| Title | Size | Download |
|---|---|---|
| 01-WLAN high availability configuration | 233.74 KB |
Configuring dual-link backup
About dual-link backup
Dual-link backup enables two ACs to back up each other to reduce risks of service interruption caused by single-AC failures.
With dual-link backup enabled, an AP establishes a master CAPWAP tunnel and a backup CAPWAP tunnel with the master AC and the backup AC, respectively. The master and backup ACs cannot detect each other's link state in real time. When the backup AC takes over traffic forwarding upon a master AC failure, temporary communication interruption occurs. When the failed master AC recovers, the master CAPWAP tunnel preemption feature determines the master CAPWAP tunnel based on the AP connection priority.
Dual-link backup is suitable for networks that are not sensitive to service continuity.
Figure 1 Network diagram for dual-link backup
Restrictions and guidelines: Dual-link backup configuration
For the dual-link backup feature to function correctly, configure auto AP or manual APs on the two ACs. The manual AP configuration must be identical on both ACs. For more information, see "Managing APs."
You can configure APs by using the following methods:
· Configure APs one by one in AP view.
· Assign APs to an AP group and configure the AP group in AP group view.
· Configure all APs in global configuration view.
For an AP, the settings made in these views for the same parameter take effect in descending order of priority: AP view, AP group view, and then global configuration view.
Dual-link backup is not supported in a cloud cluster.
Dual-link backup tasks at a glance
To configure dual-link backup, perform the following tasks:
1. Setting AP connection priority and specifying a backup AC
2. (Optional.) Configuring master CAPWAP tunnel preemption
3. (Optional.) Enabling client persistence
4. (Optional.) Configuring configuration synchronization between ACs in a dual-link backup system
Setting AP connection priority and specifying a backup AC
About this task
Set a higher AP connection priority for the master AC to ensure that APs can associate with the master AC first.
After an AP establishes a CAPWAP tunnel with the master AC, the AP will establish a backup CAPWAP tunnel with the specified backup AC.
Procedure
1. Enter system view.
system-view
2. Enter AP view, AP group view, or global configuration view.
○ Enter AP view.
wlan ap ap-name
○ Enter AP group view.
wlan ap-group group-name
○ Enter global configuration view.
wlan global-configuration
3. Set the AP connection priority.
priority priority
By default:
○ In AP view, an AP uses the configuration in AP group view. If the AP group does not have this configuration, the AP uses the global configuration.
○ In AP group view, the global configuration is used.
○ In global configuration view, the AP connection priority is 4.
4. Specify a backup AC.
backup-ac { ip ipv4-address | ipv6 ipv6-address }
By default:
○ In AP view, an AP uses the configuration in AP group view. If the AP group does not have this configuration, the AP uses the global configuration.
○ In AP group view, the global configuration is used.
○ In global configuration view, no backup AC is specified.
Configuring master CAPWAP tunnel preemption
About this task
In a dual-link backup network, when the master AC of an AP fails, the backup AC takes over the master CAPWAP tunnel by default. To enable an active switch-back to the original master AC after its recovery, both of the following conditions must be met:
· The original master AC has CAPWAP tunnel preemption enabled.
· The AP connection priority of the original master AC is higher than that of the current master AC (the original backup AC).
Procedure
1. Enter system view.
system-view
2. Enter AP view, AP group view, or global configuration view.
○ Enter AP view.
wlan ap ap-name
○ Enter AP group view.
wlan ap-group group-name
○ Enter global configuration view.
wlan global-configuration
3. Configure master CAPWAP tunnel preemption.
wlan tunnel-preempt { disable | enable }
By default:
○ In AP view, an AP uses the configuration in AP group view. If no configuration exists in AP group view, the AP uses the configuration in global configuration view.
○ In AP group view, an AP uses the configuration in global configuration view.
○ In global configuration view, master CAPWAP tunnel preemption is disabled.
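The view precedence (AP view, then AP group view, then global configuration view), the stated defaults, and the two switch-back conditions can be checked against both ACs' configuration before a failover test. The following Python script is an added example, not H3C code; it assumes configuration text with view commands at column 0 and their settings indented beneath, and the function names and the sample text (built from the values in this page's configuration example) are illustrative.

```python
import re

# Defaults the page states for global configuration view.
DEFAULTS = {"priority": 4, "backup_ac": None, "preempt": False}

SETTINGS = [  # (pattern, key, converter)
    (r"priority (\d+)", "priority", int),
    (r"backup-ac (?:ip|ipv6) (\S+)", "backup_ac", str),
    (r"wlan tunnel-preempt (enable|disable)", "preempt", lambda v: v == "enable"),
]


def parse_views(config_text):
    """Map each WLAN view to the dual-link settings configured inside it.

    Assumes a view command at column 0 with its settings indented beneath it."""
    views, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # column 0: a new top-level command
            m = re.match(r"wlan (ap-group|ap) (\S+)", line)
            if m:
                current = ("group" if m.group(1) == "ap-group" else "ap", m.group(2))
            elif line == "wlan global-configuration":
                current = ("global", None)
            else:
                current = None  # some other command; not a view we track
            if current:
                views.setdefault(current, {})
        elif current:
            for pattern, key, convert in SETTINGS:
                m = re.fullmatch(pattern, line)
                if m:
                    views[current][key] = convert(m.group(1))
    return views


def effective(views, ap_name, group_name=None):
    """Resolve one AP's settings: AP view beats AP group view beats global."""
    resolved = dict(DEFAULTS)
    for key in (("global", None), ("group", group_name), ("ap", ap_name)):
        resolved.update(views.get(key, {}))
    return resolved


def switchback_problems(master_cfg, backup_cfg, ap_name, backup_ip, group_name=None):
    """Return reasons the AP would not switch back to the recovered master AC."""
    m = effective(parse_views(master_cfg), ap_name, group_name)
    b = effective(parse_views(backup_cfg), ap_name, group_name)
    problems = []
    if not m["preempt"]:
        problems.append("tunnel preemption is not enabled on the original master AC")
    if m["priority"] <= b["priority"]:
        problems.append(f"master priority {m['priority']} is not higher than "
                        f"backup priority {b['priority']}")
    if m["backup_ac"] != backup_ip:
        problems.append(f"master AC names {m['backup_ac']} as backup AC, expected {backup_ip}")
    return problems


# Constructed inputs using the values from the page's configuration example.
AC1 = """wlan ap ap1 model WA6520
 priority 7
 backup-ac ip 11.1.1.1
 wlan tunnel-preempt enable
"""
AC2 = """wlan ap ap1 model WA6520
 priority 5
 backup-ac ip 10.1.1.1
 wlan tunnel-preempt enable
"""
# Constructed drift case: priority left to global view, preemption never set.
AC1_DRIFT = """wlan global-configuration
 priority 5
wlan ap ap1 model WA6520
 backup-ac ip 11.1.1.1
"""

if __name__ == "__main__":
    print(switchback_problems(AC1, AC2, "ap1", "11.1.1.1"))
    print(switchback_problems(AC1_DRIFT, AC2, "ap1", "11.1.1.1"))
```

The drift case fails both conditions: preemption falls back to the global default (disabled), and the inherited priority 5 is not higher than the backup AC's priority 5.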
Enabling client persistence
About this task
In a dual-link network, when the backup AC becomes the master AC, it synchronizes all client entries with the master AC. During the synchronization, wireless clients go offline simultaneously, and it takes a long time for them to come online again. With this feature enabled, the backup AC synchronizes entries with the master AC gradually, which allows wireless clients to go offline and come back online gradually and keeps clients online.
To use this feature together with portal authentication, configure MAC-based quick portal authentication so that users complete authentication without noticing it.
During master/backup switchover, the backup AC uses temporary client data to ensure that clients do not disconnect. After the switchover, you must execute the wlan persistent-client reconnect command on the new master AC to log off clients in batches and delete their temporary data. After the clients come online again, the new master AC regenerates normal client data.
Procedure
1. Enter system view.
system-view
2. Enter global configuration view.
wlan global-configuration
3. Enable client persistence.
client-persistence enable
By default, client persistence is disabled.
4. Return to system view.
quit
5. (Optional.) Configure delayed client reconnection for client persistence.
wlan persistent-client reconnect delay delay-minutes period period-minutes
Configuring configuration synchronization between ACs in a dual-link backup system
Tasks at a glance
To configure configuration synchronization between ACs, perform the following tasks:
1. Enabling SmartMC
2. (Optional.) Modifying the password of the default user for members
3. Configuring synchronizing WLAN configuration between ACs in a dual-link backup system
4. (Optional.) Triggering consistency check on the WLAN configuration between the two ACs in a dual-link backup system
Prerequisites
Before you configure SmartMC, perform the following tasks on the commander and members:
· Enable the Telnet service, and configure scheme authentication for VTY user lines. For information about Telnet service and VTY user lines, see CLI login configuration in Fundamentals Configuration Guide.
· Configure a local user.
○ Specify the username and password.
- On the commander, make sure the username and password are the same as the username and password configured by using the smartmc tm username username password { cipher | simple } string enable command.
- On a member, set both the username and password to admin, and execute the password-control length 4, password-control composition type-number 1 type-length 1, and undo password-control complexity user-name check commands to lower the password complexity requirements.
This is required because SmartMC has the commander use username admin and password admin to communicate with members, and that password does not meet the default password complexity requirements. For more information about these commands, see password control commands in Security Command Reference.
After the SmartMC network is established, you can increase the password complexity requirements and use the smartmc tc password command to modify the username and password.
○ Specify the Telnet, SSH, HTTP, and HTTPS services for the user.
○ Set the RBAC role of the local user to network-admin.
For information about local users, see AAA configuration in Security Configuration Guide. For information about user roles, see RBAC configuration in Fundamentals Configuration Guide.
· Enable NETCONF over SOAP over HTTP. For information about NETCONF over SOAP, see NETCONF configuration in Network Management and Monitoring Configuration Guide.
· Enable NETCONF over SSH. For more information about NETCONF over SSH, see "Configuring NETCONF."
· Configure public key management for SSH authentication. Execute the ssh user admin service-type netconf authentication-type publickey assign publickey -smartmc-publickey- command on the member to configure the authentication method for SSH users. Digital signature is supported. The username must be admin for an SSH user and the public key name must be -smartmc-publickey- for the SSH client. For more information about public key management, see Security Configuration Guide.
· Enable LLDP globally. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.
· To manage the commander and members through a Web interface, you must enable the HTTP and HTTPS services, and set the service type to HTTP and HTTPS for the local user. For information about Web login, HTTP, and HTTPS, see Fundamentals Configuration Guide.
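The prerequisites lower the password complexity requirements on members so that admin/admin is accepted, and note that the requirements can be raised again once the SmartMC network is established. The following Python check, an added example that is not H3C code, reports members whose configuration text still carries the lowered settings; the baseline values, function names, and sample configurations are assumptions, and it assumes the three password-control commands quoted above appear verbatim in the text you feed it.

```python
import re

# Assumed site baseline, not values from the page; adjust to local policy.
BASELINE = {"min_length": 10, "min_types": 3}

# The three bootstrap commands the prerequisites quote, with the numeric
# arguments captured so any weak value is caught, not only 4 / 1 / 1.
LENGTH = re.compile(r"password-control length (\d+)")
COMPOSITION = re.compile(
    r"password-control composition type-number (\d+) type-length (\d+)")
NO_NAME_CHECK = "undo password-control complexity user-name check"


def audit_member(config_text, baseline=BASELINE):
    """Return (setting, observed line) pairs that are weaker than the baseline."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LENGTH.fullmatch(line)
        if m and int(m.group(1)) < baseline["min_length"]:
            findings.append(("minimum length", line))
        m = COMPOSITION.fullmatch(line)
        if m and int(m.group(1)) < baseline["min_types"]:
            findings.append(("composition", line))
        if line == NO_NAME_CHECK:
            findings.append(("user-name check", line))
    return findings


def audit_fleet(configs, baseline=BASELINE):
    """Map member name -> findings, listing only members that still need work."""
    report = {}
    for name, text in configs.items():
        findings = audit_member(text, baseline)
        if findings:
            report[name] = findings
    return report


# Constructed sample: tc1 still carries the bootstrap settings,
# tc2 has had its password policy raised again.
MEMBERS = {
    "tc1": """password-control length 4
password-control composition type-number 1 type-length 1
undo password-control complexity user-name check
""",
    "tc2": """password-control length 12
password-control composition type-number 4 type-length 2
""",
}

if __name__ == "__main__":
    for member, findings in audit_fleet(MEMBERS).items():
        for setting, line in findings:
            print(f"{member}: {setting}: {line}")
```

The check cannot tell whether the member's admin password is still admin, because it only inspects the password-control lines.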
Restrictions and guidelines
To use this feature, first set up a SmartMC network. This feature is supported only on the AC with the TM role.
Enabling SmartMC
About this task
Smart Management Center (SmartMC) centrally manages and maintains dispersed network devices at network edges. In a SmartMC network, only one device acts as the commander and the remaining devices all act as members.
The SmartMC network contains the following elements:
· Commander—Also called topology master (TM), which manages all members in the SmartMC network.
· Member—Also called topology client (TC), which is managed by the commander.
Enable this feature on both the commander and members to enable management of members from the commander.
Restrictions and guidelines
A SmartMC network must have one and only one commander.
If you change the role of the commander to member or disable SmartMC on the commander, all SmartMC settings in its running configuration will be cleared.
SmartMC fails to be enabled if ACL resources are insufficient. If ACL resources are insufficient, use the undo acl command to delete unnecessary ACLs and then enable SmartMC. You can execute the display acl command to view ACL configuration and match statistics. For more information about ACLs, see ACL and QoS Configuration Guide.
SmartMC fails to be enabled if ports 80 and 443 are already in use.
Procedure
1. Enter system view.
system-view
2. Enable SmartMC and set the device role.
smartmc { tc | tm username username password { cipher | simple } string } enable
By default, SmartMC is disabled.
Modifying the password of the default user for members
About this task
During SmartMC network establishment, the commander uses the default username and password to establish NETCONF sessions to members automatically added to the network. The default username and password of the members for NETCONF session establishment are admin and admin.
To enhance security, you can perform this task to change the password for the default user admin of the members after the commander adds the members to the network.
Restrictions and guidelines
Do not modify the password for members that are manually added to the SmartMC network. If you modify the password for a manually added member, you will not be able to manage that member from the commander.
You can use the display smartmc tc verbose command to identify the method used to add the members.
Procedure
1. Enter system view.
system-view
2. Modify the password of the default user for members.
smartmc tc password [ cipher ] string
By default, the password of the default user for members is admin.
Configuring synchronizing WLAN configuration between ACs in a dual-link backup system
About this task
As a best practice to ensure configuration consistency between the two ACs in a dual-link backup system, configure WLAN settings on the AC with the TM role and then use this function to synchronize the WLAN settings to the AC with the TC role.
WLAN settings include settings in AP view, AP group view, global configuration view, radio view, an AP group's radio view, and service template view, as well as settings related to authentication. For settings that can be synchronized, see "Appendix A AC configuration synchronization."
The following conditions might occur if you enable this feature:
· When the two ACs have the same WLAN settings, WLAN configuration synchronization is not performed.
· When the two ACs have different WLAN settings, the system generates a diff file named wlan_cfgsync.diff on the AC with the TM role and then automatically performs configuration synchronization. To view the WLAN configuration differences between the two ACs, use the more command.
Procedure
1. Enter system view.
system-view
2. Configure synchronizing WLAN configuration between ACs in a dual-link backup system.
wlan sync-configuration { from | to } peer-ac mac-address
Triggering consistency check on the WLAN configuration between the two ACs in a dual-link backup system
About this task
Perform this task to verify if the WLAN settings on the two ACs in a dual-link backup system are consistent. If an inconsistency is found, the AC with the TM role generates a diff file named wlan_cfgsync.diff. You can use the more command to view the diff file and determine whether to perform WLAN configuration synchronization and the synchronization direction.
Procedure
1. Enter system view.
system-view
2. Trigger consistency check on the WLAN configuration between the two ACs in a dual-link backup system.
wlan sync-configuration check peer-ac mac-address
Verifying and maintaining WLAN dual-link backup
Displaying SmartMC configuration
Perform display tasks in any view.
· Display configuration information for SmartMC.
display smartmc configuration
· Display member device information.
display smartmc tc [ tc-id ] [ verbose ]
Displaying information about clients kept online by client persistence
Perform display tasks in any view.
· Display information about clients kept online by client persistence.
display wlan persistent-client
· Display the history of configuration synchronization between ACs in a dual-link backup scenario.
display wlan sync-configuration history
Clearing clients kept online by client persistence
Perform clear tasks in any view.
· Clear clients kept online by client persistence.
reset wlan persistent-client
· Clear the history of configuration synchronization between ACs in a dual-link backup scenario.
reset wlan sync-configuration history
Dual-link backup configuration examples
Example: Configuring dual-link backup
Network configuration
As shown in Figure 2, configure AC 1 to act as the master AC and AC 2 as the backup AC. When AC 1 fails and AC 2 takes over, the AP can communicate through AC 2. Configure the master CAPWAP tunnel preemption feature on the two ACs so that the AP reconnects to AC 1 when AC 1 recovers.
Procedure
1. Configure AC 1:
# Create VLAN-interface 1 and assign an IP address to it.
<AC1> system-view
[AC1] interface vlan-interface 1
[AC1-Vlan-interface1] ip address 10.1.1.1 24
[AC1-Vlan-interface1] quit
# Create an AP named ap1, and specify the AP model and serial ID. Set the AP connection priority to 7.
[AC1] wlan ap ap1 model WA6520
[AC1-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC1-wlan-ap-ap1] priority 7
# Specify a backup AC.
[AC1-wlan-ap-ap1] backup-ac ip 11.1.1.1
# Enable master CAPWAP tunnel preemption.
[AC1-wlan-ap-ap1] wlan tunnel-preempt enable
[AC1-wlan-ap-ap1] quit
2. Configure AC 2:
# Create VLAN-interface 1 and assign an IP address to it.
<AC2> system-view
[AC2] interface Vlan-interface 1
[AC2-Vlan-interface1] ip address 11.1.1.1 24
[AC2-Vlan-interface1] quit
# Create an AP named ap1, and specify the AP model and serial ID. Set the AP connection priority to 5.
[AC2] wlan ap ap1 model WA6520
[AC2-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC2-wlan-ap-ap1] priority 5
# Specify a backup AC.
[AC2-wlan-ap-ap1] backup-ac ip 10.1.1.1
# Enable master CAPWAP tunnel preemption.
[AC2-wlan-ap-ap1] wlan tunnel-preempt enable
[AC2-wlan-ap-ap1] quit
Verifying the configuration
# Get the AP online on AC 1. (Details not shown.)
# Shut down VLAN-interface 1 on AC 1 and wait no longer than 3 minutes, during which service interruption occurs. (Details not shown.)
# Verify that the AP comes online on AC 2 and the AP state is R/M on AC 2. (Details not shown.)
# Bring up VLAN-interface 1 on AC 1. (Details not shown.)
# Verify that the AP comes online on AC 1 again and the AP state is R/M on AC 1 and R/B on AC 2. (Details not shown.)
Appendix
Appendix A AC configuration synchronization
As a best practice to ensure configuration consistency between the two ACs in a dual-link backup system, configure WLAN settings on the AC with the TM role and then synchronize the WLAN settings to the AC with the TC role.
WLAN settings include settings in AP view, AP group view, global configuration view, radio view, an AP group's radio view, and service template view, as well as settings related to authentication.
NOTE: The settings that can be synchronized depend on the device model and change as software versions are updated.
Table 1 Synchronizable configuration list
| View | Command | Description | Remarks |
|---|---|---|---|
| System view | wlan global-configuration | Use this command to enter global configuration view. | See Note 1 |
| System view | wlan ap | Use this command to create a manual AP and enter its view, or enter the view of an existing manual AP. | See Note 1 |
| System view | wlan ap-group | Use this command to create an AP group and enter its view, or enter the view of an existing AP group. | See Note 1 |
| System view | wlan service-template | Use this command to create a service template and enter its view, or enter the view of an existing service template. | See Note 1 |
| System view | user-profile | Use this command to create a user profile and enter its view, or enter the view of an existing user profile. | See Note 1 |
| System view | configuration profile | Use this command to create a configuration profile, specify an AP model, and enter configuration profile view, or enter the view of an existing user profile. | See Note 1 |
| System view | wlan accounting-policy | Use this command to create an accounting policy and enter its view, or enter the view of an existing accounting policy. | See Note 1 |
| System view | radius dynamic-author server | Use this command to enable the RADIUS DAS feature and enter RADIUS DAS view. | See Note 1 |
| System view | radius scheme | Use this command to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme. | See Note 1 |
| System view | vlan-group | Use this command to create a VLAN group and enter its view, or enter the view of an existing VLAN group. | See Note 1 |
| System view | vlan | Use this command to create a VLAN and enter its view, or enter the view of an existing VLAN. | See Note 1 |
| System view | portal server | Use this command to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server. | See Note 1 |
| System view | domain | Use this command to create an ISP domain and enter ISP domain view, or enter the view of an existing ISP domain. | See Note 1 |
| System view | eap-profile | Use this command to create an EAP scheme and enter its view, or enter the view of an existing EAP scheme. | See Note 1 |
| System view | portal local-web-server | Use this command to enable HTTP- or HTTPS-based local portal Web service and enter its view. | See Note 1 |
| System view | portal extend-auth-server | Use this command to create a third-party authentication server and enter its view, or enter the view of an existing third-party authentication server. | See Note 1 |
| System view | portal mac-trigger-server | Use this command to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server. | See Note 1 |
| System view | acl logging interval | Use this command to enable logging for packet filtering and set the interval. | N/A |
| System view | acl trap interval | Use this command to enable SNMP notifications for packet filtering and set the interval. | N/A |
| System view | wlan nas-port-id format | Use this command to set the format of NAS port IDs for wireless clients. | N/A |
| System view | radius session-control enable | Use this command to enable the RADIUS session-control feature. | N/A |
| System view | port-security enable | Use this command to enable port security. | N/A |
| System view | wlan client-security authentication clear-previous-connection | Use this command to enable the clear-previous-connection feature for WLAN authentication. | N/A |
| System view | wlan authentication optimization | Use this command to configure a modifier to adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication. | N/A |
| System view | wlan password-failure-limit enable | Use this command to enable password failure limit. | N/A |
| System view | dot1x authentication-method | Use this command to specify the 802.1X authentication method. | N/A |
| System view | dot1x domain-delimiter | Use this command to specify a set of domain name delimiters supported by the device. | N/A |
| System view | dot1x retry | Use this command to set the maximum number of attempts to send an authentication request to a supplicant. | N/A |
| System view | dot1x timer | Use this command to set an 802.1X timer. | N/A |
| System view | domain default enable | Use this command to configure the system default ISP domain. All users that log in without an ISP domain name belong to this domain. | N/A |
| System view | domain if-unknown | Use this command to specify an ISP domain that accommodates users that are assigned to nonexistent domains. | N/A |
| System view | mac-authentication access-user log enable | Use this command to enable MAC authentication user logging. | N/A |
| System view | mac-authentication authentication-method | Use this command to specify an authentication method for MAC authentication. | N/A |
| System view | mac-authentication timer | Use this command to configure a MAC authentication timer. | N/A |
| System view | mac-authentication user-name-format | Use this command to configure the type of user accounts for MAC authentication users. | N/A |
| System view | dns server | Use this command to specify the IPv4 address of a DNS server. | N/A |
| System view | dns snooping enable | Use this command to enable DNS snooping. | N/A |

Note 1: Executing these commands will enter corresponding views. Commands in these views and their subviews will be synchronized, except the following commands:
· control-address { ip ipv4-address | ipv6 ipv6-address }
· priority priority
· backup-ac { ip ipv4-address | ipv6 ipv6-address }
· portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }
· nas-id nas-identifier
· nas-port-id nas-port-id
· nas-ip { ipv4-address | ipv6 ipv6-address }
Configuring AP backup
About AP backup
AP backup forms multiple ACs into a cloud cluster to ensure centralized AP management and avoid wireless service interruption in case of AC failures.
AC roles
An AC has the following roles:
| Role | Description |
|---|---|
| Master AC | Master in a cloud cluster. The master AC manages the entire cloud cluster. |
| Subordinate AC | Subordinate in a cloud cluster. A subordinate AC processes services, forwards packets, and acts as a backup for the master AC. When the master AC fails, the system automatically elects a new master AC from the subordinate ACs in the cloud cluster. |
| Active AC | An AC that can establish CAPWAP tunnels with APs. The master AC is always an active AC. |
| Non-active AC | An AC that cannot establish CAPWAP tunnels with APs. Non-active ACs can only be subordinate ACs. When an active AC fails, a non-active AC will be elected as an active AC. |
| Directly connected AC | An AC that receives the first packet from an AP when the AP launches a CAPWAP tunnel establishment process. |
| Non-directly connected AC | An AC that does not receive the first packet from an AP when the AP launches a CAPWAP tunnel establishment process. |
AP backup and recovery
AP backup enables the active AC (master AC) in a cloud cluster to synchronize information about connected APs to all the non-active ACs. When the active AC fails, one of the non-active ACs becomes active to provide services, ensuring service continuity.
Prerequisites for AP backup
Before configuring AP backup, set up a cloud cluster for the target ACs. For information about cloud cluster, see Virtualization Configuration Guide.
Enabling AP backup
About this task
This feature enables the active AC to synchronize information about connected APs to all the non-active ACs. When the active AC fails, one of the non-active ACs becomes active to provide services.
Restrictions and guidelines
Disabling this feature removes backup AP information from all ACs.
Procedure
1. Enter system view.
system-view
2. Enable AP backup.
wlan ap-backup hot-backup enable
By default, AP backup is disabled.
Configuring client backup
About client backup
Client backup enables cloud cluster member ACs to back up client information with each other to keep clients online in case of AC failures. Client backup is triggered every time client information changes.
Client backup must work with AP backup. After both features are enabled, active ACs back up connected AP and client information to other member ACs. When an active AC fails, the master AC will select another AC in the IRF fabric to recover information about the APs and clients connected to the failed AC.
Restrictions and guidelines: Client backup configuration
Active ACs back up client information only for clients that come online after client backup is enabled. Disabling client backup deletes client backup information from all member ACs.
In a cloud cluster, clients in a critical VLAN or fail VLAN do not support client backup.
Prerequisites for client backup
The client backup feature must be used in conjunction with the AP backup feature. Client backup takes effect only when both features are enabled.
After you enable AP backup and client backup, the active AC can back up all connected APs and client information to other ACs within the cloud cluster. If the active AC fails, the master AC selects another AC to restore the AP and client information from the failed AC. For more information about AP backup and the AC selection rules, see "Configuring AP backup."
Enabling client backup
1. Enter system view.
system-view
2. Enable client backup.
wlan client-backup hot-backup enable
By default, client backup is disabled.
Setting the client backup delay
Restrictions and guidelines
This feature takes effect only when client backup is enabled.
This feature takes effect only on clients that come online after the client backup delay is set.
If an active/standby switchover occurs during the delay time, online clients whose information has not been backed up will be logged off and need to come online again. An active/standby switchover can be triggered by a restart of the active AC process.
Procedure
1. Enter system view.
system-view
2. Set the client backup delay.
wlan client-backup hot-backup delay delay-time
By default, the client backup delay is 60 seconds.
Display and maintenance commands for client backup
Execute display commands in any view.
· Display backup information about 802.1X clients associated with the specified cloud cluster member device.
display dot1x connection-backup [ ap ap-name [ radio radio-id ] ] slot slot-number
· Display backup information about MAC authentication clients associated with the specified cloud cluster member device.
display mac-authentication connection-backup [ ap ap-name [ radio radio-id ] ] slot slot-number
· Display client backup information for the specified cloud cluster member device.
display wlan client-backup [ ap ap-name [ radio radio-id ] | mac-address mac-address ] [ verbose ] [ slot slot-number ]


