, which removes both limitations listed above.

Figure 70 Data transmission with WLAN multicast optimization enabled

 

WLAN multicast optimization entries

WLAN multicast optimization uses multicast optimization entries to manage traffic forwarding. The multicast optimization entries use the clients' MAC addresses as indexes. A multicast optimization entry records information about multicast groups that clients join, multicast sources from which clients receive traffic, multicast group version, and multicast optimization mode.

After you enable WLAN multicast optimization, an AP creates or updates multicast optimization entries for a client according to the IGMP reports received from the client. If IGMPv3 or MLDv2 is used, the AP can also update the multicast sources allowed by the client. The AP removes a multicast optimization entry if it receives a leave message from the client or when the aging time for the entry expires. If you disable WLAN multicast optimization for the service template that an AP uses, the AP removes all multicast optimization entries.

When an AP receives a multicast data packet (any packet other than an IGMP or MLD message) from a multicast source, it matches the packet's destination group address against the multicast optimization entries. If a match is found, the AP converts the packet to unicast and sends a copy to each client in the multicast group. If no match is found, the AP discards the packet.

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

WLAN multicast optimization tasks at a glance

Tasks at a glance

(Required.) Enabling WLAN multicast optimization

(Optional.) Configuring a multicast optimization policy

(Optional.) Setting rate limits for IGMP/MLD packets from clients

(Optional.) Setting the limit for multicast optimization entries

(Optional.) Setting the limit for multicast optimization entries per client

(Optional.) Setting the aging time for multicast optimization entries

 

Enabling WLAN multicast optimization

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter service template view.

wlan service-template service-template-name

N/A

3.       Enable WLAN multicast optimization.

·         Enable IPv4 WLAN multicast optimization:
multicast-optimization enable

·         Enable IPv6 WLAN multicast optimization:
ipv6 multicast-optimization enable

By default, WLAN multicast optimization is disabled.

 

Configuring a multicast optimization policy

About multicast optimization policies

A multicast optimization policy defines the maximum number of clients that WLAN multicast optimization supports for a multicast group, and one of the following actions for the AP to take when the number of member clients exceeds that limit:

·          Unicast forwarding—Converts the multicast packet to unicast and sends it to only n randomly selected clients, where n is the configured limit.

·          Multicast forwarding—Forwards the multicast packet to all clients.

·          Packet dropping—Drops the multicast packet.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure a multicast optimization policy.

·         Configure an IPv4 WLAN multicast optimization policy:
wlan multicast-optimization entry client-limit [ limit-value ] [ drop | multicast | unicast ]

·         Configure an IPv6 WLAN multicast optimization policy:
wlan ipv6 multicast-optimization entry client-limit
[ limit-value ] [ drop | multicast | unicast ]

By default, no multicast optimization policies exist and an AP performs multicast optimization for all clients.

If you do not specify an action, an AP performs unicast forwarding.

 

Setting rate limits for IGMP/MLD packets from clients

About rate limits for IGMP/MLD packets from clients

Perform this task to set the maximum number of IGMP or MLD packets that an AP accepts from clients within the specified interval. The AP discards the excess IGMP or MLD packets, which bounds the work a client can cause the AP by flooding membership reports. For more information about IGMP or MLD, see IP Multicast Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the rate limit for IGMP or MLD packets from clients.

·         Set the rate limit for IGMP packets from clients:
wlan multicast-optimization packet-rate-limit [ interval interval-value | threshold threshold-value ] *

·         Set the rate limit for MLD packets from clients:
wlan ipv6 multicast-optimization
packet-rate-limit [ interval interval-value | threshold threshold-value ] *

By default, no rate limit is set for IGMP or MLD packets from clients.

 

Setting the limit for multicast optimization entries

About the limit for multicast optimization entries

Each time a client joins a multicast group, the AP creates a multicast optimization entry for the multicast group. If the client specifies multicast sources when it joins, the AP also creates an entry for each source. When a client leaves a multicast group or rejects a multicast source, the AP deletes the corresponding entry. Each entry consumes AP memory, and frequent creation and deletion consumes processing resources.

Perform this task to limit the number of multicast optimization entries to save system resources.

When the number of multicast optimization entries reaches the limit, the AP stops creating new entries until the number falls below the limit.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the limit for multicast optimization entries.

·         Set the limit for IPv4 multicast optimization entries:
wlan multicast-optimization global entry-limit
[ limit-value ]

·         Set the limit for IPv6 multicast optimization entries:
wlan ipv6 multicast-optimization global entry-limit
[ limit-value ]

By default, no limit is set for multicast optimization entries.

 

Setting the limit for multicast optimization entries per client

About the limit for multicast optimization entries per client

Perform this task to limit the number of multicast optimization entries that an AP maintains for each client to prevent a client from occupying excessive system resources.
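The entry-table behaviour described in this chapter (entries keyed by client MAC that record group, IGMP version, filter mode and sources; creation on reports and removal on leave or aging; the IGMP/MLD packet rate limit; the global and per-client entry limits; and the client-limit policy with its drop, multicast and unicast actions) is modelled below as an added example. This is not H3C code and does not reproduce the AP's implementation; the entry-counting rule (one entry per group plus one per listed source) follows the text above, the client MACs and timestamps are constructed, and the policy is made to fire when the member count exceeds the limit, which is what the configuration example at the end of this chapter shows (two clients pass, a third causes a drop with client-limit 2).

```python
# Added example: a model of the AP-side multicast optimization table.
# Not H3C code. Entry accounting follows this chapter's text; MACs and
# timestamps are constructed for the example.
import random
from collections import deque
from dataclasses import dataclass, field


@dataclass
class GroupEntry:
    """One multicast optimization entry for a (client, group) pair."""
    version: int                        # IGMP version that reported the group
    mode: str                           # IGMPv3 filter mode: "include" or "exclude"
    sources: set = field(default_factory=set)
    last_seen: float = 0.0

    def accepts(self, source):
        """Source filter: IGMPv2 entries and EXCLUDE {} accept any source."""
        if not self.sources:
            return True
        return (source in self.sources) if self.mode == "include" else (source not in self.sources)


class MulticastOptimizer:
    def __init__(self, aging_time=260, global_entry_limit=None, client_entry_limit=None,
                 rate_limit=None, client_limit=None, action="unicast", seed=0):
        # rate_limit is (interval_seconds, max_packets), mirroring
        # "wlan multicast-optimization packet-rate-limit interval 60 threshold 100".
        self.aging_time = aging_time
        self.global_entry_limit = global_entry_limit
        self.client_entry_limit = client_entry_limit
        self.rate_limit = rate_limit
        self.client_limit = client_limit
        self.action = action
        self.rng = random.Random(seed)
        self.table = {}                 # client MAC -> {group -> GroupEntry}
        self.igmp_arrivals = deque()    # report timestamps inside the current rate window
        self.dropped_igmp = 0

    @staticmethod
    def _cost(groups):
        # One entry per group joined plus one per listed source.
        return sum(1 + len(e.sources) for e in groups.values())

    def total_entries(self):
        return sum(self._cost(g) for g in self.table.values())

    def _rate_ok(self, now):
        if self.rate_limit is None:
            return True
        interval, threshold = self.rate_limit
        while self.igmp_arrivals and now - self.igmp_arrivals[0] >= interval:
            self.igmp_arrivals.popleft()
        if len(self.igmp_arrivals) >= threshold:
            return False                # excess IGMP/MLD packet: discarded
        self.igmp_arrivals.append(now)
        return True

    def report(self, mac, group, now, version=2, mode="exclude", sources=()):
        """Membership report from a client. True if the entry was created or refreshed."""
        if not self._rate_ok(now):
            self.dropped_igmp += 1
            return False
        groups = self.table.get(mac, {})
        if group in groups:             # refresh: the limits apply to new entries only
            e = groups[group]
            e.version, e.mode, e.sources, e.last_seen = version, mode, set(sources), now
            return True
        cost = 1 + len(sources)
        if self.client_entry_limit is not None and self._cost(groups) + cost > self.client_entry_limit:
            return False
        if self.global_entry_limit is not None and self.total_entries() + cost > self.global_entry_limit:
            return False
        groups[group] = GroupEntry(version, mode, set(sources), now)
        self.table[mac] = groups
        return True

    def leave(self, mac, group):
        """Leave message: remove the client's entry for the group."""
        groups = self.table.get(mac, {})
        groups.pop(group, None)
        if not groups:
            self.table.pop(mac, None)

    def age(self, now):
        """Remove entries whose aging time has expired."""
        for mac in list(self.table):
            for group, e in list(self.table[mac].items()):
                if now - e.last_seen >= self.aging_time:
                    self.leave(mac, group)

    def forward(self, group, source):
        """Forwarding decision for a multicast data packet: (action, receivers)."""
        members = sorted(mac for mac, groups in self.table.items()
                         if group in groups and groups[group].accepts(source))
        if not members:
            return "drop", []           # no matching entry: the AP discards the packet
        # The policy action fires once the member count exceeds the client limit.
        if self.client_limit is not None and len(members) > self.client_limit:
            if self.action == "drop":
                return "drop", []
            if self.action == "multicast":
                return "multicast", members
            return "unicast", sorted(self.rng.sample(members, self.client_limit))
        return "unicast", members


def demo():
    """Replays this chapter's configuration example with constructed client MACs."""
    ap = MulticastOptimizer(aging_time=300, global_entry_limit=100, client_entry_limit=10,
                            rate_limit=(60, 100), client_limit=2, action="drop")
    join = dict(version=3, mode="include", sources={"1.1.1.1"})
    ap.report("0001-0001-0001", "230.1.1.1", now=0, **join)
    ap.report("0001-0001-0002", "230.1.1.1", now=15, **join)
    two = ap.forward("230.1.1.1", "1.1.1.1")        # unicast to both clients
    ap.report("0001-0001-0003", "230.1.1.1", now=20, **join)
    three = ap.forward("230.1.1.1", "1.1.1.1")      # third client exceeds the limit: drop
    unknown = ap.forward("230.1.1.2", "1.1.1.1")    # no entry for the group: drop
    return two, three, unknown
```

Run demo() to see the three outcomes of the configuration example. The per-client and global limits are checked only when a new entry would be created, matching the statement that the AP stops creating entries until the count falls below the limit; the rate limiter is a sliding window over the configured interval.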

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the limit for multicast optimization entries per client.

·         Set the limit for IPv4 multicast optimization entries per client:
wlan multicast-optimization client entry-limit
[ limit-value ]

·         Set the limit for IPv6 multicast optimization entries per client:
wlan ipv6 multicast-optimization client entry-limit
[ limit-value ]

By default, no limit is set for multicast optimization entries per client.

 

Setting the aging time for multicast optimization entries

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the aging time for multicast optimization entries.

·         Set the aging time for IPv4 multicast optimization entries:
wlan multicast-optimization aging-time aging-value

·         Set the aging time for IPv6 multicast optimization entries:
wlan ipv6 multicast-optimization aging-time
aging-value

By default, the aging time is 260 seconds for multicast optimization entries.

 

Display and maintenance commands for WLAN multicast optimization

Execute display commands in any view and reset commands in user view.

 

Tasks

Command

Display IPv6 multicast optimization entry information.

display wlan ipv6 multicast-optimization entry [ client mac-address [ group group-ip [ source source-ip ] ] ]

Display IPv4 multicast optimization entry information.

display wlan multicast-optimization entry [ client mac-address [ group group-ip [ source source-ip ] ] ]

Clear IPv6 multicast optimization entries.

reset wlan ipv6 multicast-optimization entry { all | client mac-address [ group group-ip [ source source-ip ] ] }

Clear IPv6 multicast optimization entries for the specified multicast group.

reset wlan ipv6 multicast-optimization entry group group-ip [ source source-ip ]

Clear IPv4 multicast optimization entries.

reset wlan multicast-optimization entry { all | client mac-address [ group group-ip [ source source-ip ] ] }

Clear IPv4 multicast optimization entries for the specified multicast group.

reset wlan multicast-optimization entry group group-ip [ source source-ip ]

 

WLAN multicast optimization configuration examples

Example: Configuring basic WLAN multicast optimization

Network configuration

As shown in Figure 71, the switch acts as the DHCP server to assign IP addresses to the AP and clients, and the AP provides wireless services to the clients through the SSID service. Configure WLAN multicast optimization to manage multicast packet forwarding.

Figure 71 Network diagram

 

 

Procedure

# Enable IGMP snooping both globally and for VLAN 1.

<AC> system-view

[AC] igmp-snooping

[AC-igmp-snooping] quit

[AC] vlan 1

[AC-vlan1] igmp-snooping enable

[AC-vlan1] quit

# Create service template 1, set its SSID to service, and enable WLAN multicast optimization for it.

[AC] wlan service-template 1

[AC-wlan-st-1] ssid service

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] multicast-optimization enable

[AC-wlan-st-1] quit

# Create an AP named ap1, specify its model and serial ID, and bind radio 1 of the AP to service template 1.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000021

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] service-template 1

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Set the aging time to 300 seconds for IPv4 multicast optimization entries.

[AC] wlan multicast-optimization aging-time 300

# Configure the AP to receive a maximum of 100 IGMP packets from clients every 60 seconds.

[AC] wlan multicast-optimization packet-rate-limit interval 60 threshold 100

# Set the limit for IPv4 multicast optimization entries to 100.

[AC] wlan multicast-optimization global entry-limit 100

# Set the limit for IPv4 multicast optimization entries per client to 10.

[AC] wlan multicast-optimization client entry-limit 10

# Set the maximum number of clients that WLAN multicast optimization supports to 2, and configure the AP to drop multicast packets when the number of member clients exceeds that limit.

[AC] wlan multicast-optimization entry client-limit 2 drop

Verifying the configuration

# After Client 1 and Client 2 join the multicast group 230.1.1.1 with the multicast source 1.1.1.1 specified, verify the following. (Details not shown.)

·          The AP has created multicast optimization entries for Client 1 and Client 2.

·          Client 1 and Client 2 can receive traffic from the multicast source.

# Display information about multicast optimization entries after Client 3 joins the multicast group with the address 230.1.1.1 and the multicast source address 1.1.1.1 has been specified.

[AC] display wlan multicast-optimization entry

Total 3 clients reported

 Client: 0001-0001-0001

  Reported from AP 1 on radio 1

  Total number of groups: 1

 

  Group: 230.1.1.1

    Version: IGMPv3

    Mode: Include

    Duration: 00h 00m 30s

    Sources: 1

      Source: 1.1.1.1

      Duration: 00h 00m 30s

 

 Client: 0001-0001-0002

  Reported from AP 1 on radio 1

  Total number of groups: 1

 

  Group: 230.1.1.1

    Version: IGMPv3

    Mode: Include

    Duration: 00h 00m 15s

    Sources: 1

      Source: 1.1.1.1

      Duration: 00h 00m 15s

 

 Client: 0001-0001-0003

  Reported from AP 1 on radio 1

  Total number of groups: 1

 

  Group: 230.1.1.1

    Version: IGMPv3

    Mode: Include

    Duration: 00h 00m 10s

    Sources: 1

      Source: 1.1.1.1

      Duration: 00h 00m 10s

The output shows that the AP has created multicast optimization entries for Client 3.

# Verify that Client 1, Client 2, and Client 3 cannot receive traffic from the multicast source, because the group now has three member clients, which exceeds the configured client limit of 2, and the configured action is drop. (Details not shown.)


Configuring cloud connections

The term "AC" in this document refers to MSR routers that can function as ACs.

About cloud connections

A cloud connection is a management tunnel established between a local device and the H3C Oasis server. It enables you to manage the local device from the H3C Oasis server without accessing the network where the device resides.

Multiple subconnections

After a local device establishes a connection with the H3C Oasis server, service modules on the local device can establish multiple subconnections with the microservices on the H3C Oasis server. These subconnections are independent from each other and provide separate communication channels for different services. This mechanism avoids interference among different services.

Cloud connection establishment

This section uses an AC and the H3C Oasis server as an example. The cloud connection is established as follows:

1.        The AC sends an authentication request to the H3C Oasis server.

2.        The H3C Oasis server sends an authentication success packet to the AC.

The AC passes the authentication only if the serial number of the AC has been added to the H3C Oasis server. If the authentication fails, the H3C Oasis server sends an authentication failure packet to the AC.

3.        The AC sends a registration request to the H3C Oasis server.

4.        The H3C Oasis server sends a registration response to the AC.

The registration response contains the uniform resource locator (URL) used to establish a cloud connection.

5.        The AC uses the URL to send a handshake request (changing the protocol from HTTP to WebSocket) to the H3C Oasis server.

6.        The H3C Oasis server sends a handshake response to the AC to finish establishing the cloud connection.

7.        After the cloud connection is established, the AC automatically obtains the subconnection URLs and establishes subconnections with the H3C Oasis server based on the service needs.

 

Figure 72 Establishing a cloud connection

 

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Configuring a cloud connection

Configuring the H3C Oasis server

For a successful cloud connection establishment, add the serial number of the device to be managed to the H3C Oasis server.

Configuring the local device

About configuring the local device

Specify the domain name of the H3C Oasis server on the local device so that the device can establish the cloud connection. You can then log in to the server through that domain name from a remote PC to manage the local device.

If the local device does not receive a response from the H3C Oasis server within three keepalive intervals, the device sends a registration request to re-establish the cloud connection.

To prevent NAT entry aging, the local device sends ping packets to the H3C Oasis server periodically.
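The exchange described under "Cloud connection establishment" (authentication by serial number, registration that returns a URL, and the HTTP-to-WebSocket handshake on that URL) and the re-registration rule above (no response for three keepalive intervals) are walked through below with both sides' messages, as an added example. This is not H3C code: the Oasis message bodies are not documented on this page and the JSON-like dictionaries are constructed stand-ins, as is the /connect/<serial> URL. What is exact is the WebSocket upgrade, whose Sec-WebSocket-Accept value is derived as RFC 6455 specifies. The serial number and domain name are the ones that appear elsewhere in this guide; the 443 port is taken from the display output in the configuration example.

```python
# Added example: simulation of the cloud connection establishment steps.
# Not H3C code. Message bodies and the URL shape are constructed; the
# WebSocket handshake follows RFC 6455.
import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455


def ws_accept(key):
    """RFC 6455 section 4.2.2: base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


class OasisServer:
    """Stand-in for the server side; only serials added to it can connect."""

    def __init__(self, registered_serials):
        self.registered = set(registered_serials)

    def authenticate(self, msg):                       # steps 1 and 2
        ok = msg.get("serial") in self.registered
        return {"type": "auth_success" if ok else "auth_failure"}

    def register(self, msg):                           # steps 3 and 4
        if msg.get("serial") not in self.registered:
            return {"type": "reg_failure"}
        return {"type": "reg_response", "url": f"/connect/{msg['serial']}"}

    def handshake(self, request_lines):                # steps 5 and 6
        headers = dict(line.split(": ", 1) for line in request_lines[1:] if line)
        if headers.get("Upgrade", "").lower() != "websocket":
            return ["HTTP/1.1 400 Bad Request", ""]
        accept = ws_accept(headers["Sec-WebSocket-Key"])
        return ["HTTP/1.1 101 Switching Protocols", "Upgrade: websocket",
                "Connection: Upgrade", f"Sec-WebSocket-Accept: {accept}", ""]


class AccessController:
    def __init__(self, serial, host, port=443, keepalive=180):
        self.serial, self.host, self.port, self.keepalive = serial, host, port, keepalive
        self.state = "Idle"
        self.url = None

    def connect(self, server, ws_key=None):
        """Run steps 1 to 6 against the server; returns the resulting state."""
        auth = server.authenticate({"type": "auth_request", "serial": self.serial})
        if auth["type"] != "auth_success":
            self.state = "Auth_failed"
            return self.state
        reg = server.register({"type": "reg_request", "serial": self.serial})
        self.url = reg["url"]
        key = ws_key or base64.b64encode(os.urandom(16)).decode("ascii")
        request = [f"GET {self.url} HTTP/1.1", f"Host: {self.host}:{self.port}",
                   "Upgrade: websocket", "Connection: Upgrade",
                   f"Sec-WebSocket-Key: {key}", "Sec-WebSocket-Version: 13", ""]
        response = server.handshake(request)
        # The client must check the accept value before treating the upgrade as done.
        expected = f"Sec-WebSocket-Accept: {ws_accept(key)}"
        if response[0].endswith("101 Switching Protocols") and expected in response:
            self.state = "Established"
        else:
            self.state = "Handshake_failed"
        return self.state

    def should_reregister(self, last_response_at, now):
        """Rule from this section: no response for three keepalive intervals."""
        return now - last_response_at >= 3 * self.keepalive
```

The client recomputes the expected Sec-WebSocket-Accept value from its own nonce and refuses the upgrade if the server's header does not match, which is the check that ties the 101 response to this particular request.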

Restrictions and guidelines

Reduce the ping interval value if the network condition is poor or the NAT entry aging time is short.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the domain name of the H3C Oasis server.

cloud-management server domain domain-name

By default, the domain name of the H3C Oasis server is not configured.

3.       (Optional.) Set the keepalive interval.

cloud-management keepalive interval

By default, the keepalive interval is 180 seconds.

4.       (Optional.) Set the ping interval.

cloud-management ping interval

By default, the ping interval is 60 seconds.

 

Display and maintenance commands for cloud connections

Execute display commands in any view.

 

Task

Command

Display cloud connection state information.

display cloud-management state

 

Cloud connection configuration examples

Example: Configuring a cloud connection

Network configuration

As shown in Figure 73, configure the AC to establish a cloud connection with the H3C Oasis server.

Figure 73 Network diagram

 

Procedure

1.        Configure IP addresses for interfaces as shown in Figure 73, and configure a routing protocol to make sure the devices can reach each other. (Details not shown.)

2.        Log in to the H3C Oasis server to add the serial number of the AC to the server. (Details not shown.)

3.        Configure the domain name of the H3C Oasis server as lvzhouv3.h3c.com.

<AC> system-view

[AC] cloud-management server domain lvzhouv3.h3c.com

 

 

NOTE:

The DNS service is provided by the ISP DNS server.

 

Verifying the configuration

# Verify that the AC and the H3C Oasis server have established a cloud connection.

[AC] display cloud-management state

Cloud connection state   : Established

Device state             : Request_success

Cloud server address     : 10.1.1.1

Cloud server domain name : lvzhouv3.h3c.com

Local port               : 443

Connected at             : Wed Jan 27 14:18:40 2016

Duration                 : 00d 00h 02m 01s


Configuring WLAN RRM

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN RRM

WLAN Radio Resource Management (RRM) provides an intelligent and scalable radio management solution to allow a WLAN to adapt to environment changes and maintain the optimal radio resource condition.

Operating mechanism

RRM enables the AC to monitor and analyze its associated radios, and optimize radio resources with features such as dynamic frequency selection (DFS), transmit power control (TPC), and spectrum analysis.

Dynamic frequency selection

Two adjacent radios on the same channel might cause signal collision, and other radio sources such as radar signals and microwave ovens might interfere with the operation of radios. With DFS, the AC selects an optimal channel for each radio in real time to avoid co-channel interference and interference from other radio sources.

The following factors will trigger DFS:

·          Error rate—Physical-layer bit error rate and CRC error rate. The CRC error rate is the proportion of frames with CRC errors among all 802.11 frames received.

·          Interference rate—Proportion of interference packets among all data packets. Interference packets are packets destined for other radios.

·          Retransmission count—Data retransmissions caused by failure to receive ACK messages.

·          Radar signal—Radar signals detected on the current channel. In this case, the AC selects a new channel and immediately notifies the radio to change its working channel.

The AC uses the following procedure to perform DFS for a radio:

1.        Monitors the current channel and selects an optimal channel when the CRC error threshold, the interference threshold, or the system-defined retransmission threshold is reached on the current channel.

2.        Compares the quality between the current channel and the optimal channel. The radio does not use the optimal channel until the quality gap between the two channels exceeds the tolerance level.

Figure 74 shows a DFS example. When the quality of the channels for BSS 1, BSS 3, and BSS 5 reaches a DFS threshold, the AC selects an optimal channel for each of them. This ensures wireless service quality.

Figure 74 Dynamic frequency selection

 

Transmit power control

TPC enables the AC to dynamically control access point transmit power based on real-time WLAN conditions. It can achieve desired RF coverage while avoiding channel interference between radios.

The AC maintains a neighbor report for each radio on its associated APs to record information about other radios detected by this radio. The AC can manage only radios associated with it.

The AC uses the following procedure to perform TPC for a radio:

1.        Determines whether the number of manageable radios (all-channel radios or overlapping-channel radios) that can detect this radio has reached the adjacency factor.

If the number has not reached the adjacency factor, the radio uses the maximum transmit power.

If the number has reached the adjacency factor, the AC goes to step 2:

2.        Ranks the radio's RSSIs detected by these manageable radios in descending order.

3.        Takes the RSSI at the position given by the adjacency factor in that ranking (for an adjacency factor of 3, the third-highest RSSI), compares it with the power adjustment threshold, and takes one of the following actions:

○  Decreases the radio's transmit power when that RSSI is above the threshold.

○  Increases the radio's transmit power when that RSSI is below the threshold.

Radios that can participate in TPC calculation for a radio include the following types:

·          All-channel radios—Include all manageable radios that detect the radio. TPC based on all-channel radios can better control the signal coverage.

·          Overlapping-channel radios—Include manageable radios that detect the radio on a channel overlapping with the radio's transmit channel. TPC based on overlapping-channel radios can expand signal coverage without increasing interference.

As shown in Figure 75, each AP has only one radio enabled. Before AP 4 joins, the number of manageable radios detected by each radio does not reach the adjacency factor 3. The radios use the maximum transmit power. After AP 4 joins, the number of manageable radios detected by each radio reaches the adjacency factor 3. The AC uses TPC to adjust the transmit powers for all radios.

Figure 75 Transmit power control

 

Spectrum management

Spectrum management is 802.11h compliant. It is used on 5 GHz WLANs to ensure that clients meet the regulatory requirements for operation in the 5 GHz band. It enables an AP to notify its associated clients of the allowed maximum transmit power. The AP can deny the association request from a client if the power and channel of the client do not meet the regulatory requirements.

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: WLAN RRM

You can configure APs by using the following methods:

·          Configure APs one by one in AP view.

·          Assign APs to an AP group and configure the AP group in AP group view.

·          Configure all APs in global configuration view.

For an AP, settings for the same parameter take effect in descending order of priority: AP view, then AP group view, then global configuration view. A setting made in AP view overrides the AP group setting, which in turn overrides the global setting.

WLAN RRM tasks at a glance

Tasks at a glance

Remarks

Configuring DFS:

·         (Optional.) Setting the DFS sensitivity mode

·         (Optional.) Configuring DFS trigger parameters

·         (Required.) Choose one of the following tasks:

○  Configuring periodic auto-DFS

○  Configuring scheduled auto-DFS

○  Configuring on-demand DFS

·         (Optional.) Configuring an RRM holddown group

You can set DFS trigger parameters only when the DFS sensitivity mode is custom.

Configuring TPC:

·         (Optional.) Setting the TPC mode

·         (Optional.) Configuring TPC trigger parameters

·         (Optional.) Setting the minimum transmit power

·         (Required.) Choose either of the following tasks:

○  Configuring periodic auto-TPC

○  Configuring on-demand TPC

·         (Optional.) Configuring an RRM holddown group

N/A

Configuring spectrum management:

·         (Required.) Enabling spectrum management

·         (Optional.) Setting the power constraint mode

·         (Optional.) Setting the channel switch mode

·         (Optional.) Setting the transmit power capability match mode

·         (Optional.) Setting the channel capability match mode

N/A

(Optional.) Configuring a radio baseline

N/A

(Optional.) Enabling radio scanning

N/A

(Optional.) Enabling SNMP notifications for WLAN RRM

N/A

 

Configuring DFS

About DFS

The AC supports the following DFS methods:

·          Periodic auto-DFS—The AC automatically performs DFS for a radio at the channel calibration interval.

·          Scheduled auto-DFS—The AC performs DFS at the specified time within a time range. Use this method where interference is severe, so that channel changes happen in a window that does not disrupt ongoing wireless services.

·          On-demand DFS—The AC waits for a channel calibration interval and then performs DFS for all radios. You must perform this task every time you want the AC to perform DFS for radios.

Configuration prerequisites

For DFS to work, configure the AC to automatically select a channel for a radio and not lock the channel by using the channel auto unlock command. For more information about the channel { channel-number | auto { lock | unlock } } command, see WLAN Command Reference (AC).

Setting the DFS sensitivity mode

About DFS sensitivity modes

DFS supports the following sensitivity modes: low, medium, high, and custom. The higher the sensitivity, the more easily DFS is triggered.

Restrictions and guidelines

DFS trigger parameters will be restored to the default if you change the sensitivity mode. The default settings vary by sensitivity mode. Record the configured DFS trigger parameters if necessary before you change the sensitivity mode from custom to low, medium, or high.

You can configure DFS trigger parameters only when the sensitivity mode is custom.

Procedure

To set the DFS sensitivity mode in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enter RRM view.

rrm

N/A

5.       Set the DFS sensitivity mode.

calibrate-channel self-decisive sensitivity { custom | high | low | medium }

By default, the configuration in AP group RRM view is used.

 

To set the DFS sensitivity mode in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Set the DFS sensitivity mode.

calibrate-channel self-decisive sensitivity { custom | high | low | medium }

By default, the DFS sensitivity mode is custom.

 

Configuring DFS trigger parameters

Restrictions and guidelines

As a best practice for accurate channel adjustment, configure the same DFS trigger parameters for all radios enabled with DFS.

You can configure DFS trigger parameters only when the DFS sensitivity mode is custom.

Procedure

To configure DFS trigger parameters in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enter RRM view.

rrm

N/A

5.       Set the CRC error threshold.

crc-error-threshold percent

By default, the configuration in AP group RRM view is used.

6.       Set the interference threshold.

interference-threshold percent

By default, the configuration in AP group RRM view is used.

7.       Set the tolerance level.

tolerance-level percent

By default, the configuration in AP group RRM view is used.

 

To configure DFS trigger parameters in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Set the CRC error threshold.

crc-error-threshold percent

By default, the CRC error threshold is 20.

7.       Set the interference threshold.

interference-threshold percent

By default, the interference threshold is 50.

8.       Set the tolerance level.

tolerance-level percent

By default, the tolerance level is 20.

 

Configuring periodic auto-DFS

Restrictions and guidelines

For wireless service stability, you can configure DFS suppression to suppress periodic auto-DFS when the online client quantity reaches the specified threshold.

Procedure

To configure periodic auto-DFS in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Set the channel calibration interval.

wlan rrm calibration-channel interval minutes

By default, the channel calibration interval is 8 minutes.

3.       Enter AP view.

wlan ap ap-name

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Enable auto-DFS.

calibrate-channel self-decisive enable

By default, the configuration in AP group RRM view is used.

7.       Set the auto-DFS mode to periodic.

calibrate-channel mode periodic

By default, the configuration in AP group RRM view is used.

8.       (Optional.) Configure DFS suppression.

calibrate-channel suppression { disable | enable [ client-number number ] }

By default, the configuration in AP group RRM view is used.

 

To configure periodic auto-DFS in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Set the channel calibration interval.

wlan rrm calibration-channel interval minutes

By default, the channel calibration interval is 8 minutes.

3.       Enter AP group view.

wlan ap-group group-name

N/A

4.       Enter AP model view.

ap-model ap-model

N/A

5.       Enter radio view.

radio radio-id

N/A

6.       Enter RRM view.

rrm

N/A

7.       Enable auto-DFS.

calibrate-channel self-decisive enable

By default, auto-DFS is disabled.

8.       Set the auto-DFS mode to periodic.

calibrate-channel mode periodic

By default, the auto-DFS mode is periodic.

9.       (Optional.) Configure DFS suppression.

calibrate-channel suppression { disable | enable [ client-number number ] }

By default, DFS suppression is disabled.

 

Configuring scheduled auto-DFS

About configuring scheduled auto-DFS

Scheduled auto-DFS enables the AC to collect statistics to generate channel reports and neighbor reports within the specified time range.

Restrictions and guidelines

Perform the following tasks to configure scheduled auto-DFS:

1.        Create a time range.

2.        Configure a job and schedule.

a.    Create a job and assign commands to the job.

b.    Create a schedule and assign the job, a user role, and an execution time to the schedule.

3.        Enable auto-DFS.

4.        Set the auto-DFS mode to scheduled.

5.        Specify a time range for channel monitoring. For more information about creating a time range, see time range in ACL and QoS Configuration Guide.

Procedure

To configure scheduled auto-DFS in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a time range.

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

By default, no time range exists.

3.       Create a job and enter its view.

scheduler job job-name

By default, no job exists.

4.       Assign commands to the job.

command 1 system-view

command 2 wlan ap ap-name [ model model-name ]

command 3 radio radio-id

command 4 rrm

command 5 calibrate-channel pronto

By default, no command is assigned to a job.

5.       Return to system view.

quit

N/A

6.       Create a schedule and enter its view.

scheduler schedule schedule-name

By default, no schedule exists.

7.       Assign a job to the schedule.

job job-name

By default, no job is assigned to a schedule.

8.       Assign a user role to the schedule.

user-role role-name

By default, the user role of the schedule creator is assigned to the schedule.

9.       Specify an execution date and time for the schedule.

time at time date

Execute one of the three commands.

By default, no execution time is specified for a schedule.

10.     Specify one or more execution days and the execution time for the schedule.

time once at time [ month-date month-day | week-day week-day&<1-7> ]

11.     Specify the delay time for executing the schedule.

time once delay time

12.     Return to system view.

quit

N/A

13.     Enter AP view.

wlan ap ap-name

N/A

14.     Enter radio view.

radio radio-id

N/A

15.     Enter RRM view.

rrm

N/A

16.     Enable auto-DFS.

calibrate-channel self-decisive enable

By default, the configuration in AP group RRM view is used.

17.     Set the auto-DFS mode to scheduled.

calibrate-channel mode scheduled

By default, the configuration in AP group RRM view is used.

18.     Specify a time range for channel monitoring.

calibrate-channel monitoring time-range time-range-name

By default, the configuration in AP group RRM view is used.

 

To configure scheduled auto-DFS in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a time range.

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

By default, no time range exists.

3.       Create a job and enter its view.

scheduler job job-name

By default, no job exists.

4.       Assign commands to the job.

command 1 system-view

command 2 wlan ap-group group-name

command 3 ap-model ap-model

command 4 radio radio-id

command 5 rrm

command 6 calibrate-channel pronto

By default, no command is assigned to a job.

5.       Return to system view.

quit

N/A

6.       Create a schedule and enter its view.

scheduler schedule schedule-name

By default, no schedule exists.

7.       Assign a job to the schedule.

job job-name

By default, no job is assigned to a schedule.

8.       Assign a user role to the schedule.

user-role role-name

By default, the user role of the schedule creator is assigned to the schedule.

9.       Specify an execution date and time for the schedule.

time at time date

Execute one of the three commands.

By default, no execution time is specified for a schedule.

10.     Specify one or more execution days and the execution time for the schedule.

time once at time [ month-date month-day | week-day week-day&<1-7> ]

11.     Specify the delay time for executing the schedule.

time once delay time

12.     Return to system view.

quit

N/A

13.     Enter AP group view.

wlan ap-group group-name

N/A

14.     Enter AP model view.

ap-model ap-model

N/A

15.     Enter radio view.

radio radio-id

N/A

16.     Enter RRM view.

rrm

N/A

17.     Enable auto-DFS.

calibrate-channel self-decisive enable

By default, auto-DFS is disabled.

18.     Set the auto-DFS mode to scheduled.

calibrate-channel mode scheduled

By default, the auto-DFS mode is periodic.

19.     Specify a time range for channel monitoring.

calibrate-channel monitoring time-range time-range-name

By default, no time range is specified for channel monitoring.

 

Configuring on-demand DFS

Restrictions and guidelines

This feature consumes system resources. Use it with caution.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable on-demand DFS for radios of all APs.

wlan calibrate-channel pronto ap all

N/A

3.       (Optional.) Set the channel calibration interval.

wlan rrm calibration-channel interval minutes

By default, the channel calibration interval is 8 minutes.

 

Configuring an RRM holddown group

About RRM holddown groups

To prevent frequent channel adjustments from affecting wireless services, you can add the specified radios to an RRM holddown group. Each time the channel of a radio in the RRM holddown group changes, the system starts a channel holddown timer for the radio. The channel for the radio does not change until the channel holddown timer expires.

If you execute on-demand DFS, the system performs DFS when the calibration interval expires regardless of whether the channel holddown time expires.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an RRM holddown group and enter its view.

wlan rrm-calibration-group group-id

By default, no RRM holddown group exists.

3.       (Optional.) Set a description for the RRM holddown group.

description text

By default, no description is set for the RRM holddown group.

4.       Add a radio to the RRM holddown group.

ap ap-name radio radio-id

By default, no radio exists in the RRM holddown group.

5.       (Optional.) Set the channel holddown time.

channel holddown-time minutes

By default, the channel holddown time is 720 minutes.

 

Configuring TPC

About TPC

The AC supports the following TPC methods:

·          Periodic auto-TPC—The AC automatically performs TPC for a radio at the power calibration interval.

·          On-demand TPC—The AC waits for a power calibration interval and then performs TPC for all radios. You must perform this task every time you want the AC to perform TPC for radios.

Configuration prerequisites

Make sure the power lock feature is disabled before configuring TPC. For more information about power lock, see "Configuring radio management."

Setting the TPC mode

About TPC modes

The AC supports the density, coverage, and custom TPC modes. To avoid interference among APs, use the density mode. To increase signal coverage performance, use the coverage mode. If these two modes cannot meet your network requirements, use the custom mode to customize power adjustment settings.

Restrictions and guidelines

In either density or coverage mode, power adjustment settings are defined by the system and cannot be changed.

Procedure

To set the TPC mode in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enter RRM view.

rrm

N/A

5.       Set the TPC mode.

calibrate-power mode { coverage | custom | density }

By default, the configuration in AP group RRM view is used.

 

To set the TPC mode in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Set the TPC mode.

calibrate-power mode { coverage | custom | density }

By default, the TPC mode is custom.

 

Configuring TPC trigger parameters

Restrictions and guidelines

The adjacency factor and power adjustment threshold determine TPC for a radio. The adjacency factor defines the quantity of manageable detected radios that trigger TPC and the ranking of the RSSI used for comparison with the power adjustment threshold. Set an appropriate adjacency factor as needed.

As a best practice for accurate power adjustment, configure the same TPC trigger parameters for all radios enabled with TPC.

Procedure

To configure TPC trigger parameters in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enter RRM view.

rrm

N/A

5.       Set the adjacency factor.

adjacency-factor neighbor

By default, the configuration in AP group RRM view is used.

6.       Set the power adjustment threshold.

calibrate-power threshold value

By default, the configuration in AP group RRM view is used.

7.       Specify the type of radios to participate in TPC calculation.

adjacency-factor radio-selection { all-channel | overlapping-channel }

By default, the configuration in AP group RRM view is used.

 

To configure TPC trigger parameters in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Set the adjacency factor.

adjacency-factor neighbor

By default, the adjacency factor is 3.

7.       Set the power adjustment threshold.

calibrate-power threshold value

By default, the power adjustment threshold is 65 dBm.

8.       Specify the type of radios to participate in TPC calculation.

adjacency-factor radio-selection { all-channel | overlapping-channel }

By default, all-channel radios participate in TPC calculation.

 

Setting the minimum transmit power

About the minimum transmit power

This feature ensures that a radio can still be detected after TPC is performed.

Procedure

To set the minimum transmit power in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enter RRM view.

rrm

N/A

5.       Set the minimum transmit power.

calibrate-power min tx-power

By default, the configuration in AP group RRM view is used.

 

To set the minimum transmit power in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Set the minimum transmit power.

calibrate-power min tx-power

By default, the minimum transmit power is 1 dBm.
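The two sections above ("Configuring TPC trigger parameters" and "Setting the minimum transmit power") describe the decision rule in words. The following Python model is an added example, not H3C code: it encodes the rule as the page states it (the adjacency factor is both the number of detected manageable radios needed before TPC triggers and the RSSI rank that is compared with the power adjustment threshold), filters detected radios by the radio-selection setting, and clamps the result at the minimum transmit power. The direction of adjustment follows the verification bullets in the periodic auto-TPC example later in this chapter (power goes up when the detected signal is below the threshold, down when above). The Detection class, the channel-overlap rule, the 1 dB step, the assumed 20 dBm ceiling, and the "larger value = stronger signal" unit convention are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RrmTpcConfig:
    """TPC trigger parameters from RRM view (defaults as stated on the page)."""
    adjacency_factor: int = 3              # adjacency-factor neighbor
    threshold: int = 65                    # calibrate-power threshold value
    radio_selection: str = "all-channel"   # or "overlapping-channel"
    min_tx_power: int = 1                  # calibrate-power min tx-power
    max_tx_power: int = 20                 # assumed radio ceiling, not a page value
    step_db: int = 1                       # assumed size of one adjustment


@dataclass
class Detection:
    """A manageable radio that detected ours: its channel and the strength
    at which it hears us (same units as the threshold; an assumption)."""
    ap: str
    channel: int
    signal: int


def channels_overlap(a: int, b: int) -> bool:
    """Simplified overlap rule (assumption): 2.4 GHz channels overlap when
    fewer than 5 apart; elsewhere only an identical channel overlaps."""
    if a <= 14 and b <= 14:
        return abs(a - b) < 5
    return a == b


def tpc_decision(cfg: RrmTpcConfig, own_channel: int, current_power: int,
                 detections: List[Detection]) -> Tuple[str, int]:
    """Return (action, new_power) for one TPC run on one radio.

    action is 'no-trigger' (fewer detected radios than the adjacency factor),
    'increase', 'decrease', or 'hold' (the clamp or threshold left power as is).
    """
    if cfg.radio_selection == "overlapping-channel":
        candidates = [d for d in detections if channels_overlap(own_channel, d.channel)]
    else:
        candidates = list(detections)

    # The adjacency factor is the quantity of detected radios that triggers TPC.
    if len(candidates) < cfg.adjacency_factor:
        return "no-trigger", current_power

    # It is also the RSSI rank compared with the threshold: take the
    # adjacency-factor-th strongest detection.
    ranked = sorted((d.signal for d in candidates), reverse=True)
    reference = ranked[cfg.adjacency_factor - 1]

    if reference < cfg.threshold:
        new_power = min(cfg.max_tx_power, current_power + cfg.step_db)
    elif reference > cfg.threshold:
        new_power = max(cfg.min_tx_power, current_power - cfg.step_db)
    else:
        new_power = current_power

    if new_power > current_power:
        return "increase", new_power
    if new_power < current_power:
        return "decrease", new_power
    return "hold", current_power
```

Because the reference RSSI is the N-th strongest detection rather than the strongest, a single close neighbor cannot by itself drive a radio's power down; that is why the page recommends the same trigger parameters on every TPC-enabled radio.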

 

Configuring periodic auto-TPC

To configure periodic auto-TPC in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Set the power calibration interval.

wlan rrm calibration-power interval minutes

By default, the power calibration interval is 8 minutes.

3.       Enter AP view.

wlan ap ap-name

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Enable periodic auto-TPC.

calibrate-power self-decisive enable

By default, the configuration in AP group RRM view is used.

 

To configure periodic auto-TPC in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Set the power calibration interval.

wlan rrm calibration-power interval minutes

By default, the power calibration interval is 8 minutes.

3.       Enter AP group view.

wlan ap-group group-name

N/A

4.       Enter AP model view.

ap-model ap-model

N/A

5.       Enter radio view.

radio radio-id

N/A

6.       Enter RRM view.

rrm

N/A

7.       Enable periodic auto-TPC.

calibrate-power self-decisive enable

By default, periodic auto-TPC is disabled.

Configuring on-demand TPC

Restrictions and guidelines

This feature consumes system resources. Use it with caution.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable on-demand TPC for radios of all APs.

wlan calibrate-power pronto ap all

N/A

3.       (Optional.) Set the power calibration interval.

wlan rrm calibration-power interval minutes

By default, the power calibration interval is 8 minutes.

 

Configuring an RRM holddown group

About RRM holddown groups

To prevent frequent power adjustments from affecting wireless services, you can add the specified radios to an RRM holddown group. Each time the power of a radio in the RRM holddown group changes, the system starts a power holddown timer for the radio. The power for the radio does not change until the power holddown timer expires.

If you execute on-demand DFS, the system performs DFS when the calibration interval expires regardless of whether the power holddown time expires.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an RRM holddown group and enter its view.

wlan rrm-calibration-group group-id

By default, no RRM holddown group exists.

3.       (Optional.) Set a description for the RRM holddown group.

description text

By default, no description is set for the RRM holddown group.

4.       Add a radio to the RRM holddown group.

ap ap-name radio radio-id

By default, no radio exists in the RRM holddown group.

5.       (Optional.) Set the power holddown time.

power holddown-time minutes

By default, the power holddown time is 60 minutes.
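The two "Configuring an RRM holddown group" sections in this chapter (the channel holddown under DFS and the power holddown under TPC) describe the same timer behaviour. The following Python model is an added example, not H3C code: it keeps one holddown timer per radio and per adjustment kind, refuses a periodic adjustment until the timer started by the previous change has expired, and lets an on-demand (pronto) calibration bypass the timer, as the page states. The defaults (720 minutes for channel, 60 for power) are the page's; the event tuple layout and the simulate helper are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults stated on the page: channel holddown 720 minutes, power holddown 60.
DEFAULT_HOLDDOWN = {"channel": 720, "power": 60}


@dataclass
class HolddownGroup:
    """One RRM holddown group (wlan rrm-calibration-group group-id)."""
    group_id: int
    description: str = ""
    holddown: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_HOLDDOWN))
    # (ap-name, radio-id) -> minute of the last channel / power change
    radios: Dict[Tuple[str, int], Dict[str, Optional[int]]] = field(default_factory=dict)

    def add_radio(self, ap_name: str, radio_id: int) -> None:
        """ap ap-name radio radio-id"""
        self.radios[(ap_name, radio_id)] = {"channel": None, "power": None}

    def set_holddown(self, kind: str, minutes: int) -> None:
        """channel holddown-time minutes / power holddown-time minutes"""
        if kind not in DEFAULT_HOLDDOWN:
            raise ValueError(f"unknown holddown kind {kind!r}")
        self.holddown[kind] = minutes

    def may_adjust(self, ap_name: str, radio_id: int, kind: str,
                   now: int, on_demand: bool = False) -> bool:
        """True if a `kind` ('channel' or 'power') adjustment is allowed at
        minute `now`. Radios outside the group are never held down, and an
        on-demand calibration ignores the timer (page: regardless of whether
        the holddown time expires)."""
        key = (ap_name, radio_id)
        if key not in self.radios or on_demand:
            return True
        last = self.radios[key][kind]
        if last is None:
            return True                      # no change yet, so no running timer
        return now - last >= self.holddown[kind]

    def record_adjust(self, ap_name: str, radio_id: int, kind: str, now: int) -> None:
        """Each time the channel or power changes, the timer is (re)started."""
        key = (ap_name, radio_id)
        if key in self.radios:
            self.radios[key][kind] = now


def simulate(events: List[Tuple[int, str, int, str, bool]],
             group: HolddownGroup) -> List[int]:
    """Apply (minute, ap-name, radio-id, kind, on_demand) calibration attempts
    in order and return the minutes at which a change was actually applied."""
    applied = []
    for now, ap, radio, kind, on_demand in events:
        if group.may_adjust(ap, radio, kind, now, on_demand):
            group.record_adjust(ap, radio, kind, now)
            applied.append(now)
    return applied
```

Note that an on-demand calibration that changes the channel restarts the holddown timer like any other change, so it postpones the next periodic adjustment rather than shortening the protection window.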

 

Configuring spectrum management

Enabling spectrum management

Restrictions and guidelines

This feature is available only for 5 GHz radios.

Procedure

To enable spectrum management in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable spectrum management.

spectrum-management enable

By default, the configuration in AP group radio view is used.

 

To enable spectrum management in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Specify an AP model.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enable spectrum management.

spectrum-management enable

By default, spectrum management is disabled.

 

Setting the power constraint mode

About power constraint modes

This feature enables a radio to restrict the transmit power of its associated clients to avoid interference with other wireless devices. Upon receiving a beacon frame or probe response that contains the power constraint value from the radio, a client uses its new local maximum transmit power to transmit traffic. The new local maximum transmit power is the maximum transmit power level specified for the channel minus the power constraint value.

You can set the following power constraint modes for a radio:

·          Manual—You specify a power constraint value.

·          Auto—The radio automatically calculates the power constraint value.

Restrictions and guidelines

This feature is available only for 5 GHz radios.

Power constraint takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource measurement, see "Configuring WLAN radio resource measurement."

Procedure

To set the power constraint mode in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the power constraint mode.

power-constraint mode { auto [ anpi-interval anpi-interval-value ] | manual power-constraint }

By default, the configuration in AP group radio view is used.

 

To set the power constraint mode in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Specify an AP model.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the power constraint mode.

power-constraint mode { auto [ anpi-interval anpi-interval-value ] | manual power-constraint }

By default, the power constraint mode is auto.

 

Setting the channel switch mode

About setting the channel switch mode

This feature enables a radio to send a channel switch announcement to the associated clients when the radio is changing to a new channel. The announcement contains the new channel number and information about whether the clients can continue sending frames.

Restrictions and guidelines

This feature is available only for 5 GHz radios.

Procedure

To set the channel switch mode in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the channel switch mode.

channel-switch mode { continuous | suspend }

By default, the configuration in AP group radio view is used.

 

To set the channel switch mode in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Specify an AP model.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the channel switch mode.

channel-switch mode { continuous | suspend }

By default, the channel switch mode is suspend. Online clients stop sending frames during channel switch.

 

Setting the transmit power capability match mode

About transmit power capability match modes

This feature allows clients to associate with a radio based on the predefined match criteria. Transmit power capability refers to the minimum and maximum powers with which a client and a radio can transmit frames in the current channel. The device supports the following client power capability match modes:

·          All—A client is allowed to associate with a radio only when each of its transmit power capabilities matches each of the radio's transmit power capabilities.

·          None—Client transmit power capabilities are not checked.

·          Partial—A client is allowed to associate with a radio as long as one of its transmit power capabilities matches any transmit power capabilities of the radio.

Restrictions and guidelines

The transmit power capability match mode takes effect only when you enable spectrum management or radio resource measurement. For more information about radio resource measurement, see "Configuring WLAN radio resource measurement."

Procedure

To set the transmit power capability match mode in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the transmit power capability match mode.

power-capability mode { all | none | partial }

By default, the configuration in AP group radio view is used.

 

To set the transmit power capability match mode in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Specify an AP model.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the power capability match mode.

power-capability mode { all | none | partial }

By default, client transmit power capabilities are not checked.

 

Setting the channel capability match mode

About channel capability match modes

This feature allows clients to associate with a radio based on the predefined match criteria. Channel capability refers to the channels a client and a radio each support. The device provides the following client channel capability match modes:

·          All—A client is allowed to associate with a radio only when each of its supported channels matches each of the radio's supported channels.

·          None—Client channel capabilities are not checked.

·          Partial—A client is allowed to associate with a radio as long as one of its supported channels matches any supported channels of the radio.

Restrictions and guidelines

This feature is available only for 5 GHz radios.

Procedure

To set the client channel capability match mode in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Set the client channel capability match mode.

channel-capability mode { all | none | partial }

By default, the configuration in AP group radio view is used.

 

To set the client channel capability match mode in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Specify an AP model.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Set the channel capability match mode.

channel-capability mode { all | none | partial }

By default, client channel capabilities are not checked.
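The power constraint, transmit power capability match mode and channel capability match mode sections above each describe a small admission rule. The following Python model is an added example, not H3C code, that puts the three together: the client's new local maximum is the channel maximum minus the constraint value (and only when spectrum management or radio resource measurement is enabled), and the all / none / partial modes are applied to the client's and radio's advertised capabilities. "Match" is interpreted here as equality of the advertised values (min and max power compared position by position, channels compared as sets); that interpretation, the sample capabilities and the channel maximum are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Capability:
    """What a client or radio advertises for the current channel."""
    power: Tuple[int, int]        # (minimum, maximum) transmit power in dBm
    channels: FrozenSet[int]      # supported channels


def local_max_tx_power(channel_max_power: int, power_constraint: int,
                       spectrum_management: bool = True,
                       rrm_measurement: bool = False) -> int:
    """New local maximum a client derives from the power constraint element.
    The constraint is only carried when spectrum management or radio
    resource measurement is enabled; otherwise the channel maximum stands."""
    if not (spectrum_management or rrm_measurement):
        return channel_max_power
    return channel_max_power - power_constraint


def power_capability_ok(mode: str, client: Capability, radio: Capability) -> bool:
    """power-capability mode { all | none | partial }"""
    if mode == "none":
        return True
    min_match = client.power[0] == radio.power[0]
    max_match = client.power[1] == radio.power[1]
    if mode == "all":
        return min_match and max_match
    if mode == "partial":
        return min_match or max_match
    raise ValueError(f"unknown power capability match mode {mode!r}")


def channel_capability_ok(mode: str, client: Capability, radio: Capability) -> bool:
    """channel-capability mode { all | none | partial }"""
    if mode == "none":
        return True
    if mode == "all":
        return client.channels <= radio.channels      # every client channel supported
    if mode == "partial":
        return bool(client.channels & radio.channels)  # at least one in common
    raise ValueError(f"unknown channel capability match mode {mode!r}")


def may_associate(client: Capability, radio: Capability,
                  power_mode: str = "none", channel_mode: str = "none") -> bool:
    """Admission decision for one client; both modes default to none, as on the page."""
    return (power_capability_ok(power_mode, client, radio)
            and channel_capability_ok(channel_mode, client, radio))
```

With the page's default of none for both modes every client passes these checks; tightening a mode to all rejects clients whose advertised capabilities do not line up with the radio's, which is the behaviour the spectrum management example at the end of this chapter configures.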

 

Configuring a radio baseline

About radio baselines

A radio baseline saves the working channel, transmit rate, and other radio attributes for radios. You can create a radio baseline by saving the current radio settings and apply the baseline to use these settings as needed.

A radio baseline is saved in a .csv file in the file system on the AC.

A radio baseline cannot be applied to a radio when one of the following conditions is met:

·          The radio is down.

·          No service template is bound to the radio or the bound service template is disabled.

·          The channel in the baseline is illegal.

·          The radio uses a manually specified channel.

·          The working channel or the transmit power of the radio is locked.

·          The channel or power holddown timer for the radio has not expired.

·          The channel in the baseline does not match the specified channel gap.

·          The transmit power in the baseline is lower than the specified minimum transmit power for the radio.

·          The transmit power in the baseline is higher than the specified maximum transmit power for the radio.

·          The radio mode, location identifier, or bandwidth in the baseline does not match the radio mode, location identifier, or bandwidth of the radio.

Procedure

Step

Command

1.       Enter system view.

system-view

2.       Create a radio baseline by saving the current radio settings.

wlan rrm baseline save name baseline-name { ap ap-name [ radio radio-id ] | ap-group group-name [ ap-model ap-model ] [ radio radio-id ] | global }

3.       Apply the baseline.

wlan rrm baseline apply name baseline-name

4.       (Optional.) Delete a radio baseline.

wlan rrm baseline remove name baseline-name
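The "About radio baselines" list above is a complete set of conditions under which the AC refuses to apply a baseline to a radio. The following Python model is an added example, not H3C code: it parses a constructed baseline file and reports every blocking condition from that list for a given radio state. The page only says a baseline is stored as a .csv file on the AC, so the column layout, the field names of RadioState, the channel-gap interpretation (the baseline channel must be at least the gap away from channels in use nearby) and the sample values are all assumptions of this example.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline content; the column layout is assumed, not the AC's format.
SAMPLE_BASELINE_CSV = """ap,radio,mode,location,bandwidth,channel,power
ap1,1,dot11ac,floor2,80,36,15
ap2,1,dot11ac,floor2,80,149,20
ap3,1,dot11ac,floor2,80,100,30
"""


@dataclass
class RadioState:
    """Current state of one radio as the checks below need it (assumed fields)."""
    ap: str
    radio: int
    up: bool = True
    service_template_bound: bool = True
    service_template_enabled: bool = True
    legal_channels: frozenset = frozenset({36, 40, 44, 48, 149, 153, 157, 161})
    manual_channel: bool = False
    channel_locked: bool = False
    power_locked: bool = False
    channel_holddown_active: bool = False
    power_holddown_active: bool = False
    channel_gap: Optional[int] = None     # required spacing from neighbor channels
    neighbor_channels: tuple = ()         # channels in use by nearby radios
    min_tx_power: int = 1
    max_tx_power: int = 20
    mode: str = "dot11ac"
    location: str = "floor2"
    bandwidth: int = 80


@dataclass
class BaselineEntry:
    ap: str
    radio: int
    mode: str
    location: str
    bandwidth: int
    channel: int
    power: int


def parse_baseline(text: str) -> List[BaselineEntry]:
    """Read the constructed .csv layout into entries."""
    rows = csv.DictReader(io.StringIO(text))
    return [BaselineEntry(r["ap"], int(r["radio"]), r["mode"], r["location"],
                          int(r["bandwidth"]), int(r["channel"]), int(r["power"]))
            for r in rows]


def apply_blockers(entry: BaselineEntry, radio: RadioState) -> List[str]:
    """Return the page's 'cannot be applied' conditions that hold for this radio
    (empty list means the baseline entry may be applied)."""
    reasons = []
    if not radio.up:
        reasons.append("radio is down")
    if not (radio.service_template_bound and radio.service_template_enabled):
        reasons.append("no enabled service template bound")
    if entry.channel not in radio.legal_channels:
        reasons.append("baseline channel is illegal")
    if radio.manual_channel:
        reasons.append("radio uses a manually specified channel")
    if radio.channel_locked or radio.power_locked:
        reasons.append("channel or power is locked")
    if radio.channel_holddown_active or radio.power_holddown_active:
        reasons.append("holddown timer has not expired")
    if radio.channel_gap is not None and any(
            abs(entry.channel - c) < radio.channel_gap for c in radio.neighbor_channels):
        reasons.append("baseline channel does not match the channel gap")
    if entry.power < radio.min_tx_power:
        reasons.append("baseline power below minimum transmit power")
    if entry.power > radio.max_tx_power:
        reasons.append("baseline power above maximum transmit power")
    if (entry.mode, entry.location, entry.bandwidth) != (radio.mode, radio.location, radio.bandwidth):
        reasons.append("mode, location identifier or bandwidth mismatch")
    return reasons


def check_all(entries: List[BaselineEntry],
              radios: Dict[Tuple[str, int], RadioState]) -> Dict[Tuple[str, int], List[str]]:
    """Evaluate every entry whose radio is known; unknown radios are skipped."""
    return {(e.ap, e.radio): apply_blockers(e, radios[(e.ap, e.radio)])
            for e in entries if (e.ap, e.radio) in radios}
```

Running the checks before applying a saved baseline, and recording the reasons, gives the same information that display wlan rrm baseline apply-history exposes after the fact.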

 

Enabling radio scanning

About radio scanning

This feature enables APs to scan the WLAN environment and report collected statistics to the AC at the specified interval. The AC uses the statistics to generate channel reports and neighbor reports.

To view the channel reports and neighbor reports, use the display wlan rrm-status ap command.

Restrictions and guidelines

This feature is automatically enabled if you have configured periodic auto-DFS, scheduled auto-DFS, or periodic auto-TPC.

Procedure

To enable radio scanning in RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enter RRM view.

rrm

N/A

5.       Enable radio scanning.

scan-only enable

By default, the configuration in AP group RRM view is used.

 

To enable radio scanning in AP group RRM view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enter RRM view.

rrm

N/A

6.       Enable radio scanning.

scan-only enable

By default, radio scanning is disabled.

 

Enabling SNMP notifications for WLAN RRM

About SNMP notifications for WLAN RRM

To report critical WLAN RRM events to an NMS, enable SNMP notifications for WLAN RRM. For WLAN RRM event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable SNMP notifications for WLAN RRM.

snmp-agent trap enable wlan rrm

By default, SNMP notifications are disabled for WLAN RRM.

 

Display and maintenance commands for WLAN RRM

Execute display commands in any view.

 

Task

Command

Display radio baseline information.

display wlan rrm baseline { all | name baseline-name } [ verbose ]

Display the history records of radio baseline application.

display wlan rrm baseline apply-history [ verbose ]

Display the channel and power adjustment history.

display wlan rrm-history ap { all | name ap-name }

Display WLAN RRM information.

display wlan rrm-status ap { all | name ap-name }

Display RRM holddown group information.

display wlan rrm-calibration-group { all | group-id }

 

WLAN RRM configuration examples

Example: Configuring periodic auto-DFS

Network requirements

As shown in Figure 76, configure periodic auto-DFS to adjust channels for radios of the APs when a channel adjustment trigger condition is met. Add radio 1 of AP 1 to an RRM holddown group to avoid frequent channel adjustments.

Figure 76 Network diagram

 

Configuration procedure

# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)

# Enable auto-DFS for AP ap1 and set the auto-DFS mode to periodic.

<AC> system-view

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rrm

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel self-decisive enable

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel mode periodic

# Configure DFS trigger parameters.

[AC-wlan-ap-ap1-radio-1-rrm] crc-error-threshold 20

[AC-wlan-ap-ap1-radio-1-rrm] interference-threshold 50

[AC-wlan-ap-ap1-radio-1-rrm] tolerance-level 20

[AC-wlan-ap-ap1-radio-1-rrm] quit

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create RRM holddown group 10.

[AC] wlan rrm-calibration-group 10

# Add radio 1 of AP ap1 to RRM holddown group 10.

[AC-wlan-rc-group-10] ap name ap1 radio 1

# Set the channel holddown time to 600 minutes.

[AC-wlan-rc-group-10] channel holddown-time 600

# Configure auto-DFS for AP 2 and AP 3 in the same way auto-DFS is configured for AP 1. (Details not shown.)

Verifying the configuration

# Execute the display wlan rrm-status ap all command. Verify that the working channels for radios of the APs change when a channel adjustment trigger condition is met and the calibration interval is reached. (Details not shown.)

Use the display wlan rrm-history ap all command to view the channel adjustment reason. (Details not shown.)

# Verify that the channel for radio 1 on AP 1 remains unchanged within 600 minutes after the first DFS. (Details not shown.)

Example: Configuring scheduled auto-DFS

Network requirements

As shown in Figure 77, configure scheduled auto-DFS to adjust channels for radios of the APs when a channel adjustment trigger condition is met.

Figure 77 Network diagram

 

Configuration procedure

# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)

# Create a time range.

<AC> system-view

[AC] time-range time1 from 15:20 2015/04/17 to 18:20 2015/04/17

# Create a job and assign commands to the job.

[AC] scheduler job calibratechannel

[AC-job-calibratechannel] command 1 system-view

[AC-job-calibratechannel] command 2 wlan ap ap1

[AC-job-calibratechannel] command 3 radio 1

[AC-job-calibratechannel] command 4 rrm

[AC-job-calibratechannel] command 5 calibrate-channel pronto

[AC-job-calibratechannel] quit

# Create a schedule and assign the job to the schedule.

[AC] scheduler schedule schedule1

[AC-schedule-schedule1] job calibratechannel

# Specify an execution date and time for the schedule.

[AC-schedule-schedule1] time at 20:20 2015/04/17

[AC-schedule-schedule1] quit

# Enable auto-DFS on AP ap1 and set the auto-DFS mode to scheduled.

[AC] wlan ap ap1

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rrm

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel self-decisive enable

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel mode scheduled

# Configure AP ap1 to perform channel monitoring during time range time1.

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-channel monitoring time-range time1

# Configure auto-DFS attributes.

[AC-wlan-ap-ap1-radio-1-rrm] crc-error-threshold 10

[AC-wlan-ap-ap1-radio-1-rrm] interference-threshold 40

[AC-wlan-ap-ap1-radio-1-rrm] tolerance-level 15

[AC-wlan-ap-ap1-radio-1-rrm] quit

# Configure auto-DFS for AP 2 and AP 3 in the same way auto-DFS is configured for AP 1. (Details not shown.)

Verifying the configuration

# Execute the display wlan rrm-status ap all command. Verify that the working channels for radios of the APs change when a channel adjustment trigger condition is met and the calibration interval is reached. (Details not shown.)

Use the display wlan rrm-history ap all command to view the channel adjustment reason. (Details not shown.)

Example: Configuring periodic auto-TPC

Network requirements

As shown in Figure 78, configure periodic auto-TPC and set the adjacency factor to 3 to enable the AC to perform periodic auto-TPC when AP 4 joins. Add radio 1 of AP 1 to an RRM holddown group to avoid frequent power adjustments.

Figure 78 Network diagram

 

Configuration procedure

# Establish a CAPWAP tunnel between the AC and each AP. For more information, see "Managing APs." (Details not shown.)

# Enable periodic auto-TPC for AP ap1.

<AC> system-view

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] rrm

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power self-decisive enable

# Configure TPC trigger parameters.

[AC-wlan-ap-ap1-radio-1-rrm] adjacency-factor 3

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power threshold 80

[AC-wlan-ap-ap1-radio-1-rrm] calibrate-power min 1

[AC-wlan-ap-ap1-radio-1-rrm] quit

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

# Create RRM holddown group 10.

[AC] wlan rrm-calibration-group 10

# Add radio 1 of AP ap1 to RRM holddown group 10.

[AC-wlan-rc-group-10] ap name ap1 radio 1

# Set the power holddown time to 100 minutes.

[AC-wlan-rc-group-10] power holddown-time 100

# Configure periodic auto-TPC for AP 2, AP 3, and AP 4 in the same way periodic auto-TPC is configured for AP 1. (Details not shown.)

Verifying the configuration

# Use the display wlan rrm-status ap all command to verify the following information:

·          AP 1 increases its transmit power when AP 4 detects that the power of AP 1 is lower than the power adjustment threshold.

·          AP 1 decreases its transmit power when AP 4 detects that the power of AP 1 is higher than the power adjustment threshold.

·          The adjusted power of AP 1 is not lower than the minimum transmit power (1 dBm in this example).

# Verify that the power of radio 1 on AP 1 remains unchanged within 100 minutes after the first TPC. (Details not shown.)

Example: Configuring spectrum management

Network requirements

As shown in Figure 79, configure spectrum management to restrict the transmit power of the client and allow the client to continue sending frames during channel switch.

Figure 79 Network diagram

 

Configuration procedure

# Enable spectrum management.

<AC> system-view

[AC] wlan ap officeap model WA2620-WiNet

[AC-wlan-ap-officeap] radio 1

[AC-wlan-ap-officeap-radio-1] spectrum-management enable

# Set the channel capability match mode to all.

[AC-wlan-ap-officeap-radio-1] channel-capability mode all

# Set the transmit power capability match mode to all.

[AC-wlan-ap-officeap-radio-1] power-capability mode all

# Set the power constraint mode to manual and set the power constraint value to 5 dBm.

[AC-wlan-ap-officeap-radio-1] power-constraint mode manual 5

# Set the channel switch mode to continuous.

[AC-wlan-ap-officeap-radio-1] channel-switch mode continuous

Verifying the configuration

# Execute the display wlan client command to verify that the client can successfully associate with the radio. (Details not shown.)


Configuring WLAN IP snooping

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN IP snooping

WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, ND, and HTTP packets and generate snooping entries that record client IP address, MAC address, and learning method. The entries will be used by AAA for 802.1X and MAC authentication client accounting or by IP Source Guard to determine whether to forward client packets. For more information about IP Source Guard, see Security Configuration Guide.

In an AP+AC network, APs report snooping entries to the AC.

Client IPv4 address learning

An AP learns client IPv4 addresses by using the following methods:

·          Snooping ARP packets sent by clients.

For more information about ARP, see Layer 3—IP Services Configuration Guides.

·          Snooping DHCPv4 packets exchanged between client and server.

For more information about DHCP, see Layer 3—IP Services Configuration Guides.

·          Snooping HTTP requests redirected to the portal server.

For more information about portal authentication, see Security Configuration Guides.

The IPv4 learning methods are prioritized in descending order as follows: DHCPv4 packets (highest), ARP packets, and HTTP requests (lowest).

Client IPv6 address learning

An AP learns client IPv6 addresses by using the following methods:

·          Snooping DHCPv6 packets exchanged between client and server.

For more information about DHCPv6, see Layer 3—IP Services Configuration Guides.

·          Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.

For more information about ND, see Layer 3—IP Services Configuration Guides.

·          Snooping HTTP requests redirected to the portal server.

For more information about portal authentication, see Security Configuration Guides.

The IPv6 learning methods are prioritized in descending order as follows: DHCPv6 packets (highest), ND packets, and HTTP requests (lowest).
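The learning methods and priorities just described, as an added example that is not code from the H3C guide: a Python model of an AP's snooping table that decodes constructed ARP and DHCPv4 ACK frames, records (IP, MAC, learning method) entries, applies the stated priorities, and models the snmp-nd-report option from "Disabling SNMP from getting client IPv6 addresses learned from ND packets". The conflict rule (a lower-priority method never overwrites a binding learned by a higher-priority one) and the choice of the DHCPACK as the message the AP learns from are assumptions, as are all addresses and MACs.

```python
"""Added example (not H3C code): a model of the AP's WLAN IP snooping table.
Constructed ARP and DHCPv4 ACK frames are decoded as a snooping AP would decode
them, each binding is stored as (IP, MAC, learning method) and the priorities
from the text apply (DHCPv4 > ARP > HTTP, DHCPv6 > ND > HTTP). Assumption: a
method never overwrites a binding learned by a higher-priority method."""
import struct
from collections import namedtuple
from ipaddress import ip_address

PRIORITY = {"dhcpv4": 3, "arp": 2, "dhcpv6": 3, "nd": 2, "http": 1}
SnoopEntry = namedtuple("SnoopEntry", "ip mac method")

class SnoopingTable:
    def __init__(self, snmp_nd_report=True):
        self.entries = {}              # (mac, ip version) -> SnoopEntry
        self.snmp_nd_report = snmp_nd_report

    def learn(self, mac, ip, method):
        """Record a binding; return True if the table changed."""
        key = (mac.lower(), ip_address(ip).version)
        cur = self.entries.get(key)
        if cur is not None and PRIORITY[method] < PRIORITY[cur.method]:
            return False               # keep the higher-priority binding
        self.entries[key] = SnoopEntry(ip, mac.lower(), method)
        return True

    def lookup(self, mac, version=4):
        e = self.entries.get((mac.lower(), version))
        return (e.ip, e.method) if e else None

    def snmp_view(self):
        """Entries SNMP may read; ND-learned IPv6 entries are withheld when
        snmp-nd-report is disabled (undo client ipv6-snooping snmp-nd-report enable)."""
        return [e for e in self.entries.values()
                if self.snmp_nd_report or e.method != "nd"]

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (sender MAC, sender IPv4) from an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(frame[22:28]), str(ip_address(frame[28:32]))

def parse_dhcp_ack(frame):
    """Return (client MAC, yiaddr) from an Ethernet/IPv4/UDP DHCPACK, else None."""
    if len(frame) < 282 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                    # not IPv4-over-Ethernet carrying UDP
    udp = 14 + (frame[14] & 0x0F) * 4
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    dhcp = frame[udp + 8:]
    if dport != 68 or dhcp[0] != 2 or dhcp[236:240] != b"\x63\x82\x53\x63":
        return None                    # only a server-to-client BOOTREPLY counts
    i, msg_type = 240, None            # walk the options for type 53 == 5 (ACK)
    while i < len(dhcp) and dhcp[i] != 255:
        if dhcp[i] == 0:               # pad option carries no length byte
            i += 1
            continue
        if dhcp[i] == 53:
            msg_type = dhcp[i + 2]
        i += 2 + dhcp[i + 1]
    if msg_type != 5:
        return None
    return _mac(dhcp[28:34]), str(ip_address(dhcp[16:20]))

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed broadcast ARP request such as a client sends when it comes up."""
    smac = bytes.fromhex(src_mac.replace(":", ""))
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + smac
           + ip_address(src_ip).packed + b"\x00" * 6 + ip_address(target_ip).packed)
    return b"\xff" * 6 + smac + b"\x08\x06" + arp

def build_dhcp_ack(client_mac, yiaddr, server_ip):
    """Constructed DHCPACK from server to client; IP/UDP checksums left zero."""
    cmac = bytes.fromhex(client_mac.replace(":", ""))
    dhcp = (bytes([2, 1, 6, 0]) + b"\x00" * 12 + ip_address(yiaddr).packed
            + ip_address(server_ip).packed + b"\x00" * 4 + cmac + b"\x00" * 202
            + b"\x63\x82\x53\x63" + bytes([53, 1, 5, 255]))
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_address(server_ip).packed, ip_address(yiaddr).packed)
    return cmac + bytes.fromhex("00005e0053aa") + b"\x08\x00" + ip + udp

def demo():
    """One client seen through ARP, then DHCP, then a conflicting ARP, then ND."""
    t = SnoopingTable(snmp_nd_report=False)
    client = "00:00:5e:00:53:01"       # constructed client MAC
    t.learn(*parse_arp(build_arp_request(client, "10.1.1.50", "10.1.1.1")), "arp")
    # The DHCP lease outranks the ARP-learned address and replaces it.
    t.learn(*parse_dhcp_ack(build_dhcp_ack(client, "10.1.1.20", "10.1.1.1")), "dhcpv4")
    # A later ARP carrying a different address cannot displace the DHCP binding.
    changed = t.learn(*parse_arp(build_arp_request(client, "10.1.1.99", "10.1.1.1")), "arp")
    t.learn(client, "2001:db8::50", "nd")    # kept in the table, hidden from SNMP
    return t.lookup(client), changed, [e.ip for e in t.snmp_view()]
```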

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

WLAN IP snooping tasks at a glance

Tasks at a glance

(Optional.) Disabling snooping ARP packets

(Optional.) Disabling snooping DHCPv4 packets

(Optional.) Enabling snooping DHCPv6 packets

(Optional.) Enabling snooping ND packets

(Optional.) Disabling SNMP from getting client IPv6 addresses learned from ND packets

(Optional.) Enabling snooping HTTP requests redirected to the portal server

 

Disabling snooping ARP packets

About ARP packet snooping

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template and enter its view.

wlan service-template service-template-name

N/A

3.       Disable snooping ARP packets.

undo client ipv4-snooping arp-learning enable

By default, snooping ARP packets is enabled.

 

Disabling snooping DHCPv4 packets

About DHCPv4 packet snooping

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from DHCPv4 packets.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template and enter its view.

wlan service-template service-template-name

N/A

3.       Disable snooping DHCPv4 packets.

undo client ipv4-snooping dhcp-learning enable

By default, snooping DHCPv4 packets is enabled.

 

Enabling snooping DHCPv6 packets

About DHCPv6 packet snooping

By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from DHCPv6 packets.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template and enter its view.

wlan service-template service-template-name

N/A

3.       Enable snooping DHCPv6 packets.

client ipv6-snooping dhcpv6-learning enable

By default, snooping DHCPv6 packets is disabled.

 

Enabling snooping ND packets

About ND packet snooping

By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from ND packets.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template and enter its view.

wlan service-template service-template-name

N/A

3.       Enable snooping ND packets.

client ipv6-snooping nd-learning enable

By default, snooping ND packets is disabled.

 

Disabling SNMP from getting client IPv6 addresses learned from ND packets

About client IPv6 address obtaining for SNMP

By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. Perform this task to enable SNMP to obtain only client IPv6 addresses learned from DHCPv6 packets.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template and enter its view.

wlan service-template service-template-name

N/A

3.       Disable SNMP from getting client IPv6 addresses learned from ND packets.

undo client ipv6-snooping snmp-nd-report enable

By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets.

 

Enabling snooping HTTP requests redirected to the portal server

About HTTP requests redirected to the portal server

Before a client passes portal authentication, all of its HTTP requests are redirected to the portal server. Perform this task to enable an AP to snoop the redirected HTTP requests and learn client IPv4 addresses.

For more information about portal authentication, see portal in Security Configuration Guide.

Restrictions and guidelines

This feature can only be used to learn IP addresses of portal-authenticated clients.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a service template and enter its view.

wlan service-template service-template-name

N/A

3.       Enable snooping HTTP requests redirected to the portal server.

client ip-snooping http-learning enable

By default, snooping HTTP requests is disabled.

 

WLAN IP snooping configuration examples

Example: Configuring WLAN IP snooping

Network requirements

As shown in Figure 80, configure the AP to learn the client's IPv6 address from DHCPv6 packets.

Figure 80 Network diagram

 

Configuration procedure

# Configure wireless services. (Details not shown.)

For more information, see "Managing APs" and "Configuring WLAN access."

# Enable snooping DHCPv6 packets.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] client ipv6-snooping dhcpv6-learning enable


Configuring WLAN load balancing

The term "AC" in this document refers to MSR routers that can function as ACs.

This chapter assumes that an AP has only one radio enabled.

About WLAN load balancing

WLAN load balancing dynamically balances client load across APs to ensure wireless service quality and adequate bandwidth for clients in high-density WLANs.

Networking scheme

To configure WLAN load balancing among specific APs, the APs must be managed by the same AC, and the clients can discover the APs. As shown in Figure 81, AP 1, AP 2, and AP 3 are managed by the same AC. Load balancing is enabled on AP 1, AP 2, and AP 3. AP 3 has reached its maximum load. When Client 5 tries to associate with AP 3, the AC rejects the association request and directs Client 5 to AP 1 or AP 2.

Figure 81 Network diagram

 

Work mechanism

The AC performs load balancing when the following conditions are met:

·          The load of an AP reaches the threshold.

·          The load gap between the AP and the AP that has the lightest load reaches the load gap threshold.

When both the load and the load gap of the AP reach their respective thresholds, the AP rejects the association request of a client. If the number of times that the AP rejects the client reaches the specified maximum number of denials for association requests, the AP accepts the client's association request.

Load balancing modes

The AC supports session-mode, traffic-mode, and bandwidth-mode load balancing. It performs load balancing of a specific mode when the following conditions are met:

·          The specified session/traffic/bandwidth threshold is reached.

·          The specified session/traffic/bandwidth gap threshold is reached.

Session-mode load balancing

As shown in Figure 82, Client 1 associates with AP 1, and Client 2 through Client 4 associate with AP 2. The session threshold and session gap threshold are set to 3 and 2, respectively. When Client 5 tries to associate with AP 2, AP 2 rejects the request because both the session threshold and session gap threshold are reached.

Figure 82 Session-mode load balancing

 

Traffic-mode load balancing

As shown in Figure 83, Client 1 associates with AP 1, and Client 2 associates with AP 2. When the traffic of AP 1 and the traffic gap between AP 1 and AP 2 reach their respective thresholds, AP 1 rejects the association request from Client 3.

Figure 83 Traffic-mode load balancing

 

Bandwidth-mode load balancing

As shown in Figure 84, Client 1 associates with AP 1, and Client 2 associates with AP 2. When the bandwidth of AP 1 and the bandwidth gap between AP 1 and AP 2 reach their respective thresholds, AP 1 rejects the association request from Client 3.

Figure 84 Bandwidth-mode load balancing

 

Load balancing types

The AC supports the following load balancing types:

·          Radio based—The AC determines the APs that will participate in load balancing based on the neighbor reports of the APs. The neighbor report of an AP records the MAC address and RSSI value of each client that is detected by the AP. The AC determines that an AP will participate in load balancing when either of the following conditions is met:

◦  A client requests to associate with the AP.

◦  The AP detects that a client's RSSI has reached the RSSI threshold but the client does not request to associate with the AP.

·          Load balancing group based—You add the radios of desired APs to a load balancing group. The AC performs load balancing only on the radios in this load balancing group.

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

Restrictions and guidelines: WLAN load balancing configuration

When a client requests to access the WLAN, the system performs load balancing only among APs that are managed by the same AC and can be detected by the client.

WLAN load balancing tasks at a glance

Tasks at a glance

Remarks

(Required.) Enabling WLAN load balancing

N/A

(Required.) Setting a load balancing mode

N/A

(Optional.) Configuring a load balancing group

If you do not create any load balancing groups, the AC performs radio-based load balancing.

(Optional.) Configuring load balancing parameters

N/A

(Optional.) Enabling SNMP notifications for WLAN load balancing

N/A

 

Prerequisites for WLAN load balancing

Before you configure load balancing, make sure the quick association function is disabled. For more information about quick association, see "Enabling quick association."

Enabling WLAN load balancing

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable WLAN load balancing.

wlan load-balance enable

By default, WLAN load balancing is disabled.

 

Setting a load balancing mode

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set a load balancing mode.

·         Set session-mode load balancing:
wlan load-balance mode session value [ gap gap-value ]

·         Set traffic-mode load balancing:
wlan load-balance mode traffic value [ gap gap-value ]

·         Set bandwidth-mode load balancing:
wlan load-balance mode bandwidth value [ gap gap-value ]

By default, session-mode load balancing is used.

 

Configuring a load balancing group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a load balancing group and enter its view.

wlan load-balance group group-id

By default, no load balancing groups exist. The AC performs radio-based load balancing.

3.       Add a radio of an AP to the load balancing group.

ap name ap-name radio radio-id

By default, no radios exist in the load balancing group.

4.       (Optional.) Set a description for the load balancing group.

description text

By default, no description is set for the load balancing group.

 

Configuring load balancing parameters

About load balancing parameters

The following parameters affect load balancing calculation:

·          Load balancing RSSI threshold—If an AP detects that the RSSI of a client is lower than the specified RSSI threshold, the AP performs either of the following operations:

◦  If multiple APs can detect the client, the AP participates in load balancing only when the client requests to associate with the AP.

◦  If only this AP can detect the client, the AP decreases the maximum number of denials to 1 so that the client has more chances to associate with the AP.

·          Maximum number of denials for association requests—If the number of times that an AP rejects a client reaches the specified maximum number of denials for association requests, the AP accepts the association request of the client.
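The work mechanism and the parameters above, as an added example that is not part of the guide: a Python model of the per-request decision, covering the session, traffic and bandwidth modes, the gap threshold, the maximum number of denials, and both RSSI-threshold rules, exercised with the session scenario of Figure 82 and the traffic figures used in the configuration examples. How the RSSI rules combine with the set of participating radios is my reading of the text and an assumption; the radios and client identifiers are constructed.

```python
"""Added example (not H3C code): a model of the association decision described
above, with session, traffic (percent of the radio's maximum) and bandwidth
(Mbps) modes, the gap threshold, the maximum number of denials and the two
RSSI-threshold rules. Defaults (RSSI 25, 10 denials) are the page's; the radios
and clients are constructed."""
from dataclasses import dataclass, field


@dataclass
class Radio:
    name: str
    sessions: int = 0
    traffic_mbps: float = 0.0
    bandwidth_mbps: float = 0.0
    max_bandwidth_mbps: float = 150.0
    rssi_seen: dict = field(default_factory=dict)   # client id -> RSSI this radio hears


@dataclass
class LoadBalancer:
    mode: str                   # "session", "traffic" or "bandwidth"
    threshold: float
    gap: float
    rssi_threshold: int = 25
    access_denial: int = 10
    group: set = field(default_factory=set)     # radio names; empty = radio based
    denials: dict = field(default_factory=dict) # (client, radio) -> rejections so far

    def load(self, r):
        if self.mode == "session":
            return r.sessions
        if self.mode == "traffic":
            return 100.0 * r.traffic_mbps / r.max_bandwidth_mbps
        return r.bandwidth_mbps

    def participants(self, radios, client, target):
        """Radios balanced against each other for this client. Group based: the
        group members. Radio based: the radio the client asks for plus every
        radio that hears the client at or above the RSSI threshold (assumption)."""
        if self.group:
            return [r for r in radios if r.name in self.group]
        return [r for r in radios
                if r is target or r.rssi_seen.get(client, -1) >= self.rssi_threshold]

    def decide(self, radios, client, target):
        """Return 'accept' or 'reject' for client's association request to target."""
        peers = self.participants(radios, client, target)
        if target not in peers:
            return "accept"
        lightest = min(self.load(r) for r in peers)
        overloaded = (self.load(target) >= self.threshold
                      and self.load(target) - lightest >= self.gap)
        if not overloaded:
            return "accept"
        # Weak client (RSSI below threshold) that only this radio hears: one denial at most.
        limit = self.access_denial
        hears = [r for r in radios if client in r.rssi_seen]
        if target.rssi_seen.get(client, -1) < self.rssi_threshold and hears == [target]:
            limit = 1
        key = (client, target.name)
        if self.denials.get(key, 0) >= limit:       # denied often enough: let it in
            self.denials.pop(key, None)
            return "accept"
        self.denials[key] = self.denials.get(key, 0) + 1
        return "reject"


def demo_session():
    """Figure 82: threshold 3, gap 2; Client 5 (heard by both APs) asks AP 2."""
    ap1 = Radio("ap1", sessions=1, rssi_seen={"c5": 40})
    ap2 = Radio("ap2", sessions=3, rssi_seen={"c5": 40})
    lb = LoadBalancer("session", 3, 2)
    first = lb.decide([ap1, ap2], "c5", ap2)
    retries = [lb.decide([ap1, ap2], "c5", ap2) for _ in range(10)]  # client keeps trying
    return first, retries.count("reject"), retries[-1]


def demo_traffic():
    """Figure 83 with the examples' numbers: 150 Mbps radios, traffic 20 gap 10,
    both radios placed in one load balancing group."""
    ap1 = Radio("ap1", traffic_mbps=30, rssi_seen={"c3": 40})
    ap2 = Radio("ap2", traffic_mbps=0, rssi_seen={"c3": 40})
    lb = LoadBalancer("traffic", 20, 10, group={"ap1", "ap2"})
    busy = lb.decide([ap1, ap2], "c3", ap1)
    # A weak client that only AP 1 hears is denied once, then accepted.
    ap1.rssi_seen["c9"] = 10
    weak = [lb.decide([ap1, ap2], "c9", ap1) for _ in range(2)]
    return busy, weak
```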

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the RSSI threshold.

wlan load-balance rssi-threshold rssi-threshold

By default, the RSSI threshold is 25.

3.       Set the maximum number of denials for association requests.

wlan load-balance access-denial access-denial

By default, the maximum number of denials is 10 for association requests.

 

Enabling SNMP notifications for WLAN load balancing

About SNMP notifications for WLAN load balancing

To report critical WLAN load balancing events to an NMS, enable SNMP notifications for WLAN load balancing. For WLAN load balancing event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable SNMP notifications for WLAN load balancing.

snmp-agent trap enable wlan load-balance

By default, SNMP notifications for WLAN load balancing are disabled.

 

Display and maintenance commands for WLAN load balancing

Execute the display command in any view.

 

Task

Command

Display load balancing group information.

display wlan load-balance group { group-id | all }

Display load balancing information for radios that are bound to a service template.

display wlan load-balance status service-template template-name { client mac-address | group group-id }

 

WLAN load balancing configuration examples (on radios)

Example: Configuring session-mode load balancing

Network configuration

As shown in Figure 85, AP 1 and AP 2 are managed by the AC and the clients can discover the APs. Client 1 associates with AP 1, and Client 2 through Client 4 associate with AP 2.

Configure the AC to perform session-mode load balancing on AP 1 and AP 2 when the following conditions are met:

·          The number of sessions on one AP reaches 3.

·          The session gap between the APs reaches 2.

Figure 85 Network diagram

 

Procedure

# Create wireless service template 1, and set its SSID to session-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid session-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Set the load balancing mode to session mode, and set the session threshold and session gap threshold to 3 and 2, respectively.

[AC] wlan load-balance mode session 3 gap 2

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs session-mode load balancing for AP 1 and AP 2 when the following conditions are met:

·          The number of sessions on AP 2 reaches 3.

·          The session gap between the APs reaches 2. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Example: Configuring traffic-mode load balancing

Network configuration

As shown in Figure 86, AP 1 and AP 2 are managed by the AC and the clients can discover the APs. The maximum bandwidth for each AP is 150 Mbps.

Configure the AC to perform traffic-mode load balancing on AP 1 and AP 2 when the following conditions are met:

·          The traffic of one AP reaches 30 Mbps (20% of the maximum bandwidth).

·          The traffic gap between the APs reaches 15 Mbps (10% of the maximum bandwidth).

Figure 86 Network diagram

 

Procedure

# Create wireless service template 1, and set its SSID to traffic-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid traffic-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Set the load balancing mode to traffic mode, and set the traffic threshold and traffic gap threshold to 20% and 10%, respectively.

[AC] wlan load-balance mode traffic 20 gap 10

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs traffic-mode load balancing for AP 1 and AP 2 when the following conditions are met:

·          The traffic of AP 2 reaches 30 Mbps.

·          The traffic gap between the APs reaches 15 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Example: Configuring bandwidth-mode load balancing

Network configuration

As shown in Figure 87, AP 1 and AP 2 are managed by the AC and the clients can discover the APs.

Configure the AC to perform bandwidth-mode load balancing on AP 1 and AP 2 when the following conditions are met:

·          The bandwidth of one AP reaches 12 Mbps.

·          The bandwidth gap between the APs reaches 3 Mbps.

Figure 87 Network diagram

 

Procedure

# Create wireless service template 1, and set its SSID to bandwidth-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid bandwidth-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Set the load balancing mode to bandwidth mode, and set the bandwidth threshold and bandwidth gap threshold to 12 Mbps and 3 Mbps, respectively.

[AC] wlan load-balance mode bandwidth 12 gap 3

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs bandwidth-mode load balancing for AP 1 and AP 2 when the following conditions are met:

·          The bandwidth of AP 2 reaches 12 Mbps.

·          The bandwidth gap between the APs reaches 3 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

WLAN load balancing configuration examples (on a load balancing group)

Example: Configuring session-mode load balancing

Network configuration

As shown in Figure 88, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs. Client 1 associates with radio 2 of AP 1. Client 3 through Client 5 associate with radio 2 of AP 2.

Configure the AC to perform session-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·          The number of sessions on one radio reaches 3.

·          The session gap between the radios reaches 2.

Figure 88 Network diagram

 

Procedure

# Create wireless service template 1, and set its SSID to session-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid session-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Create AP template ap3, and specify the model and serial ID.

[AC] wlan ap ap3 model WA2620-WiNet

[AC-wlan-ap-ap3] serial-id 210235A29G007C000022

# Bind service template 1 to radio 2 of AP 3.

[AC-wlan-ap-ap3] radio 2

[AC-wlan-ap-ap3-radio-2] service-template 1

[AC-wlan-ap-ap3-radio-2] radio enable

[AC-wlan-ap-ap3-radio-2] quit

[AC-wlan-ap-ap3] quit

# Set the load balancing mode to session mode, and set the session threshold and session gap threshold to 3 and 2, respectively.

[AC] wlan load-balance mode session 3 gap 2

# Create load balancing group 1.

[AC] wlan load-balance group 1

# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.

[AC-wlan-lb-group-1] ap name ap1 radio 2

[AC-wlan-lb-group-1] ap name ap2 radio 2

[AC-wlan-lb-group-1] quit

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs session-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·          The number of sessions on either radio reaches 3.

·          The session gap between the radios reaches 2. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Example: Configuring traffic-mode load balancing

Network configuration

As shown in Figure 89, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs. The maximum bandwidth for each AP is 150 Mbps.

Configure the AC to perform traffic-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·          The traffic of one radio reaches 30 Mbps (20% of the maximum bandwidth).

·          The traffic gap between the radios reaches 15 Mbps (10% of the maximum bandwidth).

Figure 89 Network diagram

 

Procedure

# Create wireless service template 1, and set its SSID to traffic-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid traffic-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Create AP template ap3, and specify the model and serial ID.

[AC] wlan ap ap3 model WA2620-WiNet

[AC-wlan-ap-ap3] serial-id 210235A29G007C000022

# Bind service template 1 to radio 2 of AP 3.

[AC-wlan-ap-ap3] radio 2

[AC-wlan-ap-ap3-radio-2] service-template 1

[AC-wlan-ap-ap3-radio-2] radio enable

[AC-wlan-ap-ap3-radio-2] quit

[AC-wlan-ap-ap3] quit

# Set the load balancing mode to traffic mode, and set the traffic threshold and traffic gap threshold to 20% and 10%, respectively.

[AC] wlan load-balance mode traffic 20 gap 10

# Create load balancing group 1.

[AC] wlan load-balance group 1

# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.

[AC-wlan-lb-group-1] ap name ap1 radio 2

[AC-wlan-lb-group-1] ap name ap2 radio 2

[AC-wlan-lb-group-1] quit

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs traffic-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·          The traffic of either radio reaches 30 Mbps.

·          The traffic gap between the radios reaches 15 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)

Example: Configuring bandwidth-mode load balancing

Network configuration

As shown in Figure 90, AP 1, AP 2, and AP 3 are managed by the AC and the clients can discover the APs.

Configure the AC to perform bandwidth-mode load balancing on radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·          The bandwidth of one radio reaches 12 Mbps.

·          The bandwidth gap between the radios reaches 3 Mbps.

Figure 90 Network diagram

 

Procedure

# Create wireless service template 1, and set its SSID to bandwidth-balance.

<AC> system-view

[AC] wlan service-template 1

[AC-wlan-st-1] ssid bandwidth-balance

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

# Create AP template ap1, and specify the model and serial ID.

[AC] wlan ap ap1 model WA2620-WiNet

[AC-wlan-ap-ap1] serial-id 210235A29G007C000020

# Bind service template 1 to radio 2 of AP 1.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

# Create AP template ap2, and specify the model and serial ID.

[AC] wlan ap ap2 model WA2620-WiNet

[AC-wlan-ap-ap2] serial-id 210235A29G007C000021

# Bind service template 1 to radio 2 of AP 2.

[AC-wlan-ap-ap2] radio 2

[AC-wlan-ap-ap2-radio-2] service-template 1

[AC-wlan-ap-ap2-radio-2] radio enable

[AC-wlan-ap-ap2-radio-2] quit

[AC-wlan-ap-ap2] quit

# Create AP template ap3, and specify the model and serial ID.

[AC] wlan ap ap3 model WA2620-WiNet

[AC-wlan-ap-ap3] serial-id 210235A29G007C000022

# Bind service template 1 to radio 2 of AP 3.

[AC-wlan-ap-ap3] radio 2

[AC-wlan-ap-ap3-radio-2] service-template 1

[AC-wlan-ap-ap3-radio-2] radio enable

[AC-wlan-ap-ap3-radio-2] quit

[AC-wlan-ap-ap3] quit

# Set the load balancing mode to bandwidth mode, and set the bandwidth threshold and bandwidth gap threshold to 12 Mbps and 3 Mbps, respectively.

[AC] wlan load-balance mode bandwidth 12 gap 3

# Create load balancing group 1.

[AC] wlan load-balance group 1

# Add radio 2 of AP 1 and radio 2 of AP 2 to load balancing group 1.

[AC-wlan-lb-group-1] ap name ap1 radio 2

[AC-wlan-lb-group-1] ap name ap2 radio 2

[AC-wlan-lb-group-1] quit

# Enable WLAN load balancing.

[AC] wlan load-balance enable

Verifying the configuration

# Verify that the AC performs bandwidth-mode load balancing for radio 2 of AP 1 and radio 2 of AP 2 when the following conditions are met:

·          The bandwidth of either radio reaches 12 Mbps.

·          The bandwidth gap between the radios reaches 3 Mbps. (Details not shown.)

# Verify that AP 1 and AP 2 are load balanced by using the display wlan client command. (Details not shown.)


WLAN probe

The term "AC" in this document refers to MSR routers that can function as ACs.

About WLAN probe

WLAN probe enables APs to monitor the WLAN and collect information about wireless devices in the WLAN. Then, the APs send the collected information to the specified server for further analysis.

WLAN probe system

As shown in Figure 91, a WLAN probe system contains the following devices:

·          Sensors—APs enabled with WLAN probe. They scan the channels, collect wireless device information, and report the information to the server.

·          AC—Manages sensors and reports information received from sensors to the server.

·          Server—Analyzes the information received from sensors and the AC.

Figure 91 WLAN probe system

 

Work mechanism

A WLAN probe system operates as follows:

1.        Wireless devices send 802.11 packets.

2.        Sensors collect wireless device information, such as MAC address, device type, RSSI, and time stamp from the packets.

3.        Sensors send collected device information to the AC or server.

4.        The server analyzes the received information.

Feature and hardware compatibility

The following routers can function as ACs:

·          MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·          MSR2600-6-X1/2600-10-X1.

·          MSR 2630.

·          MSR3600-28/3600-51.

·          MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·          MSR 3610/3620/3620-DP/3640/3660.

WLAN probe tasks at a glance

Tasks at a glance

(Required.) Enabling WLAN probe

(Required.) Specifying a server to receive wireless device information

(Optional.) Configuring sensors to report wireless device information to the AC

(Optional.) Enabling real-time reporting of wireless device information to the UDP server

(Optional.) Setting the coordinates and timezone offset for a sensor

(Optional.) Reporting wireless device information to the Oasis platform

(Optional.) Configuring wireless device filtering

(Optional.) Setting device entry timers

 

Enabling WLAN probe

To enable WLAN probe in radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Enter radio view.

radio radio-id

N/A

4.       Enable WLAN probe.

client-proximity-sensor enable

By default, a radio uses the configuration in AP group radio view.

 

To enable WLAN probe in AP group radio view:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP group view.

wlan ap-group group-name

N/A

3.       Enter AP model view.

ap-model ap-model

N/A

4.       Enter radio view.

radio radio-id

N/A

5.       Enable WLAN probe.

client-proximity-sensor enable

By default, WLAN probe is disabled.

 

Specifying a server to receive wireless device information

About specifying a server to receive wireless device information

Perform this task to specify a server for a sensor or the AC to report wireless device information.

Restrictions and guidelines

For the AC to report device information to the server, you must enable sensors to report information about detected devices to the AC.

Procedure

To specify an HTTPS server:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify an HTTPS server to receive wireless device information.

client-proximity-sensor server string [ window-time window-time-value | partner partner-value ] *

By default, no HTTPS server is specified.

 

To specify a UDP server for the AC:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a UDP server to receive wireless device information.

client-proximity-sensor udp-server ip-address port port-number [ interval interval | preshared-key [ cipher | simple ] key-string ] *

By default, no UDP server is specified.

 

To specify a UDP server for a sensor:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Specify a UDP server to receive wireless device information.

client-proximity-sensor udp-server ip-address port port-number [ interval interval | preshared-key [ cipher | simple ] key-string ] *

By default, no UDP server is specified.

 

Configuring sensors to report wireless device information to the AC

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable sensors to report information about detected devices to the AC.

client-proximity-sensor report-ac enable

By default, sensors do not report information about detected devices to the AC.

3.       (Optional.) Set the interval at which sensors report information about detected devices to the AC.

client-proximity-sensor report-ac-interval interval

By default, sensors report information about detected devices to the AC every 3000 milliseconds.

 

Enabling real-time reporting of wireless device information to the UDP server

About real-time reporting of wireless device information to the UDP server

After you enable this feature, the device information is reported to the UDP server in real time, rather than at the specified intervals.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable real-time reporting of wireless device information to the UDP server.

client-proximity-sensor rt-report enable

By default, real-time reporting of wireless device information to the UDP server is disabled.

 

Setting the coordinates and timezone offset for a sensor

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter AP view.

wlan ap ap-name

N/A

3.       Set the longitude and latitude of the sensor.

client-proximity-sensor coordinates longitude longitude-value latitude latitude-value

By default, the longitude and latitude are not set.

4.       Set the timezone offset between the AC and the sensor.

client-proximity-sensor timezone-offset { add | minus } timevalue

By default, the timezone offset between the AC and the sensor is not set.

 

Reporting wireless device information to the Oasis platform

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the AC to report wireless device information to the Oasis platform.

undo client-proximity-sensor report-oasis disable

By default, the AC reports wireless device information to the Oasis platform.

3.       (Optional.) Set the number of client entries that the AC reports to the Oasis platform each time and the report interval.

client-proximity-sensor report-oasis client interval interval number number

By default, the AC reports 10 client entries to the Oasis platform every 1000 milliseconds.

4.       (Optional.) Set the RSSI difference threshold for reporting client information to the Oasis platform.

client-proximity-sensor report-oasis rssi-change-threshold threshold-value

By default, the RSSI difference threshold is 100.

 

Configuring wireless device filtering

About wireless device filtering

Perform this task to control whether information about the specified devices is reported.

Procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the MAC address filtering list.

client-proximity-sensor filter-list list

By default, the MAC address filtering list is not configured.

3.       Set the RSSI threshold for clients or APs.

client-proximity-sensor rssi-threshold { ap ap-rssi-value | client client-rssi-value }

By default, the RSSI thresholds for clients and APs are not set.

4.       Enable reporting of information about Apple terminals that use a random MAC address.

client-proximity-sensor random-mac-report enable

By default, information about Apple terminals that use a random MAC address is not reported.

5.       Enable reporting of AP information to the UDP server.

client-proximity-sensor report-ap enable

By default, the information about APs is not reported to the UDP server.

 

Setting device entry timers

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the AP entry timers.

client-proximity-sensor ap-timer inactive inactive-value aging aging-value

By default, the inactive time and aging time for AP entries are 300 seconds and 600 seconds, respectively.

3.       Set the client entry timers.

client-proximity-sensor client-timer inactive inactive-value aging aging-value

By default, the inactive time and aging time for client entries are 300 seconds and 600 seconds, respectively.

 

Display and maintenance commands for WLAN probe

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about wireless devices detected by sensors.

display client-proximity-sensor device [ ap | client | mac-address mac-address ] [ verbose ]

Display information about sensors.

display client-proximity-sensor sensor

Display information received from sensors.

display client-proximity-sensor statistics receive

Clear wireless device information.

reset client-proximity-sensor device { ap | client | mac-address mac-address | all }

Clear information received from sensors.

reset client-proximity-sensor statistics

 

WLAN probe configuration examples

Example: Configuring WLAN probe

Network configuration

As shown in Figure 92, AP 1 and AP 2 provide wireless services for clients through SSID abc.

Enable WLAN probe on the sensor, and configure the AC to report the received wireless device information to the server.

Figure 92 Network diagram


Procedure

# Configure wireless service settings on the AC. (Details not shown.)

For more information, see "Configuring WLAN access."

# Create AP Sensor, and enable WLAN probe for the AP.

<AC> system-view

[AC] wlan ap Sensor model WA5320-WiNet

[AC-wlan-ap-Sensor] serial-id 210235A1GQB139000435

[AC-wlan-ap-Sensor] radio 1

[AC-wlan-ap-Sensor-radio-1] radio enable

[AC-wlan-ap-Sensor-radio-1] client-proximity-sensor enable

[AC-wlan-ap-Sensor-radio-1] quit

[AC-wlan-ap-Sensor] radio 2

[AC-wlan-ap-Sensor-radio-2] radio enable

[AC-wlan-ap-Sensor-radio-2] client-proximity-sensor enable

[AC-wlan-ap-Sensor-radio-2] quit

[AC-wlan-ap-Sensor] quit

# Configure the sensor to report wireless device information to the AC.

[AC] client-proximity-sensor report-ac enable

# Configure the AC to report wireless device information to the UDP server with IP address 192.168.1.123 and port number 1234, and set the report interval to 20 seconds.

[AC] client-proximity-sensor udp-server 192.168.1.123 port 1234 interval 20

Verifying the configuration

# Display wireless device information detected by the sensor.

[AC] display client-proximity-sensor device

Total 3 detected devices

 

MAC address    Type      Duration    Sensors Channel Status

0021-632F-E9E5 Client    00h 10m 46s 1       11      Active

0021-6330-148B Client    00h 10m 46s 1       6       Active

0212-34B8-A8E0 Client    00h 10m 46s 1       1       Active

# On the management console of the server, view the wireless device information received from the AC. (Details not shown.)
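The following script is an added example, not H3C code: it parses the output of display client-proximity-sensor device shown above, derives the entry state an operator would expect from the default entry timers in "Setting device entry timers" (inactive 300 seconds, aging 600 seconds), and flags entries whose MAC address has the locally administered bit set, which is what randomized client MAC addresses use. The state names "active", "inactive" and "aged" and the sample output are constructed for this example.

```python
"""Constructed example (not H3C code): parse 'display client-proximity-sensor
device' output and apply the WLAN probe entry timers described in the guide."""
import re
from dataclasses import dataclass

# Constructed copy of the verification output shown in the guide.
SAMPLE_OUTPUT = """\
Total 3 detected devices

MAC address    Type      Duration    Sensors Channel Status
0021-632F-E9E5 Client    00h 10m 46s 1       11      Active
0021-6330-148B Client    00h 10m 46s 1       6       Active
0212-34B8-A8E0 Client    00h 10m 46s 1       1       Active
"""

# Defaults from "Setting device entry timers" (seconds).
AP_TIMER = {"inactive": 300, "aging": 600}
CLIENT_TIMER = {"inactive": 300, "aging": 600}

# One table row: H3C dotted MAC, type, "HHh MMm SSs" duration, then counters.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<type>AP|Client)\s+(?P<h>\d+)h\s+(?P<m>\d+)m\s+(?P<s>\d+)s\s+"
    r"(?P<sensors>\d+)\s+(?P<channel>\d+)\s+(?P<status>\S+)$"
)


@dataclass
class Device:
    mac: str
    dev_type: str
    duration_s: int
    sensors: int
    channel: int
    status: str

    def is_random_mac(self) -> bool:
        # Locally administered bit (bit 1 of the first octet) marks a
        # randomized address; 0212-34B8-A8E0 in the sample has it set.
        return bool(int(self.mac[:2], 16) & 0x02)


def parse_device_table(text: str) -> list:
    """Return Device objects for every data row; header lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        devices.append(Device(m["mac"], m["type"], duration, int(m["sensors"]),
                              int(m["channel"]), m["status"]))
    return devices


def entry_state(dev_type: str, seconds_since_last_seen: int) -> str:
    """Classify an entry against the inactive/aging timers (names assumed)."""
    timer = AP_TIMER if dev_type == "AP" else CLIENT_TIMER
    if seconds_since_last_seen < timer["inactive"]:
        return "active"
    if seconds_since_last_seen < timer["aging"]:
        return "inactive"
    return "aged"


if __name__ == "__main__":
    for dev in parse_device_table(SAMPLE_OUTPUT):
        print(dev.mac, dev.channel, "random-mac" if dev.is_random_mac() else "")
```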
