H3C WX Series Access Controllers
Web-Based Configuration Guide
Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com
Software version: WX3000-CMW520-R3308 (WX3024E)
WX5004-CMW520-R2308 (WX5000 series)
WX6103-CMW520-R2308 (WX6000 series)
Document version: 6W106-20120824
Copyright © 2008-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C WX Series Access Controllers Web-Based Configuration Guide describes the web functions of the WX series, such as quick start, web overview, wireless service configuration, security and authentication related configurations, QoS configuration, and advanced settings.
NOTE:
• Support of the H3C WX series access controllers for features may vary by device model. For the feature matrixes, see the chapter "Feature Matrixes".
• The interface types and output information may vary by device model.
• The grayed-out functions and parameters on the web interface are unavailable or not configurable.
This preface includes:
• Audience
• Conventions
• About the H3C WX Series documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the WX series
Conventions
This section describes the conventions used in this documentation set.
GUI conventions
Convention: Description
• Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
• >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention: Description
• WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
• CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
• IMPORTANT: An alert that calls attention to essential information.
• NOTE: An alert that contains additional or supplementary information.
• TIP: An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, an access controller module, or a switching engine on a unified switch.
Represents an access point.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
About the H3C WX Series documentation set
The H3C WX series documentation set includes:
Category: Documents: Purposes
Product description and specifications
• Marketing brochures: Describe product specifications and benefits.
• Technology white papers: Provide an in-depth description of software features and technologies.
Hardware specifications and installation
• Card manuals: Provide the hardware specifications of cards and describe how to install and remove the cards.
• Installation guide: Provides a complete guide to hardware installation and hardware specifications.
Software configuration
• Getting started guide: Guides you through the main functions of your device, and describes how to install and log in to your device, perform basic configurations, maintain software, and troubleshoot your device.
• Configuration guides: Describe software features and configuration procedures.
• Command references: Provide a quick reference to all available commands.
• Web-based configuration guide: Describes configuration procedures through the web interface.
Operations and maintenance
• Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the software version.
Technical support
[email protected] http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Models of WX series access controllers
H3C WX series access controllers include the WX3000E series wireless switches, and WX5000 and WX6000 series access controllers. Table 1 shows the models of the WX series.
Table 1 Models of WX series access controllers
Product: Model
WX3000E series wireless switches
• WX3024E wireless switch
WX5000 series access controllers
• WX5002V2 access controller
• WX5004 access controller
• LSWM1WCM10 access controller module
• LSWM1WCM20 access controller module
WX6000 series access controllers
• WX6103 access controller
• LSQM1WCMB0 access controller module
• LSQM1WCMD0 access controller module
• LSBM1WCM2A0 access controller module
• LSRM1WCM2A1 access controller module
• LSRM1WCM3A1 access controller module
NOTE:
The WX6103 access controller supports EWPX1WCMB0 and EWPX1WCMD0 main control boards.
Typical network scenarios
Access controller network scenario
As shown in Figure 1, the AC connects to a Layer 2 or Layer 3 switch through GE1/0/1, the switch is connected to APs directly or over an IP network, and clients access the network through the APs.
Figure 1 AC networking
Access controller module network scenario
As shown in Figure 2, the AC is installed on a Layer 2 or Layer 3 switch, the switch is connected to APs directly or over an IP network, and clients access the network through the APs.
Figure 2 Access controller module networking (the figure shows the access controller module in the switch, a server, an IP network, AP 1 and AP 2, and Client A and Client B)
Wireless switch network scenario
As shown in Figure 3, the wireless switch that has both AC and switch functions is connected to APs directly or over an IP network, and clients access the network through the APs.
Figure 3 Unified switch networking diagram (the figure shows the wireless switch, a server, an IP network, AP 1 and AP 2, and Client A and Client B)
Feature matrixes
In this document, Yes means a feature is supported, and No means not supported.
Feature matrix for the WX5000 series
NOTE:
The LSWM1WCM10 and LSWM1WCM20 access controller modules of the WX5000 series adopt the OAP architecture. They work as OAP cards to exchange data and status and control information with the switch through their internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on XGE 1/0/1 of the LSWM1WCM10, and the logical aggregate interface BAGG1 formed by GE 1/0/1 and GE 1/0/2 of the LSWM1WCM20.
Table 2 Feature matrix for the WX5000 series
Module: Device
License management
• WX5002V2: Supports 32 concurrent APs by default, and can be extended to support 64 concurrent APs.
• WX5004: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
• LSWM1WCM10: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
• LSWM1WCM20: Supports 32 concurrent APs by default, and can be extended to support 128 concurrent APs.
File management
• WX5002V2: CF Yes
• WX5004: CF Yes
• LSWM1WCM10: CF Yes
• LSWM1WCM20: Flash Yes
Port mirroring
• WX5002V2: Yes
• WX5004: Yes
• LSWM1WCM10: No
• LSWM1WCM20: No
Loopback test
• WX5002V2: Yes on GE interfaces
• WX5004: Yes on GE interfaces
• LSWM1WCM10: Internal loopback testing, Yes on XGE interfaces only
• LSWM1WCM20: Internal loopback testing, Yes on GE interfaces only
Multicast groups
• WX5002V2, WX5004, LSWM1WCM10, LSWM1WCM20: The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.
Module: AP
AP group (Licenses must be fully configured to reach the maximum number of group IDs)
• WX5002V2: The number of group IDs ranges from 1 to 64.
• WX5004: The number of group IDs ranges from 1 to 256.
• LSWM1WCM10: The number of group IDs ranges from 1 to 256.
• LSWM1WCM20: The number of group IDs ranges from 1 to 128.
Module: Wireless Service
Access service
• WX5002V2, WX5004, LSWM1WCM10, LSWM1WCM20: The maximum number of associated users per SSID is 124 and defaults to 64.
Module: Advanced settings
AC hot backup
• WX5002V2: Yes
• WX5004: Yes
• LSWM1WCM10: Yes
• LSWM1WCM20: No
Fast backup (Hello interval)
• WX5002V2: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
• WX5004: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
• LSWM1WCM10: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
• LSWM1WCM20: No
1+1 AC backup
• WX5002V2: Yes
• WX5004: Yes
• LSWM1WCM10: Yes
• LSWM1WCM20: No
Module: High availability
Stateful failover
• WX5002V2: Yes
• WX5004: Yes
• LSWM1WCM10: Yes
• LSWM1WCM20: No
Feature matrix for the WX6000 series
NOTE:
• The switch interface board of the WX6103 adopts OAP architecture and is installed on the slot with purple paint at slot sides. The WX6103 supports EWPX1WCMB0 and EWPX1WCMD0 main control boards. The switch interface board exchanges data, and state and control information with the main control board through internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.
• For configuration information about the switch interface board of the WX6103, see the H3C WX6103 Access Controller Switch Interface Board Configuration Guide and H3C WX6103 Access Controller Switch Interface Board Command Reference.
• The LSQM1WCMB0/LSQM1WCMD0/LSBM1WCM2A0/LSRM1WCM2A1/LSRM1WCM3A1 of the WX6000 series are OAP cards. Each OAP card is installed on the expansion slot of the switch and exchanges data and status and control information with the switch through internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.
Table 3 Feature matrix for the WX6000 series
Module: Device
License management
• WX6103: EWPX1WCMB0 supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. EWPX1WCMD0 supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
• LSQM1WCMB0: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
• LSQM1WCMD0: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
• LSBM1WCM2A0: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
• LSRM1WCM2A1: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
• LSRM1WCM3A1: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
File management
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: CF and USB supported
Port mirroring
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: No
Loopback test
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: Internal loopback testing supported on XGE interfaces only
Multicast groups
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.
Module: AP
AP group (Licenses must be fully configured to reach the maximum number of group IDs)
• WX6103: On EWPX1WCMB0, the number of group IDs ranges from 1 to 640. On EWPX1WCMD0, the number of group IDs ranges from 1 to 1024.
• LSQM1WCMB0: The number of group IDs ranges from 1 to 640.
• LSQM1WCMD0: The number of group IDs ranges from 1 to 1024.
• LSBM1WCM2A0: The number of group IDs ranges from 1 to 640.
• LSRM1WCM2A1: The number of group IDs ranges from 1 to 640.
• LSRM1WCM3A1: The number of group IDs ranges from 1 to 1024.
Module: Wireless Service
Access service
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: The maximum number of associated users per SSID is 124 and defaults to 64.
Module: Advanced settings
Fast backup (Hello interval)
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)
1+1 AC backup
• WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1: Yes
Module: High availability
Stateful failover
Feature matrix for the WX3024E
NOTE:
• The access controller engine and switching engine of the WX3024E adopt the OAP architecture. The switching engine is integrated on the access controller engine and adopts OAP architecture. You actually log in to the access controller engine when you log in to the switch by default. The GE 1/0/1 and GE 1/0/2 interfaces of the access controller engine form a logical interface BAGG1, and the GE1/0/29 and GE1/0/30 interfaces of the switching engine form a logical interface BAGG1. The two BAGG1 interfaces exchange data, status, and control information. Do not configure services such as QoS rate limiting and 802.1X authentication on these internal interfaces.
• For configuration information about the switching engine of the WX3024E, see the H3C WX3024E Wireless Switch Switching Engine Configuration Guide and H3C WX3024E Wireless Switch Switching Engine Command Reference.
Table 4 Feature matrix for the WX3024E
Module: Device
• License management: Supports 24 concurrent APs by default, and can be extended to support 60 concurrent APs.
• File management: Flash supported
• Port mirroring: No
• Loopback test: Internal loopback testing supported on GE interfaces only
Module: Network
• IGMP Snooping: The maximum number of multicast groups ranges from 1 to 64 and defaults to 64.
Module: AP
• AP group (Licenses must be fully configured to reach the maximum number of group IDs): The number of group IDs ranges from 1 to 60.
Module: Wireless Service
• Access service: The maximum number of associated users per SSID is 124, and defaults to 64.
Module: Advanced settings
• AC backup: No
• Fast backup (Hello interval): No
• 1+1 AC backup: No
Module: High availability
• Stateful failover: No
Quick Start
Quick start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard, as shown in Figure 4.
Figure 4 Home page of the quick start wizard
Basic configuration
On the home page of the Quick Start wizard, click Start to enter the basic configuration page, as shown in Figure 5.
Figure 5 Basic configuration page
Table 5 Configuration items
• System Name: Specify the name of the current device. By default, the system name of the device is H3C.
• Country/Region Code: Select the code of the country where you are. This field defines the radio frequency characteristics such as the power and the total number of channels for frame transmission. Before configuring the device, you need to configure the country code correctly. If the Country Code field is grayed out, it cannot be modified.
• Time Zone: Select a time zone for the system.
• Time: Specify the current time and date.
Admin configuration
On the basic configuration page, click Next to enter the admin configuration page, as shown in Figure 6.
Figure 6 Admin configuration page
Table 6 Configuration items
• Password: Specify the password for user Admin to use to log into the device, in cipher text.
• Confirm Password: Enter the password again to confirm the password.
IP configuration
On the Admin Configuration page, click Next to enter the IP configuration page, as shown in Figure 7.
Figure 7 IP configuration page
Table 7 Configuration items
• IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging into the device. The default is 192.168.0.100.
• Mask: Specify the IP address mask of VLAN-interface 1. By default, the mask is 24-bit long.
• Default Gateway: Specify the IP address of the default gateway that connects the device to the network. By default, the IP address of the default gateway is not specified.
Wireless configuration
Figure 8 Wireless configuration page
Table 8 Configuration items
• Primary Service Authentication type: Select the authentication type for the wireless service, which can be:
  • None: Performs no authentication.
  • User authentication (802.1X): Performs 802.1X authentication.
  • Portal: Performs Portal authentication.
• Wireless Service: Specify the Service Set Identifier (SSID).
• Encrypt: Select this box to go to the 7/13: Encryption Configuration step. By default, no encryption is performed. If this option is not selected, the 7/13: Encryption Configuration step is skipped.
RADIUS configuration
On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page, as shown in Figure 9.
Figure 9 RADIUS configuration page
Table 9 Configuration items
• Service Type: Select the type of the RADIUS server. Two types are available, standard and extended:
  • extended: Specifies the extended RADIUS server, which is usually an IMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.
  • standard: Specifies the standard RADIUS server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138, RFC 2139, and the updates).
• Authentication IP: Enter the IP address of the RADIUS authentication server.
• Authentication UDP Port: Enter the port number of the RADIUS authentication server.
• Authentication Key: Enter the shared key of the RADIUS authentication server.
• Accounting IP: Enter the IP address of the RADIUS accounting server.
• Accounting UDP Port: Enter the port number of the RADIUS accounting server.
• Accounting Key: Enter the shared key of the RADIUS accounting server.
Portal configuration
On the wireless configuration page, select Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page. After you complete RADIUS configuration, click Next to enter the portal configuration page, as shown in Figure 10.
Figure 10 Portal configuration page
Table 10 Configuration items
• Server-name: Specify the system name of the portal server.
• Server-IP: Enter the IP address of the portal server.
• Port: Enter the port number of the portal server.
• Redirect-URL: Enter the URL of the portal authentication server.
• Method: Specify the portal authentication method to be used, which can be:
  • Direct: Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The authentication process of direct authentication is simpler than that of re-DHCP authentication.
  • Layer3: Layer 3 authentication is similar to direct authentication but allows Layer 3 forwarding devices to be present between the authentication client and the access device.
  • Redhcp: Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources.
Encryption configuration
On the wireless configuration page, select User authentication (802.1X) for Primary Service
Figure 11 Encryption configuration page
Table 11 Configuration items
• Provide Key Automatically: Specify whether to use WEP keys provided automatically or use static WEP keys.
  • Enable: Use WEP keys provided automatically.
  • Disable: Use static WEP keys.
  By default, static WEP keys are used. After you select Enable, WEP104 is displayed for WEP.
  IMPORTANT: Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X) for Primary Service Authentication type on the wireless configuration page.
• WEP: Select the key type of the WEP encryption mechanism, which can be WEP40, WEP104 and WEP128.
• Key ID: Select the WEP key index, which can be 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption.
  IMPORTANT: If you select to enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option.
• Key Length: Select the key length.
  • When the key type is WEP40, the key length can be five alphanumeric characters or ten hexadecimal characters.
  • When the key type is WEP104, the key length can be 13 alphanumeric characters or 26 hexadecimal characters.
  • When the key type is WEP128, the key length can be 16 alphanumeric characters or 32 hexadecimal characters.
• WEP Key: Enter the WEP key.
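The key type, key ID and key length rules in the table above, expressed as a check that a provisioning script could run before submitting the encryption page. This is an added example, not code from the H3C guide; the function name, the authentication type strings and the sample keys are constructed for it. WEP is an obsolete cipher, so the check only confirms that the input has the form the wizard accepts.

```python
import re

# Key-length rules from the encryption configuration table:
# key type -> (alphanumeric length, hexadecimal length)
WEP_KEY_LENGTHS = {
    "WEP40": (5, 10),
    "WEP104": (13, 26),
    "WEP128": (16, 32),
}

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
ALNUM_RE = re.compile(r"[0-9A-Za-z]+")

# Constructed label for the wizard's 802.1X choice on the wireless configuration page.
DOT1X = "User authentication (802.1X)"


def validate_wep_settings(key_type, key, key_id,
                          provide_key_automatically=False, auth_type="None"):
    """Check one set of encryption-page inputs against the wizard's rules.

    Returns (ok, reason). Rules checked, in order:
    - automatic key provisioning requires User authentication (802.1X);
    - key type is WEP40, WEP104 or WEP128;
    - key ID is 1-4, or 1-3 when keys are provided automatically;
    - key length matches the type, as alphanumeric or hexadecimal.
    """
    if provide_key_automatically and auth_type != DOT1X:
        return False, "automatic WEP keys require User authentication (802.1X)"
    if key_type not in WEP_KEY_LENGTHS:
        return False, f"unknown key type {key_type!r}"
    max_id = 3 if provide_key_automatically else 4
    if not isinstance(key_id, int) or not 1 <= key_id <= max_id:
        return False, f"key ID must be an integer from 1 to {max_id}"
    alnum_len, hex_len = WEP_KEY_LENGTHS[key_type]
    # Hexadecimal form is tested first: a hex string is also alphanumeric,
    # but the two forms have different lengths, so there is no ambiguity.
    if len(key) == hex_len and HEX_RE.fullmatch(key):
        return True, f"{key_type}: {hex_len}-character hexadecimal key, key ID {key_id}"
    if len(key) == alnum_len and ALNUM_RE.fullmatch(key):
        return True, f"{key_type}: {alnum_len}-character alphanumeric key, key ID {key_id}"
    return False, (f"{key_type} key must be {alnum_len} alphanumeric or "
                   f"{hex_len} hexadecimal characters, got {len(key)}")


if __name__ == "__main__":
    # Constructed sample inputs, one per key type plus two rule violations.
    for args in [("WEP40", "abcde", 1),
                 ("WEP104", "0123456789abcdef0123456789", 2),
                 ("WEP128", "0123456789abcdef", 3),
                 ("WEP104", "0123456789abcdef0123456789", 4, True, DOT1X),
                 ("WEP104", "0123456789abcdef0123456789", 1, True, "Portal")]:
        print(args[:3], validate_wep_settings(*args))
```

The order of the checks mirrors the page: the 802.1X dependency and the key ID restriction come from the two IMPORTANT notes, and the length rule from the Key Length row.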
AP configuration
On the guest service configuration page, click Next to enter the AP configuration page, as shown in Figure 12. You can configure an AP and click Add. You can configure multiple APs on the page. The section at the bottom of the page displays all existing APs.
Figure 12 AP configuration page
Table 12 Configuration items
• AP Name: Enter the name of the AP.
• Model: Select the model of the AP.
• Serial ID: Specify the serial ID of the AP.
  • If the Auto box is not selected, you need to manually enter a serial ID.
  • If the Auto box is selected, the AC automatically searches the serial ID of the AP. This option needs to cooperate with the auto AP function to implement automatic AP discovery so that the AP can connect with the AC automatically. If there are a large number of APs, the automatic AP discovery function can avoid repeated configuration of AP serial numbers. For how to configure auto AP, see "AP configuration."
• Country/Region Code: Select a country/region code for the AP. By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Advanced settings."
• Radio: Radio unit of the AP.
• Mode: Select the radio mode. The radio mode depends on the AP model.
• Channel: Select the working channel. The channel list for the radio depends on the country/region code and radio mode, and varies with device models. Auto: Specifies the automatic channel mode. With Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel. After the channel is changed, the power list is refreshed.
• Power: Select the transmission power. The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode.
Configuration summary
On the AP configuration page, click Next to enter the configuration summary page, as shown in Figure 13. The configuration summary page displays all configurations you have made. Click Finish to save your configurations.
Figure 13 Configuration summary page
Web overview
The device provides Web-based configuration interfaces for visual device management and maintenance.
Figure 14 Web-based network management operating environment
Logging in to the Web interface
You can use the following default settings to log in to the Web interface through HTTP:
• Username: admin
• Password: admin
• IP address of VLAN-interface 1 of the device: 192.168.0.100
To log in to the Web interface of the device from a PC:
1. Connect the Ethernet port of the device to the PC by using a crossover Ethernet cable. By default, all ports belong to VLAN 1.
2. Configure an IP address for the PC and make sure that the PC and the device can reach each other. For example, assign the PC an IP address (for example, 192.168.0.2) within the network segment 192.168.0.0/24 (except for 192.168.0.100).
3. Open the browser and input the login information:
a. Type the IP address http://192.168.0.100 in the address bar and press Enter. The login page of the Web interface (see Figure 15) appears.
b. Enter the username and password admin, and the verification code, select the language (English and Chinese are supported at present), and click Login.
Figure 15 Login page of the Web interface
c. After you click Login, you will enter the following page. Select a country/region code from the Country/Region list, and click Apply.
Figure 16 Selecting a country/region code
The PC where you configure the device is not necessarily the Web-based network management terminal.
A Web-based network management terminal is a PC (or another terminal) used to log in to the Web interface and is required to be reachable to the device.
After logging in to the Web interface, you can create a new user and configure the IP address of the interface connecting the user and the device.
If you click the verification code displayed on the Web login page, you can get a new verification code.
Up to 24 users can concurrently log in to the device through the Web interface.
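A check for step 2 of the login procedure, added here as an example that is not part of the guide: it uses Python's standard ipaddress module to confirm that the address chosen for the management PC lies in the device's segment, is not the device's own address, and is not the network or broadcast address. The function names are constructed for the example; the default address and mask are the ones the page states.

```python
import ipaddress

# Factory default management address of VLAN-interface 1 (from the page);
# the /24 is the default 24-bit mask.
DEFAULT_DEVICE = ipaddress.ip_interface("192.168.0.100/24")


def check_pc_address(pc_ip, device=DEFAULT_DEVICE):
    """Return (ok, reason): can a PC at pc_ip reach the device on the directly
    connected link, as step 2 of the login procedure requires?"""
    try:
        addr = ipaddress.ip_address(pc_ip)
    except ValueError:
        return False, f"{pc_ip!r} is not a valid IP address"
    net = device.network
    if addr not in net:
        return False, f"{addr} is outside {net}; the PC must be in the device's segment"
    if addr == device.ip:
        return False, f"{addr} is the device's own address"
    if addr in (net.network_address, net.broadcast_address):
        return False, f"{addr} is the network or broadcast address of {net}"
    return True, f"{addr} can reach the device at {device.ip} on {net}"


def suggest_pc_address(device=DEFAULT_DEVICE):
    """Lowest usable host address on the device's segment, skipping the device itself."""
    for host in device.network.hosts():
        if host != device.ip:
            return str(host)
    return None


if __name__ == "__main__":
    # Constructed candidates: the page's example address, the device address,
    # an address in another segment and the broadcast address.
    for candidate in ["192.168.0.2", "192.168.0.100", "192.168.1.2", "192.168.0.255"]:
        print(candidate, check_pc_address(candidate))
    print("suggested:", suggest_pc_address())
```

If VLAN-interface 1 has been given another address and mask, pass the new value as `ipaddress.ip_interface("address/prefix")`; the same checks apply.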
Logging out of the Web interface
As shown in Figure 17, click Logout in the upper-right corner of the Web interface to quit Web-based network management.
The system does not save the current configuration before you log out of the Web interface. H3C recommends you to save the current configuration before logout.
CAUTION:
A logged-in user cannot automatically log out by directly closing the browser.
Introduction to the Web interface
The Web interface comprises three parts: navigation tree, title area, and body area.
Figure 17 Web-based configuration interface
(1) Navigation area (2) Body area (3) Title area
• Navigation area—Organizes the Web-based NM function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area. The Web network management functions not supported by the device are not displayed in the navigation area.
• Body area—The area where you can configure and display a function.
• Title area—On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web related help information, and the Logout button to log out of the Web interface.
Web user level
Web user levels, ranging from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.
• Visitor—Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the device.
• Configure—Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform any operations for the device.
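The four-level hierarchy described above, as an added example that is not from the H3C guide: a rank per level, a check that a user's level is at least the level an operation requires, and a test of the stated property that a higher level keeps every right of a lower one. The operation list is a constructed sample taken from the rights this page lists, not the device's complete table; the function names are assumptions for the example.

```python
# Web user levels from low to high, as the "Web user level" section lists them.
LEVEL_RANK = {"visitor": 0, "monitor": 1, "configure": 2, "management": 3}

# Constructed sample of (function menu, operation, lowest level allowed),
# drawn from the rights described on this page.
SAMPLE_OPERATIONS = [
    ("Diagnostics", "Ping and traceroute", "visitor"),
    ("Summary > AP", "Display AP information", "monitor"),
    ("Summary > AP", "Reboot an AP", "configure"),
    ("Device > Configuration > Save", "Save the current configuration", "configure"),
    ("Device > Users > Create", "Create an FTP or Telnet user", "management"),
    ("Device > Software Upgrade", "Upload system software", "management"),
]


def level_rank(level):
    """Map a level name (case-insensitive) to its rank; reject unknown names."""
    try:
        return LEVEL_RANK[level.strip().lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown Web user level: {level!r}")


def can_perform(user_level, required_level):
    """A user may perform an operation if its level is at least the required one."""
    return level_rank(user_level) >= level_rank(required_level)


def allowed_operations(user_level, operations=SAMPLE_OPERATIONS):
    """Operations from the table that a user of this level may perform."""
    return [op for _menu, op, required in operations
            if can_perform(user_level, required)]


def hierarchy_is_consistent(operations=SAMPLE_OPERATIONS):
    """Confirm the stated property: each level keeps every right of the level below it."""
    levels = sorted(LEVEL_RANK, key=LEVEL_RANK.get)
    for lower, higher in zip(levels, levels[1:]):
        if not set(allowed_operations(lower, operations)) <= set(allowed_operations(higher, operations)):
            return False
    return True


if __name__ == "__main__":
    for level in sorted(LEVEL_RANK, key=LEVEL_RANK.get):
        print(level, "->", allowed_operations(level))
    print("hierarchy consistent:", hierarchy_is_consistent())
```

Because `hierarchy_is_consistent` compares the permitted sets of adjacent levels, it also catches a table row that would break the rule, for example an operation allowed to Monitor but not to Configure.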
Introduction to the Web-based NM functions
NOTE:
• Support for the configuration items depends on the device model. For more information, see "Feature matrixes."
• The user level given for an item indicates that users of this level or users of a higher level can perform the corresponding operations.
Table 13 Description for Web-based NM functions
Function menu
Quick Start
Summary
Device
Device Info
Wireless Service
AP
Client
License
Basic
Device
Maintenance
License
Enhanced License
System Name
Web Idle Timeout
Software Upgrade
Description
Perform quick configuration of the device.
Display and refresh system resource state, device information, device interface information, and recent system operation logs.
Display the information of the queried
WLAN service, including the detailed information, statistics, and connection history.
User level
Configure
Monitor
Monitor
Display the information of the queried
AP, including wireless service, connection history, radio, and detailed information.
Reboot an AP.
Display the detailed information, statistics, and roaming information of the client.
Clear statistics of the client, disconnect the connection, and add the client into the blacklist.
Display license information.
Register enhanced licenses.
Display and configure the system name.
Configure
Monitor
Configure
Monitor
Add licenses. Configure
Display enhanced license information. Monitor
Configure
Configure
Display and configure the idle timeout period for a logged-in user.
Upload the file to be upgraded from the local host to upgrade the system software.
Monitor
Configure
Management
23
Function menu | Description | User level
Diagnostic Information | Generate a diagnostic information file, view the file, or save the file to the local host. | Management
System Time > System Time | Display the system date and time. | Monitor
System Time > System Time | Manually set the system time. | Configure
System Time > Net Time | Set local and external clock sources and system time zone. | Configure
System Time > Net Time | Set the network time. | Configure
Syslog > Loglist | Display and refresh system logs. | Monitor
Syslog > Loglist | Clear system logs. | Configure
Syslog > Loghost | Display and configure the loghost. | Configure
Syslog > Log Setup | Display and configure the buffer capacity and refresh interval for displaying system logs. | Configure
Configuration > Backup | Back up the configuration file for the next startup to the host of the current user. | Management
Configuration > Restore | Upgrade the configuration file on the host of the current user to the device for the next startup. | Management
Configuration > Save | Save the current configuration to the configuration file for the next startup. | Configure
Configuration > Initialize | Restore the system to factory defaults. | Configure
File management | Manage files on the device, including displaying the file list, downloading a file, uploading a file, removing a file, and setting the main boot file. | Management
Interface | Display interface information and statistics. | Monitor
Interface | Create, modify, and delete an interface, and clear interface statistics. | Configure
Port Mirroring > Summary | Display the configuration information of a port mirroring group. | Monitor
Port Mirroring > Add | Create a port mirroring group. | Configure
Port Mirroring > Remove | Remove a port mirroring group. | Configure
Port Mirroring > Modify Port | Configure ports for a mirroring group. | Configure
Users > Summary | Display brief information of FTP and Telnet users. | Monitor
Users > Super Password | Configure the password for a lower-level user to switch from the current access level to the management level. | Management
Users > Create | Create an FTP or Telnet user. | Management
Function menu | Description | User level
Users > Modify | Modify FTP or Telnet user information. | Management
Users > Remove | Remove an FTP or a Telnet user. | Management
Users > Switch To | Switch the current user level to the management level. | Monitor
SNMP > Setup | Display and refresh SNMP configuration and statistics information. | Monitor
SNMP > Setup | Configure SNMP. | Configure
SNMP > Community | Display SNMP community information. | Monitor
SNMP > Community | Create, modify, and delete an SNMP community. | Configure
SNMP > Group | Display SNMP group information. | Monitor
SNMP > Group | Create, modify, and delete an SNMP group. | Configure
SNMP > User | Display SNMP user information. | Monitor
SNMP > User | Create, modify, and delete an SNMP user. | Configure
SNMP > Trap | Display the status of the SNMP trap function and information about target hosts. | Monitor
SNMP > Trap | Enable or disable the SNMP trap function, or create, modify, and delete a target host. | Configure
SNMP > View | Display SNMP view information. | Monitor
SNMP > View | Create, modify, and delete an SNMP view. | Configure
Loopback | Perform the loopback test on Ethernet interfaces. | Configure
Network > MAC > MAC | Display MAC address information. | Monitor
Network > MAC > MAC | Create or remove MAC addresses. | Configure
Network > MAC > Setup | Display and configure MAC address aging time. | Configure
Network > VLAN > VLAN | Display all VLANs on the device and information about their member ports. | Monitor
Network > VLAN > VLAN | Create, modify, and delete VLANs. | Configure
Network > VLAN > Port | Display VLANs to which a port on the device belongs. | Monitor
Network > VLAN > Port | Modify the VLANs to which a port belongs. | Configure
Network > ARP Management > ARP Table | Display ARP table information. | Monitor
Network > ARP Management > ARP Table | Add, modify, or delete an ARP entry. | Configure
Function menu | Description | User level
ARP Anti-Attack > Gratuitous ARP | Display configuration information of gratuitous ARP. | Monitor
ARP Anti-Attack > Gratuitous ARP | Configure gratuitous ARP. | Configure
ARP Anti-Attack > ARP Detection | Display the configuration information of ARP detection. | Monitor
ARP Anti-Attack > ARP Detection | Configure ARP detection. | Configure
ARP Anti-Attack > Advanced Configuration | Display the configuration information of source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check. | Monitor
ARP Anti-Attack > Advanced Configuration | Configure source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check. | Configure
IGMP Snooping > Basic | Display global IGMP Snooping configuration information and the IGMP Snooping configuration information in a VLAN, and view the IGMP Snooping multicast entry information. | Monitor
IGMP Snooping > Basic | Configure IGMP Snooping globally and in a VLAN. | Configure
IGMP Snooping > Advance | Display the IGMP Snooping configuration information on a port. | Monitor
IGMP Snooping > Advance | Configure IGMP Snooping on a port. | Configure
IPv4 Routing > Summary | Display the IPv4 active route table. | Monitor
IPv4 Routing > Create | Create an IPv4 static route. | Configure
IPv4 Routing > Remove | Delete the selected IPv4 static routes. | Configure
IPv6 Routing > Summary | Display the IPv6 active route table. | Monitor
IPv6 Routing > Create | Create an IPv6 static route. | Configure
IPv6 Routing > Remove | Delete the selected IPv6 static routes. | Configure
DHCP | Display the DHCP service status, the DHCP address pool information, the DHCP server status on an interface, and addresses in use. | Monitor
DHCP | Set the DHCP service status, add, modify, or delete a DHCP address pool, and modify the DHCP server status on an interface. | Configure
Function menu | Description | User level
DHCP Relay | Display the status of the DHCP service and advanced configuration information of DHCP relay, display information of a DHCP group and the status of the DHCP relay agent on an interface, and view the DHCP relay user information. | Monitor
DHCP Relay | Configure the status of the DHCP service and advanced configuration information of DHCP relay, add or delete a DHCP group, and modify the status of the DHCP relay agent on an interface. | Configure
DHCP Snooping | Display the status of the DHCP Snooping function and the trusted and untrusted attributes of a port, and view the DHCP Snooping user information. | Monitor
DHCP Snooping | Configure the status of the DHCP Snooping function, and modify the trusted and untrusted attributes of a port. | Configure
DNS > Static | Display, create, modify, or delete a static host name-to-IP address mapping. | Configure
DNS > Dynamic | Display and configure related parameters for dynamic domain name resolution. Display, create, or delete a DNS server IP address and the domain name suffix. | Configure
Service | Display the states of the services: enabled or disabled. | Configure
Service | Specify whether to enable various services, and set related parameters. | Management
Diagnostic Tools > IPv4 Ping | Ping an IPv4 address or host and display the result. | Visitor
Diagnostic Tools > IPv6 Ping | Ping an IPv6 address or host and display the result. | Visitor
Diagnostic Tools > Trace Route | Perform trace route operations and display the result. | Visitor
AP > AP Setup | Display AP-related information, including AP name, AP IP address, serial ID, model, and status. | Monitor
AP > AP Setup | Add an AP and modify the AP configuration. | Configure
AP > Auto AP | Display auto AP information after auto AP is enabled, including AP name, model, serial ID, and IP address. | Monitor
AP > Auto AP | Enable auto AP. | Configure
Function menu | Description | User level
WLAN > Service > AP Group | Display AP group information. | Monitor
WLAN > Service > AP Group | Create and configure an AP group. | Configure
WLAN > Service > Access Service | Display an access service, including security type, detailed information, service status, and binding status. | Monitor
WLAN > Service > Access Service | Create and configure an access service, map an access service to an AP radio, and add a MAC authentication list. | Configure
WLAN > Mesh Service > Mesh Service | Display a mesh service, including its detailed information, status, and binding information. | Monitor
WLAN > Mesh Service > Mesh Service | Create and configure a mesh service, including security settings. | Configure
WLAN > Mesh Service > Mesh Policy | Display mesh policies. | Monitor
WLAN > Mesh Service > Mesh Policy | Create and configure a mesh policy. | Configure
WLAN > Mesh Service > Global Setup | Display mesh global settings, including basic settings, mesh DFS, and mesh portal service. | Monitor
WLAN > Mesh Service > Global Setup | Configure mesh global settings, including basic settings, mesh DFS, and mesh portal service. | Configure
WLAN > Mesh Service > Mesh Channel Optimize | Display radio information and channel switch information in a mesh network. | Monitor
WLAN > Mesh Service > Mesh Channel Optimize | Configure mesh channel optimization. | Configure
WLAN > Mesh Service > Mesh Link Info | Display mesh link status information. | Monitor
WLAN > Mesh Service > Mesh Link Info | Monitor mesh link status and refresh mesh link status information. | Configure
WLAN > Mesh Service > Mesh Link Test | Display mesh link test results. | Monitor
WLAN > Mesh Service > Mesh Link Test | Test mesh links and refresh mesh link test results. | Configure
WLAN > Roam > Roam Group | Display a roaming group and its members. | Monitor
WLAN > Roam > Roam Group | Configure a roaming group and add a group member. | Configure
WLAN > Roam > Roam Client | Display client information, including MAC address, BSSID, VLAN ID, home AC, and roaming direction. | Monitor
WLAN > Radio > Radio | Display radio status, including radio mode and radio status. | Monitor
WLAN > Radio > Radio | Configure radio parameters, including 802.11n settings. | Configure
WLAN > Radio > Rate | Display rate settings. | Monitor
Function menu | Description | User level
Radio > Rate | Configure 802.11n rates, including MCS index. | Configure
Radio > Channel Scan | Display channel scanning, including scanning mode, scanning type, and scanning interval. | Monitor
Radio > Channel Scan | Configure channel scanning, including scanning mode and scanning type. | Configure
Radio > Calibration > Operation | Display or refresh AP status, including channel status, neighbor information, and history information. | Monitor
Radio > Calibration > Operation | Manual calibration. | Configure
Radio > Calibration > Parameters | Display basic setup, channel setup, and power setup. | Monitor
Radio > Calibration > Parameters | Configure channel calibration parameters. | Configure
Radio > Radio Group | Display radio group configuration. | Monitor
Radio > Radio Group | Configure a radio group. | Configure
Radio > Antenna Switch | Configure the antenna of an AP. | Configure
Authentication > 802.1X | Display the global 802.1X information and 802.1X information of a port. | Monitor
Authentication > 802.1X | Display the global 802.1X features and 802.1X features of a port. | Configure
Authentication > Portal > Portal Server | Display configuration information about the portal server and advanced parameters for portal authentication. | Monitor
Authentication > Portal > Portal Server | Add and delete a portal server, and modify advanced parameters for portal authentication. | Configure
Authentication > Portal > Free Rule | Display the portal-free rule configuration information. | Monitor
Authentication > Portal > Free Rule | Add and delete a portal-free rule. | Configure
Authentication > AAA > Domain Setup | Display ISP domain configuration information. | Monitor
Authentication > AAA > Domain Setup | Add and remove ISP domains. | Management
Authentication > AAA > Authentication | Display the authentication method configuration information of an ISP domain. | Monitor
Authentication > AAA > Authentication | Specify authentication methods for an ISP domain. | Management
Authentication > AAA > Authorization | Display the authorization method configuration information of an ISP domain. | Monitor
Function menu | Description | User level
Authentication > AAA > Authorization | Specify authorization methods for an ISP domain. | Management
Authentication > AAA > Accounting | Display the accounting method configuration information of an ISP domain. | Monitor
Authentication > AAA > Accounting | Specify accounting methods for an ISP domain. | Management
Authentication > RADIUS | Display, add, modify, and delete a RADIUS scheme. | Management
Authentication > Local EAP Server | Display the configuration information of the local EAP service. | Monitor
Authentication > Local EAP Server | Configure the local EAP service. | Configure
Authentication > Users > Local User | Display local users' configuration information. | Monitor
Authentication > Users > Local User | Add, modify, and remove local users. | Management
Authentication > Users > User Group | Display user groups' configuration information. | Monitor
Authentication > Users > User Group | Add, modify, and remove user groups. | Management
Authentication > Users > Guest | Display guest users' configuration information. | Monitor
Authentication > Users > Guest | Add, modify, and remove guest users. | Management
Authentication > Users > User Profile | Display user profile configuration information. | Monitor
Authentication > Users > User Profile | Add, modify, remove, enable, and disable user profiles. | Configure
Authentication > Certificate Management > Entity | Display information about PKI entities. | Monitor
Authentication > Certificate Management > Entity | Add, modify, and delete a PKI entity. | Configure
Authentication > Certificate Management > Domain | Display information about PKI domains. | Monitor
Authentication > Certificate Management > Domain | Add, modify, and delete a PKI domain. | Configure
Authentication > Certificate Management > Certificate | Display the certificate information of PKI domains and view the contents of a certificate. | Monitor
Authentication > Certificate Management > Certificate | Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate. | Configure
Authentication > Certificate Management > CRL | Display the contents of the CRL. | Monitor
Authentication > Certificate Management > CRL | Receive the CRL of a domain. | Configure
Function menu | Description | User level
Security > Rogue detection > AP Monitor | Display AP operating mode. | Monitor
Security > Rogue detection > AP Monitor | Configure AP operating mode. | Configure
Security > Rogue detection > Rule List | Display list types for rogue device detection and the detection rules. | Monitor
Security > Rogue detection > Rule List | Configure list types for rogue device detection and the rules. | Configure
Security > Rogue detection > Monitor Record | Display the monitor record of rogue device detection. | Monitor
Security > Rogue detection > Monitor Record | Clear the monitor record of rogue device detection, and add rogue devices to the blacklist. | Configure
Security > Rogue detection > History Record | Display rogue device detection history. | Monitor
Security > Rogue detection > History Record | Clear the history of rogue device detection and add rogue devices to the blacklist. | Configure
Security > WIDS > WIDS Setup | Display IDS configuration. | Monitor
Security > WIDS > WIDS Setup | Configure IDS detection, including flood attack detection, spoofing attack detection, and weak IV detection. | Configure
Security > WIDS > History Record | Display IDS attack detection history. | Monitor
Security > WIDS > History Record | Clear the history record of IDS attack detection and add the detected devices that initiate attacks to the blacklist. | Configure
Security > WIDS > Statistics | Display statistics of IDS attack detection. | Monitor
Security > WIDS > Statistics | Clear the statistics. | Configure
Security > Filter > Blacklist | Display dynamic and static blacklists. | Monitor
Security > Filter > Blacklist | Clear the dynamic blacklist and static blacklist; enable the dynamic blacklist; add entries to the static blacklist. | Configure
Security > Filter > White List | Display the white list. | Monitor
Security > Filter > White List | Clear the white list and add entries to the white list. | Configure
Security > Authorized IP > Summary | Display the configurations of the authorized IP, the associated IPv4 ACL rule list, and the associated IPv6 ACL rule list. | Management
Security > Authorized IP > Setup | Configure the authorized IP. | Configure
Security > User Isolation | Display, add, modify, and remove user isolation configuration. | Management
Function menu | Description | User level
QoS > Time Range > Summary | Display time range configuration information. | Monitor
QoS > Time Range > Add | Create a time range. | Configure
QoS > Time Range > Remove | Delete a time range. | Configure
QoS > ACL IPv4 > Summary | Display IPv4 ACL configuration information. | Monitor
QoS > ACL IPv4 > Add | Create an IPv4 ACL. | Configure
QoS > ACL IPv4 > Basic Setup | Configure a rule for a basic IPv4 ACL. | Configure
QoS > ACL IPv4 > Advanced Setup | Configure a rule for an advanced IPv4 ACL. | Configure
QoS > ACL IPv4 > Link Setup | Create a rule for an Ethernet frame header ACL. | Configure
QoS > ACL IPv4 > Remove | Delete an IPv4 ACL or its rules. | Configure
QoS > ACL IPv6 > Summary | Display IPv6 ACL configuration information. | Monitor
QoS > ACL IPv6 > Add | Create an IPv6 ACL. | Configure
QoS > ACL IPv6 > Basic Setup | Configure a rule for a basic IPv6 ACL. | Configure
QoS > ACL IPv6 > Advanced Setup | Configure a rule for an advanced IPv6 ACL. | Configure
QoS > ACL IPv6 > Remove | Delete an IPv6 ACL or its rules. | Configure
QoS > Wireless QoS > Wireless QoS | Display wireless QoS, including SVP mapping, CAC admission policy, radio EDCA, and client EDCA. | Monitor
QoS > Wireless QoS > Wireless QoS | Configure wireless QoS, including SVP mapping, CAC admission policy, radio EDCA, and client EDCA. | Configure
QoS > Wireless QoS > Radio Statistics | Display radio statistics, including WMM status and detailed radio information. | Monitor
QoS > Wireless QoS > Radio Statistics | Display radio statistics, including WMM status and detailed radio information, and clear the radio statistics. | Configure
QoS > Wireless QoS > Client Statistics | Display client statistics, including WMM status and detailed client information. | Monitor
QoS > Wireless QoS > Client Statistics | Display client statistics, including WMM status and detailed client information, and clear the client statistics. | Configure
QoS > Wireless QoS > Client Rate Limit | Display the configured client rate limit information. | Monitor
Function menu | Description | User level
QoS > Wireless QoS > Client Rate Limit | Configure and modify the client rate limiting mode, direction, and rate. | Configure
QoS > Wireless QoS > Bandwidth Guarantee | Display bandwidth settings for different radio types. | Monitor
QoS > Wireless QoS > Bandwidth Guarantee | Configure bandwidth guarantee settings. | Configure
QoS > Line Rate > Summary | Display line rate configuration information. | Monitor
QoS > Line Rate > Setup | Configure the line rate. | Configure
QoS > Port Priority | Display the priority and trust mode of a port. | Monitor
QoS > Port Priority | Modify the priority and trust mode of a port. | Configure
QoS > Trust Mode | Display priority trust mode configuration information. | Management
QoS > Trust Mode | Configure the priority trust mode. | Management
QoS > Classifier > Summary | Display classifier configuration information. | Monitor
QoS > Classifier > Add | Create a class. | Configure
QoS > Classifier > Setup | Configure the classification rules for a class. | Configure
QoS > Classifier > Remove | Delete a class or its classification rules. | Configure
QoS > Behavior > Summary | Display traffic behavior configuration information. | Monitor
QoS > Behavior > Add | Create a traffic behavior. | Configure
QoS > Behavior > Setup | Configure actions for a traffic behavior. | Configure
QoS > Behavior > Remove | Delete a traffic behavior. | Configure
QoS > QoS Policy > Summary | Display QoS policy configuration information. | Monitor
QoS > QoS Policy > Add | Create a QoS policy. | Configure
QoS > QoS Policy > Setup | Configure the classifier-behavior associations for a QoS policy. | Configure
QoS > QoS Policy > Remove | Delete a QoS policy or its classifier-behavior associations. | Configure
QoS > Port Policy > Summary | Display the QoS policy applied to a port. | Monitor
QoS > Port Policy > Setup | Apply a QoS policy to a port. | Configure
QoS > Port Policy > Remove | Remove the QoS policy from the port. | Configure
QoS > Service Policy | Display the QoS policy applied to a WLAN-ESS port. | Monitor
Function menu | Description | User level
QoS > Service Policy | Configure the QoS policy applied to a WLAN-ESS port. | Configure
Advanced > Country/Region Code | Display the country/region code. | Monitor
Advanced > Country/Region Code | Modify the country/region code. | Configure
Advanced > AC Backup > Setup | Display the address of the backup AC. | Monitor
Advanced > AC Backup > Setup | Configure the address of the backup AC. | Configure
Advanced > AC Backup > Status | Display the status of the AC. | Monitor
Advanced > Continuous Transmit | Display the continuous transmitting mode of an AP. | Monitor
Advanced > Continuous Transmit | Switch the continuous transmitting mode of an AP. | Configure
Advanced > Channel Busy Test | Display channel busy rate test results. | Monitor
Advanced > Channel Busy Test | Test the busy rate of channels, and output the test results. | Configure
Advanced > Load Balancing > Load Balance | Display the load balancing mode and the current connection status. | Monitor
Advanced > Load Balancing > Load Balance | Configure the load balancing mode and refresh the current connection status. | Configure
Advanced > Load Balancing > Load Balance Group | Display load balancing group configuration. | Monitor
Advanced > Load Balancing > Load Balance Group | Configure a load balancing group. | Configure
Advanced > AP > AP Module | Display the AP version, including the AP model and software version. | Monitor
Advanced > AP > AP Module | Upgrade the software. | Configure
Advanced > AP > Switch to fat AP | Display the model and IP address of the AP. | Monitor
Advanced > AP > Switch to fat AP | Switch to fat AP. | Configure
Advanced > Wireless Sniffer | Display wireless sniffer configuration. | Monitor
Advanced > Wireless Sniffer | Configure, enable, and disable wireless sniffer parameters. | Configure
Advanced > Wireless Location | Display wireless location settings. | Monitor
Advanced > Wireless Location | Configure, enable, and disable wireless location. | Configure
Function menu | Description | User level
High Reliability > Stateful Failover | Display stateful failover information. | Monitor
High Reliability > Stateful Failover | Modify stateful failover configuration. | Configure
Common Web interface elements
Common buttons and icons
Table 14 Common buttons and icons
Button and icon Description
Bring the configuration on the current page into effect.
Cancel the configuration on the current page, and go to the corresponding display page or device information page.
Refresh the information on the current page.
Clear all statistics or items in a list.
Enter the page for adding an entry.
Delete entries on a list.
Select all the entries on a list or all ports on a device panel.
Clear all the entries on a list or all ports on a device panel.
Restore the values of all the entries on the current page to the default.
Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and go to the page of the next configuration procedure.
Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and return to the page of the previous configuration procedure.
Typically located on a configuration procedure page of the configuration wizard, it allows you to bring all configurations into effect.
Typically located in the Operation column of a display page, it allows you to enter the modify page of the corresponding entry to display or modify the configuration of the entry.
Typically located in the Operation column of a display page, it allows you to remove an entry.
Content display by pages
The Web interface can display contents by pages, as shown in Figure 18. You can set the number of entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any page that you want to check.
Figure 18 Content display by pages
Searching function
The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.
• Basic search—As shown in Figure 19, input the keyword in the text box above the list, select a search item from the list, and click Search to display the entries that match the criteria. Figure 19 shows an example of searching for entries with 00e0 included in the MAC address.
Figure 19 Basic search function example
• Advanced search—As shown in Figure 18, you can click the Advanced Search link to open the advanced search page, as shown in Figure 20. Specify the search criteria, and click Apply to display the entries that match the criteria.
Figure 20 Advanced search
Take an ARP table as an example. If you want to search for the ARP entries with 000f at the beginning of the MAC address and an IP address in the range 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 21, and click Apply. The ARP entries with 000f at the beginning of the MAC address are displayed.
Figure 21 Advanced search function example (I)
2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 22, and click Apply. The ARP entries with 000f at the beginning of the MAC address and an IP address in the range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 23.
Figure 22 Advanced search function example (II)
Figure 23 Advanced search function example (III)
Sorting function
The Web interface provides basic functions to display entries in a certain order.
On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click it, the heading item is displayed with an arrow beside it. The upward arrow indicates ascending order, and the downward arrow indicates descending order.
Figure 24 Basic sorting function example (based on IP address in the descending order)
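The advanced search and sorting operations above (a MAC prefix of 000f, an IP address range of 192.168.1.50 to 192.168.1.59, and sorting by IP address) can be reproduced offline against an exported ARP table, which is useful when reviewing a table that is too large to inspect page by page. The following Python script is an added example, not code from this guide or from H3C; the ARP entries in it are constructed, the MAC address notation is assumed to be the dotted form, and the point it demonstrates is that IP ranges and IP sort order must be evaluated numerically, because string comparison orders 192.168.1.6 after 192.168.1.59.

```python
import ipaddress

# Constructed sample ARP entries (not taken from the guide). The fields mirror
# the columns a web-interface ARP table shows: IP address, MAC address, VLAN, interface.
SAMPLE_ARP_TABLE = [
    {"ip": "192.168.1.49", "mac": "000f-e200-0001", "vlan": 1, "interface": "GE1/0/1"},
    {"ip": "192.168.1.50", "mac": "000f-e200-0002", "vlan": 1, "interface": "GE1/0/1"},
    {"ip": "192.168.1.55", "mac": "00e0-fc00-1234", "vlan": 1, "interface": "GE1/0/2"},
    {"ip": "192.168.1.59", "mac": "000f-e201-ab00", "vlan": 2, "interface": "GE1/0/3"},
    {"ip": "192.168.1.6",  "mac": "000f-e200-0003", "vlan": 1, "interface": "GE1/0/1"},
    {"ip": "192.168.1.60", "mac": "000f-e200-0004", "vlan": 1, "interface": "GE1/0/1"},
]


def normalize_mac(mac: str) -> str:
    """Return the hex digits of a MAC address in lowercase with separators removed,
    so that 000f-e200-0001, 00:0F:E2:00:00:01 and 000fe2000001 compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def search_arp(entries, mac_prefix=None, ip_from=None, ip_to=None):
    """Return the entries whose MAC address starts with mac_prefix and whose
    IPv4 address lies in the inclusive range [ip_from, ip_to].
    Any criterion left as None is not applied (same as an empty field in the
    advanced search form)."""
    prefix = normalize_mac(mac_prefix) if mac_prefix else ""
    lo = ipaddress.ip_address(ip_from) if ip_from else None
    hi = ipaddress.ip_address(ip_to) if ip_to else None
    hits = []
    for entry in entries:
        if prefix and not normalize_mac(entry["mac"]).startswith(prefix):
            continue
        # Compare as addresses, not strings: "192.168.1.6" < "192.168.1.50" numerically,
        # but the string "192.168.1.6" sorts after "192.168.1.59".
        ip = ipaddress.ip_address(entry["ip"])
        if lo is not None and ip < lo:
            continue
        if hi is not None and ip > hi:
            continue
        hits.append(entry)
    return hits


def sort_by_ip(entries, descending=False):
    """Sort entries by IP address in numeric order (ascending by default)."""
    return sorted(entries,
                  key=lambda e: int(ipaddress.ip_address(e["ip"])),
                  reverse=descending)


if __name__ == "__main__":
    # Step 1 of the example: MAC prefix only.
    for e in search_arp(SAMPLE_ARP_TABLE, mac_prefix="000f"):
        print("prefix match:", e["ip"], e["mac"])
    # Step 2: MAC prefix plus the IP address range.
    for e in search_arp(SAMPLE_ARP_TABLE, mac_prefix="000f",
                        ip_from="192.168.1.50", ip_to="192.168.1.59"):
        print("prefix+range match:", e["ip"], e["mac"])
    # Sorting by IP address in descending order, as in Figure 24.
    for e in sort_by_ip(SAMPLE_ARP_TABLE, descending=True):
        print("sorted:", e["ip"])
```

With the constructed table, the prefix-only search returns five entries, the prefix-plus-range search returns only 192.168.1.50 and 192.168.1.59, and the numeric sort places 192.168.1.6 at the low end where a string sort would have placed it between 192.168.1.59 and 192.168.1.60.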
Configuration guidelines
• The Web-based configuration interface supports the operating systems Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Linux, and Mac OS.
• The Web-based configuration interface supports the browsers Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.
• The Web-based configuration interface does not support the Back, Next, and Refresh buttons. Using these buttons may result in abnormal display of Web pages.
• The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, sometimes you may be unable to open the Web interface. To avoid this problem, turn off the Windows firewall before login.
• If the software version of the device changes, clear the cache data on the browser before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
• You can display at most 20,000 entries that support content display by pages.
Troubleshooting Web browser
Failure to access the device through the Web interface
Symptom
You can ping the device successfully, and log in to the device through telnet. HTTP is enabled and the operating system and browser version meet the Web interface requirements. However, you cannot access the Web interface of the device.
Analysis
• If you use Microsoft Internet Explorer, you can access the Web interface only when these functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
• If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.
Configuring the Internet Explorer settings
1. Open Internet Explorer, and then select Tools > Internet Options.
2. Click the Security tab, and then select a Web content zone to specify its security settings.
Figure 25 Internet Explorer setting (I)
3. Click Custom Level, and the Security Settings dialog box appears.
4. As shown in Figure 26, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
Figure 26 Internet Explorer setting (II)
5. Click OK in the Security Settings dialog box.
Configuring Firefox Web browser settings
1. Open the Firefox Web browser, and then select Tools > Options.
2. Click the Content tab, select Enable JavaScript, and click OK.
Figure 27 Firefox Web browser setting
Summary
Device information
You can view the following information on the Device Info menu:
• Device information
• System resource state
• Device interface information
• Recent system logs (at most five)
After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 28 Device info page
Select the refresh mode from the Refresh Period list.
• If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the Device Info page according to the selected refresh period.
• If you select Manual, you need to click Refresh to refresh the page.
Device info
Table 15 Field description
Field Description
Device Name Display the device model.
Product Information Display the product information.
Device Location Display the location of the device. To configure the device location information, select Device > SNMP > Setup; for more information, see "SNMP configuration."
Contact Information Display the contact information for device maintenance. To configure the contact information, select Device > SNMP > Setup; for more information, see "SNMP configuration."
SerialNum Display the serial number of the device.
Software Version Display the software version of the device.
Hardware Version Display the hardware version of the device.
Bootrom Version Display the Boot ROM version of the device.
Running Time Display the running time since the latest boot of the device.
System resource state
Table 16 Field description
Field Description
CPU Usage Display the real-time CPU usage.
Memory Usage Display the real-time memory usage and the total memory size.
Temperature Display the temperature of the device.
Device interface information
Table 17 Field description
Field Description
Interface Display interface name and interface number.
IP Address/Mask Display the IP address and mask of an interface.
Status Display interface status:
• The interface is up and is connected.
• The interface is up, but not connected.
• The interface is down.
NOTE:
For more information about device interfaces, click the More hyperlink under the Device Interface
Information area to enter the Device > Interface page to view and operate the interfaces. For more information, see "Interface management."
Recent system logs
Table 18 Field description
Field Description
Time Display the time when the system logs are generated.
Level Display the level of the system logs.
Description Display the contents of the system logs.
NOTE:
For more information about system logs, click the More hyperlink under the Recent System Operation
Logs area to enter the Device > Syslog > Loglist page to view the logs. For more information, see "Log management."
Displaying WLAN service
1. Select Summary > Wireless Service from the navigation tree.
2. Click the specified WLAN service to view the detailed information, statistics, or connection history.
Displaying detailed information of WLAN service
Figure 29 Display detailed information of WLAN service (clear type)
Table 19 Field description
Field Description
Service Template Number Service template number.
SSID Service set identifier (SSID) for the ESS.
Binding Interface Name of the interface bound with the service template.
Service Template Type Service template type.
Authentication Method Type of authentication used. WLAN service of the clear type only uses open system authentication.
SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.
Bridge Mode Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.
Service Template Status Status of the service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.
Maximum clients per BSS Maximum number of associated clients per BSS.
The detailed information of WLAN service (crypto type) is as shown in Figure 30. For the description of the fields in the detailed information, see Table 20.
Figure 30 Display detailed information of WLAN service (crypto type)
Table 20 Field description
Field Description
Service Template Number Service template number.
SSID SSID for the ESS.
Binding Interface Name of the interface bound with the service template.
Service Template Type Service template type.
Security IE Security IE: WPA or WPA2 (RSN).
Authentication Method Authentication method: open system or shared key.
SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.
Cipher Suite Cipher suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.
TKIP Countermeasure Time(s) TKIP countermeasure time in seconds.
PTK Life Time(s) PTK lifetime in seconds.
GTK Rekey GTK rekey configured.
GTK Rekey Method GTK rekey method configured: packet based or time based.
GTK Rekey Time(s) Time for GTK rekey in seconds.
• If Time is selected, the GTK will be refreshed after a specified period of time.
• If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.
Bridge Mode Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.
Service Template Status Status of the service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.
Maximum clients per BSS Maximum number of associated clients per BSS.
Displaying statistics of WLAN service
The statistics of WLAN service are as shown in Figure 31.
Figure 31 Displaying WLAN service statistics
Displaying connection history information of WLAN service
The connection history information of WLAN service is as shown in Figure 32.
Figure 32 Displaying the connection history information of WLAN service
Displaying AP
Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 33. You can display the WLAN service information, connection history, radio, and detailed information of an AP by clicking the tabs on the page.
Displaying WLAN service information of an AP
The WLAN service information of an AP is as shown in Figure 33.
Figure 33 Displaying WLAN service information
Displaying AP connection history information
The connection history information of an AP is as shown in Figure 34.
Figure 34 Displaying AP connection history information
Displaying AP radio information
Select Summary > AP from the navigation tree to enter the AP page, click the Radio tab on the page, and click the name of the specified AP to view the radio statistics of an AP.
The radio statistics of an AP are as shown in Figure 35. For the description of the fields in the AP radio statistics, see Table 21.
Figure 35 Displaying AP radio information
NOTE:
• The Noise Floor item in the table indicates various random electromagnetic waves during the wireless communication. In an environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor.
• The Service Type item in the table has two options: Access and Mesh.
• Res Using Ratio represents the resource utilization of a radio within a certain period. For example, in a period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the radio is 5 seconds divided by 10 seconds: 50%.
Table 21 Field description
Field Description
AP name Access point name.
Radio Id Radio ID.
Transmitted Frames Statistics Statistics of transmitted frames.
Total Frames Total number of frames (including probe response frames and beacon frames) transmitted. Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.
Unicast Frames Number of unicast frames (excluding probe response frames) transmitted.
Broadcast/Multicast Frames Number of broadcast or multicast frames (excluding beacon frames) transmitted.
Others Total number of other types of frames transmitted.
Discard Frames Number of frames discarded.
Retry Count Number of transmission retries.
Multiple Retry Count Number of frames that have been retransmitted.
Authentication Frames Number of authentication responses transmitted.
Failed RTS Number of RTS frames that failed during transmission.
Successful RTS Number of RTS frames transmitted successfully.
Failed ACK Number of transmitted frames for which no acknowledgement is received.
Association Frames Number of association responses transmitted.
Received Frames Statistics Statistics of received frames.
Total Frames Number of frames received.
Unicast Frames Number of unicast frames received.
Broadcast/Multicast Frames Number of broadcast or multicast frames received.
Fragmented Frames Number of fragmented frames received.
FCS Failures Number of frames dropped due to FCS failure.
Authentication Frames Number of authentication requests received.
Duplicate Frames Number of duplicate frames received.
Decryption Errors Number of frames dropped due to decryption error.
Association Frames Number of association requests received.
Displaying AP detailed information
Select Summary > AP from the navigation tree to enter the AP page, click the Detail tab on the page, and click the name of the specified AP to view the detailed information of an AP.
The detailed information of an AP is as shown in the figure below. For the description of the fields in the AP detailed information, see Table 22.
Figure 36 Displaying AP detailed information
Table 22 Field description
Field Description
APID Access point identifier.
AP System Name Access point name.
Map Configuration Configuration file mapped to the AP.
State Current state of the AP:
• ImageDownload—The AP is downloading the version. If the ImageDownload state persists, check the following: 1) The version of the fit AP saved on the AC matches the version that the AC requires; 2) The flash space is sufficient.
• Idle—The AP is idle. If the Idle state persists, check the following: 1) If the Latest IP Address and Tunnel Down Reason fields are displayed as -NA-, the AP has never connected to the AC successfully. Check the network cable, the power supply of the fit AP, and the AP serial number if the serial number was manually input. 2) If the Latest IP Address and Tunnel Down Reason fields display other contents, the AP has connected to the AC successfully. See the output of the Tunnel Down Reason field for the detailed reason.
• Run—The AP is operating. It indicates that the AP has connected to the AC successfully.
• Config—The AC is delivering the configuration file to the fit AP, and the fit AP is collecting radio information through the radio interface and reporting it to the AC. This state is instantaneous.
Up Time(hh:mm:ss) Time duration for which the AP has been connected to the AC. NA indicates that the AP is not connected to the AC.
Model AP model name.
Serial-ID Serial ID of the AP.
IP Address IP address of the AP.
H/W Version Hardware version of the AP.
S/W Version Software version of the AP.
Boot-Rom version Boot ROM version of the AP.
Description Description of the AP.
Connection Type AP connection type: "Master" or "Backup".
Peer AC MAC Address Peer AC MAC address in case of AC backup.
Priority Level AP connection priority.
Echo Interval(s) Interval for sending echo requests, in seconds.
Statistics report Interval(s) Interval for sending statistics information messages, in seconds.
Cir (Kbps) Committed information rate in kbps.
Cbs (Bytes) Committed burst size in bytes.
Jumboframe Threshold Threshold value of jumbo frames.
Transmitted control packets Number of transmitted control packets.
Received control packets Number of received control packets.
Transmitted data packets Number of transmitted data packets.
Received data packets Number of received data packets.
Configuration Failure Count Count of configuration request message failures.
Last Failure Reason Last configuration request failure reason.
Last Reboot Reason Last reboot reason of the AP:
• Normal—The AP was powered off.
• Crash—The AP crashed, and the information is needed for analysis.
• Tunnel Initiated—The reset wlan ap command is executed on the AC (in this case, the Tunnel Down Reason is displayed as Reset AP).
• Tunnel Link Failure—The fit AP rebooted abnormally because an error occurred when the AP was establishing a connection with the AC.
Latest IP Address Latest IP address of the AP.
Tunnel Down Reason The tunnel between the AC and the AP is down when one of the following occurs:
• Neighbor Dead Timer Expire—The AC does not receive an Echo request from the AP within three times the handshake interval.
• Response Timer Expire—The AC sends a control packet to the AP but does not receive any response within the specified waiting time.
• Reset AP—The AP is rebooted by the execution of a command on the AC.
• AP Config Change: The corresponding configurations are modified on the AC.
• No Reason—Other reasons.
Connection Count Connection count between the AP and AC. This field is reset in one of the following situations:
• The AC is rebooted.
• You re-configure an AP template after deleting the old one.
If you click Reboot on this page to reboot the AP, the connection count is not reset.
AP Mode Mode supported by the AP. Currently only the split MAC mode is supported.
AP operation mode Operation mode of the AP. Currently Normal and Monitor modes are supported.
Portal Service Whether the portal service is enabled or not.
Device Detection Whether device detection is enabled or not.
Maximum Number of Radios Maximum number of radios supported by the AP.
Current Number of Radios Number of radios in use on the AP.
Client Keep-alive Interval Interval to detect clients segregated from the system due to various reasons such as power failure or crash, and disconnect them from the AP.
Client Idle Interval(s) If the client is idle for more than the specified interval, that is, if the AP does not receive any data from the client within the specified interval, the client is removed from the network.
Broadcast-probe Reply Status Whether the AP is enabled to respond to broadcast probe requests or not.
Basic BSSID MAC address of the AP.
Current BSS Count Number of BSSs connected with the AP.
Running Clients Count Number of clients currently running.
Wireless Mode Wireless mode: 802.11a, 802.11b, or 802.11g.
Client Dot11n-only
• Enabled—Only 802.11n clients can be associated with the AP.
• Disabled—802.11a/b/g/n clients can be associated with the AP.
Channel Band-width Channel bandwidth, 20 MHz or 40 MHz.
Secondary channel offset Secondary channel information for 802.11n radio mode:
• SCA (Second Channel Above)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is above the primary channel.
• SCB (Second Channel Below)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is below the primary channel.
• SCN—The AP operates in 20 MHz bandwidth mode.
HT protection mode 802.11n protection modes:
• no protection mode(0)—The clients associated with the AP, and the wireless devices within the coverage of the AP, operate in 802.11n mode, and all the clients associated with the AP operate in either 40 MHz or 20 MHz mode.
• Non-member mode(1)—The clients associated with the AP operate in 802.11n mode, but non-802.11n wireless devices exist within the coverage of the AP.
• 20 MHz mode(2)—The radio mode of the AP is 40 MHz. The clients associated with the AP and the wireless devices within the coverage of the AP operate in 802.11n mode, and at least one 802.11n client operating in 20 MHz mode is associated with the radio of the AP.
• Non-HT mix mode(3)—All situations except the above three.
Short GI for 20MHz Whether the AP supports short GI when it operates in 20 MHz mode.
Short GI for 40MHz Whether the AP supports short GI when it operates in 40 MHz mode.
Mandatory MCS Set Mandatory MCS for the AP.
Supported MCS Set Supported MCS for the AP.
A-MSDU Status of the A-MSDU function: enable or disable.
A-MPDU Status of the A-MPDU function: enable or disable.
Configured Channel Operating channel:
• If the channel is manually configured, the configured channel number is displayed.
• If the channel is automatically selected, auto(channel) is displayed, where channel is the optimal channel automatically selected by the AC. If the AP operates in 802.11n radio mode and 40 MHz bandwidth mode, this field displays the primary channel.
Configured Power(dBm) Transmission power on the radio:
• If one-time TPC (transmit power control) is adopted, the configured transmit power is displayed.
• If auto TPC is adopted, two values are displayed, the first being the maximum power, and the second auto (number), where number in the brackets represents the actual power.
Interference (%) Interference observed on the operating channel, in percentage.
Channel Load (%) Load observed on the operating channel, in percentage.
Utilization (%) Utilization rate of the operating channel, in percentage.
Co-channel Neighbor Count Number of neighbors found on the operating channel.
Channel Health Status of the channel.
Preamble Type Type of preamble that the AP can support: short or long.
Radio Policy Radio policy used.
Service Template Service template number.
SSID SSID for the ESS.
Port WLAN-DBSS interface associated with the service template.
Mesh Policy Mesh policy adopted.
ANI Support ANI (Adaptive Noise Immunity) status: enabled or disabled.
11g Protection 11g protection status: enable or disable.
Admin State Administrative state of the radio.
Physical State Physical state of the radio.
Operational Rates (Mbps) Operational rates in Mbps.
Radar detected Channels Channels on which radar signals are detected.
Displaying clients
Select Summary > Client from the navigation tree to enter the page as shown in Figure 37. For the description of the fields in the client information, see the table that follows.
Figure 37 Displaying clients
Table 23 Field description
Field Description
Refresh Refresh the current page.
Add to Blacklist Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.
Reset Statistic Clear statistics of the specified client.
Disconnect Log off the selected client.
Displaying client detailed information
Select Summary > Client from the navigation tree to enter the Client page, click the Detail Information tab on the page, and click the name of the specified client to view the detailed information of the client.
The detailed information of a client is as shown in the figure below. For the description of the fields in the client detailed information, see Table 24.
Figure 38 Displaying client detailed information
Table 24 Field description
Field Description
MAC address MAC address of the client.
AID Association ID of the client.
User Name Username of the client.
• The field is displayed as –NA– if the client adopts plain-text authentication or an authentication method that does not require a username.
• The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.
AP Name Name of the AP.
Radio Id Radio ID of the client.
SSID SSID of the AP.
BSSID BSSID of the AP.
Port WLAN-DBSS interface associated with the client.
VLAN VLAN to which the client belongs.
State State of the client. Backup indicates a backup client.
Power Save Mode Client's power save mode: active or sleep.
Wireless Mode Wireless mode such as 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.
Channel Band-width Channel bandwidth, 20 MHz or 40 MHz.
SM Power Save Enable SM Power Save enables a client to keep one antenna in the active state and the others in the sleep state to save power.
• Enabled: SM Power Save is supported.
• Disabled: SM Power Save is not supported.
Short GI for 20MHz Whether the client supports short GI when its channel bandwidth is 20 MHz: Supported or Not Supported.
Short GI for 40MHz Whether the client supports short GI when its channel bandwidth is 40 MHz: Supported or Not Supported.
Support MCS Set MCS supported by the client.
BLOCK ACK-TID 0 BLOCK ACK is negotiated based on QoS priority ID 0: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).
BLOCK ACK-TID 1 BLOCK ACK is negotiated based on QoS priority ID 1: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).
BLOCK ACK-TID 2 BLOCK ACK is negotiated based on QoS priority ID 2: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).
BLOCK ACK-TID 3 BLOCK ACK is negotiated based on QoS priority ID 3: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).
QoS Mode Whether the AP supports the WMM function.
Listen Interval (Beacon Interval) Specifies how often the client wakes up to receive frames saved in the AP, expressed in units of the beacon interval.
RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.
Rx/Tx Rate Frame reception/transmission rate of the client, including data, management, and control frames. In AC + fit AP mode there is a delay, because the Rx Rate is transmitted from the AP to the AC periodically, depending on the statistics interval.
Client Type Client type such as RSN, WPA, or Pre-RSN.
Authentication Method Authentication method such as open system or shared key.
AKM Method AKM suite used, such as Dot1X or PSK.
4-Way Handshake State Displays one of the 4-way handshake states:
• IDLE—Displayed in the initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.
Group Key State Displays the group key state:
• IDLE—Displayed in the initial state.
• REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
• REKEYESTABLISHED—Displayed when re-keying is successful.
Encryption Cipher Encryption cipher in use: clear or crypto.
Roam Status Displays the roaming status: Normal or Fast Roaming.
Roam Count Roaming count of the client, including intra-AC roaming and inter-AC roaming.
• For intra-AC roaming, this field is reset after the client is de-associated from the AP connected to the AC.
• For inter-AC roaming, this field is reset after the client leaves the mobility group to which the AC belongs.
Up Time Time for which the client has been associated with the AP.
Displaying client statistics
Select Summary > Client from the navigation tree to enter the Client page, click the Statistic Information tab on the page, and click the name of the specified client to view the statistics of the client.
The statistics of a client are as shown in Figure 39. For the description of the fields in the client statistics, see the table that follows.
Figure 39 Displaying client statistics
Table 25 Field description
Field Description
AP Name Name of the associated access point.
Radio Id Radio ID.
SSID SSID of the AP.
BSSID BSSID of the AP.
MAC Address MAC address of the client.
RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.
Transmitted Frames Number of transmitted frames.
Back Ground(Frames/Bytes) Statistics of background traffic, in frames or in bytes.
Best Effort(Frames/Bytes) Statistics of best effort traffic, in frames or in bytes.
Video(Frames/Bytes) Statistics of video traffic, in frames or in bytes.
Received Frames Number of received frames.
Discarded Frames Number of discarded frames.
NOTE:
• You can collect statistics of priority queues such as Back Ground, Best Effort, Video, and Voice on a QoS client only. Traffic, including SVP packets, sent and received on a client where QoS is not enabled falls into the Best Effort priority queue. Therefore, the queues collected may be different from the queues actually sent.
• You can collect statistics of priority queues carried in Dot11E or WMM packets; otherwise, statistics collection of priority queues on the receive end may fail.
Displaying client roaming information
Select Summary > Client from the navigation tree to enter the Client page, click the Roam Information tab on the page, and click the name of the specified client to view the roaming information of the client.
Client roaming information is as shown in Figure 40. For the detailed description of the fields in the client roaming information, see the table that follows.
Figure 40 Displaying client roaming information
Table 26 Field description
Field Description
BSSID BSSID of the AP associated with the client.
Online-time Online time of the client.
AC-IP-address IP address of the AC connected with the client. When the configured roaming channel type is IPv6, the IPv6 address of the AC is displayed.
Displaying RF ping information
Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you to get the connection information between the AP and its associated clients, such as signal strength, packet re-transmission attempts, and round trip time (RTT).
Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information tab on the page, and click the name of the specified client to view the link test information of the client.
Figure 41 View link test information
Table 27 Field description
Field Description
No./MCS
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.
Rate(Mbps) Rate at which the radio interface sends wireless ping frames.
TxCnt Number of wireless ping frames that the radio interface sent.
RxCnt Number of wireless ping frames that the radio interface received from the client.
RSSI Received signal strength indication. This value indicates the client signal strength detected by the AP.
Retries Total number of retransmitted ping frames.
RTT(ms) Round trip time.
License management
Configuring licenses
A license controls the maximum number of online APs. You can add a license on a device to increase the maximum number of online APs that the device supports. However, the upper limit of online APs that a device supports is restricted by its specification and varies by device model. For more information, see "Feature matrixes."
Adding a license
CAUTION:
• After adding a license, you must reboot the device to validate the license.
• You can also increase the maximum number of online APs by adding an enhanced license. For more information about enhanced licenses, see "Enhanced license management."
1. Select Device > License from the navigation tree.
The License page appears.
Figure 42 License
2. In the Add License area, configure the license information as described in Table 28.
3. Click Add.
Table 28 Configuration items
Item Description
License Key Enter the license key.
Activation Key Enter the activation key for the license.
Displaying license information
1. Select Device > License from the navigation tree.
The page in Figure 42 appears.
2. View the license information in the License area.
Table 29 Field description
Field Description
default AP number Maximum number of APs that the device supports by default.
max AP number Upper limit of APs that the device supports.
current AP number Maximum number of APs that the device currently supports.
License Key License key of the license.
Activation Key Activation key of the license.
AP Number Number of APs that the license supports.
Configuring enhanced licenses
Some features of the device can be used only after you register them by using an enhanced license. The enhanced license required for registration can be a beta version or an official version. A beta version has a lifetime, and the features registered by using the version cannot be used any more after the version expires. An official version, obtained by purchasing the features, provides the serial number for registering the features and presents a description of the features.
Registering an enhanced license
CAUTION:
• After registering an enhanced license, you must reboot the device to validate the newly added features.
• You can also increase the number of allowed APs by adding a license. For more information about licenses, see "License management."
1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
The Enhanced License tab page appears.
Figure 43 Enhanced license
3. Configure enhanced license information as described in the table that follows.
4. Click Add.
Table 30 Configuration items
Item Description
Feature Name Select the name of the feature to be registered. For example, AP allows you to increase the number of APs.
Serial Number Type the serial number of the license.
Displaying registered enhanced licenses
1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
The Enhanced License tab page appears.
3. View the registered enhanced licenses at the lower part of the page.
Table 31 Field description
Field Description
Feature Name Name of the feature registered.
Serial Number Serial number of the license.
Available Time Left Time left on the license. After the time elapses, the license expires. The value Forever means that the license is an official version.
AP Number Number of APs that the license supports.
Device basic information configuration
The device basic information feature provides you the following functions:
• Set the system name of the device. The configured system name is displayed on the top of the navigation bar.
• Set the idle timeout period for a logged-in user. That is, the system logs an idle user off the Web for security purposes after the configured period.
Configuring system name
1. Select Device > Basic from the navigation tree.
The page for configuring the system name appears.
Figure 44 System name
2. Set the system name for the device.
3. Click Apply.
Configuring Web idle timeout period
1. Select Device > Basic from the navigation tree.
2. Click the Web Idle Timeout tab.
The page for configuring the Web idle timeout period appears.
Figure 45 Configuring Web idle timeout period
3. Set the Web idle timeout period for a logged-in user.
4. Click Apply.
Device maintenance
Software upgrade
A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to obtain a target application file from the local host and set the file as the boot file to be used at the next reboot. In addition, you can select whether to reboot the device to bring the upgrade software into effect.
CAUTION:
• A software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrade procedure. Otherwise, the upgrade operation may be interrupted.
• You can keep the original file name or change it to another one (extension name not changed) after you get the target application file from the local host.
1. Select Device > Device Maintenance from the navigation tree.
The software upgrade configuration page appears.
Figure 46 Software upgrade configuration page
2. Configure the software upgrade parameters as described in Table 32.
3. Click Apply.
Table 32 Configuration items
Item Description
File Specify the path of the local application file, which must have the extension .app or .bin.
File Type Specify the type of the boot file for the next boot:
• Main—Boots the device.
• Backup—Boots the device when the main boot file is unavailable.
If a file with the same name already exists, overwrite it without any prompt Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, the system prompts "The file has existed.", and you cannot upgrade the software.
Reboot after the upgrade is finished. Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.
Rebooting the device
CAUTION:
• Before rebooting the device, save the configuration. Otherwise, all unsaved configurations are lost after device reboot.
• Re-log in to the Web interface after the device reboots.
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Reboot tab.
The reboot tab page appears.
Figure 47 Device reboot page
3. Clear the box before "Check whether the current configuration is saved in the next startup configuration file" or keep it selected.
4. Click Apply.
A confirmation dialog box appears.
5. Click OK.
If you select the box before "Check whether the current configuration is saved in the next startup configuration file", the system checks the configuration before rebooting the device. If the check succeeds, the system reboots the device; if the check fails, the system displays a dialog box to inform you that the current configuration and the saved configuration are inconsistent, and does not reboot the device. In this case, you must save the current configuration manually before you can reboot the device.
If you do not select the box, the system reboots the device directly.
Generating the diagnostic information file
Each functional module has its own running information, and generally, you need to view the output information for each module one by one. To receive as much information as possible in one operation during daily maintenance or when system failure occurs, the device supports generating diagnostic information. When you perform the diagnostic information generation operation, the system saves the running statistics of multiple functional modules to a file named default.diag, and then you can locate problems faster by checking this file.
To generate the diagnostic information file:
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Diagnostic Information tab.
The diagnostic information tab page appears.
Figure 48 Diagnostic information
3. Click Create Diagnostic Information File.
The system begins to generate the diagnostic information file, and after the file is generated, the page in the following figure appears.
Figure 49 The diagnostic information file is created
4. Click Click to Download.
The File Download dialog box appears. You can select to open this file or save it to the local host.
NOTE:
• The generation of the diagnostic file takes a period of time. During this process, do not perform any operation on the Web page.
• To view this file after the diagnostic file is generated successfully, select Device > File Management, or download this file to the local host. For more information, see "File management configuration."
System time
You need to configure a correct system time so that the device can work with other devices properly. System time allows you to display and set the device system time on the Web interface.
The device supports setting the system time through manual configuration and through automatic synchronization with an NTP server.
An administrator cannot keep time synchronized among all the devices within a network by changing the system clock on each device, because this is a time-consuming task and cannot guarantee clock precision.
Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP can keep consistent timekeeping among all clock-dependent devices within the network and ensure a high clock precision so that the devices can provide diverse applications based on consistent time.
Displaying the system time
1. Select Device > System Time from the navigation tree.
The page for configuring system time appears.
Figure 50 System time page
2. View the current system time on the top of the page.
Configuring the system time
1. Select Device > System Time from the navigation tree.
The page for configuring system time appears.
2. Click the System Time Configuration field.
The calendar page appears.
Figure 51 Calendar page
3. Modify the system time either in the System Time Configuration field, or through the calendar page. You can perform the following operations on the calendar page:
a. Click Today to set the current date on the calendar to the current system date of the local host; the time keeps unchanged.
b. Set the year, month, date and time, and then click OK.
4. Click Apply in the system time configuration page to save your configuration.
Configuring the network time
1. Select Device > System Time from the navigation tree.
2. Click Net Time.
The network time page appears.
Figure 52 Network time
3. Configure system time parameters as described in Table 33.
4. Click Apply.
Table 33 Configuration items
Item Description
Clock status Displays the synchronization status of the system clock.
Local Reference Source Set the IP address of the local clock source to 127.127.1.u, where u ranges from 0 to 3, representing the NTP process ID.
• If the IP address of the local clock source is specified, the local clock is used as the reference clock, and thus can provide time for other devices.
• If the IP address of the local clock source is not specified, the local clock is not used as the reference clock.
Stratum Set the stratum level of the local clock. The stratum level of the local clock decides the precision of the local clock. A higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.
Source Interface Set the source interface for NTP messages. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the NTP messages is the primary IP address of this interface. If the specified source interface is down, the source IP address of the NTP messages sent is the primary IP address of the outbound interface.
Key 1, Key 2 Set the NTP authentication keys. The NTP authentication feature should be enabled for a system running NTP in a network with a high security demand. This feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. You can set two authentication keys, each of which is composed of a key ID and a key string.
• ID is the ID of the key.
• Key string is the character string used as the MD5 authentication key.
External Reference Source (NTP Server 1/Reference Key ID, NTP Server 2/Reference Key ID) Specify the IP address of an NTP server, and configure the authentication key ID used for the association with the NTP server. The device synchronizes its time to the NTP server only if the key provided by the server is the same as the specified key. You can configure two NTP servers. The client chooses the optimal reference source.
IMPORTANT:
The IP address of an NTP server is a unicast address, and cannot be a broadcast or a multicast address, or the IP address of the local clock source.
TimeZone Set the time zone for the system.
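The following Python example, added here and not part of the H3C guide, shows what the Key 1/Key 2 and Reference Key ID settings in Table 33 actually do on the wire: the sender appends a 32-bit key ID and MD5(key string || 48-byte NTP header) to the packet, and the receiver recomputes that digest with the key it has configured under the same ID and refuses to synchronize when the ID or the digest does not match. The key ID 24 and key string aNiceKey come from the configuration example in this section; the second key ID 7, and the function names build_header, sign, sign_with, verify and demo, are chosen here for illustration.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Keys as entered in the Key 1 / Key 2 boxes: key ID -> key string.
# Key ID 24 / "aNiceKey" is the pair used in the configuration example of this
# section; key ID 7 is a second, constructed entry.
TRUSTED_KEYS: Dict[int, bytes] = {24: b"aNiceKey", 7: b"constructed-key-2"}

NTP_HEADER_LEN = 48   # fixed NTP header (RFC 1305 / RFC 5905)
NTP_MAC_LEN = 4 + 16  # 32-bit key ID followed by a 16-byte MD5 digest


def build_header(mode: int, stratum: int, transmit_ts: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv3 header. mode 3 = client, mode 4 = server."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode        # LI=0, VN=3, mode
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    reference_id = b"LOCL"                         # local clock, as on the Switch
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, reference_id,
                       ref_ts, orig_ts, recv_ts, transmit_ts)


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key authenticator defined by RFC 1305: MD5 over key || header."""
    return hashlib.md5(key + header).digest()


def sign_with(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MAC using an arbitrary key (lets the demo show a mismatch)."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def sign(header: bytes, key_id: int) -> bytes:
    """Sign with one of the configured keys, as the AC does for its own requests."""
    return sign_with(header, key_id, TRUSTED_KEYS[key_id])


def verify(packet: bytes, reference_key_id: int,
           keys: Dict[int, bytes] = TRUSTED_KEYS) -> Tuple[bool, str]:
    """Check a received packet as the Reference Key ID setting requires: it must
    carry the configured key ID and a MAC computed with that key."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "truncated packet"
    if len(packet) == NTP_HEADER_LEN:
        return False, "no authenticator present"
    if len(packet) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False, "unexpected authenticator length"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id != reference_key_id:
        return False, "key ID %d does not match reference key ID %d" % (key_id, reference_key_id)
    key = keys.get(key_id)
    if key is None:
        return False, "key ID %d is not configured" % key_id
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(ntp_mac(key, header), trailer[4:]):
        return False, "MAC mismatch: server key differs from the configured key"
    return True, "authenticated; clock may be synchronized"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Cases a defender cares about: genuine, tampered, wrong key, wrong ID, no MAC."""
    server_reply = build_header(mode=4, stratum=2, transmit_ts=0x5A5A5A5A00000000)
    tampered = bytearray(sign(server_reply, 24))
    tampered[1] = 1                                # stratum field rewritten in transit
    return {
        "genuine": verify(sign(server_reply, 24), 24),
        "tampered": verify(bytes(tampered), 24),
        "wrong key": verify(sign_with(server_reply, 24, b"notTheKey"), 24),
        "other key id": verify(sign(server_reply, 7), 24),
        "unauthenticated": verify(server_reply, 24),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-16s %s  %s" % (case, "ACCEPT" if ok else "REJECT", reason))
```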
System time configuration example
Network requirements
•
, the local clock of Switch is set as the reference clock.
•
AC operates in client mode, and uses Switch as the NTP server.
•
NTP authentication is configured on both AC and Switch.
Figure 53 Network diagram
Configuring the switch
Configure the local clock as the reference clock, with the stratum of 2, configure authentication, with the key ID of 24, and trusted key as aNiceKey. (Details not shown.)
Configuring the AC
To configure Switch as the NTP server of AC:
1.
Select Device > System Time from the navigation tree.
2.
Click the Net Time tab.
The Net Time tab page appears.
76
Figure 54 Configuring Switch as the NTP server of AC
3.
4.
Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1 box and 24 in the Reference Key ID box.
Click Apply.
Verifying the configuration
After the above configuration, the current system time displayed on the System Time page is the same for
AC and Switch.
Configuration guidelines
•
A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client will not synchronize its clock to the server's.
•
The synchronization process takes a period of time. The clock status may be displayed as unsynchronized after your configuration. In this case, you can refresh the page to view the clock status later on.
• If the system time of the NTP server is ahead of the system time of the device, and the difference between them exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout.
Log management
System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device status. With system logs, administrators can take corresponding actions against network problems and security problems.
The system sends system logs to the following destinations:
• Console
• Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY user interface.
• Log buffer
• Loghost
• Web interface
Displaying syslog
The Web interface provides abundant search and sorting functions. You can view syslogs through the Web interface conveniently.
To display syslog:
1. Select Device > Syslog from the navigation tree.
The page for displaying syslog appears.
Figure 55 Displaying syslog
TIP:
• You can click Reset to clear all system logs saved in the log buffer on the Web interface.
• You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup page to enable the system to automatically refresh the page periodically. For more information, see "Setting buffer capacity and refresh interval."
2. View system logs.
Table 34 Field description
Field Description
Time/Date Display the time/date when system logs are generated.
Source Display the module that generates system logs.
Level Display the system information levels. The information is classified into eight levels by severity:
• Emergency—The system is unusable.
• Alert—Action must be taken immediately.
• Critical—Critical conditions.
• Error—Error conditions.
• Warning—Warning conditions.
• Notification—Normal but significant condition.
• Informational—Informational messages.
• Debug—Debug-level messages.
Digest Display the brief description of system logs.
Description Display the contents of system logs.
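Added example (not H3C code) that parses the Table 34 fields out of constructed Comware-style log lines and filters them by the severity order above, the kind of triage a log host does with what the device forwards. The line layout assumed here, '%<time> <sysname> <Source>/<level>/<Digest>: <Description>', and the sample lines are constructed.

```python
"""Parse system log lines into the Table 34 fields (Time/Date, Source, Level,
Digest, Description) and filter by severity.  Added example, not H3C code;
the line layout is an assumption and the sample lines are constructed."""
import re
from datetime import datetime

# The eight levels from Table 34, indexed by syslog severity (0 = most severe).
LEVELS = ["Emergency", "Alert", "Critical", "Error",
          "Warning", "Notification", "Informational", "Debug"]

LINE_RE = re.compile(
    r"^%(?P<time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) (?P<source>[A-Z0-9]+)/(?P<level>[0-7])/"
    r"(?P<digest>[A-Z0-9_]+): ?(?P<description>.*)$")

# Constructed sample lines in the assumed layout (last one is deliberately junk).
SAMPLE_LOGS = """\
%Aug 24 10:03:09:201 2012 AC SHELL/4/LOGIN: admin logged in from 10.1.1.50
%Aug 24 10:05:41:010 2012 AC SHELL/5/CMD: task:web ip:10.1.1.50 user:admin command:sysname
%Aug 24 10:06:02:555 2012 AC IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/2 link status is DOWN
%Aug 24 10:06:30:001 2012 AC SHELL/6/LOGOUT: guest logged out
%Aug 24 10:07:12:888 2012 AC OPTMOD/7/DEBUG: debugging output
not a syslog line at all
""".splitlines()


def parse_line(line):
    """Return a dict with the Table 34 fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    level = int(m.group("level"))
    return {
        "time": datetime.strptime(m.group("time"), "%b %d %H:%M:%S:%f %Y"),
        "source": m.group("source"),
        "level": level,
        "level_name": LEVELS[level],
        "digest": m.group("digest"),
        "description": m.group("description"),
    }


def parse_logs(lines):
    """Parse every line, dropping ones that do not match the layout."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def at_least(entries, level_name):
    """Entries at severity level_name or more severe (lower number = more severe)."""
    threshold = LEVELS.index(level_name)
    return [e for e in entries if e["level"] <= threshold]


def newest_first(entries):
    """Sort by Time/Date, most recent first, as the Web page sorting does."""
    return sorted(entries, key=lambda e: e["time"], reverse=True)
```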
Setting the log host
You can set the loghost on the Web interface to enable the system to output syslogs to the log host. You can specify at most four different log hosts.
To set the log host:
1. Select Device > Syslog from the navigation tree.
2. Click the Loghost tab.
The loghost configuration page appears.
Figure 56 Setting loghost
3. Configure the log host as described in Table 35.
4. Click Apply.
Table 35 Configuration items
Item Description
IPv4/Domain, IPv6, Loghost IP/Domain Set the IPv4 address, domain, or IPv6 address of the loghost.
Setting buffer capacity and refresh interval
1. Select Device > Syslog from the navigation tree.
2. Click the Log Setup tab.
The syslog configuration page appears.
Figure 57 Syslog configuration page
3. Configure buffer capacity and refresh interval as described in Table 36.
4. Click Apply.
Table 36 Configuration items
Item Description
Buffer Capacity Set the number of logs that can be stored in the log buffer of the Web interface.
Refresh Interval Set the refresh period on the log information displayed on the Web interface.
You can select manual refresh or automatic refresh:
• Manual—Click Refresh to refresh the Web interface when displaying log information.
• Automatic—You can select to refresh the Web interface every 1 minute, 5 minutes, or 10 minutes.
Configuration management
NOTE:
When backing up a configuration file, back up the configuration file with the extension .xml. Otherwise some configuration information may not be restored in some cases (for example, when the configuration is removed).
Backing up the configuration
Configuration backup provides the following functions:
• Open and view the configuration file (.cfg file or .xml file) for the next startup
• Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user
To back up the configuration:
1. Select Device > Configuration from the navigation tree.
The page for backing up configuration appears.
Figure 58 Backup configuration page
2. Click the upper Backup button.
A file download dialog box appears. You can select to view the .cfg file or to save the file locally.
3. Click the lower Backup button.
A file download dialog box appears. You can select to view the .xml file or to save the file locally.
Restoring the configuration
CAUTION:
The restored configuration file takes effect at the next device reboot.
Configuration restore provides the following functions:
• Upload the .cfg file on the host of the current user to the device for the next startup
• Upload the .xml file on the host of the current user to the device for the next startup, and delete the previous .xml configuration file that was used for the next startup
To restore the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Restore tab.
The page for restoring configuration appears.
Figure 59 Configuration restore page
3. Click the upper Browse button.
The file upload dialog box appears. You can select the .cfg file to be uploaded.
4. Click the lower Browse button in this figure.
The file upload dialog box appears. You can select the .xml file to be uploaded.
5. Click Apply.
Saving the configuration
CAUTION:
• Saving the configuration takes some time.
• The system does not support the operation of saving configuration of two or more consecutive users. If such a case occurs, the system prompts the latter users to try later.
The save configuration module provides the function to save the current configuration to the configuration file (.cfg file or .xml file) to be used at the next startup. You can save the configuration in one of the following ways:
Fast
Click the Save button at the upper right of the auxiliary area, and you can save the configuration to the configuration file.
Figure 60 Saving configuration confirmation
Common
1. Select Device > Configuration from the navigation tree.
2. Click the Save tab.
The page for saving the configuration appears.
3. Click Save Current Settings to save the current configuration to the configuration file.
Initializing the configuration
This operation restores the system to factory defaults, deletes the current configuration file, and reboots the device.
To initialize the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Initialize tab.
The initialize confirmation page appears.
Figure 61 Initializing the configuration
3. Click Restore Factory-Default Settings to restore the system to factory defaults.
File management
NOTE:
There are many types of storage media such as flash, compact flash (CF), and so on. Different devices support different types of storage device. For more information, see "Feature matrixes."
The device saves useful files (such as host software, configuration file) into the storage device, and the system provides the file management function for the users to manage those files conveniently and effectively.
Displaying file list
1. Select Device > File Management from the navigation tree.
The file management page appears.
Figure 62 File management
2. Select a disk from the Please select disk list on the top of the page.
3. View the used space, free space and capacity of the disk at the right of the list.
4. View all files saved in this disk (in the format of path + filename), file sizes, and the boot file types (Main or Backup is displayed if the file is an application file, that is, with the extension of .bin or .app).
Downloading a file
1. Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2. Select a file from the list.
You can select one file at a time.
3. Click Download File.
The File Download dialog box appears. You can select to open the file or to save the file to a specified path.
Uploading a file
NOTE:
Uploading a file takes some time. H3C recommends that you do not perform any operation on the Web interface during the upload procedure.
1. Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2. Select the disk to save the file in the Upload File box.
3. Click Browse to set the path and name of the file.
4. Click Apply.
Removing a file
1. Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2. Select one or multiple files from the file list.
3. Click Remove File.
NOTE:
You can also remove a file by clicking the icon.
Specifying the main boot file
1. Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2. Select the box to the left of an application file (with the extension of .bin or .app).
You can set one file at a time.
3. Click Set as Main Boot File to set the main boot file to be used at the next startup.
Interface management
Interface management overview
An interface is the point of interaction or communication used for exchanging data between entities.
There are two types of interfaces: physical and logical. A physical interface refers to an interface that physically exists as a hardware component. An example is Ethernet interfaces. A logical interface refers to an interface that can implement data switching but does not exist physically. A logical interface must be created manually. An example is VLAN interfaces.
You can use the interface management feature on the Web-based configuration interface to manage the following types of interfaces.
• Layer 2 Ethernet interface—Physical interface operating on the data link layer for forwarding Layer 2 protocol packets.
• Management Ethernet interface—Physical interface operating on the network layer. You can configure IP addresses for a management Ethernet interface. You can log in to the device through a management Ethernet interface to manage the device.
• Loopback interface—A loopback interface is a software-only virtual interface. The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down. You can enable routing protocols on a loopback interface, and a loopback interface can send and receive routing protocol packets. When you assign an IPv4 address whose mask is not 32-bit, the system automatically changes the mask into a 32-bit mask.
• Null interface—A null interface is a completely software-based logical interface, and is always up. However, you cannot use it to forward data packets or configure an IP address or link layer protocol on it. With a null interface specified as the next hop of a static route to a specific network segment, any packets routed to the network segment are dropped. The null interface provides a simpler way to filter packets than ACL. You can filter uninteresting traffic by transmitting it to a null interface instead of applying an ACL.
• VLAN interface—Virtual Layer 3 interface used for Layer 3 communications between VLANs. A VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network segment different from that of the VLAN.
• Virtual template (VT) interface—Template used for configuring virtual access (VA) interfaces.
• Bridge-Aggregation interface (BAGG)—Multiple Layer 2 Ethernet interfaces can be combined to form a Layer 2 aggregation group. The logical interface created for the group is called an aggregate interface.
With the interface management feature, you can view interface information, create/remove logical interfaces, change interface status, and reset interface parameters.
Displaying interface information and statistics
1. Select Device > Interface from the navigation tree.
The interface management page appears. The page displays the interfaces' names, IP addresses, masks, and status.
Figure 63 Interface management page
2. Click an interface name in the Name column to display the statistics of that interface.
The page for displaying interface statistics appears.
Figure 64 Statistics on an interface
Creating an interface
1. Select Device > Interface from the navigation tree.
The page in Figure 63 appears.
2. Click Add.
The page for creating an interface appears.
Figure 65 Creating an interface
3. Configure the interface as described in Table 37.
4. Click Apply.
Table 37 Configuration items
Item Description
Interface Name Set the type and number of a logical interface.
VID If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the subinterface.
This parameter is available only for Layer 3 Ethernet subinterfaces.
IMPORTANT:
Currently, this configuration item is not configurable because the device does not support Layer 3 Ethernet subinterfaces.
MTU Set the maximum transmit unit (MTU) of the interface.
The MTU value affects fragmentation and reassembly of IP packets.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.
TCP MSS Set the maximum segment size (MSS) for IP packets on the interface.
The TCP MSS value affects fragmentation and reassembly of IP packets.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.
IP Config Set the way for the interface to obtain an IP address, including:
• None—Select this option if you do not want to assign an IP address for the interface.
• Static Address—Select the option to manually assign an IP address and mask for the interface. If this option is selected, you must set the IP Address and Mask fields.
• DHCP—Select the option for the interface to obtain an IP address through DHCP automatically.
• BOOTP—Select the option for the interface to obtain an IP address through BOOTP automatically.
• PPP Negotiate—Select the option for the interface to obtain an IP address through PPP negotiation.
• Unnumbered—Select this option to borrow the IP address of another interface on the same device for the interface. If this option is selected, you must select the interface whose IP address you want to borrow in the Unnumbered Interfaces list.
IMPORTANT:
Support for the way of obtaining an IP address depends on the interface type.
IP Address/Mask, Secondary IP Address/Mask After selecting the Static Address option for the IP Config configuration item, you need to set the primary IP address and mask, and secondary IP addresses and masks for the interface.
IMPORTANT:
• The primary and secondary IP addresses cannot be 0.0.0.0.
• For a loopback interface, the mask is fixed to 32 bits and is not configurable.
• The number of secondary IP addresses supported by the device depends on the device model.
Unnumbered Interface If the Unnumbered option is selected as the way for the interface to obtain an IP address, you must set the interface whose IP address is to be borrowed.
IPv6 Config Set the way for the interface to obtain an IPv6 link-local address, including:
• None—Select this option if you do not want to assign an IPv6 link-local address to the interface.
• Auto—Select this option for the system to automatically assign an IPv6 link-local address to the interface.
• Manual—Select this option to manually assign an IPv6 link-local address to the interface. If this option is selected, you must set the IPv6 Link Local Address field.
IPv6 Link Local Address If the Manual option is selected as the way for the interface to obtain an IPv6 link-local address, you must set an IPv6 link-local address for the interface.
Modifying a Layer 2 interface
1. Select Device > Interface from the navigation tree.
The page in Figure 63 appears.
2. Click the icon corresponding to a Layer 2 interface.
The page for modifying a Layer 2 interface appears.
Figure 66 Modifying a Layer 2 physical interface
3. Modify the information about the Layer 2 physical interface as described in Table 38.
4. Click Apply.
Table 38 Configuration items
Item Description
Port State Enable or disable the interface.
In some cases, modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification work.
Speed Set the transmission rate of the interface.
Available options include:
• 10—10 Mbps.
• 100—100 Mbps.
• 1000—1000 Mbps.
• Auto—Auto-negotiation.
• Auto 10—The auto-negotiation rate of the interface is 10 Mbps.
• Auto 100—The auto-negotiation rate of the interface is 100 Mbps.
• Auto 1000—The auto-negotiation rate of the interface is 1000 Mbps.
• Auto 10 100—The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
• Auto 10 1000—The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.
• Auto 100 1000—The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.
• Auto 10 100 1000—The auto-negotiation rate of the interface is 10 Mbps, 100 Mbps or 1000 Mbps.
Duplex Set the duplex mode of the interface.
• Auto—Auto-negotiation.
• Full—Full duplex.
• Half—Half duplex.
Link Type Set the link type of the current interface, which can be access, hybrid, or trunk. For more information, see Table 39.
IMPORTANT:
To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.
PVID Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT:
The trunk ports at the two ends of a link must have the same PVID.
MDI Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following three MDI modes:
• Across mode.
• Normal mode.
• Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals; pin 3 and pin 6 are used for receiving signals. You can change the pin roles through setting the MDI mode.
• In across mode, the default pin roles are kept, that is, pin 1 and pin 2 for transmitting signals, and pin 3 and pin 6 for receiving signals.
• In auto mode, the pin roles are determined through auto negotiation.
• In normal mode, pin 1 and pin 2 are used for receiving signals while pin 3 and pin 6 are used for transmitting signals.
To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the MDI mode depending on the cable types.
• Generally, the auto mode is recommended. The other two modes are useful only when the device cannot determine the cable types.
• When straight-through cables are used, the local MDI mode must be different from the remote MDI mode.
• When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.
Flow Control Enable or disable flow control on the interface.
After flow control is enabled on both ends, if there is traffic congestion on the device on the local end, it sends information to notify the peer end to stop sending packets temporarily; upon receiving the information, the peer end stops sending packets; and vice versa. This is used to avoid packet loss.
IMPORTANT:
Flow control can be realized only when it is enabled on both ends.
Jumbo Frame Enable or disable the forwarding of jumbo frames.
Max MAC Count Set the maximum number of MAC addresses the interface can learn. Available options include:
• User Defined—Select this option to set the limit manually.
• No Limited—Select this option to set no limit.
Broadcast Suppression Set broadcast suppression. You can suppress broadcast traffic by percentage or by PPS as follows:
• ratio—Sets the maximum percentage of broadcast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
• pps—Sets the maximum number of broadcast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.
Multicast Suppression Set multicast suppression. You can suppress multicast traffic by percentage or by PPS as follows:
• ratio—Sets the maximum percentage of multicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
• pps—Sets the maximum number of multicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.
Unicast Suppression Set unicast suppression. You can suppress unicast traffic by percentage or by PPS as follows:
• ratio—Sets the maximum percentage of unicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
• pps—Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.
Table 39 Link type description
Link type Description
Access An access port can belong to only one VLAN and is usually used to connect a user device.
Hybrid A hybrid port can be assigned to multiple VLANs to receive and send packets for them and allows packets of multiple VLANs to pass through untagged.
Hybrid ports can be used to connect network devices, as well as user devices.
Trunk A trunk port can be assigned to multiple VLANs to receive and send packets for them but allows only packets of the default VLAN to pass through untagged.
Trunk ports are usually used to connect network devices.
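Added example (not H3C code) of the egress tagging behaviour of the three link types in Table 39, together with the two rules from Table 38 that a trunk port cannot be changed directly to hybrid or back, and that both ends of a trunk link need the same PVID. The Port class, its method names and the VLAN numbers are assumptions.

```python
"""Egress tagging per link type (Table 39) plus the link-type change and
trunk PVID rules (Table 38).  Added example, not H3C code."""

LINK_TYPES = ("access", "hybrid", "trunk")


class Port:
    def __init__(self, name):
        self.name = name
        self.link_type = "access"
        self.pvid = 1             # default VLAN of the port
        self.tagged = set()       # VLANs the port sends tagged (hybrid/trunk)
        self.untagged = set()     # extra VLANs sent untagged (hybrid only)

    def set_link_type(self, new_type):
        """Trunk <-> hybrid is not allowed directly: go through access first."""
        if new_type not in LINK_TYPES:
            raise ValueError("unknown link type %r" % new_type)
        if {self.link_type, new_type} == {"trunk", "hybrid"}:
            raise ValueError("set the link type of %s to access first" % self.name)
        self.link_type = new_type
        self.tagged.clear()       # VLAN memberships do not carry over
        self.untagged.clear()

    def egress(self, vlan):
        """How a packet of `vlan` leaves the port: 'untagged', 'tagged', or
        None if the port does not forward that VLAN at all."""
        if self.link_type == "access":
            # an access port belongs to exactly one VLAN, sent untagged
            return "untagged" if vlan == self.pvid else None
        if self.link_type == "trunk":
            # only the default VLAN leaves a trunk untagged
            if vlan == self.pvid:
                return "untagged"
            return "tagged" if vlan in self.tagged else None
        # hybrid: several VLANs may leave untagged, others tagged
        if vlan in self.untagged or vlan == self.pvid:
            return "untagged"
        return "tagged" if vlan in self.tagged else None


def trunk_link_ok(local, remote):
    """The trunk ports at both ends of a link must share the same PVID."""
    return (local.link_type == remote.link_type == "trunk"
            and local.pvid == remote.pvid)


def link_type_change_allowed(port, new_type):
    """True if set_link_type(new_type) would be accepted for this port."""
    try:
        Port(port.name).__class__  # noqa: no-op, keeps the check explicit
        return not ({port.link_type, new_type} == {"trunk", "hybrid"}) \
            and new_type in LINK_TYPES
    except Exception:
        return False
```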
Modifying a Layer 3 interface
1. Select Device > Interface from the navigation tree.
The page in Figure 63 appears.
2. Click the icon corresponding to a Layer 3 interface.
The page for modifying a Layer 3 interface appears.
Figure 67 Modifying a Layer 3 physical interface
3. Modify the information about the Layer 3 interface.
The configuration items of modifying the Layer 3 interface are similar to those of creating an interface. Table 40 describes configuration items proper to modifying a Layer 3 interface.
4. Click Apply.
Table 40 Configuration items
Item Description
Interface Type Set the interface type, which can be Electrical port, Optical port, or None.
Interface Status Display and set the interface status.
• The display of Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface.
• The display of Not connected indicates that the current status of the interface is up but not connected. You can click Disable to shut down the interface.
• The display of Administratively Down indicates that the interface is shut down by the administrator. You can click Enable to bring up the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT:
For an interface whose status cannot be changed, the Enable or Disable button is not available.
Working Mode Set the interface to work in bridge mode or router mode.
Interface management configuration example
Network requirements
Create VLAN-interface 100 and specify its IP address as 10.1.1.2.
Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree.
The VLAN tab page appears.
b. Click Add.
The page for creating VLANs appears.
Figure 68 Creating VLAN 100
c. Enter VLAN ID 100.
d. Click Apply.
2. Create VLAN-interface 100 and assign an IP address for it:
a. Select Device > Interface from the navigation tree.
b. Click Add.
The page for creating an interface appears.
Figure 69 Creating VLAN-interface 100
c. Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24 (255.255.255.0) from the Mask list.
d. Click Apply.
Port mirroring
NOTE:
• There are two kinds of port mirroring: local port mirroring and remote port mirroring. Unless otherwise specified, port mirroring described in this chapter all refers to local port mirroring.
• Support for the port mirroring feature depends on the device model. For more information, see "Feature matrixes."
Introduction to port mirroring
Port mirroring is to copy the packets passing through one or multiple ports (called mirroring ports) to a port (called the monitor port) on the local device. The monitor port is connected with a monitoring device.
By analyzing on the monitoring device the packets mirrored to the monitor port, you can monitor the network and troubleshoot possible network problems.
Figure 70 A port mirroring implementation
Port mirroring is implemented through mirroring groups. The mirroring ports and the monitor port are in the same mirroring group. With port mirroring enabled, the device copies packets passing through the mirroring ports to the monitor port.
Port mirroring configuration task list
Table 41 Port mirroring configuration task list
Task Remarks
Add a mirroring group Required.
For more information, see "Adding a mirroring group."
You need to select the mirroring group type local in the Type list.
Configure the mirroring ports Required.
For more information, see "Configuring ports for a mirroring group."
During configuration, you need to select the port type Mirror Port.
Configure the monitor port Required.
For more information, see "Configuring ports for a mirroring group."
During configuration, you need to select the port type Monitor Port.
Adding a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click the Add tab.
The page for adding a mirroring group appears.
Figure 71 The page for adding a mirroring group
3. Configure the mirroring group as described in Table 42.
4. Click Apply.
Table 42 Configuration items
Item Description
Mirroring Group ID ID of the mirroring group to be added.
Type Specify the type of the mirroring group to be added:
• Local—Adds a local mirroring group.
Configuring ports for a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click the Modify Port tab.
The page for configuring ports for a mirroring group appears.
Figure 72 The page for configuring ports for a mirroring group
3. Configure the port information for the mirroring group as described in Table 43.
4. Click Apply.
The progress bar appears.
5. Click Close after the progress bar prompts that the configuration is complete.
Table 43 Configuration items
Item Description
Mirroring Group ID ID of the mirroring group to be configured.
Port Type Set the types of the ports to be configured:
• Monitor Port—Configures the monitor port for the mirroring group.
• Mirror Port—Configures mirroring ports for the mirroring group.
Stream Orientation Set the direction of the traffic monitored by the monitor port of the mirroring group.
This configuration item is available when Mirror Port is selected in the Port Type list.
• both—Mirrors both received and sent packets on mirroring ports.
• inbound—Mirrors only packets received by mirroring ports.
• outbound—Mirrors only packets sent by mirroring ports.
interface name Select the ports to be configured from the interface name list.
Configuration examples
Network requirements
As shown in Figure 73, the customer network is as described below:
• Packets from AP access AC through GigabitEthernet 1/0/1.
• Server is connected to GigabitEthernet 1/0/2 of AC.
Configure port mirroring to monitor the bidirectional traffic on GigabitEthernet 1/0/1 of AC on the server.
To satisfy the above requirement through port mirroring, perform the following configuration on AC:
• Configure GigabitEthernet 1/0/1 of AC as a mirroring port.
• Configure GigabitEthernet 1/0/2 of AC as the monitor port.
Figure 73 Network diagram
Adding a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click Add.
The page for adding a mirroring group appears.
Figure 74 Adding a mirroring group
3. Enter 1 for Mirroring Group ID and select Local in the Type list.
4. Click Apply.
Configuring the mirroring ports
1. Click Modify Port.
The page for configuring a mirroring port appears.
Figure 75 Configuring a mirroring port
2. Select 1 – Local for Mirroring Group ID, select Mirror Port for Port Type, select both for Stream Orientation, and select GigabitEthernet 1/0/1 from the interface name list.
3. Click Apply.
The progress bar appears.
4. Click Close after the progress bar prompts that the configuration is complete.
Configuring the monitor port
1. Click the Modify Port tab.
The page for configuring the monitor port appears.
Figure 76 Configuring the monitor port
2. Select 1 – Local for Mirroring Group ID, select Monitor Port for Port Type, and select GigabitEthernet 1/0/2 from the interface name list.
3. Click Apply.
A progress bar appears.
4. Click Close after the progress bar prompts that the configuration is complete.
Configuration guidelines
When you configure port mirroring, follow these guidelines:
• Depending on the device model, you can assign these types of ports to a mirroring group as mirroring ports: Layer 2 Ethernet, Layer 3 Ethernet, POS, CPOS, serial, and MP-group.
• Depending on the device model, you can configure these types of ports as the monitor port: Layer 2 Ethernet, Layer 3 Ethernet, and tunnel.
• To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
• On some types of devices, you can configure a member port in link aggregation as the monitor port.
• Other restrictions on the monitor port depend on your device model.
• You can configure multiple mirroring ports but only one monitor port for a mirroring group.
• A port can be assigned to only one mirroring group.
User management
In the user management part, you can perform the following configuration:
• Create a local user, and set the password, access level, and service type for the user.
• Set the super password for switching the current Web user level to the management level.
• Switch the current Web user access level to the management level.
Creating a user
1. Select Device > Users from the navigation tree.
2. Click the Create tab.
The page for creating local users appears.
Figure 77 Creating a user
3. Configure the user information as described in Table 44.
4. Click Apply.
Table 44 Configuration items
Item Description
Username Set the username for a user.
Access Level Set the access level for a user. Users of different levels can perform different operations.
Web user levels, from low to high, are visitor, monitor, configure, and management.
• Visitor—Users of visitor level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the device.
• Configure—Users of this level can access data on the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform any operations on the device.
Password Set the password for a user.
Confirm Password Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
Service Type Set the service type, including Web, FTP, and Telnet services. You must select one of them.
Setting the super password
In this part, users of the management level can specify the password for a lower-level user to switch from the current access level to the management level. If no such a password is configured, the switchover will fail.
To set the super password:
1. Select Device > Users from the navigation tree.
2. Click the Super Password tab.
The super password configuration page appears.
Figure 78 Super password
3. Set the super password as described in Table 45.
4. Click Apply.
Table 45 Configuration items
Item Description
Create/Remove Set the operation type:
• Create—Configure or modify the super password.
• Remove—Remove the current super password.
Password Set the password for a user to switch to the management level.
Confirm Password Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
Switching the user access level to the management level
This function lets a user switch the current access level to the management level. Note the following:
• Before switching, make sure the super password is already configured. A user cannot switch to the management level without a super password.
• The access level switchover is valid for the current login only. The access level configured for the user is not changed; when the user logs in to the Web interface again, the user still has the original access level.
To switch the user access level to the management level:
1. Select Device > Users from the navigation tree.
2. Click the Switch To Management tab.
The access level switching page appears.
Figure 79 Switching to the management level
3. Enter the super password.
4. Click Login.
SNMP configuration
SNMP overview
Simple Network Management Protocol (SNMP) defines the communication rules between a management device and the managed devices on a network: a set of messages, methods, and syntaxes through which the management device accesses and manages the managed devices. SNMP hides the physical differences between devices and allows automatic management of products from different manufacturers.
An SNMP-enabled network comprises the network management system (NMS) and agents. The NMS manages agents by exchanging management information through SNMP. The NMS and the managed agents must use the same SNMP version.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1 uses a community name for authentication. The community name defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community names fail authentication on the device are simply discarded. A community name plays a role similar to a password and can be used to control access from the NMS to the agent.
• SNMPv2c also uses a community name for authentication. It is compatible with SNMPv1 and extends its functions: SNMPv2c provides more operation modes such as GetBulk and InformRequest, supports more data types such as Counter64, and provides more error codes, so that errors can be distinguished in more detail.
• SNMPv3 provides authentication implemented with the User-Based Security Model (USM). You can set the authentication and privacy functions. Authentication verifies the validity of the sender of a packet, preventing access by illegal users; privacy encrypts packets between the NMS and agents, preventing the packets from being intercepted. USM provides more secure communication between the SNMP NMS and SNMP agent through authentication with privacy.
For more information about SNMP, see H3C WX Series Access Controllers Network Management and Monitoring Configuration Guide.
SNMP configuration task list
SNMPv1 or SNMPv2c configuration task list
Perform the following tasks to configure SNMPv1 or SNMPv2c.
Table 46 SNMPv1 or SNMPv2c configuration task list
Task Remarks
Enabling SNMP Required. The SNMP agent function is disabled by default.
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP community Required.
Configuring SNMP trap function Optional. Allows you to configure whether the agent can send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics Optional.
SNMPv3 configuration task list
Perform the following tasks to configure SNMPv3.
Table 47 SNMPv3 configuration task list
Task Remarks
Enabling SNMP Required. The SNMP agent function is disabled by default.
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP group Required. After creating an SNMP group, you can add SNMP users to the group when creating the users, so that the users in the group can be managed centrally through the group.
Configuring an SNMP user Required. Before creating an SNMP user, you must create the SNMP group to which the user belongs.
Configuring SNMP trap function Optional. Allows you to configure whether the agent can send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics Optional.
Enabling SNMP
1. Select Device > SNMP from the navigation tree.
The SNMP configuration page appears.
Figure 80 Set up
2. Configure SNMP settings on the upper part of the page as described in Table 48.
3. Click Apply.
Table 48 Configuration items
Item Description
SNMP Enable or disable SNMP.
Local Engine ID Configure the local engine ID.
Whether a user remains valid after it is created depends on the engine ID of the SNMP agent. If the engine ID in effect when the user was created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive or send.
Contact Set a character string describing the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device.
Location Set a character string describing the physical location of the device.
SNMP Version Set the SNMP version run by the system.
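The Local Engine ID note above follows from how SNMPv3 derives keys. The following is an added example, not code from this guide or from H3C, of the RFC 3414 USM password-to-key and key localization steps: the key an agent stores for a user is a hash of the user's password combined with the local engine ID, so a user created under one engine ID can no longer authenticate once the engine ID changes. The password maplesyrup and the engine ID ending in 02 are the RFC 3414 Appendix A test vector; the second engine ID is constructed for illustration.

```python
"""RFC 3414 USM key derivation, written as an added illustration of why an
SNMPv3 user is tied to the agent's engine ID. Standard library only."""
import hashlib

ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash a 1 MiB stream made by repeating the password.
    The result, Ku, is the same for every engine."""
    reps, rem = divmod(ONE_MIB, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku). This is the key the
    agent actually stores and uses for HMAC authentication."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Password -> engine-specific key, for 'md5' (HMAC-MD5-96) or 'sha1'
    (HMAC-SHA-96), the two authentication modes offered on the User tab."""
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


# RFC 3414 Appendix A.3 test-vector engine ID (12 octets ending in 0x02)
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed: the engine ID the agent would have after it is changed
NEW_ENGINE_ID = bytes.fromhex("000000000000000000000003")


def user_survives_engine_change(password: str, algo: str = "md5") -> bool:
    """False whenever the key localized under the old engine ID differs from
    the one needed under the new engine ID, i.e. the user has become invalid."""
    old = localized_key(password, RFC_ENGINE_ID, algo)
    new = localized_key(password, NEW_ENGINE_ID, algo)
    return old == new


if __name__ == "__main__":
    print("MD5 Kul:", localized_key("maplesyrup", RFC_ENGINE_ID).hex())
    print("user still valid after engine ID change:",
          user_survives_engine_change("maplesyrup"))
```

The practical consequence for the Local Engine ID item: changing it after SNMPv3 users exist silently invalidates every one of them, so set the engine ID before creating users, and recreate the users if it must change later.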
Configuring an SNMP view
Creating an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
The view page appears.
Figure 81 View page
3. Click Add.
The Add View window appears.
Figure 82 Creating an SNMP view (1)
4. Enter the view name.
5. Click Apply.
The page shown in the following figure appears.
Figure 83 Creating an SNMP view (2)
6. Configure the parameters as described in the following table.
7. Click Add.
8. Repeat steps 6 and 7 to add more rules for the SNMP view.
9. Click Apply.
To cancel the view, click Cancel.
Table 49 Configuration items
Item Description
View Name Set the SNMP view name.
Rule Select whether to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
MIB Subtree OID Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). A MIB subtree OID identifies the position of a node in the MIB tree and uniquely identifies a MIB subtree.
Subtree Mask Set the subtree mask. If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.
Adding rules to an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
The view page appears.
3. Click the icon of the target view.
The Add rule for the view ViewDefault window appears.
Figure 84 Adding rules to an SNMP view
4. Configure the rule parameters as described in the configuration items table for creating an SNMP view.
5. Click Apply.
NOTE:
You can modify the rules of a view on the page you enter by clicking the icon of that view.
Configuring an SNMP community
1. Select Device > SNMP from the navigation tree.
2. Click the Community tab.
The community tab page appears.
Figure 85 Configuring an SNMP community
3. Click Add.
The Add SNMP Community page appears.
Figure 86 Creating an SNMP Community
4. Configure SNMP community settings as described in Table 50.
5. Click Apply.
Table 50 Configuration items
Item Description
Community Name Set the SNMP community name.
Access Right Configure the access right of the SNMP NMS:
• Read only—The NMS can perform only read operations on the MIB objects when it uses this community name to access the agent.
• Read and write—The NMS can perform both read and write operations on the MIB objects when it uses this community name to access the agent.
View Specify the view associated with the community to limit the MIB objects that the NMS can access.
ACL Associate the community with a basic ACL to allow or prohibit access to the agent from an NMS with the specified source IP address.
Configuring an SNMP group
1. Select Device > SNMP from the navigation tree.
2. Click the Group tab.
The group tab page appears.
Figure 87 SNMP group
3. Click Add.
The Add SNMP Group page appears.
Figure 88 Creating an SNMP group
4. Configure SNMP group settings as described in the following table.
5. Click Apply.
Table 51 Configuration items
Item Description
Group Name Set the SNMP group name.
Security Level Select the security level for the SNMP group. The available security levels are:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Read View Select the read view of the SNMP group.
Write View Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform write operations on any MIB object on the device.
Notify View Select the notify view of the SNMP group, that is, the view whose objects can be sent in trap messages. If no notify view is configured, the agent does not send traps to the NMS.
ACL Associate a basic ACL with the group to restrict the source IP address of SNMP packets: you can allow or prohibit SNMP packets with a specific source IP address, so as to restrict communication between the NMS and the agent.
Configuring an SNMP user
1. Select Device > SNMP from the navigation tree.
2. Click the User tab.
The user tab page appears.
Figure 89 SNMP user
3. Click Add.
The Add SNMP User page appears.
Figure 90 Creating an SNMP user
4. Configure SNMP user settings as described in Table 52.
5. Click Apply.
Table 52 Configuration items
Item Description
User Name Set the SNMP user name.
Security Level Select the security level for the SNMP group. The available security levels are:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Group Name Select the SNMP group to which the user belongs.
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication and no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication and no privacy, or with authentication without privacy.
• When the security level is Auth/Priv, you can select an SNMP group of any security level.
Authentication Mode Select an authentication mode (MD5 or SHA) when the security level is Auth/NoPriv or Auth/Priv.
Authentication Password Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.
Confirm Authentication Password Enter the authentication password again. It must be the same as the authentication password.
Privacy Mode Select a privacy mode (DES56, AES128, or 3DES) when the security level is Auth/Priv.
Privacy Password Set the privacy password when the security level is Auth/Priv.
Confirm Privacy Password Enter the privacy password again. It must be the same as the privacy password.
ACL Associate a basic ACL with the user to restrict the source IP address of SNMP packets: you can allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified NMS from accessing the agent with this user name.
Configuring SNMP trap function
1. Select Device > SNMP from the navigation tree.
2. Click the Trap tab.
The trap configuration page appears.
Figure 91 Traps configuration
3. Select the Enable SNMP Trap box.
4. Click Apply.
5. Click Add.
The page for adding a target host of SNMP traps appears.
Figure 92 Adding a target host of SNMP traps
6. Configure the settings for the target host as described in Table 53.
7. Click Apply.
Table 53 Configuration items
Item Description
Destination IP Address Set the destination IP address or domain name. Select the IP address type, IPv4/Domain or IPv6, and then enter the corresponding IP address or domain name in the field according to the address type.
Security Name Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.
UDP Port Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (for example, when using iMC or MIB Browser as the NMS), you can use the default port number. If you change this parameter to another value, make sure the configuration is the same as that on the NMS.
Security Model Select the security model, that is, the SNMP version. It must be the same as the version running on the NMS; otherwise, the NMS cannot receive any trap.
Security Level Set the authentication and privacy mode for SNMP traps when the security model is v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy.
Displaying SNMP packet statistics
1. Select Device > SNMP from the navigation tree.
The page for displaying SNMP packet statistics appears.
Figure 93 SNMP packet statistics
SNMP configuration example
Network requirements
The NMS connects to the agent, an AC, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the AC is 1.1.1.1/24. Configure SNMP to achieve the following purposes:
• The NMS monitors the agent by using SNMPv3.
• The agent reports errors or faults to the NMS.
Figure 94 Network diagram
Configuring the agent
1. Enable SNMP agent:
a. Select Device > SNMP from the navigation tree.
The SNMP configuration page appears.
b. Select the Enable option.
c. Select the v3 box.
d. Click Apply.
Figure 95 Enabling SNMP
2. Configure an SNMP view:
a. Click the View tab.
b. Click Add.
The Add View window appears.
c. Enter view1 in the field.
d. Click Apply.
The view rule configuration page appears.
e. Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.
f. Click Apply.
A configuration progress dialog box appears.
g. Click Close after the configuration process is complete.
Figure 96 Creating an SNMP view (1)
Figure 97 Creating an SNMP view (2)
3. Configure an SNMP group:
a. Click the Group tab.
b. Click Add.
The Add SNMP Group page appears.
c. Enter group1 in the Group Name field, select view1 from the Read View box, and select view1 from the Write View box.
d. Click Apply.
Figure 98 Creating an SNMP group
4. Configure an SNMP user:
a. Click the User tab.
b. Click Add.
The Add SNMP User page appears.
c. Enter user1 in the User Name field and select group1 from the Group Name box.
d. Click Apply.
Figure 99 Creating an SNMP user
5. Enable the agent to send SNMP traps:
a. Click the Trap tab.
The trap configuration page appears.
b. Select the Enable SNMP Trap box.
c. Click Apply.
Figure 100 Enabling the agent to send SNMP traps
6. Add target hosts of SNMP traps:
a. Click Add on the Trap tab.
The page for adding a target host of SNMP traps appears.
b. Select IPv4/Domain as the destination IP address type, enter the destination address 1.1.1.2, enter the user name user1, and select v3 from the Security Model list.
c. Click Apply.
Figure 101 Adding target hosts of SNMP traps
Configuring the NMS
CAUTION:
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform the corresponding operations.
SNMPv3 uses a security mechanism of authentication and privacy. You must configure the username and security level and, according to the configured security level, the related authentication mode, authentication password, privacy mode, privacy password, and so on. You must also configure the aging time and retry times. After these configurations, you can configure the device as needed through the NMS. For more information about NMS configuration, see the manual provided with the NMS.
Verifying the configuration
• After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
• If an idle interface on the agent is shut down or brought up, the NMS receives trap information sent by the agent.
Loopback
You can check whether an Ethernet port works normally by performing an Ethernet port loopback test. During the test, the port cannot forward data packets normally.
An Ethernet port loopback test can be an internal loopback test or an external loopback test.
• In an internal loopback test, a self-loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.
• In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port are received by the port itself through the self-loop header. The external loopback test can be used to check whether there is a hardware failure on the port.
Loopback operation
1. Select Device > Loopback from the navigation tree.
The loopback test configuration page appears.
Figure 102 Loopback test configuration page
2. Configure the loopback test parameters as described in Table 54.
Table 54 Configuration items
Item Description
Testing type (External or Internal) Set the loopback test type, which can be External or Internal. Support for the test type depends on the device model.
3. Click Test to start the loopback test.
The Result box displays the test results.
Figure 103 Loopback test result
Configuration guidelines
When you perform a loopback test, follow these guidelines:
• You can perform an internal loopback test but not an external loopback test on a port that is physically down. You can perform neither test on a port that is manually shut down.
• The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under a loopback test.
• An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its original duplex mode after the loopback test.
MAC address configuration
NOTE:
• MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces.
• This chapter covers only the management of static and dynamic MAC address entries, not multicast MAC address entries.
Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table records the MAC address of a connected device, the interface through which that device is connected, and the VLAN to which the interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static entries are manually configured and never age out. Dynamic entries can be manually configured or dynamically learned, and they age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1. Checks the frame for the source MAC address (MAC-SOURCE for example).
2. Looks up the MAC address in the MAC address table.
If an entry is found, updates the entry.
If no entry is found, adds an entry for the MAC address and the receiving port (Port A) to the MAC address table.
When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address table and forwards it from Port A.
NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but static entries can overwrite dynamically learned ones.
When forwarding a frame, the device uses one of the following forwarding modes based on the MAC address table:
• Unicast mode—If an entry matching the destination MAC address exists, the device forwards the frame directly from the sending port recorded in the entry.
• Broadcast mode—If the device receives a frame with the destination address being all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all ports except the receiving port.
Figure 104 MAC address table of the device
MAC address Port
MAC A 1
MAC B 1
MAC C 2
MAC D 2
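The learning and forwarding rules above, as an added Python model that is not H3C code and not part of this guide. It keeps a table of static and dynamic entries and applies the rules as the text states them: a learned address refreshes or creates a dynamic entry but never overwrites a static one, a known destination is sent out of the recorded port only, and an unknown or all-Fs destination is flooded to every port except the receiving one. The port numbers, MAC addresses and the aging time are constructed.

```python
"""Added model of the MAC address table behaviour described above: source
learning, static entries that never age out and are never overwritten by
learning, dynamic entries that age out, unicast forwarding for known
destinations and flooding for unknown or all-Fs destinations. This is an
illustration, not H3C code; ports, MACs and the aging time are constructed."""

BROADCAST_MAC = "ffff-ffff-ffff"


class MacEntry:
    def __init__(self, port, static):
        self.port = port
        self.static = static
        self.age = 0  # seconds since last refresh; ignored for static entries


class MacTable:
    def __init__(self, ports, aging_time=300):
        self.ports = list(ports)
        self.aging_time = aging_time  # constructed value, cf. Table 56
        self.entries = {}

    def add_static(self, mac, port):
        """Static entry: manually configured, never ages out, and may
        overwrite an existing dynamic entry for the same MAC."""
        self.entries[mac] = MacEntry(port, static=True)

    def learn(self, src_mac, in_port):
        """Steps 1 and 2 of the text: look up the source MAC, refresh or add."""
        entry = self.entries.get(src_mac)
        if entry is None:
            self.entries[src_mac] = MacEntry(in_port, static=False)
        elif not entry.static:
            entry.port, entry.age = in_port, 0
        # a learned address never overwrites a static entry

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of egress ports for a received frame."""
        self.learn(src_mac, in_port)
        entry = self.entries.get(dst_mac)
        if dst_mac == BROADCAST_MAC or entry is None:
            # broadcast mode: all ports except the receiving port
            return [p for p in self.ports if p != in_port]
        return [entry.port]  # unicast mode

    def tick(self, seconds):
        """Advance time; dynamic entries past the aging time are removed."""
        for mac, entry in list(self.entries.items()):
            if entry.static:
                continue
            entry.age += seconds
            if entry.age >= self.aging_time:
                del self.entries[mac]

    def port_of(self, mac):
        entry = self.entries.get(mac)
        return None if entry is None else entry.port


if __name__ == "__main__":
    t = MacTable([1, 2, 3])
    t.add_static("00e0-fc35-dc71", 1)   # the static entry from the example below
    print(t.forward("00e0-fc35-0001", "00e0-fc35-dc71", 2))  # unicast to port 1
    print(t.forward("00e0-fc35-0002", "00e0-fc35-9999", 1))  # unknown: flood to 2, 3
```

The static-entry rule is what makes a static MAC entry useful as a hardening measure: a frame arriving on another port with the same source MAC cannot move the entry, so the address stays pinned to the port an administrator configured.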
Configuring a MAC address entry
1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device, as shown in the following figure.
Figure 105 The MAC tab
2. Click Add at the bottom to enter the page for creating MAC address entries, as shown in the following figure.
Figure 106 Creating a MAC address entry
3. Configure the MAC address entry as described in the following table.
4. Click Apply.
Table 55 Configuration items
Item Description
MAC Set the MAC address to be added.
Type Set the type of the MAC address entry:
• static—Static MAC address entries that never age out.
• dynamic—Dynamic MAC address entries that will age out.
• blackhole—Blackhole MAC address entries that never age out.
IMPORTANT:
The tab displays the following types of MAC address entries:
• Config static—Static MAC address entries manually configured by the users.
• Config dynamic—Dynamic MAC address entries manually configured by the users.
• Blackhole—Blackhole MAC address entries.
• Learned—Dynamic MAC address entries learned by the device.
• Other—Other types of MAC address entries.
VLAN Set the ID of the VLAN to which the MAC address belongs.
Port Set the port to which the MAC address belongs.
Setting the aging time of MAC address entries
1. Select Network > MAC from the navigation tree.
2. Click the Setup tab to enter the page for setting the MAC address entry aging time, as shown in the following figure.
Figure 107 Setting the aging time for MAC address entries
3. Set the aging time as described in the following table.
4. Click Apply.
Table 56 Configuration items
Item Description
No-aging Specify that MAC address entries never age out.
Aging time Set the aging time for MAC address entries.
MAC address configuration example
Network requirements
Use the MAC address table management function of the Web-based NMS. Create a static MAC address entry for 00e0-fc35-dc71 on GigabitEthernet 1/0/1 in VLAN 1.
Configuration procedure
1. Create a static MAC address entry:
a. Select Network > MAC from the navigation tree to enter the MAC tab.
b. Click Add.
The page for creating MAC address entries appears.
c. Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list, and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.
Figure 108 Creating a static MAC address entry
VLAN configuration
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. Because the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address this issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 109.
Figure 109 A VLAN diagram (labels in the figure: VLAN 2, Switch A, Switch B, Router, VLAN 5)
You can implement VLANs based on a variety of criteria. The web interface, however, supports only port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
For more information about VLAN, see H3C WX Series Access Controllers Layer 2 Configuration Guide.
Recommended configuration procedure
Step Remarks
Creating a VLAN Required.
Modifying a VLAN or Modifying a port Required. Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.
Creating a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page shown in Figure 110.
Figure 110 VLAN configuration page
TIP:
To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the VLAN Range field and click Select; all other VLANs are filtered out. If you click Remove, all VLANs within this range are deleted.
2. Click Add to enter the page for creating a VLAN, as shown in the following figure.
3. Enter the ID of the VLAN you want to create.
4. Click Apply.
Figure 111 Creating a VLAN
Modifying a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page shown in Figure 110.
2. Click the icon of the VLAN you want to modify to enter the page shown in the following figure.
Figure 112 Modifying a VLAN
3. Configure the description and port members for the VLAN as described in the following table.
4. Click Apply.
Table 57 Configuration items
Item Description
ID Displays the ID of the VLAN to be modified.
Description Set the description string of the VLAN. By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.
Port (Untagged Member, Tagged Member, Not a Member) Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
IMPORTANT:
When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed to hybrid.
Modifying a port
1. Select Network > VLAN from the navigation tree.
2. Click the Port tab to enter the page shown in the following figure.
Figure 113 Port configuration page
3. Click the icon for the port to be modified to enter the page shown in the following figure.
Figure 114 Modifying a port
4. Configure the port as described in the following table.
5. Click Apply.
Table 58 Configuration items
Item Description
Port Displays the port to be modified.
Untagged Member Displays the VLANs to which the port belongs as an untagged member.
Tagged Member Displays the VLANs to which the port belongs as a tagged member.
Member Type (Untagged, Tagged, Not a Member) Select the Untagged, Tagged, or Not a Member option:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
IMPORTANT:
• You cannot configure an access port as an untagged member of a nonexistent VLAN.
• When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed to hybrid.
• You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.
VLAN ID Specify the VLAN to which the port belongs.
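What the Untagged, Tagged and Not a Member options in Table 57 and Table 58 mean on the wire, as an added Python illustration that is not H3C code and not part of this guide: the same frame leaves an untagged member port with no 802.1Q tag, leaves a tagged member port with a tag carrying the VLAN ID inserted after the source MAC, and is never sent from a port that is not a member. It also parses the 2,6-50,100 range syntax used on the VLAN page. The port name is taken from the configuration example below; the frame bytes are constructed.

```python
"""Added illustration of port VLAN membership on egress and of the VLAN
range syntax used in the web interface. Not H3C code; the frame is
constructed."""
import struct

TPID_8021Q = 0x8100


def parse_vlan_ids(spec):
    """'2,6-50,100' -> {2, 6, 7, ..., 50, 100}; rejects IDs outside 1-4094."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("invalid VLAN range: " + part)
        ids.update(range(lo, hi + 1))
    return ids


class VlanPort:
    def __init__(self, name):
        self.name = name
        self.untagged = set()
        self.tagged = set()

    def set_member(self, vlan_ids, kind):
        """kind: 'untagged', 'tagged' or 'none' (the Not a Member option)."""
        for vid in vlan_ids:
            self.untagged.discard(vid)
            self.tagged.discard(vid)
            if kind == "untagged":
                self.untagged.add(vid)
            elif kind == "tagged":
                self.tagged.add(vid)
            elif kind != "none":
                raise ValueError(kind)

    def egress(self, frame, vlan_id):
        """Bytes sent for an untagged frame belonging to vlan_id, or None."""
        dst, src, rest = frame[:6], frame[6:12], frame[12:]
        if vlan_id in self.tagged:
            tci = struct.pack("!H", vlan_id & 0x0FFF)  # PCP 0, DEI 0, VID
            return dst + src + struct.pack("!H", TPID_8021Q) + tci + rest
        if vlan_id in self.untagged:
            return frame  # sent with the VLAN tag removed
        return None  # not a member: traffic of this VLAN never leaves here


def vlan_of(wire):
    """VLAN ID carried by an 802.1Q frame, or None if it is untagged."""
    if struct.unpack("!H", wire[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", wire[14:16])[0] & 0x0FFF


# Constructed frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload
FRAME = (bytes.fromhex("00e0fc350001") + bytes.fromhex("00e0fc350002")
         + b"\x08\x00" + b"\x00\x01\x02\x03")


def example_port():
    """GigabitEthernet 1/0/1 as configured in the example below: untagged in
    VLAN 100, tagged in VLAN 2 and VLANs 6 through 50."""
    port = VlanPort("GigabitEthernet1/0/1")
    port.set_member(parse_vlan_ids("100"), "untagged")
    port.set_member(parse_vlan_ids("2,6-50"), "tagged")
    return port


if __name__ == "__main__":
    p = example_port()
    print("VLAN 100 leaves untagged:", p.egress(FRAME, 100) == FRAME)
    print("VLAN 6 leaves with tag:", vlan_of(p.egress(FRAME, 6)))
    print("VLAN 3 is dropped:", p.egress(FRAME, 3) is None)
```

A port can be an untagged member of only one VLAN in practice (its default VLAN, here VLAN 100), because a receiving device has no way to tell untagged frames of two VLANs apart; the model above does not enforce that, it only shows the egress rule for each membership kind.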
VLAN configuration examples
Network requirements
As shown in the network diagram:
• GigabitEthernet 1/0/1 of AC is connected to GigabitEthernet 1/0/1 of Switch.
• GigabitEthernet 1/0/1 on both devices are hybrid ports with VLAN 100 as their default VLAN.
• Configure GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Figure 115 Network diagram
Configuring AC
1. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN tab.
b. Click Add.
c. Enter VLAN IDs 2,6-50,100, as shown in the following figure.
d. Click Apply.
Figure 116 Creating a VLAN
2. Configure GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
a. Enter 100 in the VLAN Range field, as shown in the following figure.
b. Click Select to display only the information of VLAN 100.
Figure 117 Selecting a VLAN
c. Click the icon of VLAN 100.
d. Select the Untagged Member option for port GigabitEthernet 1/0/1, as shown in Figure 118.
e. Click Apply.
Figure 118 Modifying a VLAN
3. Configure GigabitEthernet 1/0/1 as a tagged member of VLAN 2 and VLAN 6 through VLAN 50:
a. Select Network > VLAN from the navigation tree and then select the Port tab.
b. Click the icon of port GigabitEthernet 1/0/1.
c. Select the Tagged option, and enter VLAN IDs 2, 6-50, as shown in Figure 119.
Figure 119 Modifying a port
d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click OK in the dialog box.
Configuring Switch
The configuration on Switch is similar to that on AC.
Configuration guidelines
When you configure VLANs, follow these guidelines:
• VLAN 1 is the default VLAN, which cannot be manually created or removed.
• Some VLANs are reserved for special purposes. You cannot manually create or remove them.
• Dynamic VLANs cannot be manually removed.
ARP configuration
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) resolves an IP address into an Ethernet MAC address (or physical address). In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address.
For more information about ARP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Introduction to gratuitous ARP
Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• To determine whether its IP address is already used by another device. If the IP address is already in use, the device is informed of the conflict by an ARP reply.
• To inform other devices of a change of its MAC address.
Learning of gratuitous ARP packets
With this feature enabled, a device that receives a gratuitous ARP packet adds an ARP entry containing the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry already exists, the device updates it.
With this feature disabled, the device uses received gratuitous ARP packets to update existing ARP entries, but not to create new ARP entries.
Displaying ARP entries
Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in the following figure. All ARP entries are displayed on the page.
Figure 120 ARP Table configuration page
Creating a static ARP entry
1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.
2. Click Add to enter the New Static ARP Entry page, as shown in the following figure.
Figure 121 Adding a static ARP entry
3. Configure the static ARP entry as described in Table 59.
4. Click Apply.
Table 59 Configuration items
Item Description
IP Address Enter an IP address for the static ARP entry.
MAC Address Enter a MAC address for the static ARP entry.
Advanced Options (VLAN ID, Port) Enter a VLAN ID and specify a port for the static ARP entry.
IMPORTANT:
The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to that VLAN. The corresponding VLAN interface must have been created.
Removing ARP entries
1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.
2. Remove ARP entries:
To remove specific ARP entries, select the target ARP entries and click Del Selected.
To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
To remove all static ARP entries, click Delete Static.
To remove all dynamic ARP entries, click Delete Dynamic.
Configuring gratuitous ARP
1. Select Network > ARP Management from the navigation tree.
2. Click the Gratuitous ARP tab to enter the page shown in Figure 122.
Figure 122 Gratuitous ARP configuration page
3. Configure gratuitous ARP as described in Table 60.
Table 60 Configuration items
Item Description
Disable gratuitous ARP packets learning function Disable learning of ARP entries from gratuitous ARP packets. Learning is enabled by default.
Send gratuitous ARP packets when receiving ARP requests from another network segment Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment. Disabled by default.
Static ARP configuration example
Network requirements
To enhance communication security between the AC and the router, configure a static ARP entry on the
AC.
Figure 123 Network diagram
Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the default VLAN page.
b. Click Add.
c. Enter 100 for VLAN ID, as shown in Figure 124.
d. Click Apply.
Figure 124 Creating VLAN 100
2. Add GigabitEthernet 1/0/1 to VLAN 100:
a. On the VLAN page, click the icon of VLAN 100.
b. Select the Untagged Member option for GigabitEthernet1/0/1.
c. Click Apply.
Figure 125 Adding GigabitEthernet 1/0/1 to VLAN 100
3. Configure VLAN-interface 100:
a. Select Device > Interface from the navigation tree.
b. Click Add.
c. On the page that appears, select Vlan-interface from the Interface Name list and enter 100, select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24 (255.255.255.0) for Mask.
d. Click Apply.
Figure 126 Configuring VLAN-interface 100
4. Create a static ARP entry:
a. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.
b. Click Add.
c. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options option, enter 100 for VLAN ID, and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.
Figure 127 Creating a static ARP entry
ARP attack protection configuration
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
• User validity check—The device compares the sender IP and MAC addresses of a received ARP packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
• ARP packet validity check—The device does not check ARP packets received from an ARP trusted port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet based on the source MAC address, destination MAC address, or source and destination IP addresses. ARP packets that fail the check are discarded.
For more information about ARP detection, see H3C WX Series Access Controllers Security Configuration Guide.
Source MAC address based ARP attack detection
This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If the number of ARP packets from a MAC address within five seconds exceeds the specified threshold, the device considers this an attack and adds the MAC address to the attack detection table. Before the attack detection entry is aged out, the device generates a log message upon receiving an ARP packet sourced from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode), or only generates a log message upon receiving an ARP packet sourced from that MAC address (in monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discarded, you can specify the MAC address of the gateway or server as a protected MAC address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
ARP active acknowledgement
The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid generating any incorrect ARP entry.
ARP packet source MAC address consistency check
This feature enables a gateway device to filter out ARP packets whose source MAC address in the Ethernet header differs from the sender MAC address in the ARP message, so that the gateway device learns correct ARP entries.
Configuring ARP detection
NOTE:
If both ARP detection based on specified objects and ARP detection based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are enabled, the former applies first, and then the latter applies.
1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page.
Figure 128 ARP Detection configuration page
2. Configure ARP detection as described in Table 61.
3. Click Apply.
Table 61 Configuration items
Item Description
VLAN Settings Select VLANs on which ARP detection is to be enabled.
To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the << button.
To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the list box and click the >> button.
Trusted Ports Select trusted ports and untrusted ports.
To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the << button.
To remove ports from the Trusted Ports list box, select one or multiple ports from the list box and click the >> button.
ARP Packet Validity Check Select ARP packet validity check modes, including:
• Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
• Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header.
• Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address, and discard the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.
ARP packet validity check takes precedence over user validity check. If none of the above is selected, the system does not check the validity of ARP packets.
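The following Python program is an added example, not part of this guide or of H3C's software. It implements the three validity checks of Table 61 over constructed Ethernet/ARP frames, so that the effect of each check box can be observed on sample traffic. The MAC and IP addresses are constructed, and applying the target MAC check to ARP replies only is an assumption of this example (a normal ARP request legitimately carries an all-zero target MAC).

```python
# Added example (not H3C code): the three ARP packet validity checks from
# Table 61, applied to constructed Ethernet/ARP frames.
import struct
from ipaddress import IPv4Address

ARP_ETHERTYPE = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp_frame(eth_dst, eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a 42-byte Ethernet II + ARP (IPv4 over Ethernet) frame.
    MAC arguments are 12 hex digits, IP arguments are dotted decimal."""
    eth = bytes.fromhex(eth_dst) + bytes.fromhex(eth_src) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # hw type, proto, hlen, plen, opcode
    arp += bytes.fromhex(sender_mac) + IPv4Address(sender_ip).packed
    arp += bytes.fromhex(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame):
    """Split an Ethernet/ARP frame into the fields the validity checks compare."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        raise ValueError("not an Ethernet/ARP frame")
    return {
        "eth_dst": frame[0:6],
        "eth_src": frame[6:12],
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28],
        "sender_ip": IPv4Address(frame[28:32]),
        "target_mac": frame[32:38],
        "target_ip": IPv4Address(frame[38:42]),
    }


def _bad_ip(ip):
    """All 0s, all 1s, or multicast: the addresses the IP check rejects."""
    return ip == IPv4Address("0.0.0.0") or ip == IPv4Address("255.255.255.255") or ip.is_multicast


def validity_check(frame, check_src_mac=True, check_dst_mac=True, check_ip=True):
    """Return the reason the frame would be discarded, or None if it passes.
    Each flag corresponds to one check box in Table 61; with all three False
    the frame is not checked at all, as the table's last sentence states."""
    p = parse_arp_frame(frame)
    if check_src_mac and p["sender_mac"] != p["eth_src"]:
        return "sender MAC differs from Ethernet source MAC"
    # Assumption of this example: the target MAC check is applied to ARP
    # replies only, because a normal ARP request carries an all-zero target MAC.
    if check_dst_mac and p["opcode"] == ARP_REPLY:
        t = p["target_mac"]
        if t == b"\x00" * 6 or t == b"\xff" * 6 or t != p["eth_dst"]:
            return "reply target MAC is all 0s, all 1s, or differs from Ethernet destination MAC"
    if check_ip:
        if p["opcode"] == ARP_REQUEST and _bad_ip(p["sender_ip"]):
            return "request sender IP is all 0s, all 1s, or multicast"
        if p["opcode"] == ARP_REPLY and (_bad_ip(p["sender_ip"]) or _bad_ip(p["target_ip"])):
            return "reply sender or target IP is all 0s, all 1s, or multicast"
    return None


def filter_frames(frames, **checks):
    """Run the checks over a batch; return (forwarded frames, [(index, reason), ...])."""
    forwarded, discarded = [], []
    for i, frame in enumerate(frames):
        reason = validity_check(frame, **checks)
        if reason:
            discarded.append((i, reason))
        else:
            forwarded.append(frame)
    return forwarded, discarded


if __name__ == "__main__":
    # Constructed sample frames: a correct reply and one whose ARP sender MAC
    # does not match the Ethernet source MAC (the first check box in Table 61).
    good_reply = build_arp_frame("0211aabbcc01", "0211aabbcc02", ARP_REPLY,
                                 "0211aabbcc02", "192.168.1.1", "0211aabbcc01", "192.168.1.2")
    spoofed = build_arp_frame("0211aabbcc01", "0211aabbcc02", ARP_REPLY,
                              "0211aabbcc99", "192.168.1.1", "0211aabbcc01", "192.168.1.2")
    fwd, dropped = filter_frames([good_reply, spoofed])
    print(len(fwd), "forwarded;", dropped)
```

Each keyword argument of validity_check mirrors one check box, so a frame can be re-run with different combinations to see which of the three rules it trips.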
Configuring other ARP attack protection functions
Other ARP attack protection functions include source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source address consistency check.
1. Select Network > ARP Anti-Attack from the navigation tree.
2. Click the Advanced Configuration tab to enter the page shown in Figure 129.
Figure 129 Advanced Configuration page
3. Configure ARP attack protection parameters as described in Table 62.
4. Click Apply.
Table 62 Configuration items
Item Description
Detection Mode Select the detection mode for source MAC address based ARP attack detection. The detection mode can be:
• Disable—Source MAC address based attack detection is disabled.
• Filter Mode—The device generates an alarm and filters out ARP packets sourced from a MAC address if the number of ARP packets received from that MAC address within five seconds exceeds the specified value.
• Monitor Mode—The device only generates an alarm if the number of ARP packets received from a MAC address within five seconds exceeds the specified value.
Source MAC Address Attack Detection: Aging Time Enter the aging time of the source MAC address based ARP attack detection entries.
Source MAC Address Attack Detection: Threshold Enter the threshold of source MAC address based ARP attack detection.
Protected MAC Configuration Add a protected MAC address in the following way:
1. Expand Protected MAC Configuration; its contents are displayed as shown in Figure 130.
2. Enter a MAC address.
3. Click Add.
A protected MAC address is excluded from ARP attack detection even if it is an attacker. You can specify certain MAC addresses, such as that of a gateway or an important server, as protected MAC addresses.
Enable ARP Packet Active Acknowledgement Enable or disable ARP packet active acknowledgement.
Enable Source MAC Address Consistency Check Enable or disable source MAC address consistency check.
Figure 130 Protected MAC configuration
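The following Python model is an added example, not part of this guide or of H3C's software. It reproduces the source MAC address based ARP attack detection behaviour described in this chapter: packets per source MAC are counted in a five-second window, a MAC that exceeds the threshold gets a detection entry that ages out after the configured time, filter mode drops and logs while monitor mode only logs, and protected MAC addresses are never counted. The MAC addresses and timestamps are constructed; the class and method names are this example's own.

```python
# Added example (not H3C code): source MAC address based ARP attack detection
# as described above, with filter and monitor modes and protected MAC addresses.
from collections import deque

DISABLED, FILTER, MONITOR = "disable", "filter", "monitor"
WINDOW_SECONDS = 5  # counting window stated in the text


class ArpSourceMacDetector:
    def __init__(self, threshold, aging_time, mode=FILTER, protected_macs=()):
        self.threshold = threshold          # Threshold item in Table 62
        self.aging_time = aging_time        # Aging Time item in Table 62 (seconds)
        self.mode = mode                    # Detection Mode item in Table 62
        self.protected = {m.lower() for m in protected_macs}
        self.recent = {}                    # MAC -> arrival times within the window
        self.attack_entries = {}            # MAC -> time the detection entry was created
        self.log = []                       # (time, MAC) log messages

    def _age_out(self, now):
        """Remove detection entries whose aging time has elapsed."""
        for mac, created in list(self.attack_entries.items()):
            if now - created >= self.aging_time:
                del self.attack_entries[mac]

    def receive(self, mac, now):
        """Handle one ARP packet delivered to the CPU at time `now` (seconds).
        Returns "forward" or "drop"."""
        if self.mode == DISABLED:
            return "forward"
        mac = mac.lower()
        self._age_out(now)
        if mac in self.protected:
            return "forward"  # never counted or filtered, even if it is an attacker
        if mac in self.attack_entries:
            # Entry still present: log every packet; drop only in filter mode.
            self.log.append((now, mac))
            return "drop" if self.mode == FILTER else "forward"
        window = self.recent.setdefault(mac, deque())
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = now
            self.log.append((now, mac))
            window.clear()
            return "drop" if self.mode == FILTER else "forward"
        return "forward"


if __name__ == "__main__":
    # Constructed sample: a gateway MAC is protected, another MAC sends a burst.
    det = ArpSourceMacDetector(threshold=3, aging_time=60, mode=FILTER,
                               protected_macs=["0211-aabb-cc01"])
    for t in range(6):
        print(t, det.receive("0211-aabb-cc02", t), det.receive("0211-aabb-cc01", t))
    print("log:", det.log)
```

Sizing the threshold against a real gateway's ARP rate matters: the text's advice to protect the gateway and server MACs exists precisely because they legitimately exceed thresholds tuned for end hosts.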
IGMP snooping configuration
Overview
Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
By analyzing received IGMP messages, a Layer 2 device that is running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
to all devices at Layer 2. However, when IGMP snooping is running on the switch, multicast packets for known multicast groups are multicast to the receivers, rather than broadcast to all hosts, at Layer 2.
Figure 131 Multicast forwarding before and after IGMP snooping runs
IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides the following advantages:
• Reducing Layer 2 broadcast packets and saving network bandwidth
• Enhancing the security of multicast packets
• Facilitating the implementation of accounting for each host
For more information about IGMP snooping, see H3C WX Series Access Controllers IP Multicast Configuration Guide.
Recommended configuration procedure
Step Remarks
1. Enabling IGMP snooping globally Required.
By default, IGMP snooping is disabled.
2. Configuring IGMP snooping on a VLAN Required.
Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature.
By default, IGMP snooping is disabled in a VLAN.
IMPORTANT:
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.
3. Configuring IGMP snooping on a port Optional.
Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.
IMPORTANT:
• Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.
• IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled on the VLAN interface.
4. Displaying IGMP snooping multicast entry information Optional.
Enabling IGMP snooping globally
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Select Enable, and click Apply.
Figure 132 Basic IGMP snooping configurations
Configuring IGMP snooping on a VLAN
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 133.
Figure 133 Configuring IGMP snooping in the VLAN
3. Configure IGMP snooping as described in Table 63.
4. Click Apply.
Table 63 Configuration items
Item Description
VLAN ID This field displays the ID of the VLAN to be configured.
IGMP snooping Enable or disable IGMP snooping in the VLAN.
You can proceed with the subsequent configurations only if Enable is selected here.
Version By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process.
• IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages, which will be flooded in the VLAN.
• IGMP snooping version 3 can process IGMPv1, IGMPv2, and IGMPv3 messages.
Drop Unknown Enable or disable the function of dropping unknown multicast packets.
Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
• With the function of dropping unknown multicast data enabled, the device drops all the unknown multicast data received.
• With the function of dropping unknown multicast data disabled, the device floods unknown multicast data in the VLAN to which the unknown multicast data belong.
Querier Enable or disable the IGMP snooping querier function.
On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To address this issue, you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer, thereby implementing IGMP querier-related functions.
Query interval Configure the IGMP query interval.
General Query Source IP Source IP address of IGMP general queries.
Special Query Source IP Source IP address of IGMP group-specific queries.
Configuring IGMP snooping on a port
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the Advanced tab to enter the page shown in Figure 134.
Figure 134 Advanced configuration
3. Configure IGMP snooping on a port as described in Table 64.
4. Click Apply.
Table 64 Configuration items
Item Description
Port Select the port on which advanced IGMP snooping features are to be configured.
After a port is selected, advanced features configured on this port are displayed at the lower part of this page.
VLAN ID Specify a VLAN in which you can configure the fast leave function for the port or the maximum number of multicast groups allowed on the port.
Group Limit Configure the maximum number of multicast groups that the port can join.
With this feature, you can regulate multicast traffic on the port.
IMPORTANT:
• When the number of multicast groups a port has joined reaches the configured threshold, the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table, and the hosts on this port must join the multicast groups again.
• Support for the maximum number of multicast groups that a port can join may vary depending on your device model. For more information, see "Feature matrixes."
Fast Leave Enable or disable the fast leave function for the port.
With the fast leave function enabled on a port, the device, when receiving an IGMP leave message on the port, immediately deletes that port from the outgoing port list of the corresponding forwarding table entry. Then, when receiving IGMP group-specific queries for that multicast group, the device will not forward them to that port. In VLANs where only one host is attached to each port, the fast leave function helps improve bandwidth and resource usage.
IMPORTANT:
If fast leave is enabled for a port to which more than one host is attached, when one host leaves a multicast group, the other hosts listening to the same multicast group will fail to receive multicast data.
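The following Python model is an added example, not part of this guide or of H3C's software. It models the IGMP snooping forwarding table behaviour described in Tables 63 and 64: forwarding of known groups to member ports, dropping or flooding of unknown multicast data, the documented clearing of a port's entries when its group limit is reached, and the immediate removal that fast leave performs (which is also why a second host on the same port loses the stream). Router ports are omitted, and the port names and group addresses are constructed.

```python
# Added example (not H3C code): a model of the IGMP snooping forwarding table
# behaviour described in Tables 63 and 64 (drop unknown, group limit, fast leave).


class IgmpSnoopingVlan:
    def __init__(self, vlan_id, drop_unknown=False):
        self.vlan_id = vlan_id
        self.drop_unknown = drop_unknown
        self.ports = set()
        self.groups = {}         # group address -> set of member ports
        self.group_limit = {}    # port -> maximum number of groups the port may join
        self.fast_leave = set()  # ports with fast leave enabled

    def add_port(self, port, group_limit=None, fast_leave=False):
        self.ports.add(port)
        if group_limit is not None:
            self.group_limit[port] = group_limit
        if fast_leave:
            self.fast_leave.add(port)

    def joined_groups(self, port):
        return {g for g, members in self.groups.items() if port in members}

    def _prune(self):
        """Delete entries that have no member ports left."""
        for g in [g for g, members in self.groups.items() if not members]:
            del self.groups[g]

    def report(self, port, group):
        """IGMP membership report received on `port` for `group`."""
        self.groups.setdefault(group, set()).add(port)
        limit = self.group_limit.get(port)
        if limit is not None and len(self.joined_groups(port)) >= limit:
            # Documented behaviour: once the port reaches the limit, all of its
            # entries are deleted and the hosts behind it must join again.
            for members in self.groups.values():
                members.discard(port)
            self._prune()
            return "limit reached, entries on port cleared"
        return "joined"

    def leave(self, port, group):
        """IGMP leave received. With fast leave the port is deleted from the
        entry immediately; otherwise the device first sends group-specific
        queries (modelled here only as the returned status)."""
        if port in self.fast_leave:
            if group in self.groups:
                self.groups[group].discard(port)
                self._prune()
            return "removed immediately"
        return "group-specific query sent"

    def forward(self, group, ingress_port):
        """Ports a data packet for `group` arriving on `ingress_port` is sent to."""
        members = self.groups.get(group)
        if members:
            return members - {ingress_port}
        if self.drop_unknown:
            return set()
        return self.ports - {ingress_port}  # flooded in the VLAN


if __name__ == "__main__":
    # Constructed sample modelled on the configuration example that follows:
    # VLAN 100, router on GigabitEthernet 1/0/1, fast leave on GigabitEthernet 1/0/2.
    vlan = IgmpSnoopingVlan(100, drop_unknown=True)
    vlan.add_port("GigabitEthernet1/0/1")
    vlan.add_port("GigabitEthernet1/0/2", fast_leave=True, group_limit=2)
    print(vlan.report("GigabitEthernet1/0/2", "224.1.1.1"))
    print(vlan.forward("224.1.1.1", "GigabitEthernet1/0/1"))
    print(vlan.leave("GigabitEthernet1/0/2", "224.1.1.1"))
    print(vlan.forward("224.1.1.1", "GigabitEthernet1/0/1"))
```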
Displaying IGMP snooping multicast entry information
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown in Figure 135.
Figure 135 Displaying entry information
3. Click the icon corresponding to an entry to display the detailed information of the entry, as shown in Figure 136.
Figure 136 Detailed information of an entry
Table 65 Field description
Field Description
VLAN ID ID of the VLAN to which the entry belongs.
Source Multicast source address, where 0.0.0.0 indicates all multicast sources.
Group Multicast group address.
Router port All router ports.
Member port All member ports.
IGMP snooping configuration examples
Network requirements
• As shown in Figure 137, Router A connects to a multicast source (Source) through Ethernet 1/2, and to AC through Ethernet 1/1.
• The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast group.
• IGMPv2 runs on Router A and IGMP snooping version 2 runs on AC.
• The function of dropping unknown multicast packets is enabled on AC to prevent AC from flooding multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.
• The fast leave function is enabled for GigabitEthernet 1/0/2 on AC to improve bandwidth and resource usage.
Figure 137 Network diagram
Configuring IP addresses
Configure the IP address for each interface, as shown in Figure 137 . (Details not shown.)
Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1. (Details not shown.)
Configuring the AC
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.
b. Click Add.
c. Enter the VLAN ID 100, as shown in Figure 138.
d. Click Apply.
Figure 138 Creating VLAN 100
2. Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as untagged members of VLAN 100:
a. Click the icon of VLAN 100 to enter its configuration page.
b. Select the Untagged Member option for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, as shown in Figure 139.
c. Click Apply.
Figure 139 Adding a port to the VLAN
3. Enable IGMP snooping globally:
a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
b. Select the Enable option for IGMP Snooping.
c. Click Apply.
Figure 140 Enabling IGMP snooping globally
4. Enable IGMP snooping and the function of dropping unknown multicast data on VLAN 1:
a. Click the icon corresponding to VLAN 100.
b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for Version, and select the Enable option for Drop Unknown.
c. Click Apply.
Figure 141 Configuring the VLAN
5. Enable the fast leave function for GigabitEthernet 1/0/2:
a. Click the Advanced tab.
b. Select GigabitEthernet 1/0/2 from the Port list, enter the VLAN ID 100, and select the Enable option for Fast Leave.
c. Click Apply.
Figure 142 Advanced configuration
Verifying the configuration
Display the IGMP snooping multicast entry information on AC.
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown in Figure 143.
Figure 143 IGMP snooping multicast entry information displaying page
3. Click the icon corresponding to the multicast entry to view information about this entry, as shown in Figure 144. The page shows that GigabitEthernet 1/0/2 of AC has been added to multicast group 224.1.1.1.
Figure 144 Information about an IGMP snooping multicast entry
IPv4 and IPv6 routing configuration
NOTE:
The term router in this document refers to routers, access controllers, unified switches, and access controller modules.
Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path. When the packet reaches the last router, it then forwards the packet to the destination host. Routing provides the path information that guides the forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base (FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually.
For more information about the routing table and static routing, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Displaying the IPv4 active route table
Select Network > IPv4 Routing from the navigation tree to enter the page shown in Figure 145.
Figure 145 IPv4 active route table
Table 66 Field description
Field Description
Destination IP Address, Mask Destination IP address and subnet mask of the IPv4 route.
Protocol Protocol that discovered the IPv4 route.
Preference Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop Next hop IP address of the IPv4 route.
Interface Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out the interface.
Creating an IPv4 static route
1. Select Network > IPv4 Routing from the navigation tree.
2. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 146.
Figure 146 Creating an IPv4 static route
3. Specify relevant information as described in Table 67.
4. Click Apply.
Table 67 Configuration items
Item Description
Destination IP Address Enter the destination host or network IP address, in dotted decimal notation.
Mask Enter the mask of the destination IP address.
You can enter a mask length or a mask in dotted decimal notation.
Preference Set a preference value for the static route. The smaller the number, the higher the preference.
For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop Enter the next hop IP address, in dotted decimal notation.
Interface Select the outgoing interface.
You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IP address is unreachable.
Displaying the IPv6 active route table
Select Network > IPv6 Routing from the navigation tree to enter the page shown in Figure 147.
Figure 147 IPv6 active route table
Table 68 Field description
Field Description
Destination IP Address, Prefix Length Destination IP address and prefix length of the IPv6 route.
Protocol Protocol that discovered the IPv6 route.
Preference Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop Next hop IP address of the IPv6 route.
Interface Outgoing interface of the IPv6 route. Packets destined for the specified network segment will be sent out the interface.
Creating an IPv6 static route
1. Select Network > IPv6 Routing from the navigation tree.
2. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 148.
Figure 148 Creating an IPv6 static route
3. Specify relevant information as described in Table 69.
4. Click Apply.
Table 69 Configuration items
Item Description
Destination IP Address Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by a 4-digit hexadecimal integer.
Prefix Length Enter the prefix length of the destination IPv6 address.
Preference Set a preference value for the static route. The smaller the number, the higher the preference.
For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences for them enables route backup.
Next Hop Enter the next hop address, in the same format as the destination IP address.
Interface Select the outgoing interface.
You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IPv6 address is unreachable.
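The following Python model is an added example, not part of this guide or of H3C's software, covering the route selection rules described in Tables 67 and 69 for both IPv4 and IPv6: longest prefix match first, then the lowest preference value; equal-preference routes to one destination share load, a route with a larger preference value serves as backup, and a route whose outgoing interface is NULL 0 makes the destination unreachable. The default preference value of 60 is an assumption of this example (the page does not state it), marking a next hop inactive is a simplification standing in for a failed next hop, and the sample routes beyond those in the configuration examples are constructed.

```python
# Added example (not H3C code): how a router chooses among static routes as
# described in Tables 67 and 69, for both IPv4 and IPv6 destinations.
from ipaddress import ip_address, ip_network

DEFAULT_STATIC_PREFERENCE = 60  # assumed for this example; the page does not state it


class StaticRouteTable:
    """Longest prefix match first, then the lowest preference value wins.
    Equal-preference routes to one destination share load; a route with a
    larger preference value is used only when the better ones are unavailable;
    a route whose outgoing interface is NULL 0 makes the destination unreachable."""

    def __init__(self):
        self.routes = []

    def add(self, destination, next_hop=None, interface=None,
            preference=DEFAULT_STATIC_PREFERENCE):
        self.routes.append({
            "net": ip_network(destination, strict=False),
            "pref": preference,
            "next_hop": next_hop,
            "iface": interface,
            "active": True,
        })

    def set_next_hop_state(self, next_hop, active):
        """Simplification: mark every route through `next_hop` active or inactive,
        standing in for that next hop becoming reachable or unreachable."""
        for r in self.routes:
            if r["next_hop"] == next_hop:
                r["active"] = active

    def lookup(self, destination):
        """Return the sorted list of next hops (or interfaces) that would carry
        traffic to `destination`, "unreachable" for a NULL 0 route, or None."""
        addr = ip_address(destination)
        candidates = [r for r in self.routes
                      if r["active"] and r["net"].version == addr.version and addr in r["net"]]
        if not candidates:
            return None
        longest = max(r["net"].prefixlen for r in candidates)
        best = [r for r in candidates if r["net"].prefixlen == longest]
        lowest_pref = min(r["pref"] for r in best)
        chosen = [r for r in best if r["pref"] == lowest_pref]
        if any(r["iface"] == "NULL 0" for r in chosen):
            return "unreachable"
        return sorted(str(r["next_hop"] or r["iface"]) for r in chosen)


if __name__ == "__main__":
    # Switch B's routes from the IPv4 configuration example, plus constructed
    # routes that show load sharing, backup and a NULL 0 route.
    table = StaticRouteTable()
    table.add("1.1.2.0/24", next_hop="1.1.4.1")
    table.add("1.1.3.0/24", next_hop="1.1.5.6")
    table.add("10.0.0.0/8", next_hop="1.1.4.1")
    table.add("10.0.0.0/8", next_hop="1.1.5.6")
    table.add("10.0.0.0/8", next_hop="1.1.5.9", preference=100)
    table.add("192.0.2.0/24", interface="NULL 0")
    print(table.lookup("1.1.3.2"), table.lookup("10.1.2.3"), table.lookup("192.0.2.1"))
```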
IPv4 static route configuration example
Network requirements
The IP addresses of devices are shown in Figure 149. IPv4 static routes must be configured on Switch A, Switch B and AC for Host A and Host B to communicate with each other.
Figure 149 Network diagram
Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the next hop.
3. On AC, configure a default route with Switch B as the next hop.
Configuration procedure
1. Configure a default route with the next hop address 1.1.4.2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address 1.1.5.6.
3. Configure a default route on AC:
a. Select Network > IPv4 Routing from the navigation tree.
b. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 150.
c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
d. Click Apply.
Figure 150 Configuring a default route
Verifying the configuration
1. Display the route table:
Enter the IPv4 route page of Switch A, Switch B, and AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.
2. Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2
Pinging 1.1.3.2 with 32 bytes of data:
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Ping statistics for 1.1.3.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
IPv6 static route configuration example
Network requirements
The IP addresses of devices are shown in Figure 151. IPv6 static routes must be configured on Switch A, Switch B and AC for Host A and Host B to communicate with each other.
Figure 151 Network diagram (labels recovered from the diagram: Host A 1::2/64; Switch A Vlan-int100 1::1/64 and Vlan-int200 4::1/64; Switch B Vlan-int200 4::2/64 and Vlan-int300 5::2/64; AC Vlan-int300 5::1/64 and Vlan-int500 3::1/64; AP; Host B 3::2/64)
Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the next hop.
3. On AC, configure a default route with Switch B as the next hop.
Configuration procedure
1. Configure a default route with the next hop address 4::2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1::/64 and next hop address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3. Configure a default route on AC:
a. Select Network > IPv6 Routing from the navigation tree.
b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 152.
c. Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
d. Click Apply.
Figure 152 Configuring a default route
Verifying the configuration
1. Display the route table:
Enter the IPv6 route page of Switch A, Switch B, and AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.
2. Ping Host B from Switch A:
<SwitchA> system-view
[SwitchA] ping ipv6 3::2
PING 3::2 : 56 data bytes, press CTRL_C to break
Reply from 3::2
bytes=56 Sequence=1 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=2 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=3 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=4 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=5 hop limit=254 time = 63 ms
--- 3::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms
Configuration guidelines
When you configure a static route, follow these guidelines:
1. If you do not specify the preference when you configure a static route, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. Currently, the Web interface does not support configuration of the default preference.
2. When you configure a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface, such as an Ethernet interface or VLAN interface.
3. When specifying the output interface, note that:
• If NULL 0 or a loopback interface is specified as the output interface, there is no need to configure the next hop address.
• If a point-to-point interface is specified as the output interface, you do not need to specify the next hop or change the configuration after the peer address has changed. For example, a PPP interface obtains the peer's IP address through PPP negotiation, and therefore, you only need to specify it as the output interface.
• If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks, the IP address-to-link layer address mapping must be established. Therefore, H3C recommends that you specify the next hop IP address when you configure such an interface as the output interface.
• If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or VLAN interface) as the output interface, which may have multiple next hops, you must specify the next hop at the same time.
DHCP overview
NOTE:
• After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see "Interface management."
• For more information about DHCP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
DHCP uses the client/server model. Figure 153 shows a typical DHCP application.
Figure 153 A typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
Figure 154 DHCP relay agent application (labels recovered from the diagram: DHCP clients; DHCP relay agent; IP network; DHCP server)
Introduction to DHCP snooping
NOTE:
The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
As a DHCP security feature, DHCP snooping can implement the following:
1. Recording IP-to-MAC mappings of DHCP clients
2. Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong.
Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and cannot normally communicate with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that the clients obtain IP addresses from authorized DHCP servers.
• Trusted—A trusted port forwards DHCP messages normally.
• Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from any DHCP server.
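The following Python model is an added example, not part of this guide or of H3C's software. It models the two DHCP snooping functions described above: DHCP-OFFER and DHCP-ACK messages arriving on untrusted ports are discarded, and the IP-to-MAC mapping of a client, together with its port and VLAN, is recorded from the DHCP-REQUEST/DHCP-ACK exchange. The recorded entry is then used for the ARP user validity check described in the ARP detection section. The port names, MAC addresses and IP addresses are constructed, and the message representation is this example's own simplification of the DHCP packet format.

```python
# Added example (not H3C code): DHCP snooping trusted/untrusted port handling
# and recording of client IP-to-MAC bindings, as described above.
from dataclasses import dataclass

SERVER_TO_CLIENT = {"DHCP-OFFER", "DHCP-ACK"}  # the message types the text names


@dataclass(frozen=True)
class DhcpMessage:
    kind: str          # "DHCP-REQUEST", "DHCP-ACK", ...
    client_mac: str    # client hardware address (chaddr)
    yiaddr: str = ""   # address assigned by the server (set in DHCP-ACK)


@dataclass(frozen=True)
class SnoopingEntry:
    mac: str
    ip: str
    port: str
    vlan: int


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (port, vlan) from its DHCP-REQUEST
        self.bindings = {}   # client MAC -> SnoopingEntry

    def receive(self, msg, port, vlan):
        """Handle one DHCP message arriving on `port` in `vlan`; "forward" or "drop"."""
        if msg.kind in SERVER_TO_CLIENT and port not in self.trusted:
            return "drop"  # server replies are accepted from trusted ports only
        if msg.kind == "DHCP-REQUEST":
            self.pending[msg.client_mac] = (port, vlan)
        elif msg.kind == "DHCP-ACK" and msg.client_mac in self.pending:
            client_port, client_vlan = self.pending.pop(msg.client_mac)
            self.bindings[msg.client_mac] = SnoopingEntry(
                msg.client_mac, msg.yiaddr, client_port, client_vlan)
        return "forward"

    def arp_sender_valid(self, sender_ip, sender_mac):
        """User validity check from the ARP detection section: the sender IP and
        MAC of an ARP packet must match a recorded snooping entry."""
        entry = self.bindings.get(sender_mac)
        return entry is not None and entry.ip == sender_ip


if __name__ == "__main__":
    # Constructed sample: the authorized server sits behind GigabitEthernet1/0/1.
    snoop = DhcpSnooping(trusted_ports={"GigabitEthernet1/0/1"})
    print(snoop.receive(DhcpMessage("DHCP-REQUEST", "0211-aabb-cc10"), "GigabitEthernet1/0/2", 100))
    print(snoop.receive(DhcpMessage("DHCP-OFFER", "0211-aabb-cc10", "192.168.1.200"), "GigabitEthernet1/0/3", 100))
    print(snoop.receive(DhcpMessage("DHCP-ACK", "0211-aabb-cc10", "192.168.1.50"), "GigabitEthernet1/0/1", 100))
    print(snoop.bindings)
```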
Recommended configuration procedure (for DHCP server)
Step Remarks
1. Enabling DHCP Required.
Enable DHCP globally.
By default, global DHCP is disabled.
2. Creating an address pool for the DHCP server (creating a static address pool for the DHCP server, or creating a dynamic address pool for the DHCP server) Required.
Use at least one approach.
IMPORTANT:
• If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the interface with the DHCP server enabled; otherwise, the clients will fail to obtain IP addresses.
• If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured; otherwise, the client will fail to obtain an IP address.
3. Enabling the DHCP server on an interface Optional.
With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server will assign an IP address from its address pool to the DHCP client.
With DHCP enabled, interfaces work in the DHCP server mode.
IMPORTANT:
• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.
• The DHCP server works on interfaces with manually configured IP addresses only.
4. Displaying information about assigned IP addresses Optional.
Enabling DHCP
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Select the Enable option on the upper part of the page to enable DHCP globally.
Figure 155 DHCP configuration page
Creating a static address pool for the DHCP server
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Select the Static option in the Address Pool field to view all static address pools.
3. Click Add to enter the page shown in Figure 156.
Figure 156 Creating a static address pool
4. Configure the static address pool as described in Table 70.
5. Click Apply.
Table 70 Configuration items
Item Description
IP Pool Name
Enter the name of a static address pool.
IP Address / Mask
Enter an IP address and select a subnet mask for the static address pool.
The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
You can enter a mask length or a mask in dotted decimal notation.
Client MAC Address / Client ID
Configure the client MAC address or the client ID for the static address pool.
IMPORTANT:
The client ID must be identical to the ID of the client to be bound. Otherwise, the client cannot obtain an IP address.
Client Domain Name
Enter the domain name suffix for the client.
With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address
Enter the gateway addresses for the client.
A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool, and the DHCP server assigns the gateway addresses together with the IP address to the client.
Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
Enter the DNS server addresses for the client.
To allow the client to access a host on the Internet through DNS, you need to specify a DNS server address.
Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
Enter the WINS server addresses for the client.
If b-node is specified for the client, you do not need to specify any WINS server address.
Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
Select the NetBIOS node type for the client.
Creating a dynamic address pool for the DHCP server
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3. Click Add to enter the page shown in Figure 157.
Figure 157 Creating a dynamic address pool
4. Configure the dynamic address pool as described in Table 71.
5. Click Apply.
Table 71 Configuration items
Item Description
IP Pool Name
Enter the name of a dynamic address pool.
IP Address / Mask
Enter an IP address segment for dynamic allocation.
To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.
You can enter a mask length or a mask in dotted decimal notation.
Lease Duration
Configure the address lease duration for the address pool: either Unlimited or a value in days/hours/minutes/seconds.
Unlimited indicates an infinite lease duration.
Client Domain Name
Enter the domain name suffix for the client.
With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address
Enter the gateway addresses for the client.
DHCP clients that want to access hosts outside the local subnet rely on gateways to forward their data. You can specify gateways in each address pool, and the DHCP server assigns the gateway addresses together with the IP address to the client.
Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
Enter the DNS server addresses for the client.
To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses.
Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
Enter the WINS server addresses for the client.
If b-node is specified for the client, you do not need to specify any WINS server address.
Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
Select the NetBIOS node type for the client.
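The following Python model is an added example written for this guide, not the AC's own implementation, showing how the static pools of Table 70 and the dynamic pools of Table 71 interact when a request arrives: a static binding matched by client ID or client MAC address wins, a client that still holds a lease keeps its address, a dynamic pool only serves requests received on an interface in its own network segment, gateway and server-interface addresses are never handed out, and expired leases are reclaimed. The class and method names, the client MAC addresses and the time values are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

UNLIMITED = None  # the "Unlimited" lease duration of Table 71


class DhcpServer:
    """Simplified DHCP server address-pool model (example code, not the AC's)."""

    def __init__(self, interface_ips: List[str]):
        # Addresses configured on the server's own interfaces: a static pool may
        # not bind one of them (Table 70) and they are never assigned to clients.
        self.interface_ips = {ipaddress.IPv4Address(ip) for ip in interface_ips}
        self.static: List[dict] = []
        self.dynamic: List[dict] = []
        # assigned IP -> (client key, pool name, expiry time or None)
        self.leases: Dict[ipaddress.IPv4Address, Tuple[str, str, Optional[float]]] = {}

    def add_static_pool(self, name: str, ip: str, mask: str,
                        client_mac: Optional[str] = None, client_id: Optional[str] = None):
        addr = ipaddress.IPv4Address(ip)
        if addr in self.interface_ips:
            raise ValueError(f"{ip} is an interface address of the DHCP server")
        if client_mac is None and client_id is None:
            raise ValueError("a static pool needs a client MAC address or a client ID")
        ipaddress.IPv4Interface(f"{ip}/{mask}")  # mask may be a length or dotted decimal
        self.static.append({"name": name, "ip": addr, "mac": client_mac, "client_id": client_id})

    def add_dynamic_pool(self, name: str, segment: str, mask: str,
                         gateways: List[str] = (), lease_seconds: Optional[float] = UNLIMITED):
        net = ipaddress.IPv4Network(f"{segment}/{mask}", strict=True)
        self.dynamic.append({"name": name, "network": net,
                             "gateways": {ipaddress.IPv4Address(g) for g in gateways},
                             "lease": lease_seconds})

    def _expire(self, now: float):
        for ip, (_, _, expiry) in list(self.leases.items()):
            if expiry is not UNLIMITED and expiry <= now:
                del self.leases[ip]

    def allocate(self, iface_ip: str, now: float, client_mac: Optional[str] = None,
                 client_id: Optional[str] = None) -> Optional[Tuple[str, str]]:
        """Return (ip, pool name) for a request received on interface iface_ip, or None."""
        self._expire(now)
        key = client_id or client_mac
        # 1. A static binding identified by client ID or MAC address takes precedence.
        for pool in self.static:
            if (client_id and pool["client_id"] == client_id) or \
               (client_mac and pool["mac"] == client_mac):
                self.leases[pool["ip"]] = (key, pool["name"], UNLIMITED)
                return str(pool["ip"]), pool["name"]
        # 2. A client that still holds a dynamic lease keeps its address (lease renewed).
        for ip, (owner, pool_name, expiry) in list(self.leases.items()):
            if owner == key:
                if expiry is not UNLIMITED:
                    lease = next(p["lease"] for p in self.dynamic if p["name"] == pool_name)
                    expiry = now + lease
                self.leases[ip] = (owner, pool_name, expiry)
                return str(ip), pool_name
        # 3. Otherwise take a free address from a dynamic pool on the same network
        #    segment as the receiving interface (IMPORTANT note of the procedure).
        iface = ipaddress.IPv4Address(iface_ip)
        for pool in self.dynamic:
            if iface not in pool["network"]:
                continue
            excluded = pool["gateways"] | self.interface_ips
            for host in pool["network"].hosts():
                if host in excluded or host in self.leases:
                    continue
                expiry = UNLIMITED if pool["lease"] is UNLIMITED else now + pool["lease"]
                self.leases[host] = (key, pool["name"], expiry)
                return str(host), pool["name"]
        return None


def demo() -> List[Optional[Tuple[str, str]]]:
    """Constructed walk-through based on the DHCP server configuration example."""
    srv = DhcpServer(interface_ips=["10.1.1.1"])
    ten_days_twelve_hours = 10 * 86400 + 12 * 3600
    srv.add_dynamic_pool("test", "10.1.1.0", "255.255.255.0",
                         gateways=["10.1.1.1"], lease_seconds=ten_days_twelve_hours)
    srv.add_static_pool("ap1", "10.1.1.100", "24", client_mac="00-e0-fc-00-00-01")
    return [
        srv.allocate("10.1.1.1", now=0, client_mac="00-e0-fc-00-00-01"),    # static binding
        srv.allocate("10.1.1.1", now=0, client_mac="00-e0-fc-00-00-02"),    # 10.1.1.2
        srv.allocate("10.1.1.1", now=0, client_mac="00-e0-fc-00-00-03"),    # 10.1.1.3
        srv.allocate("10.1.1.1", now=10, client_mac="00-e0-fc-00-00-02"),   # renewed
        srv.allocate("192.168.0.1", now=10, client_mac="00-e0-fc-00-00-04"),  # no pool
        srv.allocate("10.1.1.1", now=ten_days_twelve_hours + 1,
                     client_mac="00-e0-fc-00-00-05"),                        # reclaims 10.1.1.3
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The request received on 192.168.0.1 gets nothing because no pool covers that segment, which is exactly the failure the IMPORTANT note in the procedure warns about; the last request obtains 10.1.1.3 because that lease expired while 10.1.1.2 was renewed.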
Enabling the DHCP server on an interface
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Click the icon next to a specific interface to enter the page shown in Figure 158.
3. Select the Enable option for DHCP Server.
4. Click Apply.
Figure 158 Configuring a DHCP server interface
Displaying information about assigned IP addresses
1. Select Network > DHCP > DHCP Server from the navigation tree to enter the DHCP Server page.
2. Click Addresses in Use in the Address In Use field at the bottom of the page to view information about the IP addresses assigned from the address pools, as shown in Figure 159.
Figure 159 Displaying addresses in use
Table 72 Field description
Field Description
IP Address
Assigned IP address.
Client MAC Address/Client ID
Client MAC address or client ID bound to the IP address.
Pool Name
Name of the DHCP address pool to which the IP address belongs.
Lease Expiration
Lease time of the IP address.
Recommended configuration procedure (for DHCP relay agent)
Step Remarks
1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent
Required.
Enable DHCP globally and configure advanced DHCP parameters.
By default, global DHCP is disabled.
2. Creating a DHCP server group
Required.
To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives request messages from clients, the relay agent forwards them to all the DHCP servers in the group.
3. Enabling the DHCP relay agent on an interface
Required.
Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server group.
With DHCP enabled, interfaces work in the DHCP server mode by default.
IMPORTANT:
• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.
• If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag, and the VLAN tag must be the same as the VLAN ID of the subinterface; otherwise, the packet is discarded.
• The DHCP relay agent works only on interfaces whose IP addresses are manually configured.
• If an Ethernet subinterface serves as a DHCP relay agent, it conveys IP addresses only to subinterfaces of DHCP clients. In this case, a PC cannot obtain an IP address as a DHCP client.
4. Configuring and displaying clients' IP-to-MAC bindings
Optional.
Create a static IP-to-MAC binding, and view static and dynamic bindings.
The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings. In other words, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access the external network using fixed IP addresses.
By default, no static binding is created.
Enabling DHCP and configuring advanced parameters for the DHCP relay agent
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 160.
Figure 160 DHCP relay agent configuration page
3. Select the Enable option for DHCP Service.
4. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration field, as shown in Figure 161.
Figure 161 Advanced DHCP relay agent configuration field
5. Configure the advanced DHCP relay agent parameters as described in Table 73.
6. Click Apply. You must also click Apply for enabling the DHCP service.
Table 73 Configuration items
Item Description
Unauthorized Server Detect
Enable or disable unauthorized DHCP server detection.
Unauthorized DHCP servers on a network may reply to DHCP clients with wrong IP addresses.
With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address of any DHCP server that assigned an IP address to the DHCP client, together with the receiving interface. The administrator can use this information to find unauthorized DHCP servers. The device records each DHCP server once. The administrator needs to identify unauthorized DHCP servers from the log information. After the recorded DHCP server information is cleared, the relay agent re-records server information following the same mechanism.
Dynamic Bindings Refresh / Track Timer Interval
Enable or disable periodic refresh of dynamic client entries, and set the refresh interval.
A DHCP client relinquishes its IP address by sending a DHCP-RELEASE unicast message to the DHCP server via the DHCP relay agent. The DHCP relay agent simply conveys the message to the DHCP server and therefore does not remove the IP address from its dynamic client entries. To solve this problem, the periodic refresh of dynamic client entries feature is introduced.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within the specified interval, the IP address is now assignable, and the DHCP relay agent ages out the client entry.
• If the server returns a DHCP-NAK message, the IP address is still in use, and the relay agent does not age out the entry.
If the Auto option is selected, the relay agent calculates the refresh interval according to the number of client entries.
Creating a DHCP server group
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 160.
3. In the Server Group field, click Add to enter the page shown in Figure 162.
Figure 162 Creating a server group
4. Specify the DHCP server group information as described in Table 74.
5. Click Apply.
Table 74 Configuration items
Item Description
Server Group ID
Enter the ID of a DHCP server group.
You can create up to 20 DHCP server groups.
IP Address
Enter the IP address of a server in the DHCP server group.
The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.
Enabling the DHCP relay agent on an interface
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 160.
3. In the Interface Config field, click the icon of a specific interface to enter the page shown in Figure 163.
Figure 163 Configuring a DHCP relay agent interface
4. Configure the parameters as described in Table 75.
5. Click Apply.
Table 75 Configuration items
Item Description
Interface Name
This field displays the name of a specific interface.
DHCP Relay
Enable or disable the DHCP relay agent on the interface.
If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.
Address Match Check
Enable or disable IP address check.
With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. This prevents invalid IP address configuration.
Server Group ID
Correlate the interface with a DHCP server group.
A DHCP server group can be correlated with multiple interfaces.
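The following Python model is an added example for this guide, not the AC's own code, covering three relay agent behaviours described in Table 73 and Table 75: unauthorized server detection (each replying server is recorded once, with the receiving interface, until the records are cleared), the address match check (a client whose IP/MAC pair matches no dynamic or static binding is not forwarded), and the periodic refresh of dynamic entries (a DHCP-ACK or no reply ages the entry out, a DHCP-NAK keeps it; static entries are never probed). The server's answers to the refresh probes are supplied by a constructed callback, and all addresses, MAC addresses and interface names are made up for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Reply the refresh probe receives from the DHCP server: "ACK", "NAK", or None (no reply).
ProbeFn = Callable[[str, str], Optional[str]]


class DhcpRelayAgent:
    """Example model of DHCP relay agent bookkeeping (not the AC's implementation)."""

    def __init__(self, interface_mac: str):
        self.interface_mac = interface_mac            # MAC used in refresh probes
        self.server_records: Dict[str, str] = {}      # server IP -> receiving interface
        self.bindings: Dict[str, Tuple[str, str]] = {}  # client IP -> (MAC, "dynamic"|"static")
        self.address_match_check = False

    # --- Unauthorized Server Detect (Table 73) ------------------------------------
    def on_server_reply(self, server_ip: str, iface: str, client_ip: str, client_mac: str):
        """A server reply assigning client_ip to client_mac arrived on iface."""
        self.server_records.setdefault(server_ip, iface)   # recorded once per server
        self.bindings[client_ip] = (client_mac, "dynamic")  # dynamic IP-to-MAC entry

    def unauthorized_servers(self, authorized: List[str]) -> List[Tuple[str, str]]:
        return [(ip, iface) for ip, iface in self.server_records.items()
                if ip not in authorized]

    def clear_server_records(self):
        self.server_records.clear()   # detection starts over afterwards

    # --- Static bindings and Address Match Check (Tables 75 and 76) ---------------
    def add_static_binding(self, client_ip: str, client_mac: str):
        self.bindings[client_ip] = (client_mac, "static")

    def may_forward(self, client_ip: str, client_mac: str) -> bool:
        if not self.address_match_check:
            return True
        entry = self.bindings.get(client_ip)
        return entry is not None and entry[0].lower() == client_mac.lower()

    # --- Dynamic Bindings Refresh (Table 73) --------------------------------------
    def refresh_dynamic_bindings(self, probe: ProbeFn) -> List[str]:
        """Send a DHCP-REQUEST probe for every dynamic entry; return the IPs aged out."""
        aged_out = []
        for client_ip, (_, kind) in list(self.bindings.items()):
            if kind != "dynamic":
                continue   # static entries are never refreshed
            reply = probe(client_ip, self.interface_mac)
            # ACK or silence: the server would assign the address again, so the client
            # no longer holds it. NAK: the address is still in use.
            if reply in ("ACK", None):
                del self.bindings[client_ip]
                aged_out.append(client_ip)
        return aged_out


def demo() -> dict:
    """Constructed scenario: one authorized server, one rogue server, then a refresh cycle."""
    relay = DhcpRelayAgent(interface_mac="00-e0-fc-00-00-aa")
    relay.address_match_check = True
    relay.on_server_reply("10.1.1.1", "Vlan-interface2", "10.10.1.2", "00-11-22-33-44-01")
    relay.on_server_reply("10.1.1.1", "Vlan-interface2", "10.10.1.3", "00-11-22-33-44-02")
    relay.on_server_reply("10.10.1.250", "Vlan-interface1", "10.10.1.4", "00-11-22-33-44-03")
    relay.add_static_binding("10.10.1.50", "00-11-22-33-44-50")

    rogue = relay.unauthorized_servers(authorized=["10.1.1.1"])
    permitted = relay.may_forward("10.10.1.2", "00-11-22-33-44-01")
    spoofed = relay.may_forward("10.10.1.2", "00-11-22-33-44-99")

    # Constructed server behaviour: 10.10.1.3 was released (ACK), 10.10.1.2 is still in use
    # (NAK), and 10.10.1.4 came from the rogue, so the real server never answers for it.
    replies = {"10.10.1.3": "ACK", "10.10.1.2": "NAK"}
    aged = relay.refresh_dynamic_bindings(lambda ip, mac: replies.get(ip))
    return {"rogue": rogue, "permitted": permitted, "spoofed": spoofed,
            "aged_out": sorted(aged), "remaining": sorted(relay.bindings)}


if __name__ == "__main__":
    print(demo())
```

The rogue server shows up in the records with the client-facing interface it answered on, the spoofed IP/MAC pair is refused by the address match check, and the refresh cycle removes both the released address and the one the rogue handed out while leaving the NAKed address and the static entry alone.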
Configuring and displaying clients' IP-to-MAC bindings
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page shown in Figure 160.
3. In the User Information field, click User Information to view static and dynamic bindings, as shown in Figure 164.
Figure 164 Displaying clients' IP-to-MAC bindings
4. Click Add to enter the page shown in Figure 165.
Figure 165 Creating a static IP-to-MAC binding
5. Configure the static IP-to-MAC binding as described in Table 76.
6. Click Apply.
Table 76 Configuration items
Item Description
IP Address
Enter the IP address of a DHCP client.
MAC Address
Enter the MAC address of the DHCP client.
Interface Name
Select the Layer 3 interface connected with the DHCP client.
IMPORTANT:
The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address entry conflicts may occur.
Recommended configuration procedure (for DHCP snooping)
Step Remarks
1. Enabling DHCP snooping
Required.
By default, DHCP snooping is disabled.
2. Configuring DHCP snooping functions on an interface
Required.
Specify an interface as trusted and configure DHCP snooping to support Option 82.
By default, an interface is untrusted and DHCP snooping does not support Option 82.
IMPORTANT:
You need to specify the ports connected to the authorized DHCP servers as trusted to make sure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
3. Displaying clients' IP-to-MAC bindings
Optional.
Display clients' IP-to-MAC bindings recorded by DHCP snooping.
Enabling DHCP snooping
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 166.
3. Select the Enable option for DHCP Snooping.
Figure 166 DHCP snooping configuration page
Configuring DHCP snooping functions on an interface
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 166.
3. In the Interface Config field, click the icon of a specific interface to enter the page shown in Figure 167.
Figure 167 DHCP snooping interface configuration page
4. Configure the parameters as described in Table 77.
5. Click Apply.
Table 77 Configuration items
Item Description
Interface Name
This field displays the name of a specific interface.
Interface State
Configure the interface as trusted or untrusted.
Option 82 Support
Configure DHCP snooping to support Option 82 or not.
Option 82 Strategy
Select the handling strategy for DHCP requests containing Option 82. The strategies include:
• Drop—The message is discarded if it contains Option 82.
• Keep—The message is forwarded without its Option 82 being changed.
• Replace—The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format.
Displaying clients' IP-to-MAC bindings
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page shown in Figure 166.
3. Click User Information to enter the DHCP snooping user information page, as shown in Figure 168.
Figure 168 DHCP snooping user information
4. View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 78.
Table 78 Field description
Field Description
IP Address
This field displays the IP address assigned by the DHCP server to the client.
MAC Address
This field displays the MAC address of the client.
Type
This field displays the client type, which can be:
• Dynamic—The IP-to-MAC binding is generated dynamically.
• Static—The IP-to-MAC binding is configured manually. Currently, static bindings are not supported.
Interface Name
This field displays the device interface to which the client is connected.
VLAN
This field displays the VLAN to which the client belongs.
Remaining Lease Time
This field displays the remaining lease time of the IP address.
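The following Python model is an added example for this guide, not the AC's own code, putting together the trusted/untrusted rule from the start of the DHCP snooping overview, the Option 82 strategies of Table 77, and the binding table of Table 78: server messages arriving on an untrusted port are discarded, a client request carrying Option 82 is dropped, kept or rewritten according to the interface's strategy, and a binding is recorded from the client's DHCP-REQUEST plus the DHCP-ACK that comes back on a trusted port. The message layout, the "normal format" used for the rewritten Option 82 (circuit ID from VLAN and port, remote ID from the device MAC) and all addresses are assumptions made for the example; the page names DHCP-OFFER and DHCP-ACK as the messages an untrusted port discards, and the model treats DHCP-NAK the same way.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

DISCOVER, REQUEST, OFFER, ACK, NAK = "DISCOVER", "REQUEST", "OFFER", "ACK", "NAK"
SERVER_MESSAGES = {OFFER, ACK, NAK}   # page lists OFFER and ACK; NAK treated alike (assumption)


@dataclass(frozen=True)
class DhcpMessage:
    kind: str
    client_mac: str
    yiaddr: Optional[str] = None      # address offered/assigned (server messages)
    lease: int = 0                    # lease time in seconds (ACK)
    option82: Optional[bytes] = None  # relay agent information option, if present


class DhcpSnooping:
    """Example model of the DHCP snooping forwarding rule and binding table (not the AC's code)."""

    def __init__(self, device_mac: str):
        self.device_mac = device_mac
        self.trusted = set()
        self.option82: Dict[str, Tuple[bool, str]] = {}   # iface -> (support, strategy)
        self.pending: Dict[str, Tuple[str, int]] = {}     # client MAC -> (iface, vlan) of REQUEST
        self.bindings: Dict[str, dict] = {}                # client MAC -> Table 78 fields

    def configure_interface(self, iface: str, trusted: bool = False,
                            option82_support: bool = False, strategy: str = "replace"):
        if strategy not in ("drop", "keep", "replace"):
            raise ValueError(f"unknown Option 82 strategy {strategy!r}")
        (self.trusted.add if trusted else self.trusted.discard)(iface)
        self.option82[iface] = (option82_support, strategy)

    def _normal_format_option82(self, iface: str, vlan: int) -> bytes:
        # Assumed stand-in for the "normal format" padding.
        return f"circuit-id={vlan}/{iface};remote-id={self.device_mac}".encode()

    def process(self, msg: DhcpMessage, iface: str, vlan: int) -> Tuple[str, Optional[DhcpMessage]]:
        """Return ("forward", message) or ("drop", None) for a message received on iface."""
        if msg.kind in SERVER_MESSAGES:
            if iface not in self.trusted:
                return "drop", None   # untrusted port: server replies are discarded
            if msg.kind == ACK and msg.client_mac in self.pending:
                client_iface, client_vlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = {
                    "ip": msg.yiaddr, "mac": msg.client_mac, "type": "Dynamic",
                    "interface": client_iface, "vlan": client_vlan, "lease": msg.lease}
            return "forward", msg

        # Client message: apply the receiving interface's Option 82 strategy.
        support, strategy = self.option82.get(iface, (False, "replace"))
        if support and msg.option82 is not None:
            if strategy == "drop":
                return "drop", None
            if strategy == "replace":
                msg = replace(msg, option82=self._normal_format_option82(iface, vlan))
            # "keep": forwarded with Option 82 unchanged
        if msg.kind == REQUEST:
            self.pending[msg.client_mac] = (iface, vlan)
        return "forward", msg


def demo() -> dict:
    """Constructed exchange matching the DHCP snooping configuration example."""
    snoop = DhcpSnooping(device_mac="00-e0-fc-00-00-ac")
    snoop.configure_interface("GigabitEthernet1/0/2", trusted=True)
    snoop.configure_interface("GigabitEthernet1/0/1", trusted=False,
                              option82_support=True, strategy="replace")
    mac = "00-11-22-33-44-55"
    rogue_offer = snoop.process(DhcpMessage(OFFER, mac, yiaddr="10.1.1.200"),
                                "GigabitEthernet1/0/1", vlan=1)          # rogue on AP side
    request = snoop.process(DhcpMessage(REQUEST, mac, option82=b"client-supplied"),
                            "GigabitEthernet1/0/1", vlan=1)
    ack = snoop.process(DhcpMessage(ACK, mac, yiaddr="10.1.1.2", lease=907200),
                        "GigabitEthernet1/0/2", vlan=1)                  # real server
    return {"rogue_offer": rogue_offer[0], "request_option82": request[1].option82,
            "ack": ack[0], "binding": snoop.bindings.get(mac)}


if __name__ == "__main__":
    print(demo())
```

The OFFER injected behind the AP is dropped because GigabitEthernet 1/0/1 is untrusted, the client's own Option 82 is replaced before the request is forwarded, and the ACK from the trusted port produces the binding (IP, MAC, interface, VLAN, lease) that Table 78 displays.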
DHCP server configuration example
Network requirements
As shown in Figure 169, the DHCP clients on subnet 10.1.1.0/24 obtain IP addresses dynamically from the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24.
In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address is 10.1.1.1.
Figure 169 Network diagram (the AC, acting as DHCP server, connects through VLAN-interface 2, 10.1.1.1/24, to a host and an AP that act as DHCP clients)
Configuration procedure
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
b. Select the Enable option for DHCP Service.
Figure 170 Enabling DHCP
2. Enable the DHCP server on VLAN-interface 2 (this step can be omitted because the DHCP server is enabled on the interface by default):
a. In the Interface Config field, click the icon of VLAN-interface 2.
b. Select the Enable option for DHCP Server.
c. Click Apply.
Figure 171 Enabling the DHCP server on VLAN-interface 2
3. Configure a dynamic address pool for the DHCP server:
a. Select the Dynamic option in the Address Pool field (default setting), and click Add.
b. On the page that appears, enter test for IP Pool Name, enter 10.1.1.0 for IP Address, enter 255.255.255.0 for Mask, enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and enter 10.1.1.1 for Gateway Address.
c. Click Apply.
Figure 172 Configuring a dynamic address pool for the DHCP server
DHCP relay agent configuration example
Network requirements
As shown in Figure 173, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24.
The AC forwards messages between DHCP clients and the DHCP server.
Figure 173 Network diagram
Configuration procedure
NOTE:
Because the DHCP relay agent and server are on different subnets, you must configure a static route or dynamic routing protocol so they can communicate.
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Relay tab.
c. Select the Enable option for DHCP Service.
d. Click Apply.
Figure 174 Enabling DHCP
2. Configure a DHCP server group:
a. In the Server Group field, click Add.
b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.
c. Click Apply.
Figure 175 Adding a DHCP server group
3. Enable the DHCP relay agent on VLAN-interface 1:
a. In the Interface Config field, click the icon of VLAN-interface 1.
b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 176 Enabling the DHCP relay agent on an interface and correlating it with a server group
DHCP snooping configuration example
Network requirements
As shown in Figure 177, a DHCP snooping device (AC) is connected to a DHCP server through GigabitEthernet 1/0/2, and to an AP through GigabitEthernet 1/0/1.
• Enable DHCP snooping on the AC and configure DHCP snooping to support Option 82. Configure the handling strategy for DHCP requests containing Option 82 as replace.
• Enable GigabitEthernet 1/0/2 to forward DHCP server responses; disable GigabitEthernet 1/0/1 from forwarding DHCP server responses.
• Configure the AC to record clients' IP-to-MAC address bindings from DHCP-REQUEST messages and from DHCP-ACK messages received on a trusted port.
Figure 177 Network diagram
Configuration procedure
1. Enable DHCP snooping:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c. Select the Enable option for DHCP Snooping.
Figure 178 Enabling DHCP snooping
2. Configure DHCP snooping functions on GigabitEthernet 1/0/2:
a. Click the icon of GigabitEthernet 1/0/2 on the interface list.
b. Select the Trust option for Interface State.
c. Click Apply.
Figure 179 Configuring DHCP snooping functions on GigabitEthernet 1/0/2
3. Configure DHCP snooping functions on GigabitEthernet 1/0/1:
a. Click the icon of GigabitEthernet 1/0/1 on the interface list.
b. Select the Untrust option for Interface State.
c. Select the Enable option for Option 82 Support.
d. Select Replace from the Option 82 Strategy list.
e. Click Apply.
Figure 180 Configuring DHCP snooping functions on GigabitEthernet 1/0/1
DNS configuration
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IP addresses. With DNS, you can use easy-to-remember domain names in applications and let the DNS server translate them into the correct IP addresses.
There are two types of DNS resolution, static and dynamic. After a user specifies a name, the device first checks the local static name resolution table for an IP address. If no IP address is found, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. Therefore, some frequently queried name-to-IP address mappings are stored in the local static name resolution table to improve efficiency.
Static domain name resolution
Configuring static domain name resolution means setting up mappings between domain names and IP addresses manually. The IP addresses of the corresponding domain names are then found in the static domain name resolution table when you use applications such as telnet.
Dynamic domain name resolution
Dynamic domain name resolution is implemented by querying the DNS server.
DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client regards the DNS proxy as the DNS server and sends its DNS request to the DNS proxy, which forwards the request to the designated DNS server and conveys the reply from the DNS server back to the client.
The DNS proxy simplifies network management. When the DNS server address changes, you only need to change the configuration on the DNS proxy instead of on each DNS client.
For more information about DNS, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Recommended configuration procedure
Configuring static name resolution table
Step Remarks
1. Configuring static name resolution table
Required.
By default, no host name-to-IP address mappings are configured in the static domain name resolution table.
Configuring dynamic domain name resolution
Step Remarks
1. Configuring dynamic domain name resolution
Required.
This function is disabled by default.
2. Adding a DNS server address
Required.
Not configured by default.
3. Adding a domain name suffix
Optional.
Not configured by default.
4. Clearing dynamic DNS cache
Optional.
Configuring DNS proxy
Step Remarks
1. Configuring DNS proxy
Required.
By default, the device is not a DNS proxy.
2. Adding a DNS server address
Required.
Not configured by default.
Configuring static name resolution table
1. Select Network > DNS from the navigation tree to enter the default static domain name resolution configuration page shown in Figure 181.
Figure 181 Static domain name resolution configuration page
2. Click Add to enter the page shown in Figure 182.
Figure 182 Creating a static domain name resolution entry
3. Configure the parameters as described in Table 79.
4. Click Apply.
Table 79 Configuration items
Item Description
Host Name / Host IP Address
Configure the mapping between a host name and an IP address in the static domain name table.
Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the last configured one takes effect.
Configuring dynamic domain name resolution
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Enable option for Dynamic DNS.
4. Click Apply.
Figure 183 Dynamic domain name resolution configuration page
Configuring DNS proxy
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Enable option for DNS Proxy.
4. Click Apply.
Adding a DNS server address
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Click Add IP to enter the page shown in Figure 184.
4. Enter an IP address in the DNS Server IP Address field.
5. Click Apply.
Figure 184 Adding a DNS server address
Adding a domain name suffix
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Click Add Suffix to enter the page shown in Figure 185.
4. Enter a DNS suffix in the DNS Domain Name Suffix field.
5. Click Apply.
Figure 185 Adding a domain name suffix
Clearing dynamic DNS cache
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Clear Dynamic DNS cache box.
4. Click Apply.
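The following Python model is an added example for this guide, not the AC's own resolver, showing the resolution order the overview describes and the effect of the settings configured above: the static table is consulted first (with a later entry for the same host name replacing the earlier one, as Table 79 states), a dynamic lookup then tries the cache and the configured servers, a name entered without its domain is completed with the configured suffix, and clearing the dynamic DNS cache forces the next lookup back to the server. The completion rule (a name without a dot is only tried with the suffixes appended; a name with a dot is tried as entered first) is an assumption of the example, and the DNS server is a constructed lookup table rather than a real query.

```python
from typing import Callable, Dict, List, Optional

# Constructed stand-in for querying a DNS server: (server IP, name) -> IP address or None
QueryFn = Callable[[str, str], Optional[str]]


class DnsClient:
    """Example resolver model (not the AC's code): static table first, then the
    dynamic cache, then the configured servers with suffix completion."""

    def __init__(self, query: QueryFn):
        self.query = query
        self.static: Dict[str, str] = {}   # host name -> IP address (one per name)
        self.servers: List[str] = []
        self.suffixes: List[str] = []
        self.cache: Dict[str, str] = {}    # dynamic DNS cache: FQDN -> IP address
        self.dynamic_enabled = False
        self.queries_sent = 0

    def add_static_entry(self, host: str, ip: str):
        self.static[host.lower()] = ip     # a second IP for the same name replaces the first

    def add_server(self, ip: str):
        self.servers.append(ip)

    def add_suffix(self, suffix: str):
        self.suffixes.append(suffix.strip("."))

    def clear_cache(self):
        self.cache.clear()

    def _candidates(self, name: str) -> List[str]:
        # Assumed completion rule (see lead-in).
        name = name.strip(".")
        with_suffix = [f"{name}.{s}" for s in self.suffixes]
        return ([name] if "." in name else []) + with_suffix

    def resolve(self, name: str) -> Optional[str]:
        key = name.lower()
        if key in self.static:
            return self.static[key]          # static resolution, no query sent
        if not self.dynamic_enabled:
            return None
        for fqdn in self._candidates(key):
            if fqdn in self.cache:
                return self.cache[fqdn]
            for server in self.servers:      # servers are tried in configured order
                self.queries_sent += 1
                ip = self.query(server, fqdn)
                if ip is not None:
                    self.cache[fqdn] = ip
                    return ip
        return None


def demo() -> dict:
    """Constructed walk-through of the DNS configuration example (server 2.1.1.2, zone com)."""
    zone = {("2.1.1.2", "host.com"): "3.1.1.1"}
    client = DnsClient(query=lambda server, name: zone.get((server, name)))
    client.add_static_entry("gateway", "10.1.1.254")
    client.add_static_entry("gateway", "10.1.1.1")     # last configured address wins
    client.dynamic_enabled = True
    client.add_server("2.1.1.2")
    client.add_suffix("com")
    first = client.resolve("host")        # completed to host.com and asked of 2.1.1.2
    second = client.resolve("host")       # answered from the dynamic DNS cache
    sent_before_clear = client.queries_sent
    client.clear_cache()
    third = client.resolve("host")        # queried again after the cache was cleared
    return {"gateway": client.resolve("gateway"), "first": first, "second": second,
            "third": third, "sent_before_clear": sent_before_clear,
            "sent_after_clear": client.queries_sent, "unknown": client.resolve("nosuchhost")}


if __name__ == "__main__":
    print(demo())
```

Only one query reaches the server for the first two lookups of host; clearing the cache is what makes the third lookup go back to 2.1.1.2, which is the behaviour to expect after changing a record on the server.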
DNS configuration example
Network requirements
As shown in Figure 186, the AC wants to access the host by using an easy-to-remember domain name rather than an IP address, and requests the IP address from the DNS server on the network by using dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16, and the DNS server has a com domain that stores the mapping between the domain name host and the IP address 3.1.1.1/16.
The AC serves as a DNS client, and uses dynamic domain name resolution and the domain name suffix com to access the host with the domain name host.com and the IP address 3.1.1.1/16.
Figure 186 Network diagram
NOTE:
• Before performing the following configuration, make sure that the AC and the host are reachable to each other, and that the IP addresses of the interfaces are configured as shown in Figure 186.
• This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
Configuring the DNS server
1. Create zone com:
a. Select Start > Programs > Administrative Tools > DNS.
b. As shown in Figure 187, right click Forward Lookup Zones and select New Zone.
c. Follow the instructions to create a new zone named com.
Figure 187 Creating a zone
2. Create a mapping between host name and IP address:
a. As shown in Figure 188, right click zone com, and then select New Host.
Figure 188 Adding a host
b. In the dialog box shown in Figure 189, enter host name host and IP address 3.1.1.1.
c. Click Add Host.
Figure 189 Adding a mapping between domain name and IP address
Configuring the AC
1. Enable dynamic domain name resolution:
a. Select Network > DNS from the navigation tree.
b. Click the Dynamic tab.
c. Select the Enable option for Dynamic DNS, as shown in Figure 190.
d. Click Apply.
Figure 190 Enabling dynamic domain name resolution
2. Configure the DNS server address:
a. Click Add IP to enter the page for adding a DNS server IP address.
b. Enter 2.1.1.2 for DNS Server IP Address, as shown in Figure 191.
c. Click Apply.
Figure 191 Adding a DNS server address
3. Configure the domain name suffix:
a. Click Add Suffix on the Dynamic tab to enter the page for adding a domain name suffix.
b. Enter com for DNS Domain Name Suffix, as shown in Figure 192.
c. Click Apply.
Figure 192 Adding a DNS domain name suffix
Verifying the configuration
Use the ping host command on the AC to verify that the AC can communicate with the host and that the resolved destination IP address is 3.1.1.1.
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Enter host in the Destination IP address or host name field.
3. Click Start to execute the ping command.
4. View the result in the Summary field.
Figure 193 Ping operation
Service management
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. Disabling unneeded services improves the performance and security of the system and allows the device to be managed securely. Note that Telnet, FTP and HTTP carry credentials and session data in cleartext; where possible, manage the device over SSH, SFTP and HTTPS and leave the cleartext services disabled (Telnet is the only one of the six that is enabled by default).
The service management module also lets you modify the HTTP and HTTPS port numbers and associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks on these services by unauthorized users.
FTP service
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between a server and a client over a TCP/IP network.
Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal functions on the network.
SSH service
Secure Shell (SSH) offers an approach to securely logging in to a remote device. Through encryption and strong authentication, it protects devices against attacks such as IP spoofing and plaintext password interception.
SFTP service
The secure file transfer protocol (SFTP) is a new feature in SSH 2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-layer protocol in the TCP/IP protocol suite.
With the HTTP service enabled, you can log in to the device using HTTP and access and control the device through web-based network management.
HTTPS service
Secure HTTP (HTTPS) refers to HTTP carried over the Secure Sockets Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
• Uses the SSL protocol to ensure that legal clients can access the device securely and to prohibit illegal clients;
• Encrypts the data exchanged between the HTTPS client and the device to ensure data confidentiality and integrity, realizing secure management of the device;
• Defines a certificate attribute-based access control policy for the device to control the access rights of clients, in order to further prevent attacks from illegal clients.
Configuring service management
1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 194.
Figure 194 Service management
2. Enable or disable the services on the page as described in Table 80.
3. Click Apply.
Table 80 Configuration items
Item Description
FTP
Enable FTP service
Specify whether to enable the FTP service.
The FTP service is disabled by default.
ACL
Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service.
You can view this configuration item by clicking the expanding button in front of FTP.
Telnet
Enable Telnet service
Specify whether to enable the Telnet service.
The Telnet service is enabled by default.
SSH
Enable SSH service
Specify whether to enable the SSH service.
The SSH service is disabled by default.
SFTP
Enable SFTP service
Specify whether to enable the SFTP service.
The SFTP service is disabled by default.
IMPORTANT:
When you enable the SFTP service, the SSH service must be enabled.
HTTP
Enable HTTP service
Specify whether to enable the HTTP service.
The HTTP service is disabled by default.
Port Number
Set the port number for the HTTP service.
You can view this configuration item by clicking the expanding button in front of HTTP.
IMPORTANT:
When you modify a port, make sure that the port is not used by another service.
ACL
Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service.
You can view this configuration item by clicking the expanding button in front of HTTP.
HTTPS
Enable HTTPS service
Specify whether to enable the HTTPS service.
The HTTPS service is disabled by default.
Port Number
Set the port number for the HTTPS service.
You can view this configuration item by clicking the expanding button in front of HTTPS.
IMPORTANT:
When you modify a port, make sure that the port is not used by another service.
ACL
Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service.
You can view this configuration item by clicking the expanding button in front of HTTPS.
Certificate
Set the local certificate for the HTTPS service. The list displays certificate subjects.
You can configure the available PKI domains by selecting Authentication > Certificate Management from the navigation tree at the left side of the interface. For more information, see "Certificate management."
IMPORTANT:
The service management, portal authentication and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the PKI domain referenced in the other two modules.
</gr_repl�ace>
<gr_insert after="5514" cat="add_content" lang="python" orig="PKI domain in any">
The following Python model is an added example for this guide, not the AC's own code, that walks through a hardening pass against the rules of Table 80: the default enable states, the requirement that SSH be enabled before SFTP, the check that a modified HTTP or HTTPS port is not already used by another service, and ACL filtering of the clients allowed to reach FTP, HTTP or HTTPS. The listening ports used for the conflict check, the ACL number, the rule syntax (ordered permit/deny rules on source networks, first match wins) and the treatment of a client that matches no rule (denied) are assumptions of the example; the page does not state what the device does with unmatched clients.

```python
import ipaddress
from typing import Dict, List, Tuple

# ACL rule: (action, source network in CIDR notation); rules are evaluated in order.
Rule = Tuple[str, str]


class ServiceManager:
    """Example model of the service management settings of Table 80 (not the AC's code)."""

    DEFAULT_ENABLED = {"ftp": False, "telnet": True, "ssh": False,      # Table 80 defaults
                       "sftp": False, "http": False, "https": False}
    DEFAULT_PORTS = {"ftp": 21, "telnet": 23, "ssh": 22, "http": 80, "https": 443}  # assumed

    def __init__(self):
        self.enabled = dict(self.DEFAULT_ENABLED)
        self.ports = dict(self.DEFAULT_PORTS)
        self.acls: Dict[int, List[Rule]] = {}
        self.service_acl: Dict[str, int] = {}

    def enable(self, service: str, on: bool = True):
        if service == "sftp" and on and not self.enabled["ssh"]:
            raise ValueError("the SSH service must be enabled before SFTP")
        self.enabled[service] = on

    def set_port(self, service: str, port: int):
        if service not in ("http", "https"):
            raise ValueError("only the HTTP and HTTPS port numbers can be modified")
        for other, used in self.ports.items():
            if other != service and used == port:
                raise ValueError(f"port {port} is already used by {other}")
        self.ports[service] = port

    def define_acl(self, number: int, rules: List[Rule]):
        for action, network in rules:
            if action not in ("permit", "deny"):
                raise ValueError(f"unknown action {action!r}")
            ipaddress.IPv4Network(network)   # validate the source network
        self.acls[number] = rules

    def bind_acl(self, service: str, number: int):
        if service not in ("ftp", "http", "https"):
            raise ValueError("only FTP, HTTP and HTTPS can be associated with an ACL")
        self.service_acl[service] = number

    def _acl_permits(self, number: int, src: str) -> bool:
        addr = ipaddress.IPv4Address(src)
        for action, network in self.acls[number]:        # first matching rule wins
            if addr in ipaddress.IPv4Network(network):
                return action == "permit"
        return False   # assumption: an unmatched client is denied (fail closed)

    def allows(self, service: str, src: str) -> bool:
        """May a client at src use the service?"""
        if not self.enabled[service]:
            return False
        acl = self.service_acl.get(service)
        return True if acl is None else self._acl_permits(acl, src)


def demo() -> dict:
    """Constructed hardening pass: cleartext services off, HTTPS on a custom port, ACL-limited."""
    sm = ServiceManager()
    sm.enable("telnet", False)
    sm.enable("ssh")
    sm.enable("sftp")
    sm.enable("https")
    sm.set_port("https", 8443)
    sm.define_acl(2000, [("permit", "10.1.1.0/24"), ("deny", "0.0.0.0/0")])
    sm.bind_acl("https", 2000)
    try:
        sm.set_port("http", 8443)   # would collide with the HTTPS port
        conflict = None
    except ValueError as exc:
        conflict = str(exc)
    return {"mgmt_ok": sm.allows("https", "10.1.1.20"),
            "outsider": sm.allows("https", "192.0.2.7"),
            "telnet": sm.allows("telnet", "10.1.1.20"),
            "conflict": conflict, "https_port": sm.ports["https"]}


if __name__ == "__main__":
    print(demo())
```

After the pass, a management host in 10.1.1.0/24 reaches HTTPS on port 8443, an outside address is refused by the ACL, Telnet is closed, and the attempt to move HTTP onto the same port is rejected by the conflict check that the IMPORTANT notes in Table 80 ask for.
<test>
d = demo()
assert d["mgmt_ok"] is True
assert d["outsider"] is False
assert d["telnet"] is False
assert d["conflict"] == "port 8443 is already used by https"
assert d["https_port"] == 8443
sm = ServiceManager()
assert sm.allows("telnet", "203.0.113.5") is True
try:
    sm.enable("sftp")
    assert False
except ValueError:
    pass
try:
    sm.bind_acl("telnet", 2000)
    assert False
except ValueError:
    pass
</test>
</gr_insert>
<gr_replace lines="5515" cat="remove_boilerplate" orig="206">
206
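As an added example, not part of the H3C guide, the following Python check encodes the rules the service management table states (SFTP needs SSH; a changed port must not collide with another service) together with the hardening checks an auditor applies to a management plane: clear-text Telnet and HTTP disabled, and every enabled remote-access service fenced by an ACL. The dictionary layout, the service names, the ACL number 2001 and the two sample configurations are assumptions constructed for this example.

```python
"""Check a service management configuration against the rules in the table.

Added example, not from the H3C guide. The dictionary layout, service names,
ACL number and all sample configurations below are constructed assumptions.
"""

# Services whose logins cross the network unencrypted.
CLEARTEXT = {"telnet", "http"}
# Services the table lets you fence with an ACL (assumption for this example).
ACL_CAPABLE = {"ftp", "telnet", "ssh", "sftp", "http", "https"}


def check_services(cfg):
    """Return a list of findings; an empty list means the configuration passes.

    cfg maps a service name to a dict with keys
    'enabled' (bool) and, optionally, 'port' (int) and 'acl' (int).
    """
    findings = []
    enabled = {name for name, s in cfg.items() if s.get("enabled")}

    # Rule from the table: SFTP requires SSH.
    if "sftp" in enabled and "ssh" not in enabled:
        findings.append("sftp enabled without ssh")

    # Rule from the table: a modified port must not be used by another service.
    port_owner = {}
    for name in sorted(enabled):
        port = cfg[name].get("port")
        if port is None:
            continue
        if port in port_owner:
            findings.append(f"port {port} used by both {port_owner[port]} and {name}")
        else:
            port_owner[port] = name

    # Hardening checks added by this example.
    for name in sorted(enabled & CLEARTEXT):
        findings.append(f"{name} enabled: clear-text management protocol")
    for name in sorted(enabled & ACL_CAPABLE):
        if not cfg[name].get("acl"):
            findings.append(f"{name} enabled without an ACL")
    return findings


# Constructed sample: Telnet left at its default (on), SFTP without SSH,
# HTTP instead of HTTPS, and no ACL anywhere.
WEAK_CONFIG = {
    "ftp":    {"enabled": False},
    "telnet": {"enabled": True},
    "ssh":    {"enabled": False},
    "sftp":   {"enabled": True},
    "http":   {"enabled": True, "port": 80},
    "https":  {"enabled": False},
}

# Constructed sample: the corrected state.
HARDENED_CONFIG = {
    "ftp":    {"enabled": False},
    "telnet": {"enabled": False},
    "ssh":    {"enabled": True, "acl": 2001},
    "sftp":   {"enabled": True, "acl": 2001},
    "http":   {"enabled": False},
    "https":  {"enabled": True, "port": 443, "acl": 2001},
}

# Constructed sample: two services moved onto the same port.
COLLIDING_CONFIG = {
    "http":  {"enabled": True, "port": 8443, "acl": 2001},
    "https": {"enabled": True, "port": 8443, "acl": 2001},
}
```

Run `check_services` on each dictionary: the weak configuration yields six findings, the colliding one reports the shared port, and the hardened one returns an empty list.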
Diagnostic tools
Ping
You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity.
A successful execution of the ping command involves the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
Output of the ping command falls into the following cases:
• The ping command can be applied to the destination's host name or IP address. If the destination's host name cannot be resolved, a prompt is displayed.
• If the source device does not receive an ICMP echo reply within the timeout time, it displays a prompt and the statistics of the ping operation. If the source device receives an ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the message sequence number, the Time to Live (TTL), the response time, and the statistics of the ping operation. The statistics include the number of packets sent, the number of echo reply messages received, the percentage of messages not received, and the minimum, average, and maximum response times.
Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet from source to destination. This function is useful for identifying the failed node(s) in the event of a network failure.
The trace route command involves the following steps in its execution:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) decrements the TTL to 0, discards the packet, and responds with an ICMP TTL-expired (time exceeded) message whose source address is its own IP address. In this way, the source device learns the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the address of the second Layer 3 device.
5. This process continues until the packet reaches the ultimate destination device, which replies with an ICMP destination unreachable message. In this way, the source device can trace the addresses of all the Layer 3 devices involved in reaching the destination device. A hop that does not send TTL-expired messages appears as a timeout rather than an address.
The trace route command can be applied to the destination's host name or IP address. If the destination's host name cannot be resolved, a prompt is displayed.
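The TTL loop described above, as an added example that is not part of the H3C guide: a Python simulation that walks probes with TTL 1, 2, 3, ... across a constructed path and records which device answers. The Hop, Destination and Path classes, the function names and the sample addresses are assumptions made for this example; no packets are sent. A hop with sends_ttl_expired=False models a router on which ip ttl-expires enable was not configured, and a destination with sends_unreachable=False one without ip unreachables enable; both show up as timeouts, which is exactly the failure mode the note in "Trace route operation" warns about.

```python
"""Simulation of the trace route TTL loop.

Added example, not from the H3C guide. The classes and the constructed path
are assumptions made for this example; nothing here touches the network.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    address: str
    sends_ttl_expired: bool = True      # models 'ip ttl-expires enable'


@dataclass
class Destination:
    address: str
    sends_unreachable: bool = True      # models 'ip unreachables enable'


@dataclass
class Path:
    hops: list
    destination: Destination


def forward_probe(path, ttl):
    """Forward one probe with the given TTL; return (reply_kind, replier_address).

    reply_kind is 'ttl-expired' from an intermediate hop, 'unreachable' from the
    destination, or 'timeout' (with address None) when nobody answers.
    """
    for hop in path.hops:
        ttl -= 1                        # every Layer 3 hop decrements the TTL
        if ttl == 0:                    # expired here: this hop should answer
            if hop.sends_ttl_expired:
                return "ttl-expired", hop.address
            return "timeout", None      # silently dropped
    # The probe survived all intermediate hops and reached the destination.
    if path.destination.sends_unreachable:
        return "unreachable", path.destination.address
    return "timeout", None


def trace_route(path, max_ttl=30):
    """Send probes with TTL 1, 2, 3, ... until the destination answers or max_ttl
    is reached; return a list of (ttl, address_or_None)."""
    result = []
    for ttl in range(1, max_ttl + 1):
        kind, address = forward_probe(path, ttl)
        result.append((ttl, address))
        if kind == "unreachable":
            break
    return result


def format_trace(trace):
    """Render like a trace route summary, with '*' for a hop that timed out."""
    return "\n".join(f"{ttl:>2}  {address or '*'}" for ttl, address in trace)


# Constructed path: three routers, the second of which never sends TTL-expired
# messages, in front of a destination that does send ICMP unreachable.
SAMPLE_PATH = Path(
    hops=[Hop("10.0.0.1"), Hop("10.0.1.1", sends_ttl_expired=False), Hop("10.0.2.1")],
    destination=Destination("192.0.2.10"),
)
```

`format_trace(trace_route(SAMPLE_PATH))` prints the second hop as `*` while the hops on either side of it resolve normally; a destination with sends_unreachable=False makes the loop run to max_ttl with timeouts after the last router, which is what a trace that "never finishes" usually means.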
Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the advanced parameters of the IPv4 ping operation, as shown in Figure 195.
Figure 195 IPv4 ping configuration page
3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field.
4. Set the advanced parameters for the IPv4 ping operation.
5. Click Start to execute the ping command.
6. View the result in the Summary field.
Figure 196 IPv4 ping operation results
IPv6 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree.
2. Enter the IPv6 ping configuration page (default setting).
3. Expand Advanced Setup to display the advanced parameters of the IPv6 ping operation, as shown in Figure 197.
Figure 197 IPv6 ping
4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field.
5. Set the advanced parameters for the IPv6 ping operation.
6. Click Start to execute the ping command.
7. View the result in the Summary field, as shown in Figure 198.
Figure 198 IPv6 ping operation results
Trace route operation
NOTE:
• The web interface does not support trace route on IPv6 addresses.
• Before performing the trace route operation, execute the ip ttl-expires enable command on the intermediate devices to enable the sending of ICMP timeout packets, and the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets. Without these commands the corresponding hops appear as timeouts in the result.
1. Select Diagnostic Tools > Trace Route from the navigation tree.
2. Click the Trace Route tab to enter the Trace Route configuration page, as shown in Figure 199.
Figure 199 Trace Route configuration page
3. Enter the destination IP address or host name.
4. Click Start to execute the trace route command.
5. View the result in the Summary field, as shown in Figure 200.
Figure 200 Trace route operation results
AP configuration
The AP configuration module allows you to perform the following configurations:
• Establish a connection between AC and AP
• Configure auto AP
• Configure an AP group
AC-AP connection
An AP and an AC establish a tunnel connection based on UDP.
An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw
802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote
AP configuration and management, and WLAN and mobile management.
The AC can dynamically configure an AP based on the information provided by the administrator.
Auto AP
The auto AP feature allows an AP to connect to an AC automatically, without an administrator entering its serial ID in advance. When you deploy a wireless network with many APs, the auto AP function avoids the configuration of many AP serial IDs, thus simplifying configuration. Because the AC then accepts APs whose serial IDs were never entered, use the feature only during deployment (see "Configuring auto AP").
AP group
Some wireless service providers need to control the access positions of clients. For example, as shown in the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group that the clients can be associated with and then apply the AP group in a user profile.
Figure 201 Client access control
Configuring an AP
Creating an AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add to enter the page for adding an AP.
Figure 202 Adding an AP
3. Create the AP as described in Table 81.
4. Click Apply.
Table 81 Configuration items
Item Description
AP Name AP name.
Serial ID
• Auto—If selected, the AC automatically searches for the AP serial ID. This function is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
• Manual—If this mode is selected, you need to type the AP serial ID.
Configuring an AP
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the page for configuring an AP.
Figure 203 AP setup
3. Configure the AP as described in Table 82.
4. Click Apply.
Table 82 Configuration items
Item Description
AP Name Displays the name of the selected AP.
Radio Number
Select the number of radios on the AP. The value depends on the AP model.
Radio Type
Select the radio type, which can be one of the following values:
• 802.11a
• 802.11b
• 802.11g
• 802.11n (2.4 GHz)
• 802.11n (5 GHz)
The available values depend on the AP model and radio.
Serial ID
Set a serial ID for the AP.
• Auto—If selected, the AP serial ID is found automatically. This option is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
• Manual—You need to enter the AP serial ID.
IMPORTANT:
The serial ID is the unique identity of the AP. If the AP has connected to the AC, changing or deleting its serial ID brings the tunnel down, and the AP must discover the AC again to reconnect.
Description Description of the AP.
District Code
By default, no district code is configured for an AP, and the AP uses the global district code.
An AP configured with a district code uses its own district code rather than the global one. For how to configure the global district code, see "Advanced settings."
IMPORTANT:
Some ACs and fit APs use locked district codes. Which code applies is determined as follows:
• An AC's locked district code cannot be changed, and all managed fit APs whose district codes are not locked must use the AC's locked district code.
• A fit AP's locked district code cannot be changed, and the fit AP can only use that district code.
• If an AC and a managed fit AP use different locked district codes, the fit AP uses its own locked district code.
Configuring advanced settings
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP.
3. On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.
Figure 204 Advanced setup
4. Configure advanced settings for the AP as described in Table 83.
5. Click Apply.
Table 83 Configuration items
Item Description
AP Connection Priority
AP connection priority.
For more information, see "Advanced settings."
Broadcast Probe
• Enable—Enable the AP to respond to broadcast probe requests, that is, probe requests with a null SSID.
• Disable—Disable the AP from responding to broadcast probe requests. The AP responds only to probe requests that carry the specified SSID.
By default, this option is enabled.
Configuration File
Specify the name of a configuration file in the storage media and map the specified configuration file to the AP.
When local forwarding is enabled, you can use the configuration file to configure the AP. For example, when you configure a user profile with local forwarding enabled, you must write the user profile, QoS policy, and ACL commands to the configuration file, and download the configuration file to the AP.
IMPORTANT:
The commands in the configuration file must be in their complete form.
Jumbo Frame Size
Set the maximum size of jumbo frames.
When this function is enabled, the AC can send frames whose size does not exceed the maximum size to the AP.
By default, the AC cannot send jumbo frames to the AP.
AP Echo Interval
Set the interval for sending echo requests.
A keepalive mechanism between the AP and the AC confirms whether the tunnel is working. The AP periodically sends echo requests to the AC; the AC answers with echo responses, which indicates that the tunnel is up.
Client Alive Time
Set the client keepalive interval.
The keepalive mechanism detects clients that have left the system for reasons such as power failure or crash, and disconnects them from the AP.
By default, the client keepalive function is disabled.
Client Free Time
Maximum interval for which the link between the AP and a client can be idle.
Backup AC IPv4 Address
Set the IPv4 address of the backup AC for the AP.
Backup AC IPv6 Address
Set the IPv6 address of the backup AC for the AP.
If you configure the global backup AC information in both Advanced Setup > AC Backup and AP > AP Setup, the configuration in AP > AP Setup takes precedence. For more information about AC backup, see "Advanced settings."
AP CAR
Select this box to configure CAR (committed access rate) for the AP.
By default, no CAR is set for an AP.
Remote AP
• Enable—Enable the remote AP function.
• Disable—Disable the remote AP function.
By default, the remote AP function is disabled.
With this function enabled, when the tunnel between the AP and the AC is terminated, the AP automatically enables local forwarding (regardless of whether local forwarding is configured on the AC) to keep serving the clients already logged in, but admits no new clients. When a tunnel is established between the AP and the AC again, the AP automatically switches back to centralized forwarding and logs off all clients on the remote AP.
IMPORTANT:
If a backup tunnel has been established between the remote AP and a backup AC, when the tunnel between the AP and the primary AC is terminated, the remote AP uses the backup tunnel to provide wireless access for logged-in clients. For more information about AC backup, see "Advanced settings."
CIR
Committed information rate, in kbps.
CBS
Committed burst size, in bits.
By default, the CBS is the number of bits transmitted in 500 ms at the CIR. For example, if the CIR is 100 kbps, the default CBS is 50000 bits, or 6250 bytes.
Configuring auto AP
Enabling auto AP
1. Select Advance > Auto AP from the navigation tree.
Figure 205 Configuring auto AP
2. Enable auto AP as described in Table 84.
Table 84 Configuration items
Item Description
Auto AP
• enable—Enable the auto AP function. You must also select Auto from the Serial ID list on the AP setup page to use the auto AP function.
• disable—Disable the auto AP function.
By default, the auto AP function is disabled.
IMPORTANT:
After using the auto AP function, H3C recommends that you disable it. While it is enabled, APs that no administrator has entered can register with the AC.
Renaming an AP
1. After enabling auto AP, click Refresh.
2. To modify the automatically found AP name, click the icon in the Operation column.
Figure 206 Renaming an AP
3. On the page that appears, rename the AP as described in Table 85.
4. Click Apply.
Table 85 Configuration items
Item Description
Old AP Name Displays the name of the automatically discovered AP.
AP Rename Select the AP Rename check box, and type the new AP name.
For an example of configuring auto AP, see "Access service configuration."
Batch switch
If you do not need to modify the automatically found AP names, you can select the AP Name box, and then click Transmit All AP to complete the auto AP setup.
Configuring an AP group
Creating an AP group
1. Select AP > AP Group from the navigation tree.
2. Click Add.
Figure 207 Creating an AP group
3. Create the AP group as described in Table 86.
Table 86 Configuration items
Item Description
AP Group ID
AP group ID.
The value range varies with devices. For more information, see "Feature matrixes."
Configuring an AP group
1. Select AP > AP Group from the navigation tree.
2. Click the icon corresponding to the target AP group to enter the page for configuring an AP group.
Figure 208 Configuring an AP group
3. Configure the AP group as described in Table 87.
4. Click Apply.
Table 87 Configuration items
Item Description
AP Group ID Displays the ID of the selected AP group.
Description Select this option to configure a description for the AP group.
Exist AP List
Set the APs in the AP group.
• To add APs to the Selected AP List, click the APs to be added to the AP group, and click the > button in the AP List area.
• To delete APs from the AP group, select the APs to be deleted in the Selected AP List, and click the < button.
The APs to be added to the AP group must first be created by selecting AP > AP Setup.
Applying the AP group
Select Authentication > Users from the navigation tree to apply the AP group. For the related configuration, see "Users."
AP connection priority configuration example
Network requirements
Configure a higher AP connection priority on AC 1 so that the AP establishes its connection with AC 1.
Figure 209 Network diagram (the AP and its client connect through a switch to AC 1 and AC 2)
Configuring AC 1
1. Configure AP-related information:
For the detailed configuration, see "Access service configuration."
2. Configure an AP connection priority:
a. Select AP > AP Setup from the navigation tree.
b. Click the icon corresponding to the target AP to enter the AP setup page.
c. Expand Advanced Setup to enter the page shown in Figure 210 and set the AP connection priority to 6.
d. Click Apply.
Figure 210 Configuring AP connection priority
Configuring AC 2
1. Configure AP-related information:
For the detailed configuration, see "Access service configuration."
2. Configure AP connection priority:
Use the default AP connection priority on AC 2.
Verifying the configuration
A higher AP connection priority is configured on AC 1, so the AP establishes its connection with AC 1.
Configuring access services
Wireless Local Area Networks (WLAN) provide the following services:
• Connectivity to the Internet
• Secured WLAN access with different authentication and encryption methods
• Seamless roaming of WLAN clients in a mobility domain
Access service overview
Terminology
Wireless client
A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting
WiFi can be a WLAN client.
Access point (AP)
An AP bridges frames between wireless and wired networks.
Access controller (AC)
An AC can control and manage APs associated with it in a WLAN. The AC communicates with an authentication server for WLAN client authentication.
SSID
The service set identifier. A client scans all networks at first, and then selects a specific SSID to connect to a specific wireless network.
Client access
A client access process involves three steps: active/passive scanning of the surrounding wireless services, authentication, and association, as shown in Figure 211.
Figure 211 Establishing a client access
Scanning
Wireless clients can get the surrounding wireless network information in two ways, active scanning and passive scanning. With active scanning, a wireless client actively sends probe requests during scanning, and receives probe responses. With passive scanning, a wireless client listens to Beacon frames sent by surrounding APs.
A wireless client usually uses both passive scanning and active scanning to get information about surrounding wireless networks.
1. Active scanning
When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in the probe request.
• Mode 1—The client sends a probe request without any SSID on the supported channels to scan for wireless networks. APs that receive the probe request frame send a probe response frame. The client associates with the AP with the strongest signal.
Figure 212 Active scanning (no SSID in the probe request): the client broadcasts a probe request with no SSID, and AP 1 (managed by AC 1) and AP 2 (managed by AC 2) each answer with a probe response
• Mode 2—When a wireless client is configured to access a specific wireless network or has already been connected to a wireless network, the client periodically sends a probe request carrying the specified SSID. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is as shown in Figure 213.
Figure 213 Active scanning (the probe request carries the specified SSID)
2. Passive scanning
Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon frames periodically sent by APs. All APs providing wireless services periodically send beacon frames, so wireless clients can listen on the supported channels to get information about surrounding wireless networks. Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is as shown in Figure 214.
Figure 214 Passive scanning
Authentication
To secure wireless links, the wireless clients must be authenticated before accessing an AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.
• Open system authentication
Open system authentication is the default authentication algorithm and the simplest one available. It is essentially a null authentication algorithm: any client that requests authentication with this algorithm can become authenticated, although an AP may still decline to authenticate a client, so success is not guaranteed. Open system authentication is a two-step process. In the first step, the wireless client sends an authentication request. In the second step, the AP returns the result to the client.
Figure 215 Open system authentication process (client to AP: authentication request; AP to client: authentication response)
• Shared key authentication
Figure 216 shows a shared key authentication process. The two parties have the same shared key configured.
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends the result to the AP.
d. The AP uses the shared key to encrypt the same challenge and compares the result with that received from the client. If they are identical, the client passes the authentication. If not, the authentication fails.
Figure 216 Shared key authentication process
Association
A client that wants to access a wireless network via an AP must be associated with that AP. Once the client chooses a compatible network with a specified SSID and authenticates to an AP, it sends an association request frame to the AP. The AP sends an association response to the client and adds the client's information in its database. At a time, a client can associate with only one AP. An association process is always initiated by the client, but not by the AP.
WLAN data security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device.
If no security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data.
1. WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 (a stream cipher) for confidentiality. WEP encryption falls into static and dynamic encryption according to how the WEP key is generated.
• Static WEP encryption
With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is recovered or lost, attackers can read all encrypted data. In addition, periodic manual key updates bring a heavy management workload.
• Dynamic WEP encryption
Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between the client and the server through the 802.1X protocol, so each client is assigned a different WEP key, which can be updated periodically to further improve the security of unicast frame transmission.
Although WEP encryption increases the difficulty of interception and session hijacking, it still has weaknesses due to the limitations of the RC4 algorithm and static key configuration. Neither static nor dynamic WEP is considered secure today; use CCMP wherever the clients support it.
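As an added example that is not part of the H3C guide, the following Python block serves two passages: the shared key authentication exchange (steps a to d under "Authentication" above) and the RC4 weakness this WEP section refers to. It implements RC4 inline so it runs stand-alone, plays both sides of the exchange, and then shows what a passive listener can do with it: because the challenge (step b) and the encrypted response (step c) both cross the air in readable form, their XOR is the RC4 keystream for that IV, and a station that has never seen the shared key can answer the next challenge by reusing the same IV. The key, IV and challenges are constructed sample values; a real WEP challenge is 128 bytes and the frame also carries a CRC-32 ICV, both omitted here because they do not change what is shown.

```python
"""Shared key authentication over WEP/RC4 and the keystream leak it causes.

Added example, not from the H3C guide. RC4 is implemented inline; the key,
IV and challenges below are constructed sample values.
"""


def rc4_keystream(key, length):
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, data):
    """WEP seeds RC4 with IV || key; the 24-bit IV travels in clear with the frame."""
    keystream = rc4_keystream(iv + shared_key, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def client_response(client_key, challenge, iv):
    """Step c: the client encrypts the AP's challenge under its copy of the key."""
    return wep_encrypt(client_key, iv, challenge)


def ap_verify(ap_key, challenge, iv, response):
    """Step d as the guide describes it: the AP encrypts the same challenge under
    its own key, with the IV the client sent, and compares it with the response."""
    return response == wep_encrypt(ap_key, iv, challenge)


def recover_keystream(challenge, response):
    """What a passive listener learns: challenge XOR response is the RC4
    keystream for this IV, since both values were readable over the air."""
    return bytes(c ^ r for c, r in zip(challenge, response))


def forge_response(keystream, new_challenge):
    """Answer a fresh challenge with the recovered keystream, reusing the same
    IV, without knowing the shared key. Only works for challenges no longer
    than the keystream that was captured."""
    return bytes(c ^ k for c, k in zip(new_challenge, keystream))


# Constructed sample values.
SHARED_KEY = bytes.fromhex("0123456789")      # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")                  # 24-bit IV chosen by the client
CHALLENGE = bytes(range(32))                  # AP's random challenge (shortened)


def demo():
    """Run the legitimate exchange, then the forgery; return both verdicts."""
    response = client_response(SHARED_KEY, CHALLENGE, IV)
    legit_ok = ap_verify(SHARED_KEY, CHALLENGE, IV, response)
    keystream = recover_keystream(CHALLENGE, response)   # observed over the air
    next_challenge = bytes(range(100, 132))              # AP's next challenge
    forged = forge_response(keystream, next_challenge)   # no key involved
    forged_ok = ap_verify(SHARED_KEY, next_challenge, IV, forged)
    return legit_ok, forged_ok
```

`demo()` returns `(True, True)`: the AP accepts the forged answer because RC4 is a stream cipher, the IV is chosen by the sender, and nothing in the exchange prevents the listener from reusing it. A client with a different key is still rejected, so the check works as designed; it is the design that leaks.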
2. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for WLANs, as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP uses 128-bit RC4 keys and increases the length of the IV from 24 bits to 48 bits.
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
Third, TKIP offers the Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing service for a certain period to prevent the attack.
3. CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different nonce, which also lets the receiver detect replayed packets.
Client access authentication
1. PSK authentication
To implement PSK authentication, the client and the authenticator must have the same pre-shared key (PSK) configured. Otherwise, the client cannot pass PSK authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
The administrators of access devices can select RADIUS or local authentication to work with 802.1X for authenticating users. For more information about remote/local 802.1X authentication, see "802.1X configuration."
3. MAC authentication
MAC authentication provides a way of authenticating users based on ports and MAC addresses.
You can configure permitted MAC address lists to filter the MAC addresses of clients. However, efficiency drops as the number of clients increases, and a MAC address is trivially spoofed, so MAC authentication is applicable to environments without high security requirements, for example, SOHO and small offices.
MAC authentication falls into two modes:
• Local MAC authentication—When this mode is adopted, you configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.
Figure 217 Local MAC authentication (the AC holds the permitted MAC address list 0009-5bcf-cce3, 0011-9548-4007 and 000f-e200-00a2; clients 0009-5bcf-cce3 and 0011-9548-4007 are admitted through the AP and L2 switch, while client 001a-9228-2d3e, which is not in the list, is denied)
• Remote MAC authentication—Remote Authentication Dial-In User Service (RADIUS) based MAC authentication. If the device finds that the current client is unknown, it sends an authentication request to the RADIUS server. After the client passes authentication, it can access the WLAN and receives the corresponding authorization information.
Figure 218 Remote MAC authentication
When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless service, and thus send the MAC authentication information of different SSIDs to different remote RADIUS servers.
802.11n
As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
2. Improving channel utilization in the following ways:
• 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can carry multiple MAC Protocol Data Units (MPDUs) with their PHY headers removed. This reduces the transmission overhead and the number of ACK frames needed, and thus improves network throughput.
• Similar to MPDU aggregation, multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
• To improve physical layer performance, 802.11n introduces the short GI function, which shortens the guard interval (GI) from 800 ns in 802.11a/g to 400 ns. This can increase the data rate by about 10 percent.
Configuring access service
Recommended configuration procedure
Step Remarks
1. Creating a WLAN service
Required.
2. Configuring wireless service
Required. Use either approach:
Configuring clear type wireless service
Configuring crypto type wireless service
Complete the security settings as needed.
3. Enabling a wireless service
Required.
4. Binding an AP radio to a wireless service
Required.
5.
Optional.
6. Displaying the detailed information of a wireless service
Optional.
Creating a WLAN service
1. Select Wireless Service > Access Service from the navigation tree.
Figure 219 Configuring access service
2. Click Add.
Figure 220 Creating a wireless service
3. Configure the wireless service as described in Table 88.
4. Click Apply.
Table 88 Configuration items
Item Description
Wireless Service Name
Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32 characters, which can include letters, digits, underscores, and spaces.
An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. At the same time, a long random string is not recommended as the SSID, because it only adds payload to the frame header without improving wireless security.
Wireless Service Type
Select the wireless service type:
• clear—Traffic on the SSID is not encrypted.
• crypto—Traffic on the SSID is encrypted.
Configuring clear type wireless service
Configuring basic settings for a clear type wireless service
NOTE:
Before configuring a clear-type wireless service, disable it first and then click the corresponding icon.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring the wireless service.
Figure 221 Configuring clear type wireless service
3. Configure basic settings for the clear type wireless service as described in Table 89.
4. Click Apply.
Table 89 Configuration items
Item Description
Wireless Service Displays the selected Service Set Identifier (SSID).
VLAN (Untagged)
Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN
Set the default VLAN of the port.
By default, the default VLAN of all ports is VLAN 1. After you set a new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Delete VLAN
Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
SSID HIDE
• Enable—Disable the advertisement of the SSID in beacon frames.
• Disable—Enable the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
• If the advertising of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the AP.
• Disabling the advertising of the SSID in beacon frames does little for wireless security: the SSID still appears in clear text in probe requests and probe responses, so anyone listening can learn it. Allowing the advertising of the SSID in beacon frames lets a client discover an AP more easily.
Configuring advanced settings for the clear type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring advanced settings for a clear type wireless service.
Figure 222 Advanced settings for the clear type wireless service
3. Configure advanced settings for the clear type wireless service as described in Table 90.
4. Click Apply.
Table 90 Configuration items
Item Description
Local Forwarding
Local forwarding enables an AP to forward client data frames itself. In a centralized WLAN architecture, an AP transparently passes data frames to the AC for processing, and the forwarding load of the AC grows with the number of clients. With local forwarding enabled, the AP rather than the AC forwards client data, greatly reducing the load on the AC.
• Enable—If local forwarding is enabled, data frames from an associated station are forwarded by the AP itself.
• Disable—If local forwarding is disabled, data frames from an associated station are handled by the AC.
Local Forwarding VLAN
Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Client Max Users
Maximum number of clients of the SSID that can be associated with the same radio of an AP.
IMPORTANT:
When the number of clients of the SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Management Right
Web interface management right of online clients.
• Disable—Disable the web interface management right of online clients.
• Enable—Enable the web interface management right of online clients.
Leave this disabled unless wireless clients genuinely need to administer the AC, since it exposes the management interface to the client network.
MAC VLAN
• Enable—Enable the MAC VLAN feature for the wireless service.
• Disable—Disable the MAC VLAN feature for the wireless service.
IMPORTANT:
Enable the MAC VLAN feature before binding an AP radio to a VLAN, which is the step that enables AP-based access VLAN recognition.
Fast Association
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled.
When fast association is enabled, the device does not perform band navigation and load balancing calculations for associating clients.
Configuring security settings for a clear type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring security settings for the clear type wireless service.
Figure 223 Security settings for the clear-type wireless service
3. Configure security settings for the clear type wireless service as described in Table 91.
4. Click Apply.
Table 91 Configuration items
Authentication Type: For the clear type wireless service, you can select Open-System only.
Port Mode:
• mac-authentication—Perform MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—In this mode, MAC-based 802.1X authentication is performed for users; multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.
TIP:
There are multiple security modes. To remember them easily, follow these rules to understand part of the port security mode names:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If the authentication fails, the authentication after Else may be used depending on the protocol type of the packets to be authenticated.
• The authentication mode before Or and that after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.
Max User: Maximum number of users that can be connected to the network through a specific port.
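The naming rules in the TIP are regular enough to be decoded mechanically. The following Python model is an added example, not H3C code: it parses a port security mode name with those rules and simulates which authentication methods a wireless client goes through on a port in that mode (the mode names and the else/or/ext semantics come from Table 91; the client outcomes are constructed).

```python
"""Added example (not H3C code): a model of the port security modes in Table 91.
It decodes a mode name with the naming rules from the TIP and simulates which
authentication a wireless client goes through on a port in that mode."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC = "MAC"        # MAC address authentication
DOT1X = "802.1X"   # MAC-based 802.1X authentication (userlogin-secure)

# Name fragments used in the mode names and the method each one stands for.
_FRAGMENTS = {"mac-authentication": MAC, "mac": MAC, "userlogin-secure": DOT1X}


@dataclass(frozen=True)
class PortSecurityMode:
    name: str
    first: str                 # method tried first
    second: Optional[str]      # fallback method, None for single-method modes
    combiner: Optional[str]    # "else", "or", or None
    multi_8021x: bool          # -ext: several 802.1X users may pass authentication


def parse_mode(name: str) -> PortSecurityMode:
    """Decode a port security mode name using the TIP's rules:
    'mac' = MAC authentication, 'userlogin-secure' = MAC-based 802.1X,
    '-else-' = strict priority, '-or-' = equal priority, '-ext' = multiple 802.1X users."""
    base, multi = name, False
    if base.endswith("-ext"):
        base, multi = base[: -len("-ext")], True
    for combiner in ("else", "or"):
        sep = f"-{combiner}-"
        if sep in base:
            left, right = base.split(sep, 1)
            return PortSecurityMode(name, _FRAGMENTS[left], _FRAGMENTS[right], combiner, multi)
    return PortSecurityMode(name, _FRAGMENTS[base], None, None, multi)


def auth_sequence(mode: PortSecurityMode, frame_is_8021x: bool) -> List[str]:
    """Methods attempted, in order, for one wireless client.
    else modes: the first method always runs; the second runs only after it fails
    and only if the client sent an 802.1X frame (Table 91).
    or modes: both have equal priority; for wireless users 802.1X goes first and
    MAC authentication is the fallback."""
    if mode.combiner is None:
        return [mode.first]
    if mode.combiner == "else":
        return [mode.first, mode.second] if frame_is_8021x else [mode.first]
    wireless_preference = [DOT1X, MAC]
    return [m for m in wireless_preference if m in (mode.first, mode.second)]


def authenticate(mode_name: str, frame_is_8021x: bool,
                 mac_ok: bool, dot1x_ok: bool) -> Tuple[bool, Optional[str]]:
    """Simulate one client: returns (access granted, method that granted it).
    mac_ok / dot1x_ok are the results the AAA server would return for each method."""
    mode = parse_mode(mode_name)
    outcome = {MAC: mac_ok, DOT1X: dot1x_ok}
    for method in auth_sequence(mode, frame_is_8021x):
        if outcome[method]:
            return True, method
    return False, None


if __name__ == "__main__":
    # Constructed scenario: a client whose MAC address is not in the MAC
    # authentication list but which holds valid 802.1X credentials.
    for mode in ("mac-authentication", "mac-else-userlogin-secure", "userlogin-secure-or-mac-ext"):
        for frame in (False, True):
            granted, via = authenticate(mode, frame, mac_ok=False, dot1x_ok=True)
            print(f"{mode:30} 802.1X frame={frame!s:5} -> granted={granted} via={via}")
```

Note that in the else modes a client that never sends an 802.1X frame is judged on MAC authentication alone, which is the practical difference between mac-else-userlogin-secure and userlogin-secure-or-mac for a wireless deployment.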
a. Configure mac-authentication
Figure 224 mac-authentication port security configuration page
Table 92 Configuration items
Port Mode: mac-authentication—MAC-based authentication is performed on access users.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
MAC Authentication: Select MAC Authentication.
Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
b. Configure userlogin-secure/userlogin-secure-ext
Figure 225 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is taken as an example)
Table 93 Configuration items
Port Mode:
• userlogin-secure—Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.
Max User: Control the maximum number of users allowed to access the network through the port.
Mandatory Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Authentication Method:
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore this method is safer.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake:
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.
Multicast Trigger:
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
c. Configure the other four port security modes
Figure 226 Port security configuration page for the other four security modes (mac-else-userlogin-secure is taken as an example)
Table 94 Configuration items
Port Mode:
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
Mandatory Domain: Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
Authentication Method:
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore this method is safer.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake:
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.
Multicast Trigger:
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
MAC Authentication: Select MAC Authentication.
Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Configuring crypto type wireless service
Configuring basic settings for a crypto type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring the wireless service.
Figure 227 Crypto type wireless service
3. Configure basic settings for the crypto type wireless service as described in
4. Click Apply.
Configuring advanced settings for a crypto type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring the wireless service.
Figure 228 Advanced settings for the crypto type wireless service
3. Configure advanced settings for the crypto type wireless service as described in Table 95.
4. Click Apply.
Table 95 Configuration items
Local Forwarding: Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, the forwarding load of the AC increases as well. With local forwarding enabled, the AP, rather than the AC, forwards client data, greatly reducing the load of the AC.
• Enable—If local forwarding is enabled, data frames from an associated station will be forwarded by the AP itself.
• Disable—If local forwarding is disabled, data frames from an associated station will be handled by the AC.
Local Forwarding VLAN: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
PTK Life Time: Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.
TKIP CM Time: Set the TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled.
Message integrity check (MIC) is designed to avoid hacker tampering. It uses the Michael algorithm and is extremely secure.
When MIC failures occur, the data may have been tampered with, and the system may be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, the TKIP associations are disassociated and no new associations are allowed within the TKIP countermeasure time.
Management Right: Web interface management right of online clients.
• Disable—Disable the web interface management right of online clients.
• Enable—Enable the web interface management right of online clients.
MAC VLAN:
• Enable—Enable the MAC VLAN feature for the wireless service.
• Disable—Disable the MAC VLAN feature for the wireless service.
IMPORTANT:
Before you bind an AP radio to a VLAN (the step that enables AP-based access VLAN recognition), enable the MAC VLAN feature first.
Fast Association:
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled.
When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.
GTK Rekey Method: An AC generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client, through the group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets.
• If Time is selected, the GTK will be refreshed after a specified period of time.
• If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.
By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.
GTK User Down Status: Enable refreshing the GTK when a client goes offline.
By default, the GTK is not refreshed when a client goes offline.
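To make the TKIP countermeasure behaviour described under TKIP CM Time concrete, here is an added Python simulation (not H3C code, and not a description of the device's internal implementation) of the stated policy: MIC failures are counted within the countermeasure time, more than two of them disassociate the TKIP clients and refuse new TKIP associations for that time, and a countermeasure time of 0 leaves the policy disabled. The timestamps, client names and event list are constructed.

```python
"""Added example (not H3C code): a simulation of the TKIP countermeasure policy
described for the TKIP CM Time item. MIC failures are counted inside a sliding
window of cm_time seconds; once more than two occur, TKIP clients are
disassociated and new TKIP associations are refused for cm_time seconds.
Timestamps, client names and the event list are constructed for the demo."""

from collections import deque
from typing import Deque, List, Optional, Tuple


class TkipCountermeasure:
    def __init__(self, cm_time: int) -> None:
        self.cm_time = cm_time                 # 0 (the default) disables the policy
        self.failures: Deque[float] = deque()  # timestamps of recent MIC failures
        self.blocked_until: Optional[float] = None
        self.log: List[Tuple[float, str]] = []

    @property
    def enabled(self) -> bool:
        return self.cm_time > 0

    def is_blocked(self, t: float) -> bool:
        """True while the hold-down started by a countermeasure is still running."""
        return self.blocked_until is not None and t < self.blocked_until

    def mic_failure(self, t: float, client: str) -> bool:
        """Record a MIC failure reported at time t; return True if countermeasures fire."""
        if not self.enabled:
            return False
        self.failures.append(t)
        # Drop failures that fall outside the countermeasure time window.
        while self.failures and t - self.failures[0] > self.cm_time:
            self.failures.popleft()
        if len(self.failures) > 2 and not self.is_blocked(t):
            self.blocked_until = t + self.cm_time
            self.failures.clear()
            self.log.append((t, f"MIC failure from {client}: disassociate TKIP clients, "
                                f"refuse TKIP associations until t={self.blocked_until}"))
            return True
        self.log.append((t, f"MIC failure from {client} ({len(self.failures)} in window)"))
        return False

    def association_allowed(self, t: float, cipher: str) -> bool:
        """Only TKIP associations are refused during the hold-down; CCMP is unaffected."""
        return cipher != "TKIP" or not self.is_blocked(t)


def simulate(cm_time: int, events: List[Tuple[float, str, str]]) -> List[Tuple[float, str, bool]]:
    """Run constructed events of the form (t, "mic", client) or (t, "assoc", cipher)
    through the policy and return (t, event, result) for each."""
    policy = TkipCountermeasure(cm_time)
    results = []
    for t, kind, arg in events:
        if kind == "mic":
            results.append((t, f"mic {arg}", policy.mic_failure(t, arg)))
        else:
            results.append((t, f"assoc {arg}", policy.association_allowed(t, arg)))
    return results


if __name__ == "__main__":
    # Constructed event stream: three MIC failures within a 60-second countermeasure
    # time, then association attempts during and after the hold-down.
    demo = [(0, "mic", "client-a"), (10, "mic", "client-b"), (20, "mic", "client-a"),
            (30, "assoc", "TKIP"), (30, "assoc", "CCMP"), (81, "assoc", "TKIP")]
    for row in simulate(60, demo):
        print(row)
```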
Configuring security settings for a crypto type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring the crypto type wireless service.
Figure 229 Security settings for the crypto type wireless service
3. Configure security settings for the crypto type wireless service as described in Table 96.
4. Click Apply.
Table 96 Configuration items
Authentication Type:
• Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication.
• Shared-Key—The two parties need to have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used.
• Open-System and Shared-Key—It indicates that you can select both open-system and shared-key authentication.
IMPORTANT:
WEP encryption can be used together with open system and shared-key authentication.
• Open system authentication—When this authentication mode is used, a WEP key is used for encryption only. If the two parties do not use the same key, a wireless link can still be established, but all data will be discarded.
• Shared-key authentication—When this authentication mode is used, a WEP key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication, and thus cannot access the wireless network.
Cipher Suite: Encryption mechanisms supported by the wireless service, which can be:
• AES-CCMP—Encryption mechanism based on the AES encryption algorithm.
• TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key management.
• AES-CCMP and TKIP—It indicates that you can select both CCMP and TKIP encryption.
Security IE: Wireless service type (IE information carried in the beacon or probe response frame):
• WPA—Wi-Fi Protected Access.
• RSN—An RSN is a security network that allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA.
• WPA and RSN—It indicates that you can select both WPA and RSN.
Encryption:
Provide Key Automatically:
• Enable—A WEP key is dynamically assigned.
• Disable—A static WEP key is used.
By default, a static WEP key is used.
When you enable this function, the WEP option is automatically set to wep104.
IMPORTANT:
• This function must be used together with 802.1X authentication.
• With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is negotiated between client and server. If the WEP default key is configured, the WEP default key is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
WEP:
• wep40—Indicates the WEP40 key option.
• wep104—Indicates the WEP104 key option.
• wep128—Indicates the WEP128 key option.
Key ID:
• 1—Key index 1.
• 2—Key index 2.
• 3—Key index 3.
• 4—Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames.
Key Length: Key length.
• For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal number.
• For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
• For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.
WEP Key: Configure the WEP key.
Port Security: See
Parameters such as authentication type and encryption type determine the port mode. For more information, see .
After you select the Cipher Suite option, the following three port security modes are added:
• mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
• psk—An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.
a. Configure mac and psk
Figure 230 mac and psk port security configuration page
Table 97 Configuration items
Port Mode: mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
MAC Authentication: Select MAC Authentication.
Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Pre-shared Key:
• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and is of 8 to 63 characters.
• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.
b. Configure psk
Figure 231 psk port security configuration page
Table 98 Configuration items
Port Mode: psk—An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
Max User: Control the maximum number of users allowed to access the network through the port.
Pre-shared Key:
• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and is of 8 to 63 characters.
• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.
c. Configure userlogin-secure-ext
Perform the configurations as described in "b. Configure userlogin-secure/userlogin-secure-ext".
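The key-format rules above are easy to get wrong when provisioning many services, so here is an added Python example (not H3C code) that checks a WEP key against the length rules of Table 96 and a pre-shared key against the pass-phrase/raw-key rules of Tables 97 and 98, and derives the raw-key form from a pass-phrase with the standard IEEE 802.11 PBKDF2 method. It assumes that the tables' "64-bit hexadecimal number" means 64 hexadecimal digits, that is, the 256-bit WPA/WPA2 PSK; the sample keys are constructed.

```python
"""Added example (not H3C code): validators for the key formats in Tables 96 to 98
and the standard pass-phrase to PSK derivation that turns a pass-phrase into the
64-hex-digit raw-key form. Assumes the table's "64-bit hexadecimal number" means
64 hexadecimal digits, i.e. the 256-bit WPA/WPA2 PSK."""

import hashlib
import re

# Table 96: accepted key length per WEP option as
# (alphanumeric characters, hexadecimal digits).
WEP_KEY_LENGTHS = {"wep40": (5, 10), "wep104": (13, 26), "wep128": (16, 32)}

_HEX = re.compile(r"[0-9A-Fa-f]+")
_ALNUM = re.compile(r"[0-9A-Za-z]+")


def validate_wep_key(option: str, key: str) -> str:
    """Return 'hex' or 'ascii' according to which form the key matches for the
    given WEP option; raise ValueError if it fits neither."""
    if option not in WEP_KEY_LENGTHS:
        raise ValueError(f"unknown WEP option {option!r}")
    ascii_len, hex_len = WEP_KEY_LENGTHS[option]
    if len(key) == hex_len and _HEX.fullmatch(key):
        return "hex"
    if len(key) == ascii_len and _ALNUM.fullmatch(key):
        return "ascii"
    raise ValueError(
        f"{option} key must be {ascii_len} alphanumeric characters or {hex_len} hexadecimal digits"
    )


def validate_psk(kind: str, value: str) -> bytes:
    """Check a pre-shared key entered as in Table 97/98 and return it as bytes.
    pass-phrase: 8 to 63 displayable (printable ASCII) characters.
    raw-key: exactly 64 hexadecimal digits (the 256-bit PSK)."""
    if kind == "pass-phrase":
        if not 8 <= len(value) <= 63 or not all(0x20 <= ord(c) <= 0x7E for c in value):
            raise ValueError("pass-phrase must be 8 to 63 displayable characters")
        return value.encode("ascii")
    if kind == "raw-key":
        if len(value) != 64 or not _HEX.fullmatch(value):
            raise ValueError("raw-key must be exactly 64 hexadecimal digits")
        return bytes.fromhex(value)
    raise ValueError(f"unknown PSK kind {kind!r}")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Derive the PSK from a pass-phrase and the SSID using the IEEE 802.11 method
    (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output) and return it in raw-key form.
    The same pass-phrase yields a different PSK on a service with a different SSID."""
    validate_psk("pass-phrase", passphrase)
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    # Constructed inputs for a quick run.
    print(validate_wep_key("wep104", "0123456789abcdef0123456789"))  # hex
    print(validate_wep_key("wep40", "abcde"))                        # ascii
    print(derive_psk("password", "IEEE"))  # IEEE 802.11 Annex test vector
```

A 10-character key made only of hex digits is treated as a wep40 hexadecimal key, exactly as the length rules in Table 96 imply, so a configured key should be checked in the form the device will interpret it in.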
Security parameter dependencies
For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are shown in Table 99.
Table 99 Security parameter dependencies
Clear service:
• Authentication mode: Open-System only. Encryption type, Security IE, and WEP encryption are not configurable.
• Port mode: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, or userlogin-secure-or-mac-ext.
Crypto service, Open-System authentication, encryption type selected:
• Security IE: required.
• WEP encryption/key ID: WEP encryption is available. The key ID can be 2, 3, or 4.
• Port mode: mac and psk, psk, or userlogin-secure-ext.
Crypto service, Open-System authentication, encryption type unselected:
• Security IE: unavailable.
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, or 3.
• Port mode: mac-authentication, userlogin-secure, or userlogin-secure-ext.
Crypto service, Shared-Key authentication:
• Encryption type: unavailable. Security IE: unavailable.
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• Port mode: mac-authentication.
Crypto service, Open-System and Shared-Key authentication, encryption type selected:
• Security IE: required.
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• Port mode: mac and psk, psk, or userlogin-secure-ext.
Crypto service, Open-System and Shared-Key authentication, encryption type unselected:
• Security IE: unavailable.
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• Port mode: mac-authentication, userlogin-secure, or userlogin-secure-ext.
Enabling a wireless service
1. Select Wireless Service > Access Service from the navigation tree.
Figure 232 Enabling a wireless service
2. Select the wireless service to be bound.
3. Click Enable.
Binding an AP radio to a wireless service
Binding an AP radio to a wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the page for binding an AP radio to a wireless service.
Figure 233 Binding an AP radio to a wireless service
3. Select the AP radio to be bound.
4. Click Bind.
A configuration progress dialog box appears.
5. After the configuration process is complete, click Close.
Binding an AP radio to a VLAN
Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different locations access different services. For a user roaming between different APs, you can provide services for the user based on its access AP. The detailed requirements are as follows:
• Users with the same SSID but accessing through different APs can be assigned to different VLANs based on their configurations.
• A roaming user always belongs to the same VLAN.
• For a user roaming between ACs, if the local AC does not have a VLAN-interface, the user needs to use an HA in the AC group for forwarding packets to avoid packet loss.
Figure 234 Schematic diagram for WLAN support for AP-based access VLAN recognition
(Figure elements: RADIUS server; AC 1 acting as HA and AC 2 acting as FA, connected by an IACTP tunnel; AP 1, AP 2, AP 3, and AP 4; VLAN 3 and VLAN 2; intra-AC and inter-AC roaming of Client 1; Client 2.)
As shown in Figure 234, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1 roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between ACs, if the FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets from Client 1 are sent to the HA (AC 1) through the data tunnel and then the HA forwards these packets.
Client 2 goes online through AP 4 and belongs to VLAN 2. That is, a client going online through a different AP is assigned to a different VLAN.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the AP radio setup page, as .
3. Select the box corresponding to the AP radio mode to be bound.
4. Enter the VLAN to be bound in the Binding VLAN field.
5. Click Bind.
Enabling a radio
1. Select Radio > Radio from the navigation tree.
Figure 235 Enabling 802.11n radio
2. Select the box of the target radio.
3. Click Enable.
A configuration progress dialog box appears.
4. After the configuration process is complete, click Close.
Displaying the detailed information of a wireless service
Displaying the detailed information of a clear-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.
Figure 236 Displaying the detailed information of a clear-type wireless service
Table 100 Field description
Service Template Number: Current service template number.
SSID: Service set identifier.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Authentication Method: Type of authentication used. A clear-type wireless service can use only Open System authentication.
SSID-hide:
• Disable—Indicates that SSID advertisement is enabled.
• Enable—Indicates that SSID advertisement is disabled, that is, the AP does not advertise the SSID in the beacon frames.
Bridge Mode: Forwarding mode, which can be:
• Local Forwarding—Use the local forwarding mode.
• Remote Forwarding—Use the remote forwarding mode, that is, use the AC to forward data.
Service Template Status: Service template status, which can be:
• Enable—Indicates that the wireless service is enabled.
• Disable—Indicates that the wireless service is disabled.
Maximum clients per BSS: Maximum number of associated clients per BSS.
Displaying the detailed information of a crypto-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click a crypto-type wireless service to see its detailed information.
Figure 237 Displaying the detailed information of a crypto-type wireless service
Table 101 Field description
Service Template Number: Current service template number.
SSID: Service set identifier.
Binding Interface: Name of the WLAN-ESS interface bound with the service template.
Service Template Type: Service template type.
Security IE: Security IE, which can be WPA or WPA2.
Authentication Method: Type of authentication used, which can be Open System or Shared Key.
SSID-hide:
• Disable—Indicates that SSID advertisement is enabled.
• Enable—Indicates that SSID advertisement is disabled, that is, the AP does not advertise the SSID in the beacon frames.
Cipher Suite: Cipher suite, which can be CCMP, TKIP, or WEP40/WEP104/WEP128.
WEP Key Index: WEP key index used to encrypt or decrypt frames.
WEP Key Mode: WEP key mode:
• HEX—WEP key in hexadecimal format.
• ASCII—WEP key in string format.
WEP Key: WEP key.
TKIP Countermeasure Time(s): TKIP MIC failure holdtime, in seconds.
PTK Life Time(s): PTK lifetime, in seconds.
GTK Rekey: GTK rekey configured.
GTK Rekey Method: GTK rekey method configured, which can be:
• Time-based, which displays the GTK rekey time in seconds.
• Packet-based, which displays the number of packets.
GTK Rekey Time: Time for GTK rekey, in seconds.
Bridge Mode: Forwarding mode, which can be:
• Local Forwarding—Use the local forwarding mode.
• Remote Forwarding—Use the remote forwarding mode, that is, use the AC to forward data.
Service Template Status: Service template status, which can be:
• Enable—Indicates that the wireless service is enabled.
• Disable—Indicates that the wireless service is disabled.
Maximum clients per BSS: Maximum number of associated clients per BSS.
Wireless service configuration example
Network requirements
time. More specifically:
• An AC and the AP (serial ID 210235A29G007C000020) are connected through a Layer 2 switch.
• The AP provides clear type wireless access service with SSID service1.
• 802.11n (2.4GHz) radio mode is adopted.
Figure 238 Network diagram
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, and enter the serial ID of the AP.
d. Click Apply.
Figure 239 Creating an AP
2. Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to service1 and select the wireless service type clear.
d. Click Apply.
Figure 240 Creating a wireless service
3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the service1 box and click Enable.
Figure 241 Enabling wireless service
4. Bind an AP radio to a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service service1.
c. On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 242 Binding an AP radio
5. Enable the 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box before ap with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 243 Enabling 802.11n(2.4GHz) radio
Verifying the configuration
• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.
Figure 244 Viewing the online clients
Configuration guidelines
Select a correct district code.
Auto AP configuration example
Network requirements
As shown in the network diagram, enable the auto-AP function so that APs automatically connect to the AC.
• The AP provides a clear type wireless service with the SSID service1.
• 802.11n(2.4GHz) radio mode is adopted.
Figure 245 Network diagram
Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID auto, and click Apply.
Figure 246 Creating an AP
2. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to service1, select the wireless service type clear, and click Apply.
Figure 247 Creating a wireless service
3. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the service1 box.
   c. Click Enable.
Figure 248 Enabling the wireless service
4. Bind an AP to a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service service1.
   c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and click Bind.
Figure 249 Binding an AP
   d. To view the AP status, select AP > AP Setup from the navigation tree. You can see that the AP is in IDLE state.
Figure 250 AP status before auto AP is enabled
5. Enable auto AP:
   a. Select AP > Auto AP from the navigation tree.
   b. Select enable.
   c. Click Apply.
Figure 251 Configuring auto AP
   d. To view the automatically found AP (ap_0001), click Refresh.
Figure 252 Viewing the automatically found AP
6. Rename the automatically found AP:
   If you do not need to rename the automatically found AP, select the ap_0001 box, and then click Transmit All AP.
   To rename the automatically found AP:
   a. Select AP > Auto AP from the navigation tree.
   b. Click the icon of the target AP.
   c. On the page that appears, select AP Rename and enter ap1.
   d. Click Apply.
Figure 253 Modifying the AP name
   e. To view the renamed AP, select AP > AP Setup from the navigation tree.
Figure 254 Displaying AP
7. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the box of the target AP.
   c. Click Enable.
Verifying the configuration
• You can see that the AP is in the Run state on the page you enter by selecting AP > AP Setup from the navigation tree.
• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.
Figure 255 Viewing the online clients
Configuration guidelines
Follow these guidelines when you configure an auto AP:
• Select a correct district code.
• Select the renamed AP (ap1 in the example) rather than the auto AP (ap in the example) when enabling the radio. If you enable the radio of the automatically found AP, the radios of all the automatically found APs are enabled.
802.11n configuration example
Network requirements
Deploy an 802.11n network to provide high bandwidth access for multimedia applications.
• The AP provides a plain-text wireless service with the SSID service.
• 802.11gn is adopted to inter-work with the existing 802.11g network and protect the current investment.
Figure 256 Network diagram
Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to 11nap, select the AP model WA22610E-AGN, select the serial ID manual, enter the serial ID of the AP, and click Apply.
2. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to 11nservice, select the wireless service type clear, and click Apply.
3. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the 11nservice box.
   c. Click Enable.
4. Bind an AP radio:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the target wireless service.
   c. Select the 11nap box.
   d. Click Bind.
5. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the 11nap box of the target AP.
   c. Click Enable.
Verifying the configuration
• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
Figure 257 Viewing the online clients
In this example, 0014-6c8a-43ff is an 802.11g user, and 001c-f0bf-9c92 is an 802.11n user. Both users can access the WLAN network because there is no limit on the user type. If you enable client 802.11n only, only 001c-f0bf-9c92 can access the WLAN network.
Configuration guidelines
Follow these guidelines when you configure 802.11n:
• Select Radio > Radio from the navigation tree, select the AP to be configured, and click the icon to enter the page for configuring a radio. There you can modify the 802.11n parameters, including bandwidth mode, A-MPDU, A-MSDU, short GI, and whether 802.11n clients are allowed.
• Select Radio > Rate from the navigation tree to set 802.11n rates.
WPA-PSK authentication configuration example
Network requirements
As shown in the network diagram, connect the client to the wireless network through WPA-PSK authentication. The PSK key configured on the client is the same as that on the AC: 12345678.
Figure 258 Network diagram
Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 259 Creating an AP
2. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to psk, select the wireless service type crypto, and click Apply.
Figure 260 Creating a wireless service
3. Configure the wireless service:
   After you create a wireless service, you enter the wireless service configuration page.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select the Cipher Suite box, select AES-CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list.
   c. Select the Port Set box, and select psk from the Port Mode list.
   d. Select pass-phrase from the Pre-shared Key list, and enter the key 12345678.
   e. Click Apply.
Figure 261 Security setup
4. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the psk[Bind] box.
   c. Click Enable.
Figure 262 Enabling wireless service
5. Bind an AP radio to a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service psk.
   c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 263 Binding an AP radio
6. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the ap box before 802.11n(2.4GHz).
   c. Click Enable.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 264 Enabling 802.11n(2.4GHz) radio
Configuring the client
1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (PSK in this example).
3. Click Connect.
4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect.
Figure 265 Configuring the client
The client has the same pre-shared key (PSK) as the AP, so the client can associate with the AP.
Figure 266 The client is associated with the AP
Verifying the configuration
• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
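Why a matching pass-phrase is what lets the client associate, as an added example that is not part of this guide or H3C's code: both the AC and the client turn the pass-phrase 12345678 and the SSID psk into the same pairwise master key (PMK) with PBKDF2-HMAC-SHA1, and then into the same pairwise transient key (PTK) from the 4-way handshake inputs. The AP BSSID, client MAC and nonces below are constructed values, and the CCMP (48-byte) PTK length is assumed; the guide's TKIP option uses the 64-byte form selectable with the ccmp flag.

```python
# Added example, not H3C code: WPA/WPA2-PSK key derivation on both sides of the
# association in this example (pass-phrase 12345678, SSID psk).
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096 rounds, 32 bytes).

    Pass-phrases are 8 to 63 ASCII characters; the AC rejects anything else
    when pass-phrase is selected in the Pre-shared Key list.
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("pass-phrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, mac_a: bytes, mac_b: bytes,
               nonce_a: bytes, nonce_b: bytes, ccmp: bool = True) -> dict:
    """PTK from the handshake inputs, split into KCK, KEK and the temporal key (TK).

    The PRF input is min||max of the two MACs and of the two nonces, so it does
    not matter which side is the AP: both compute the same PTK. CCMP needs a
    48-byte PTK, TKIP a 64-byte one.
    """
    data = (min(mac_a, mac_b) + max(mac_a, mac_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48 if ccmp else 64)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def handshake_keys_agree(ac_passphrase: str, client_passphrase: str,
                         ssid: str = "psk") -> bool:
    """Simulate the AC and the client each deriving keys independently.

    Returns True only when both sides hold the same pass-phrase; with a
    mismatch the PMKs differ, so the PTKs differ and the 4-way handshake fails.
    """
    ap_mac = bytes.fromhex("020000000001")   # constructed BSSID (locally administered)
    sta_mac = bytes.fromhex("00146c8a43ff")  # client MAC used elsewhere in this chapter
    anonce, snonce = os.urandom(32), os.urandom(32)
    # AP side: its own MAC/nonce first; client side: the reverse order.
    ap_ptk = derive_ptk(derive_pmk(ac_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    sta_ptk = derive_ptk(derive_pmk(client_passphrase, ssid), sta_mac, ap_mac, snonce, anonce)
    return ap_ptk == sta_ptk


if __name__ == "__main__":
    print("PMK:", derive_pmk("12345678", "psk").hex())
    print("same pass-phrase agrees:", handshake_keys_agree("12345678", "12345678"))
    print("different pass-phrase agrees:", handshake_keys_agree("12345678", "87654321"))
```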
Local MAC authentication configuration example
Network requirements
The AC is connected to the AP through a Layer 2 switch, and they are in the same network. Perform MAC authentication on the client.
Figure 267 Network diagram
Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 268 Creating an AP
2. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to mac-auth, select the wireless service type clear, and click Apply.
Figure 269 Creating a wireless service
3. Configure the wireless service:
   After you have created a wireless service, you enter the wireless service configuration page.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select the Port Set box, and select mac-authentication from the Port Mode list.
   c. Select the MAC Authentication box, and select system from the Domain list. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a domain name in the Domain Name field.
   d. Click Apply.
Figure 270 Security setup
4. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the mac-auth box.
   c. Click Enable.
Figure 271 Enabling wireless service
5. Configure a MAC authentication list:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click MAC Authentication List.
   c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used in this example.
   d. Click Add.
Figure 272 Adding a MAC authentication list
6. Bind an AP radio to a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service mac-auth.
   c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 273 Binding an AP radio
7. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the ap 802.11n(2.4GHz) box of the target AP.
   c. Click Enable.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 274 Enabling 802.11n(2.4GHz) radio
Configuring the client
1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (mac-auth in this example).
3. Click Connect.
If the MAC address of the client is in the MAC address list, the client passes MAC authentication and can access the wireless network.
Figure 275 Configuring the client
Verifying the configuration
• The client can successfully associate with the AP and access the WLAN network.
• You can view the online clients on the page you enter by selecting Summary > Client.
Remote MAC authentication configuration example
Network requirements
As shown in the network diagram, perform remote MAC authentication on the client.
• Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and accounting (AAA). On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
• The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with the RADIUS server as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server.
Figure 276 Network diagram
Configuring the AC
1. Assign an IP address to the AC:
   a. Select Network > VLAN to create a VLAN on the AC.
   b. Select Device > Interface Management to assign an IP address to the VLAN interface.
2. Configure a RADIUS scheme:
   a. Select Authentication > RADIUS from the navigation tree.
   b. Click Add.
   c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
   d. Enter mac-auth in the Scheme Name field.
   e. Select Extended as the server type.
   f. Select Without domain name from the Username Format list.
   g. Click Apply.
Figure 277 Configuring RADIUS
3. Configure AAA:
   a. From the navigation tree, select Authentication > AAA.
   b. Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system.
   c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 278 Configuring the AAA authentication method for the ISP domain
   e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.
   f. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 279 Configuring the AAA authorization method for the ISP domain
   g. On the Accounting tab, select the ISP domain system, select the Accounting Optional box, select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme mac-auth from the Name list, and click Apply.
   h. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 280 Configuring the AAA accounting method for the ISP domain
4. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 281 AP setup
5. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the wireless service name to mac-auth, select the wireless service type clear, and click Apply.
Figure 282 Creating a wireless service
6. Configure MAC authentication:
   After you create a wireless service, the wireless service configuration page appears.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select the Port Set box, and select mac-authentication from the Port Mode list.
   c. Select the MAC Authentication box, and select system from the Domain list.
   d. Click Apply.
   e. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 283 Security setup
7. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the mac-auth box.
   c. Click Enable.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 284 Enabling the wireless service
8. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service mac-auth.
   c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
   d. Click Bind.
   e. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 285 Binding an AP radio to a wireless service
9. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the ap 802.11n(2.4GHz) box of the target AP.
   c. Click Enable.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 286 Enabling 802.11n(2.4GHz) radio
Configuring the RADIUS server (IMCv3)
NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
   a. Click the Service tab in the IMC Platform.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter expert for Shared Key, enter ports 1812 and 1813 for Authentication Port and Accounting Port respectively, select LAN Access Service for Service Type, select H3C for Access Device Type, select or manually add an access device with the IP address 10.18.1.1, and click Apply.
Figure 287 Adding access device
2. Add a service:
   a. Click the Service tab.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.
Figure 288 Adding service
3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the username 00146c8a43ff, set the account name and password to 00146c8a43ff, select the service mac, and click Apply.
Figure 289 Adding account
Configuring the RADIUS server (IMC v5)
NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
   a. Click the Service tab in the IMC Platform.
   b. Select User Access Manager > Access Device Management from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.
Figure 290 Adding access device
2. Add a service:
   a. Click the Service tab.
   b. Select User Access Manager > Service Configuration from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.
Figure 291 Adding service
3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree to enter the user page.
   c. Click Add.
   d. On the page that appears, enter the username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.
Figure 292 Adding account
Verifying the configuration
• During authentication, the user does not need to enter a username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
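What the local and remote MAC authentication examples above mean on the wire between the AC (10.18.1.1) and the IMC RADIUS server (10.18.1.88), as an added example that is neither H3C nor IMC code: the AC sends the client's MAC address as both User-Name and User-Password, the Username Format "Without domain name" strips the @domain suffix first, and the shared key expert hides User-Password as RFC 2865 section 5.2 specifies. Assumptions not stated in the guide: MAC authentication uses PAP, the AC formats the MAC as 12 lowercase hex digits without separators (matching the IMC account 00146c8a43ff), and the attribute dictionary stands in for the real packet encoding.

```python
# Added example, not H3C or IMC code: the RADIUS side of MAC authentication
# as configured in this chapter (scheme mac-auth, shared key expert).
import hashlib
import os
import re

SHARED_KEY = b"expert"          # key configured on both the AC and the IMC server
AC_IP = "10.18.1.1"


def mac_to_username(mac: str) -> str:
    """Normalise 0014-6c8a-43ff, 00:14:6c:8a:43:ff or 00146C8A43FF to 00146c8a43ff.

    Assumed AC format: 12 lowercase hex digits, no separators (the IMC account
    in this example is created that way).
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def strip_domain(username: str) -> str:
    """Username Format 'Without domain name': user@system becomes user."""
    return username.split("@", 1)[0]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a multiple of 16 octets, then
    XOR each 16-octet block with MD5(secret + previous block), seeded with the
    16-octet Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password. Trailing NUL padding is removed, so a
    password that genuinely ends in NUL bytes cannot be carried this way."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(cipher, block))
        prev = cipher
    return out.rstrip(b"\x00")


def build_access_request(client_mac: str, isp_domain: str = "system",
                         secret: bytes = SHARED_KEY, authenticator: bytes = None) -> dict:
    """Attributes the AC sends for a client under the mac-auth scheme.

    The client is placed in ISP domain 'system'; the domain is stripped again
    because the scheme's Username Format is 'Without domain name'.
    """
    authenticator = authenticator or os.urandom(16)   # fresh per request
    name = strip_domain(f"{mac_to_username(client_mac)}@{isp_domain}")
    return {
        "User-Name": name,
        "User-Password": hide_password(name.encode("ascii"), secret, authenticator),
        "NAS-IP-Address": AC_IP,
        "Request-Authenticator": authenticator,
    }


def imc_authenticate(request: dict, accounts: dict, secret: bytes = SHARED_KEY) -> bool:
    """Server side: reveal the password with the configured shared key and compare
    it with the IMC account, whose name and password are both the MAC address."""
    revealed = reveal_password(request["User-Password"], secret,
                               request["Request-Authenticator"])
    return accounts.get(request["User-Name"]) == revealed.decode("ascii", errors="replace")


if __name__ == "__main__":
    imc_accounts = {"00146c8a43ff": "00146c8a43ff"}   # account from step 3 of the IMC setup
    print(imc_authenticate(build_access_request("0014-6c8a-43ff"), imc_accounts))
    print(imc_authenticate(build_access_request("001c-f0bf-9c92"), imc_accounts))
```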
Remote 802.1X authentication configuration example
Network requirements
Perform remote 802.1X authentication on the client.
• Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
• On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Figure 293 Network diagram
Configuring the AC
1. Assign an IP address to the AC:
   a. Select Network > VLAN to create a VLAN on the AC.
   b. Select Device > Interface Management to assign an IP address to the VLAN interface.
2. Configure a RADIUS scheme:
   a. Select Authentication > RADIUS from the navigation tree.
   b. Click Add.
   c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
   d. Enter 802.1x in the Scheme Name field.
   e. Select the server type Extended, and select Without domain name from the Username Format list.
   f. Click Apply.
Figure 294 Configuring RADIUS
3. Configure AAA:
   a. Select Authentication > AAA from the navigation tree.
   b. Optional: On the Domain Setup tab, create a new ISP domain. This example uses the default domain system.
   c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.1x from the Name list, and click Apply.
Figure 295 Configuring the AAA authentication method for the ISP domain
   d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name list, and click Apply.
Figure 296 Configuring the AAA authorization method for the ISP domain
   e. On the Accounting tab, select the ISP domain name system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme 802.1x from the Name list, and click Apply.
Figure 297 Configuring the AAA accounting method for the ISP domain
4. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 298 AP setup
5. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.
Figure 299 Creating a wireless service
6. Configure 802.1X authentication:
   After you create a wireless service, the wireless service configuration page appears.
   a. In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
   b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
   c. Select system from the Mandatory Domain list.
   d. Select EAP from the Authentication Method list.
   e. Disable Handshake and Multicast Trigger (recommended).
   f. Click Apply.
   g. A progress dialog box appears. During the process, another dialog box appears asking whether to enable EAP authentication. Click OK.
   h. After the configuration process is complete, click Close.
Figure 300 Security setup
7. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the dot1x box and click Enable.
Figure 301 Enabling the wireless service
8. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service dot1x.
   c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
   d. Click Bind.
   e. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 302 Binding an AP radio to a wireless service
9. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the box of the target AP.
   c. Click Enable.
   d. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Figure 303 Enabling 802.11n(2.4GHz) radio
Configuring the RADIUS server (IMCv3)
NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
   a. Click the Service tab in the IMC management platform.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the shared key expert, enter the authentication and accounting ports 1812 and 1813, select LAN Access Service from the Service Type list, select H3C from the Access Device Type list, select or manually add an access device with the IP address 10.18.1.1, and click Apply.
Figure 304 Adding access device
2. Add a service:
   a. Click the Service tab.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
Figure 305 Adding service
3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.
Figure 306 Adding account
Configuring the RADIUS server (IMC v5)
NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
   a. Click the Service tab in the IMC platform.
   b. Select User Access Manager > Access Device Management from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.
Figure 307 Adding access device
2. Add a service:
   a. Click the Service tab.
   b. Select User Access Manager > Service Configuration from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
Figure 308 Adding a service
3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.
Figure 309 Adding account
Configuring the wireless client
1. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.
2. Click Properties in the General tab. The Wireless Network Connection Properties window appears.
3. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears.
4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
Figure 310 Configuring the wireless client (I)
Figure 311 Configuring the wireless client (II)
Figure 312 Configuring the wireless client (III)
Verifying the configuration
• After the user enters the username user and the password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.
Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
Perform dynamic WEP encryption-802.1X authentication on the client. More specifically:
• Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
• On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Figure 313 Network diagram
Configuration procedure
1. Assign an IP address to the AC: See "Assign an IP address to the AC."
2. Configure a RADIUS scheme: See "Configure a RADIUS scheme."
3. Configure AAA: See "Configure AAA" in the remote 802.1X authentication configuration example.
4. Configure the AP: See "Create an AP" in the remote 802.1X authentication configuration example.
5. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.
Figure 314 Creating a wireless service
6. Configure 802.1X authentication:
   After you create a wireless service, the wireless service configuration page appears.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select Encryption, and select Enable from the Provide Key Automatically list.
   c. Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
   d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
   e. Select system from the Mandatory Domain list.
   f. Select EAP from the Authentication Method list.
   g. Disable Handshake and Multicast Trigger (recommended).
   h. Click Apply.
Figure 315 Security setup
7. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the dot1x box and click Enable.
Figure 316 Enabling the wireless service
8. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service dot1x.
   c. On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz) and click Bind.
Figure 317 Binding an AP radio to a wireless service
9. Enable 802.11n(2.4GHz) radio: See "Enable 802.11n(2.4GHz) radio."
10. Configure the RADIUS server (IMCv3): See "Configuring the RADIUS server (IMCv3)."
11. Configure the RADIUS server (IMC v5): See "Configuring the RADIUS server (IMC v5)."
Configuring the wireless client
1. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.
2. Click Properties. The Wireless Network window appears.
3. Click Add.
4. Click the Association tab, and enter dot1x in the Network name (SSID) field.
5. Make sure that you have selected The key is provided for me automatically.
Figure 318 Configuring the wireless client (I)
6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7. In the popup window, clear Validate server certificate, and click Configure.
8. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.
Figure 319 Configuring the wireless client (II)
Figure 320 Configuring the wireless client (III)
Verifying the configuration
• After the user enters the username user and the password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.
Configuring mesh services
Different from a traditional WLAN, a WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. Moreover, multi-hop wireless links can be established between APs. From the perspective of end users, a WLAN mesh network has no difference from a traditional WLAN.
Mesh overview
Basic concepts in WLAN mesh
Figure 321 Typical WLAN mesh network (AC, MPP, MPs, MAPs, and clients)
As shown in Figure 321, the concepts involved in WLAN mesh are described below.
Access controller (AC): A device that controls and manages all the APs in the WLAN.
Mesh point (MP): A wireless AP that connects to a mesh portal point (MPP) through a wireless connection but cannot have any client attached.
Mesh access point (MAP): An AP providing the mesh service and the access service concurrently.
Mesh portal point (MPP): A wireless AP that connects to an AC through a wired connection.
Mesh link: A wireless link between MPs.
Advantages of WLAN mesh
The WLAN mesh technology allows operators to deploy wireless networks easily, anywhere and at any time.
WLAN mesh has the following advantages:
• High performance/price ratio: In a mesh network, only the MPPs need to connect to a wired network. The dependency on the wired network is reduced to a minimum, and the investment in wired devices, cabling, and installation is greatly reduced.
• Excellent scalability: In a mesh network, the APs automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you only need to install them and perform the related configurations.
• Fast deployment: Because only the MPPs need to connect to a wired network, WLAN mesh greatly reduces the network deployment time.
• Various application scenarios: The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also to large warehouse, port, MAN, railway transportation, and crisis communication networks.
• High reliability: In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP lose access to the WLAN. In a mesh network, by contrast, the APs are fully meshed: a mesh AP has multiple wireless paths to a portal node in the wired network, which effectively avoids a single point of failure.
Deployment scenarios
This section covers deployment scenarios of WLAN mesh, which are in two categories: subway networking and normal networking.
Normal WLAN mesh deployment
1. Normal fit MP scenario
As shown in Figure 322, two mesh networks are controlled by the same AC. At least one MPP in each mesh has wired connectivity with the AC. When an MP comes up, it scans the network and forms temporary connections with all available MPs in its vicinity. These temporary connections allow the MP to reach the AC and download its configuration. After downloading its configuration from the AC, the MP establishes secure connections with the neighbors that share the same pre-shared key.
Figure 322 Normal fit MP scenario
2. One fit MP with two radios, each on a different mesh
As shown in Figure 323, to avoid interference between Mesh 1 and Mesh 2, you can configure two radios on an MP, each of which joins a different mesh network. The only constraint is that both meshes must be managed by the same AC.
Figure 323 Two radios on different meshes
3. One fit MP with two radios on the same mesh
As shown in Figure 324, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio 1 can provide access for downstream MPs. Radio 2 cannot automatically join the mesh and provide the mesh service.
Figure 324 Two radios on different meshes
If an MP supports three radios, you can configure Radio 1 as the uplink interface, Radio 2 as the downlink interface, and Radio 3 as the multi-beam antenna. To use the dual-radio resources on MPs, you can build the network shown in Figure 325. In such a network, when Radio 1 of MP 1 joins the mesh, Radio 2 on MP 1 also automatically joins the mesh. In this network, you must apply the same mesh service to both Radio 1 and Radio 2. For more information, see "Tri-radio mesh configuration example."
Figure 325 Two radios on the same mesh (AC, MPP, MP 1 and MP 2, each MP with Radio 1, Radio 2 and Radio 3)
Subway WLAN mesh deployment
A subway is an important means of transport in a modern city. In a subway system, control information must be sent to trains to manage them effectively and to provide services to passengers.
As shown in Figure 326, a subway WLAN mesh solution has fit MPs deployed along the rail, all managed by the same AC. A train MP (fat AP) continuously scans for new rail MPs (fit APs) and sets up active and dormant links with the rail MPs that have the best signal quality. The active mesh link carries the data; the dormant mesh link acts as the backup link.
Figure 326 Subway deployment of mesh
The subway WLAN mesh deployment is based on the Mobile Link Switch Protocol (MLSP), which provides high-speed link switching with zero packet loss while the train moves. The IEEE 802.11s standard is used as the underlying protocol for link formation and communication between the mobile radio (MR) and the wayside AP. Train MPs are not required to act as authenticators.
WLAN mesh security
A WLAN uses the air as its communication medium, so it is exposed to malicious attacks. In a mesh network a wireless path passes through multiple hops, which widens that exposure, so security is an essential part of a WLAN mesh network. Security involves the encryption algorithm and the distribution and management of keys.
Currently, the PSK + CCMP combination is used to secure mesh links: every MP in a mesh is configured with the same pre-shared key (see "Configuring a mesh service"), and only neighbors that share it can form a mesh link. Treat that key as a network-wide credential: use a long, random pass phrase or a 64-hexadecimal-digit raw key rather than a short value, and change it when an AP is lost or retired.
Mobile link switch protocol
At any given time, an active link must be available between a rail MP and a train MP for data communication. MLSP was developed to create and break links while the train moves.
As shown in Figure 327, when the train is moving, it must break the existing active link with rail MP 2 and create a new active link with another rail MP.
Figure 327 Diagram for MLSP
• Active link: The logical link over which all data communication from and to a train MP happens.
• Dormant link: A logical link over which no data is transferred, but which satisfies all the criteria for becoming an active link.
MLSP advantages
• MLSP ensures that the link switch time is less than 30 ms.
• MLSP works well even if the devices become saturated at high power levels.
• MLSP achieves zero packet loss during link switch.
Operation of MLSP
MLSP maintains multiple links at any given time between a train MP and several rail MPs to provide link redundancy, ensuring high performance and robustness for the network.
MLSP considers the following parameters for link switch. All of them are tunable to suit the deployment.
• Link formation RSSI/link hold RSSI: The minimum RSSI at which a link can be formed and held. This minimum RSSI must be available at every point in the tunnel; otherwise the error rate can be very high.
• Link switch margin: If the RSSI of a new link exceeds that of the current active link by the link switch margin, the active link is switched. This mechanism avoids frequent link switches.
• Link hold time: An active link is kept for at least the link hold time, even if the link switch margin is reached. This mechanism also avoids frequent link switches.
• Link saturation RSSI: The upper RSSI limit on the active link. If it is reached, the active link is switched.
Formation of dormant links
A train MP performs active scanning to find neighboring rail MPs by sending probe requests at a very high rate. From the probe responses received, the train MP builds a neighbor table.
The train MP then creates dormant links with the rail MPs whose RSSI is greater than the link formation RSSI.
Selection of active link
A train MP selects the active link from its dormant links according to the following rules:
1. If no dormant link is available, no active link can be formed.
2. Within the link hold time, the active link is not switched, except under the following two conditions:
Condition 1: The active link RSSI exceeds the link saturation RSSI.
Condition 2: The active link RSSI falls below the link hold RSSI.
3. When the link hold timer expires, if no dormant link has an RSSI greater than the active link RSSI by the link switch margin, no link switch happens.
4. In normal operation, the active link is switched when all of the following conditions are met:
The link hold timer has expired.
The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.
The dormant link's RSSI is not greater than the link saturation RSSI.
5. Once the RSSI of the active and dormant links has dropped below the link hold RSSI, the links should be broken. However, to keep the service available in the worst case, if the active link RSSI has dropped below the link hold RSSI and no dormant links exist, the active link is not broken.
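The selection rules above, as an added example that is not H3C's MLSP implementation: a Python simulation of a train MP applying rules 1 to 5 to a constructed series of probe results (dormant-link formation, the hold timer, the switch margin, the saturation limit and the keep-the-last-link case). The threshold values in MlspPolicy are illustrative assumptions, not device defaults (the guide names the parameters but not their ranges), and the RSSI scale is whatever the mesh policy page uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MlspPolicy:
    """The four tunable thresholds from the mesh policy. Values are assumptions
    for the simulation, not H3C defaults; the guide does not state the ranges."""
    link_hold_rssi: int = 20        # link formation RSSI = link hold RSSI
    link_switch_margin: int = 10    # a dormant link must beat the active one by this
    link_hold_time_ms: int = 500    # minimum time an active link is kept
    link_saturation_rssi: int = 80  # upper RSSI limit on the active link


@dataclass
class TrainMp:
    policy: MlspPolicy
    active: Optional[str] = None         # rail MP carrying all data
    active_since_ms: int = 0
    dormant: Dict[str, int] = field(default_factory=dict)  # rail MP -> RSSI

    def _switch(self, rail: str, now_ms: int) -> None:
        self.active, self.active_since_ms = rail, now_ms

    def scan(self, now_ms: int, heard: Dict[str, int]) -> str:
        """One probe cycle. 'heard' is the neighbor table built from probe
        responses (rail MP -> RSSI). Applies the selection rules and returns
        a label for what happened."""
        p = self.policy
        # Formation of dormant links: every neighbor at or above the formation RSSI.
        self.dormant = {r: s for r, s in heard.items()
                        if s >= p.link_hold_rssi and r != self.active}
        best = max(self.dormant, key=self.dormant.get) if self.dormant else None

        if self.active is None:                       # rule 1
            if best is None:
                return "no-link"
            self._switch(best, now_ms)
            return "form"

        active_rssi = heard.get(self.active, -999)    # not heard = below hold RSSI
        if active_rssi < p.link_hold_rssi:            # rule 2 condition 2, rule 5
            if best is None:
                return "hold-no-dormant"              # keep the only link we have
            self._switch(best, now_ms)
            return "switch-lost"
        if active_rssi > p.link_saturation_rssi:      # rule 2 condition 1
            usable = {r: s for r, s in self.dormant.items()
                      if s <= p.link_saturation_rssi}
            if not usable:
                return "hold-saturated"
            self._switch(max(usable, key=usable.get), now_ms)
            return "switch-saturated"
        if now_ms - self.active_since_ms < p.link_hold_time_ms:   # rule 2
            return "hold-timer"
        if (best is not None                          # rule 4
                and self.dormant[best] >= active_rssi + p.link_switch_margin
                and self.dormant[best] <= p.link_saturation_rssi):
            self._switch(best, now_ms)
            return "switch-margin"
        return "hold-no-candidate"                    # rule 3


def simulate(policy: MlspPolicy,
             timeline: List[Tuple[int, Dict[str, int]]]) -> List[Tuple[int, str, Optional[str]]]:
    """Run one train MP through a series of (time_ms, neighbor table) samples."""
    mp = TrainMp(policy)
    return [(t, mp.scan(t, heard), mp.active) for t, heard in timeline]


# Constructed sample: a train passing rail1, rail2 and rail3 (RSSI on the policy's scale).
TIMELINE = [
    (0,    {"rail1": 50}),                            # first link: form with rail1
    (100,  {"rail1": 45, "rail2": 70}),               # rail2 better by 25, but hold timer running
    (600,  {"rail1": 40, "rail2": 72}),               # timer expired, margin met: switch to rail2
    (700,  {"rail1": 30, "rail2": 90, "rail3": 60}),  # rail2 saturated: switch at once
    (800,  {"rail2": 85, "rail3": 64}),               # hold timer running on rail3
    (1400, {"rail2": 85, "rail3": 64}),               # timer expired, but rail2 is above saturation
    (1500, {"rail3": 10}),                            # signal lost, no dormant link: keep rail3
]

if __name__ == "__main__":
    for t, event, active in simulate(MlspPolicy(), TIMELINE):
        print("%5d ms  %-18s active=%s" % (t, event, active))
```

The sample timeline exercises each rule once; change the thresholds in MlspPolicy or the RSSI samples to see which rule fires and why a link is held or switched.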
Mesh network topologies
The mesh feature supports the following three topologies. Mesh is implemented by configuring a peer MAC address for each AP. For more information, see "Configuring a peer MAC address."
Point to point connection
In this topology, by configuring the peer MAC address for an AP, you can determine the mesh link to be formed.
Figure 328 Mesh point to point topology
Point to multi-point connection
In this topology, a central bridging device forms wireless links with multiple MPs to bridge data among multiple LAN segments. As shown in Figure 329, data transferred between different LAN segments passes through AP 1.
Figure 329 Mesh point to multi-point topology (AC, AP 1 as the central bridge, AP 2 through AP 5)
Self topology detection and bridging connection
In this topology, MPs automatically detect neighbors and form wireless links to provide wireless connectivity between LAN segments, as shown in Figure 330. Loops form easily in this topology. You can use mesh routes to selectively block redundant links to eliminate loops, and to provide backup when mesh links fail.
Figure 330 Self topology detection and bridging (AC, AP 1 through AP 4)
Configuring mesh service
Configuring mesh service
Creating a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.
Figure 331 Mesh service configuration page
3. Click Add.
Figure 332 Creating a mesh service
4. Configure the mesh service as described in Table 102.
5. Click Apply.
Table 102 Configuration items
Item: Description
Mesh Service Name: Name of the mesh service to be created.
Configuring a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.
3. Click the icon corresponding to the target mesh service to enter the page for configuring the mesh service.
Figure 333 Configuring mesh service
4. Configure the mesh service as described in Table 103.
5. Click Apply.
Table 103 Configuration items
Item: Description
Mesh Service: Displays the selected mesh service name.
VLAN (Tagged): Enter the IDs of the VLANs whose packets are to be sent tagged. The mesh port sends the traffic of these VLANs without removing the VLAN tag.
VLAN (Untagged): Enter the IDs of the VLANs whose packets are to be sent untagged. The mesh port sends the traffic of these VLANs with the VLAN tag removed.
Default VLAN: Set the default VLAN. By default, the default VLAN of all ports is VLAN 1. After you set a new default VLAN, VLAN 1 stays in the list of VLANs whose packets are sent untagged.
Exclude VLAN: Remove VLAN IDs from the tagged and untagged VLAN lists.
Mesh Route: Enable or disable the mesh route selection algorithm:
• Disable: Disable the mesh route selection algorithm.
• Enable: Enable the mesh route selection algorithm.
By default, the mesh route selection algorithm is disabled.
Link Keep Alive Interval: Configure the mesh link keep-alive interval.
Link Backhaul Rate: Configure the backhaul radio rate.
Security Configuration:
Pass Phrase: Enter the pre-shared key as a character string.
Raw Key: Enter the pre-shared key as hexadecimal digits.
Pre-shared Key: The pre-shared key itself, which is either:
• a string of 8 to 63 characters (Pass Phrase), or
• a 64-hexadecimal-digit value, that is, the 256-bit key itself (Raw Key).
All MPs that are to form links in a mesh must be configured with the same pre-shared key. Choose a long, random value; the 12345678 used in the configuration examples is for illustration only.
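The two key formats above, as an added example that is not H3C code: a Python validator that accepts what the Pass Phrase and Raw Key fields accept, rejects a 16-digit value (which is what "64 bits" would amount to), flags weak values such as the 12345678 of the configuration example, and derives a 256-bit PMK from a pass phrase. The derivation is an assumption: it follows the WPA2-PSK rule (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the network name) because the guide says only "PSK + CCMP" and does not document how the controller derives its keys or which name it uses as salt. The mesh_id parameter and the sample values are constructed; "password"/"IEEE" is the published 802.11 PSK test vector.

```python
import hashlib
import re
import string

HEX64 = re.compile(r"[0-9a-fA-F]{64}")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_mesh_psk(value: str, fmt: str) -> bytes:
    """Validate a mesh pre-shared key the way the Mesh Service page constrains it.

    fmt="passphrase": the Pass Phrase field, 8 to 63 printable ASCII characters.
    fmt="raw":        the Raw Key field, exactly 64 hexadecimal digits (256 bits).
    Returns the pass phrase bytes or the decoded 32-byte key.
    """
    if fmt == "raw":
        if not HEX64.fullmatch(value):
            raise ValueError("raw key must be exactly 64 hexadecimal digits (256 bits)")
        return bytes.fromhex(value)
    if fmt == "passphrase":
        if not 8 <= len(value) <= 63:
            raise ValueError("pass phrase must be 8 to 63 characters")
        if any(c not in PRINTABLE for c in value):
            raise ValueError("pass phrase must be printable ASCII")
        return value.encode("ascii")
    raise ValueError("fmt must be 'passphrase' or 'raw'")


def derive_pmk(value: str, fmt: str, mesh_id: str) -> bytes:
    """Return the 256-bit pairwise master key for the configured PSK.

    Assumption (not from the H3C guide): a pass phrase is expanded exactly as
    WPA2-PSK does, PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the
    network name (here the mesh ID). A raw key is used as the PMK directly.
    """
    key = parse_mesh_psk(value, fmt)
    if fmt == "raw":
        return key
    return hashlib.pbkdf2_hmac("sha1", key, mesh_id.encode("ascii"), 4096, 32)


def psk_is_weak(value: str, fmt: str) -> bool:
    """Cheap strength check a deployment checklist can run before applying a key.

    A raw key drawn from very few hex digits (all zeros, a repeated pattern) is
    weak. A pass phrase is weak when it is shorter than 16 characters or uses
    fewer than three character classes, as 12345678 in the example does.
    """
    parse_mesh_psk(value, fmt)
    if fmt == "raw":
        return len(set(value.lower())) < 4
    classes = (any(c.isdigit() for c in value) + any(c.islower() for c in value)
               + any(c.isupper() for c in value) + any(not c.isalnum() for c in value))
    return len(value) < 16 or classes < 3


if __name__ == "__main__":
    # Constructed sample values; "password"/"IEEE" is the published 802.11 PSK test vector.
    print(derive_pmk("password", "passphrase", "IEEE").hex())
    print("12345678 weak:", psk_is_weak("12345678", "passphrase"))
```

Run psk_is_weak over every mesh pass phrase before it goes into the Security Configuration section; a raw key generated from a CSPRNG (32 random bytes, hex-encoded) passes both checks and needs no derivation step.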
Binding an AP radio to a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon corresponding to the target mesh service to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound.
4. Click Bind.
Figure 334 Binding an AP radio to a mesh service
Enabling a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
Figure 335 Enabling a mesh service
3. Select the mesh service to be enabled.
4. Click Enable.
Displaying the detailed information of a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
3. Click a mesh service to see its detailed information.
Figure 336 Mesh service detailed information
Table 104 Field description
Field: Description
Mesh Profile Number: Mesh service number.
Mesh ID: Mesh ID of the mesh service.
Binding Interface: Mesh interface bound to the mesh service.
MKD Service: MKD (mesh key distributor) service status, which can be:
• Enable: The MKD service is enabled.
• Disable: The MKD service is disabled.
Link Keep Alive Interval: Interval at which keep-alive packets are sent.
Link Backhaul Rate: Link backhaul rate.
Mesh Profile Status: Mesh service status, which can be:
• Enable: The mesh service is enabled.
• Disable: The mesh service is disabled.
Configuring a mesh policy
Creating a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.
Figure 337 Mesh policy configuration page
3. Click Add.
Figure 338 Create a mesh policy
4. Configure the mesh policy as described in Table 105.
5. Click Apply.
Table 105 Configuration items
Item: Description
Mesh Policy Name: Name of the mesh policy to be created. A newly created mesh policy starts with the contents of the default mesh policy default_mp_plcy.
Configuring a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the icon corresponding to the target mesh policy to enter the mesh policy configuration page.
Figure 339 Configuring a mesh policy
4. Configure the mesh policy as described in Table 106.
5. Click Apply.
Table 106 Configuration items
Item: Description
Mesh Policy: Displays the name of the mesh policy.
Link establishment: Enable or disable link initiation. By default, link initiation is enabled.
IMPORTANT:
• Disable this feature when you configure an MP policy for a rail AP.
• This feature is used on train MPs in subway WLAN mesh deployment.
Minimum time to hold a link: Set the link hold time. An active link is kept for at least the link hold time, even if the link switch margin is reached. This mechanism avoids frequent link switches.
Maximum number of links: Set the maximum number of links that an MP can form in a mesh network.
IMPORTANT:
If more than 2 mesh links are configured on an AP, you must raise the maximum number of links that the MP can form accordingly.
Minimum rssi to hold a link: Set the link formation/link hold RSSI (received signal strength indicator), the minimum RSSI at which a link can be formed and held. This minimum RSSI must be available at every point in the tunnel; otherwise the error rate can be very high.
Minimum margin rssi: Set the link switch margin. If the RSSI of a new link exceeds that of the current active link by the link switch margin, the active link is switched. This mechanism avoids frequent link switches.
Maximum rssi to hold a link: Set the link saturation RSSI, the upper RSSI limit on the active link. If it is reached, the radio chipset is saturated and the active link is switched.
Interval between probe requests: Set the probe request interval.
Role as authenticator: By default, whether a device plays the authenticator role is decided by negotiation.
ratemode: Rate mode of the mesh link:
• fixed: The rate is a fixed value, the maximum rate of the current radio.
• realtime: The rate changes with the link quality, that is, with the RSSI of the current radio.
The fixed mode is used by default.
MLSP: Enable or disable the Mobile Link Switch Protocol (MLSP), which implements high-speed link switch with zero packet loss during train movement. It applies to subway WLAN mesh deployment only.
Proxy MAC Address: Select the Proxy MAC Address option to specify the MAC address of the peer device.
Proxy VLAN: VLAN ID of the peer device.
Binding an AP radio to a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the button corresponding to the target mesh policy.
4. Select the AP radio to be bound.
5. Click Bind.
Displaying the detailed information of a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.
3. Click a mesh policy to see its detailed information.
Figure 340 Mesh policy detailed information
Table 107 Field description
Field: Description
MP Policy Name: Name of the mesh policy.
Mesh Link Initiation: Whether link initiation is enabled.
Mlsp: Mobile Link Switch Protocol (MLSP) status, which can be:
• Enable: MLSP is enabled.
• Disable: MLSP is disabled.
Authenticator Role: Authenticator role status, which can be:
• Enable: The authenticator role is enabled.
• Disable: The authenticator role is disabled.
Max Links: Maximum number of links on a device using this mesh policy.
Probe Request Interval (ms): Interval between probe requests sent by a device using this mesh policy.
Link Hold RSSI: Link hold RSSI.
Link Hold Time (ms): Link hold time.
Link Switch Margin: Link switch margin.
Link saturation RSSI: Link saturation RSSI.
Link rate-mode: Method of calculating the link cost, which can be:
• Fixed: The mesh interface rate is fixed.
• real-time: The mesh interface rate changes with the RSSI in real time.
Mesh global setup
Mesh basic setup
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh global setup page.
Figure 341 Mesh basic setup
3. Configure the basic mesh settings as described in Table 108.
4. Click Apply.
Table 108 Configuration items
Item: Description
MKD-ID: Set the MKD ID, in the form of a MAC address.
• Make sure the MAC address configured is unused and has the correct vendor-specific part.
• The MAC address of an AC must not be configured as the MKD ID.
Dynamic Channel Select: Select the dynamic channel selection (DFS) mode:
• Manual: Select one-time DFS and click Apply to enable it. In manual mode, if no mesh network has been selected by hand when the next calibration interval is reached, the AC refreshes the radio information of all mesh networks it manages and displays it on the Radio Info tab of the Mesh Channel Optimize page. You can view the radio information there and select the mesh networks for which one-time DFS is to be performed on the Mesh Channel Optimize tab. After that, if you want the AC to perform DFS for the mesh network again, you must repeat this configuration.
• Auto: Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks in which the working channels of the radios are selected automatically. With auto-DFS enabled, the AC makes DFS decisions automatically at each calibration interval.
• Close: Disable DFS. At the next calibration interval, the radio information and channel switching information on the Mesh Channel Optimize page are cleared.
By default, DFS for a mesh network is disabled.
IMPORTANT:
Before enabling auto or one-time DFS for a mesh network, make sure that auto mode is selected for the working channel of the radios in the mesh network. For the related configuration, see "Radio configuration."
Enabling mesh portal service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh portal service configuration page.
Figure 342 Mesh portal service configuration page
3. Select the AP for which mesh portal service is to be enabled.
4. Click Enable.
Configuring a working channel
You can configure a working channel in one of the following ways:
Manual
1. Select Radio > Radio from the navigation tree.
Figure 343 Radio configuration page
2. On the page that appears, select a specific channel from the Channel list.
3. Click Apply.
NOTE:
Specify a working channel for the radios of both the MAP and the MPP, and make the working channel on the MAP radio the same as that on the MPP.
Auto
Set the working channel mode on the MPP and MAP to auto so that the working channel is negotiated automatically when a WDS link is established between the MPP and MAP.
NOTE:
If you set the working channel mode of the MPP and MAP radios to auto, the automatically selected working channel is a non-radar channel.
Enabling radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
Figure 344 Enabling radio
2. Select the radio mode to be enabled.
3. Click Enable.
Configuring a peer MAC address
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon corresponding to the target mesh service to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound, and click the icon to enter the page for configuring a peer MAC address.
Figure 345 Configuring a peer MAC address
4. Configure the peer MAC address as described in Table 109.
5. Click Apply.
Table 109 Configuration items
Item: Description
Peer MAC Address: MAC address of the radio at the other end of the mesh link. The mesh feature supports three topologies; for more information, see "Mesh network topologies." Mesh is implemented by configuring peer MAC addresses for each AP.
Cost: Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is calculated automatically by STP.
You can view the cost of the mesh link on the page shown in
Mesh DFS
Displaying radio information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh optimization page.
3. Click the target mesh network, and then click the Radio Info tab to enter the page shown in Figure 346 and view the radio information.
Figure 346 Displaying radio information
Displaying channel switch information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh optimization page.
3. Click the mesh network, and then select the Channel Switch Info tab to enter the page shown in Figure 347 and view the channel switching information.
Figure 347 Mesh channel switching information
NOTE:
• If you select Auto or Close for dynamic channel selection on the Global Setup tab, the Channel Optimize button on the Mesh Channel Optimize page is grayed out and the operation is not available.
• If you select manual DFS on the Global Setup tab, select the mesh networks for which DFS is to be performed, and then click Channel Optimize to perform DFS. In auto mode, DFS is performed at each calibration interval; in manual mode, DFS is performed once.
Table 110 Field description
Field: Description
AP: AP name in the mesh network.
Radio: Radio of the AP.
Date(yyyy-mm-dd): Date of the channel switch, in the format yyyy-mm-dd.
Time(hh:mm:ss): Time of the channel switch, in the format hh:mm:ss.
Displaying the mesh link status
Mesh link monitoring
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Info tab to enter the mesh link monitoring page.
Figure 348 Displaying the mesh link monitoring information
You can monitor the mesh link status in real time on the mesh link monitoring page.
Mesh link test
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Test tab to enter the mesh link test page.
Figure 349 Displaying mesh link test information
3. Select the box of the target AP.
4. Click Begin.
Normal WLAN mesh configuration example
Network requirements
As shown in Figure 350, establish a mesh link between the MAP and the MPP, and configure 802.11g on the MAP so that the client can access the network.
1. Establish a mesh link between the MPP and the MAP by following these steps:
Configure the MAP and MPP: Select AP > AP Setup from the navigation tree, and click Add to configure the MAP and MPP. For more information, see "Create an MAP and MPP."
Configure the mesh service: After creating a mesh service and configuring a pre-shared key, bind the mesh service to the AP radios and enable the mesh service. For more information, see "Create a mesh service."
Configure a mesh policy: A mesh policy exists by default. You can create a mesh policy and bind it to an AP. For more information, see "(Optional) Configure a mesh policy."
Mesh global setup: Configure an MKD-ID (one exists by default) and enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."
Configure the same working channel on the MAP and MPP, and enable the radios. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP."
2. Configure the 802.11g service on the MAP so that the client can access the WLAN. For more information, see "Wireless service configuration example."
Figure 350 Network diagram (AC, MPP, MAP and client; 802.11a and 802.11g)
Configuring the AC
1. Create an MAP and MPP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to map, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 351 AP setup
d. Configure the MPP by following the same steps.
2. Create a mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Service tab.
c. Click Add.
d. On the page that appears, set the mesh service name to outdoor and click Apply. After completing the mesh service configuration, you enter the page shown in Figure 353.
Figure 352 Creating a mesh service
Figure 353 Configuring a pre-shared key
e. Select Pass Phrase, and set the pre-shared key to 12345678. (This value is for illustration only; use a long, random pass phrase in production.)
f. Click Apply.
3. Bind an AP radio to the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the icon corresponding to the mesh service outdoor to enter the page for binding an AP radio to a mesh service.
c. Select the AP radios to be bound.
d. Click Bind.
Figure 354 Binding an AP radio to a mesh service
4. Enable the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
Figure 355 Enabling the mesh service
b. Select the mesh service to be enabled.
c. Click Enable.
5. (Optional) Configure a mesh policy. By default, the default mesh policy default_mp_plcy already exists.
NOTE:
A mesh policy exists by default. You can create a mesh policy and bind it to an AP as needed. By default, the default_mp_plcy mesh policy is mapped to an AP.
6. Configure mesh service globally:
a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global Setup tab to enter the mesh global setup page and set the MKD-ID. (By default, an MKD-ID exists.)
b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
c. Click Enable.
Figure 356 Mesh portal service configuration page
7. Configure the same working channel and enable the radio on the MAP and MPP:
a. Select Radio > Radio from the navigation tree.
b. Click the icon corresponding to the target MAP to enter the radio setup page.
Figure 357 Configuring the working channel
c. Select the channel to be used from the Channel list.
d. Click Apply.
Follow the same steps to configure the working channel for the MPP. The working channel of the radio on the MPP must be the same as that on the MAP.
8. Enable radio:
a. Select Radio > Radio from the navigation tree.
b. Select the radio modes to be enabled for the MAP and MPP.
c. Click Enable.
Figure 358 Enabling radio
Verifying the configuration
• The mesh link between the MAP and the MPP has been established, and they can ping each other.
• After the 802.11g service is configured on the MAP, the client can access the network through the mesh link.
Subway WLAN mesh configuration example
Network requirements
• As shown in Figure 359, all rail MPs are connected to an AC.
• Configure WLAN mesh so that the train MP forms links with rail MPs during movement; one of them is the active link and all others are dormant links.
Subway WLAN mesh configuration is basically the same as normal WLAN mesh configuration. Note the following guidelines when you configure subway WLAN mesh:
1. Create a rail AP mesh policy:
Disable the link initiation function. For more information, see "Configuring a mesh policy."
Enable mesh portal service. For more information, see "Enabling mesh portal service."
2. Create a train AP mesh policy:
Enable MLSP.
Configure the MLSP proxy MAC address and VLAN information.
Disable Role as authenticator. For more information, see "Configuring a mesh policy."
Set the maximum number of links that an MP can form in a mesh network (the default value is 2). For more information, see "Configuring a mesh policy."
Figure 359 Network diagram
Configuring the AC
Subway mesh configuration differs from normal WLAN mesh configuration only in the mesh policy configuration of rail APs and train APs. Other configurations are the same. For more information, see "Normal WLAN mesh configuration example."
Mesh point-to-multipoint configuration example
Network requirements
AP 1 operates as an MPP and establishes a mesh link with each of AP 2, AP 3, AP 4, and AP 5.
The mesh configuration is the same as the normal WLAN mesh configuration.
Figure 360 Network diagram (AC, AP 1 as the MPP, AP 2 through AP 5)
Configuration considerations
• Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2 through AP 5 on AP 1, and configure the MAC address of AP 1 on each of AP 2 through AP 5.
• Set the maximum number of links that an MP can form in a mesh network. The default value is 2; it must be set to 4 in this example. For more information, see "Configuring a mesh policy."
Configuring the AC
Mesh configuration is the same as normal WLAN mesh configuration. For more information, see "Normal WLAN mesh configuration example."
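The peer MAC address bindings above, as an added example that is not H3C software: a Python planner that takes the intended mesh links and each radio's MAC address, produces the peer MAC list to enter on each radio (both ends of every link must name each other), and flags radios whose peer count exceeds the mesh policy's maximum number of links, so AP 1 shows up as needing that value raised from the default 2 to 4. It also applies the MKD-ID rules from the Mesh basic setup table. The MAC addresses are constructed; the aabb-ccdd-eeff output form and the unicast check are assumptions about what the controller expects.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aabb-ccdd-eeff or aabbccddeeff and return the
    aabb-ccdd-eeff form (assumption: the H3C pages show MAC addresses this way)."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def plan_peer_macs(links: List[Tuple[str, str]], radio_mac: Dict[str, str],
                   max_links: int = 2) -> Tuple[Dict[str, List[str]], List[str]]:
    """Turn intended mesh links between radios into the per-radio peer MAC lists
    to enter on the Configuring a peer MAC address page.

    Returns (plan, overloaded): plan maps each radio to the sorted MACs of its
    peers; overloaded lists radios whose peer count exceeds max_links, the mesh
    policy "Maximum number of links" (default 2 according to the guide).
    """
    macs = {r: normalize_mac(m) for r, m in radio_mac.items()}
    if len(set(macs.values())) != len(macs):
        raise ValueError("two radios share a MAC address")
    peers = defaultdict(set)
    for a, b in links:
        if a == b:
            raise ValueError("a radio cannot peer with itself: %s" % a)
        # A mesh link is bidirectional: each side must name the other as its peer.
        peers[a].add(macs[b])
        peers[b].add(macs[a])
    plan = {r: sorted(p) for r, p in peers.items()}
    overloaded = sorted(r for r, p in plan.items() if len(p) > max_links)
    return plan, overloaded


def check_mkd_id(mkd_id: str, radio_mac: Dict[str, str], ac_mac: str) -> List[str]:
    """Checks from the Mesh basic setup table: the MKD-ID must be an unused MAC
    address and must not be the AC's MAC. The unicast check (I/G bit clear) is
    an added assumption about what a "correct vendor specific part" requires."""
    mkd = normalize_mac(mkd_id)
    problems = []
    if mkd == normalize_mac(ac_mac):
        problems.append("MKD-ID equals the AC MAC address")
    if mkd in {normalize_mac(m) for m in radio_mac.values()}:
        problems.append("MKD-ID is already used by an AP radio")
    if int(mkd[:2], 16) & 1:
        problems.append("MKD-ID is a multicast address")
    return problems


# Constructed sample: the point-to-multipoint example, AP 1 as MPP with four MPs.
RADIO_MAC = {"ap1": "000f-e200-0001", "ap2": "00:0f:e2:00:00:02",
             "ap3": "00:0f:e2:00:00:03", "ap4": "000fe2000004",
             "ap5": "00-0f-e2-00-00-05"}
LINKS = [("ap1", "ap2"), ("ap1", "ap3"), ("ap1", "ap4"), ("ap1", "ap5")]

if __name__ == "__main__":
    plan, overloaded = plan_peer_macs(LINKS, RADIO_MAC)
    for radio, peer_macs in sorted(plan.items()):
        print(radio, "peer MAC addresses:", ", ".join(peer_macs))
    print("raise Maximum number of links on:", overloaded)
    print("MKD-ID problems:", check_mkd_id("000f-e200-0001", RADIO_MAC, "000f-e2aa-0001"))
```

Running the planner with the default max_links of 2 reports ap1 as overloaded; rerunning with max_links=4 reports nothing, which is the change the configuration considerations above ask for. The plan for each MP radio contains only AP 1's MAC, matching the second bullet.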
Tri-radio mesh configuration example
Network requirements
As shown in Figure 361, set up mesh links between the MPs and the MPP. Radio 1 of the MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 join the same mesh, and Radio 3 acts as the multi-beam antenna that provides the wireless access service.
Figure 361 Network diagram
Configuration considerations
1. Configure the mesh service:
The mesh configuration here is similar to a common wireless mesh configuration. Pay attention to the following points:
Radios joining the same mesh must use the same mesh service. Bind Radio 1 of the MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 to the same mesh service.
Figure 362 Binding radios to the mesh service
On Radio 1 of the MPP, configure Radio 1 of MP 1 as the peer MAC address. Similarly, configure Radio 1 of the MPP as the peer MAC address on MP 1. Perform the same operation for Radio 2 of MP 1 and Radio 1 of MP 2.
2. Configure the access service:
As the multi-beam antenna, Radio 3 provides the wireless access service. For more information, see "Wireless service configuration example." You can follow that configuration example exactly to configure the access service.
Configuration procedure
The mesh configuration here is similar to a common wireless mesh configuration. For more information, see "Normal WLAN mesh configuration example."
Mesh DFS configuration example
Network requirements
•
As shown in
, establish an 802.11a mesh link between the MAP and MPP. The working channel is automatically selected.
•
Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions are met on the channel.
Figure 363 Network diagram
Configuration considerations
The mesh configuration in this example is similar to a common wireless mesh configuration. Note the following guidelines:
• Configure the working channel mode of the radios that provide mesh services as auto.
•
Do not configure any wireless service on radios that provide mesh services.
Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For configuration procedures, see "Normal WLAN mesh configuration example." Perform the following operations after completing the mesh configuration:
1. (Optional) Set a calibration interval:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. On the page that appears, enter the calibration interval 3 and click OK.
Figure 364 Mesh calibration interval
2. Configure mesh DFS:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Global Setup tab.
c. On the page that appears, select the Manual box for Dynamic Channel Select.
d. Click OK.
Figure 365 DFS
3. Enable one-time DFS for the mesh network:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Channel Optimize tab.
c. Select the outdoor mesh network.
d. Click Channel Optimize.
Figure 366 One-time mesh DFS
Verifying the configuration
After the next calibration interval, you can view the channel switching information:
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab.
3. Click the Channel Info tab.
4. Select the target mesh network to display the radio information.
Figure 367 Displaying mesh channel switching information
WLAN roaming configuration
The Inter AC Tunneling Protocol (IACTP) is a proprietary H3C protocol that defines how access controllers (ACs) communicate with each other. IACTP provides a generic packet encapsulation and transport mechanism between ACs for secure AC-AC communication based on the standard TCP client/server model.
A mobility group is a group of ACs that communicate with each other using IACTP. In the current version, a mobility group can contain a maximum of 8 ACs. A mobility group is formed and maintained using IACTP.
IACTP provides a control tunnel through which applications such as roaming share and exchange messages, and a data tunnel that encapsulates the data packets transported between ACs. It can be used with either IPv4 or IPv6.
When a station that supports key caching associates with any AC in a mobility group (its Home AC, or HA) for the first time, it goes through 802.1X authentication followed by the 802.11 key exchange. The station information is then synchronized across the ACs in the mobility group before the station roams, whether within an AC or across ACs. When the station roams to another AC in the mobility group (its Foreign AC, or FA), the synchronized station information is used to fast-authenticate the station: 802.1X authentication is skipped and only the 802.11 key exchange is performed, which provides seamless roaming within the mobility group.
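The association and roaming flow described above, as an added illustration that is not H3C's code: a small Python model of a mobility group in which the Home AC performs the full 802.1X authentication and key exchange, pushes the station record to every member AC, and a Foreign AC that finds the record performs only the key exchange. The AC names, the station record layout and the MAC addresses are constructed for the example; the real IACTP message formats are not modelled.

```python
"""Model of key-caching roaming inside a mobility group (added example, not H3C code)."""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_GROUP_SIZE = 8  # maximum number of ACs per mobility group stated in the text


@dataclass
class StationRecord:
    """Constructed station record; the fields actually synchronized are not documented here."""
    mac: str
    home_ac: str
    key_caching: bool


@dataclass
class AccessController:
    name: str
    cache: Dict[str, StationRecord] = field(default_factory=dict)  # records received via IACTP
    auth_log: List[str] = field(default_factory=list)


class MobilityGroup:
    def __init__(self, name: str):
        self.name = name
        self.members: Dict[str, AccessController] = {}

    def add(self, ac: AccessController) -> None:
        if len(self.members) >= MAX_GROUP_SIZE:
            raise ValueError(f"mobility group {self.name} already has {MAX_GROUP_SIZE} ACs")
        self.members[ac.name] = ac

    def first_association(self, mac: str, home_ac: str, key_caching: bool) -> StationRecord:
        """First association: full 802.1X authentication plus the 802.11 key exchange on the Home AC."""
        home = self.members[home_ac]
        home.auth_log.append(f"{mac}: 802.1X authentication + 802.11 key exchange")
        record = StationRecord(mac, home.name, key_caching)
        if key_caching:
            # Synchronize the record to every AC in the group before the station roams.
            for ac in self.members.values():
                ac.cache[mac] = record
        return record

    def roam(self, mac: str, foreign_ac: str) -> str:
        """Roam to a Foreign AC: 'fast' if a synchronized record exists there, otherwise 'full'."""
        foreign = self.members[foreign_ac]
        record = foreign.cache.get(mac)
        if record is None:
            # No cached station information: the client repeats the whole 802.1X exchange.
            foreign.auth_log.append(f"{mac}: 802.1X authentication + 802.11 key exchange")
            return "full"
        foreign.auth_log.append(f"{mac}: 802.11 key exchange only (fast roam from {record.home_ac})")
        return "fast"


if __name__ == "__main__":
    group = MobilityGroup("campus")
    for name in ("ac1", "ac2"):
        group.add(AccessController(name))
    group.first_association("000f-aaaa-0001", "ac1", key_caching=True)  # constructed MAC
    print(group.roam("000f-aaaa-0001", "ac2"))
```

A station that does not support key caching, or that roams to an AC outside the group, gets no record and therefore repeats 802.1X; that is the case to check when fast roaming appears not to work.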
Configuring WLAN roaming
Configuring a roaming group
NOTE:
Roaming group configuration is available only for inter-AC roaming. For the configuration example of inter-AC roaming, see "Inter-AC roaming configuration example."
1. Select Roam > Roam Group from the navigation tree.
Figure 368 Configuring a roaming group
2. Configure a roaming group as described in Table 111.
3. Click Apply.
Table 111 Configuration items
Item Description
Service status
• enable—Enable the IACTP service.
• disable—Disable the IACTP service.
IP type
Select IPv4 or IPv6.
Source address
Source address of the IACTP protocol.
Auth mode
MD5—Select the MD5 authentication mode. This item is optional.
When the MD5 authentication mode is selected, the integrity of control messages can be verified. The sender (an AC) calculates a digest over the content of a control message. On receiving the message, the receiver (another AC in the roaming group) calculates the digest again and compares it against the digest carried in the message to verify the integrity of the received packet. If the digests are the same, the packet has not been tampered with.
Auth key
MD5 authentication key.
If you select the MD5 authentication mode, you must enter an authentication key.
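The digest check described for the MD5 authentication mode, as an added Python example (not H3C code and not the IACTP wire format): the sending AC appends a digest to the control message, and the receiving AC recomputes it with the shared key and accepts the message only when both digests match. The packet layout (digest appended to the message) and the way the key is mixed into the digest are assumptions made for this illustration; the sample message, key and addresses are constructed.

```python
"""Integrity check for a roaming-group control message in MD5 authentication mode (added example)."""
import hashlib
import hmac
from typing import Optional

DIGEST_LEN = 16  # size of an MD5 digest in bytes


def compute_digest(key: bytes, message: bytes) -> bytes:
    # Assumed construction for this example: the shared authentication key is
    # mixed into the digest, so an AC that does not hold the key cannot produce
    # a digest that a group member will accept for an altered message.
    return hashlib.md5(key + message + key).digest()


def seal(key: bytes, message: bytes) -> bytes:
    """What the sending AC transmits: the control message followed by its digest (assumed layout)."""
    return message + compute_digest(key, message)


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: recompute the digest and return the message only if both digests match."""
    if len(packet) < DIGEST_LEN:
        return None  # too short to carry a digest at all
    body, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = compute_digest(key, body)
    # Constant-time comparison, so the comparison itself does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, received):
        return None
    return body


def tamper(packet: bytes, index: int) -> bytes:
    """Flip one bit of the packet, standing in for modification in transit."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = b"shared-roaming-key"  # constructed; the real key is the Auth key entered on each AC
    msg = b"IACTP ROAM-OUT client=000f-e27b-3d90 from=192.168.1.100"  # constructed message
    print(verify(key, seal(key, msg)) == msg)        # intact message is accepted
    print(verify(key, tamper(seal(key, msg), 10)))   # altered message is rejected (None)
```

The check covers integrity only: a matching digest shows that the message came from a holder of the key and was not altered, but the message content is not hidden, so the same key must be configured on every AC in the group and treated like any other shared secret.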
Adding a group member
1. Select Roam > Roam Group from the navigation tree.
Figure 369 Adding a group member
2. Add a group member as described in Table 112.
3. Click Add.
4. Click Apply.
Table 112 Configuration items
Item Description
IP address
Add the IP address of an AC to the roaming group.
IMPORTANT:
When you configure a roaming group, the roaming group name configured on the ACs in the same roaming group must be the same.
VLAN
Configure the VLAN to which the roaming group member belongs.
This configuration item is optional.
NOTE:
• The user profile configurations of the ACs in a roaming group must be the same. For more information, see "User configuration."
• The ACs in a roaming group cannot be configured as hot backup ACs.
Displaying client information
1. Select Roam > Roam Client from the navigation tree.
Figure 370 Displaying client information
By clicking a target client, you can view the detailed information and roaming information of the client.
The detailed information and roaming information of a client that you view by selecting Roam > Client Information are the same as those you view by selecting Summary > Client. For the related information, see "Summary."
WLAN roaming configuration examples
Intra-AC roaming configuration example
Network requirements
As shown in Figure 371, an AC has two APs associated, and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when roaming to AP 2.
Figure 371 Network diagram (AC and RADIUS server behind an L2 switch; AP 1 with BSSID 000f-e27b-3d90 and AP 2 with BSSID 000f-e233-5500, both in VLAN 1; the client roams from AP 1 to AP 2)
Configuring the AC
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server. For how to configure the RADIUS server, see "AAA configuration."
1. Create two APs:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap1, select the AP model WA2620-AGN, select manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
d. Follow the same steps to create the other AP.
2. Configure the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to Roam, and click Apply.
NOTE:
For how to configure the authentication mode, see "Access service configuration." However, fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.
3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the Roam box.
c. Click Enable.
4. Bind AP radios to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service Roam to enter the page for binding AP radios.
c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 372 Binding AP radios
5. Enable the dot11g radio:
a. Select Radio > Radio Setup from the navigation tree.
b. On the page that appears, select the box before ap1 with the radio mode 802.11n(2.4GHz), and select the box before ap2 with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 373 Enabling radio
Figure 373 Enabling radio
Verifying the configuration
1. Display the roaming information of the client:
a. Select Summary > Client from the navigation tree.
b. Select the Roam Information tab.
c. Click the desired client to view the roaming information of the client.
From the roaming information, you can see that the client accesses the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 374).
Figure 374 Client status before intra-AC roaming
d. Click Refresh.
On the page that appears, you can see that the client is connected to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 375 Client status after intra-AC roaming
2. View the Roam Status field:
a. Select Summary > Client from the navigation tree.
b. Click the Detail Information tab.
c. Click the desired client.
You can see that Intra-AC roam association is displayed in the Roam Status field.
Figure 376 Verifying intra-AC roaming
Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same, and the same wireless service must be bound to the radios of the two APs (see "Bind AP radios to the wireless service").
Inter-AC roaming configuration example
Network requirements
As shown in Figure 377, two ACs, each connected to an AP, are connected through a Layer 2 switch. Both ACs are in the same network. The IP address of AC 1 is 192.168.1.100 and that of AC 2 is 192.168.1.101. A client associates with AP 1.
Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.
Figure 377 Network diagram
Configuring AC 1 and AC 2
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server. For how to configure the RADIUS server, see "AAA configuration."
1. Establish AC-AP connections:
Configure AC 1 and AC 2 so that a connection can be established between AP 1 and AC 1, and between AP 2 and AC 2. Only after the connections are established can you see that the two APs are in the running status. To view the AP status, select Summary > AP or AP > AP Setup.
For the related configuration, see "Access service configuration."
NOTE:
For the configuration of the authentication mode, see "Access service configuration." Fast roaming supporting key caching can be implemented only when RSN+802.1X authentication is adopted.
2. Configure a roaming group:
a. Select Roam > Roam Group from the navigation tree.
b. On the page that appears, select enable from the Service status list, select IPv4 from the IP Type list, enter 192.168.1.100 (the IP address of AC 1) for Source address, enter the IP address of AC 2 in the member list, and click Add.
c. Click Apply.
Figure 378 Configuring a roaming group on AC 1
d. Create a roaming group on AC 2. The source address is the IP address of AC 2, and the member address is the IP address of AC 1. (Details not shown.)
Verifying the configuration
1. Verify the status of the roaming group:
a. On AC 1, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.101 is in Run state.
Figure 379 Verifying the roaming group state
b. On AC 2, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.100 is in Run state.
Figure 380 Verifying the roaming group state
2. Display the client information:
a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1. You can see that the client roams out of 192.168.1.100.
Figure 381 Viewing client information
b. Select Roam > Roam Client on AC 2. You can see that the client roams in to 192.168.1.100.
3. View connection information about the client that is associated with the AP, and the Roam Status field in the client detailed information:
a. Before roaming, select Summary > Client from the navigation tree on AC 1. You can see that the client is associated with AP 1.
b. After roaming, select Summary > Client from the navigation tree on AC 1. The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
c. Select Summary > Client from the navigation tree on AC 2. You can view the client information.
d. Select the Detail Information tab, and then click the desired client. You will see that Inter-AC roam association is displayed in the Roam Status field, which indicates that the client has roamed to AP 2.
Figure 382 Verifying inter-AC roaming
4. View the BSSID field:
a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail Information tab, and click the desired client to view the roaming information of the client. The roaming information in Figure 383 shows that the client connects to the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90.
Figure 383 Client status before inter-AC roaming
b. Select Summary > Client from the navigation tree on AC 2, select the Detail Information tab, and click the desired client to view the roaming information of the client. The roaming information in Figure 384 shows that the client connects to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 384 Client status after inter-AC roaming
Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
• The SSIDs and the authentication and encryption modes of the two APs should be the same.
• A roaming group must be configured on both ACs.
• Do not configure the ACs in a roaming group as AC backup.
Radio configuration
Radio overview
Radio frequency (RF) refers to electrical signals that can be transmitted through space over long distances.
Among the IEEE 802.11 standards, 802.11b/g operates at the 2.4 GHz band, 802.11a operates at the 5 GHz band, and 802.11n operates at both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in bands, each of which corresponds to a range of frequencies.
WLAN RRM overview
Radio signals are susceptible to surrounding interference. The causes of radio signal attenuation in different directions are very complex, so you need to plan carefully before deploying a WLAN. After WLAN deployment, the running parameters must still be adjusted, because the radio environment keeps changing due to interference from mobile obstacles, microwave ovens, and so on.
To adapt to environment changes, radio resources such as working channels and transmit power should be dynamically adjusted. Such adjustments are complex and must be carried out regularly by experienced personnel, which brings high maintenance costs.
WLAN radio resource management (RRM) is a scalable radio resource management solution. Through information collection (APs collect radio environment information in real time), information analysis (the AC analyzes the collected information), decision-making (the AC decides on radio resource adjustments according to the analysis results), and implementation (APs apply the configuration made by the AC for radio resource optimization), WLAN RRM delivers a real-time, intelligent, integrated radio resource management solution, which enables a WLAN to quickly adapt to radio environment changes and ensures optimal communication quality.
Dynamic frequency selection
A WLAN has limited working channels. Channel overlapping can easily occur. In addition, other radio sources such as radar and micro-wave ovens may interfere with the operation of APs. Dynamic frequency selection (DFS) can solve these problems.
With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference and interference from other radio sources.
The following conditions determine DFS:
• Error code rate—Physical layer error code and CRC errors.
• Interference—Influence of 802.11 and non-802.11 wireless signals on wireless services.
• Retransmission—APs retransmit data if they do not receive ACK messages from the AC.
• Radar signal detected on a working channel—The AC immediately notifies the AP to change its working channel.
If the first three conditions are met, the AC calculates the channel quality. The AP does not switch to the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.
Figure 385 Dynamic channel adjustment
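The channel decision just described, as an added example that is not the AC's implementation: a Python scoring function over the three measured conditions, the radar rule that forces an immediate move, and a tolerance that must be exceeded before the AP changes channel. The weights, the 0 to 100 quality scale and the per-channel measurements are constructed for this illustration; the page does not give the real quality formula or tolerance value.

```python
"""Dynamic frequency selection decision (added example, not the AC's algorithm)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ChannelStats:
    """Constructed per-channel measurements, each normalized to 0.0 (clean) .. 1.0 (unusable)."""
    channel: int
    error_rate: float      # physical-layer errors and CRC errors
    interference: float    # airtime lost to other 802.11 and non-802.11 sources
    retransmission: float  # share of frames resent for lack of an ACK
    radar: bool = False    # radar signal detected on this channel


# Assumed weights for the three conditions from the text; they sum to 100 so the score is 0..100.
WEIGHTS = {"error_rate": 40.0, "interference": 40.0, "retransmission": 20.0}


def channel_quality(stats: ChannelStats) -> float:
    """Score a channel: 100 is a clean channel, lower is worse."""
    penalty = (WEIGHTS["error_rate"] * stats.error_rate
               + WEIGHTS["interference"] * stats.interference
               + WEIGHTS["retransmission"] * stats.retransmission)
    return round(max(0.0, 100.0 - penalty), 1)


def select_channel(current: int, candidates: List[ChannelStats], tolerance: float) -> int:
    """Return the channel the AP should use after this DFS round."""
    by_channel: Dict[int, ChannelStats] = {c.channel: c for c in candidates}
    usable = [c for c in candidates if not c.radar]  # a channel with radar is never chosen
    if not usable:
        raise ValueError("no radar-free channel available")
    best = max(usable, key=channel_quality)
    now = by_channel[current]
    if now.radar:
        # Radar on the working channel: switch at once, with no tolerance check.
        return best.channel
    # Otherwise move only when the gain exceeds the tolerance; this hysteresis
    # keeps the AP from flapping between channels of nearly equal quality.
    if channel_quality(best) - channel_quality(now) > tolerance:
        return best.channel
    return current


if __name__ == "__main__":
    scan = [ChannelStats(36, 0.10, 0.20, 0.10),          # current channel, moderately loaded
            ChannelStats(40, 0.02, 0.05, 0.02),          # cleaner alternative
            ChannelStats(44, 0.00, 0.00, 0.00, radar=True)]  # excellent but radar: excluded
    print(select_channel(36, scan, tolerance=10.0))
```

Because a switch interrupts service, the tolerance is what keeps a marginal improvement from causing a change; setting it too low reproduces the channel flapping that the calibration interval note later in this chapter warns about.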
Transmit power control
Traditionally, an AP uses the maximum power to cover an area as large as possible. This method, however, affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to select a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor AP that performs power detection, and the power adjustment threshold.
NOTE:
You cannot configure the neighbor AP that performs power detection and the power adjustment threshold on the web interface.
As shown in Figure 386, APs 1, 2 and 3 cover an area. When AP 4 joins, the default maximum neighbor number 3 (configurable) is reached. Then, the APs perform power adjustment. You can see from the figure that they all reduce their transmission power.
Figure 386 Power reduction
As shown in Figure 387, when AP 3 fails or goes offline, the other APs increase their transmission power to cover the signal blackhole.
Figure 387 Power increasing
Radio setup
Configuring radio parameters
1. Select Radio > Radio from the navigation tree.
2. Click the icon of the desired AP to enter the page for AP radio setup.
Figure 388 Radio setup
3. Configure the radio as described in Table 113.
Table 113 Configuration items
Item Description
AP Name
Displays the selected AP.
Radio Unit
Displays the selected AP's radios.
Radio Mode
Displays the selected AP's radio mode.
Transmit Power
Maximum radio transmission power, which varies with country codes, channels, AP models, radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.
Channel
Specify the working channel of the radio, which varies with radio types and country codes. The working channel list varies with device models.
auto—The working channel is automatically selected. If you select this mode, the AP checks the channel quality in the WLAN and selects the channel of the best quality as its working channel.
If you modify the working channel configuration, the transmit power is automatically adjusted.
802.11n bandwidth mode
The option is available only when the AP supports 802.11n.
802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n radio (2.4 GHz) is 20 MHz.
IMPORTANT:
• If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see IEEE P802.11n D2.00.
• If you modify the bandwidth mode configuration, the transmit power is automatically adjusted.
client dot11n-only
If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want to provide access for all 802.11a/b/g clients, you must disable this function.
A-MSDU
Select the A-MSDU option to enable A-MSDU.
Multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
At present, only A-MSDUs can be received.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MSDU configuration.
A-MPDU
Select the A-MPDU option to enable A-MPDU.
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MSDU configuration.
short GI
Select short GI to enable short GI.
The 802.11a/g GI is 800 ns. You can configure a short GI of 400 ns for 802.11n. The short GI increases the throughput by 10 percent.
4. Expand Advanced Setup.
Figure 389 Radio setup (advanced setup)
5. Configure the radio as described in Table 114.
6. Click Apply.
Table 114 Configuration items
Item Description
Preamble
A preamble is a pattern of bits at the beginning of a frame that lets the receiver synchronize and be ready for the real data.
• Short preamble—A short preamble improves network performance. Therefore, this option is always selected.
• Long preamble—A long preamble ensures compatibility between the access point and some legacy client devices. Therefore, you can select this option to support legacy client devices that do not support the short preamble.
802.11a/802.11n (5 GHz) do not support this configuration.
Transmit Distance
Maximum coverage of a radio.
ANI
Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference.
• Enable—Enable ANI.
• Disable—Disable ANI.
Client Max Count
Maximum number of clients that can be associated with one radio.
Fragment Threshold
Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented.
• In a wireless network where the error rate is high, you can decrease the fragment threshold by a reasonable value. In this way, when a fragment of a frame is not received, only this fragment rather than the whole frame needs to be retransmitted, and thus the throughput of the wireless network is improved.
• In a wireless network where no collision occurs, you can increase the fragment threshold by a reasonable value to decrease acknowledgement packets and thus increase network throughput.
Beacon Interval
Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used by a client to identify nearby APs or network control devices.
RTS (CTS)
There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.
• RTS/CTS—In this mode, an AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all the devices within the coverage of the AP will not send data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all the devices within the coverage of the client will not send data within the specified time. The RTS/CTS mechanism requires two frames to implement data collision avoidance, and thus has a higher cost.
• CTS-to-Self—In this mode, an AP uses its IP address to send a CTS packet before sending data to a client, ensuring that all the devices within the coverage of the AP will not send data within the specified time. The CTS-to-Self mechanism uses only one frame to avoid data collision. However, if another device is in the coverage of the client but not in the coverage of the AP, data collision may still occur.
Compared with RTS/CTS, CTS-to-Self reduces the number of control frames. However, data collisions still occur when some clients are hidden and thus cannot receive the CTS frames sent by the AP. Therefore, the RTS/CTS mechanism can solve the data collision problem in a larger coverage than CTS-to-Self.
RTS (CTS) Threshold
If a frame is larger than the RTS (CTS) threshold, the data collision avoidance mechanism is used.
A smaller RTS/CTS threshold causes RTS/CTS packets to be sent more often, thus consuming more bandwidth. However, the more often RTS/CTS packets are sent, the quicker the system can recover from collisions.
In a high-density WLAN, you can decrease the RTS threshold to reduce collisions in the network.
IMPORTANT:
The data collision avoidance mechanism occupies bandwidth. Therefore, this mechanism applies only to data frames larger than the RTS/CTS threshold.
DTIM Period
Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The AP sends buffered broadcast/multicast frames when the DTIM counter reaches 0.
Long Retry Threshold
Number of retransmission attempts for unicast frames larger than the RTS/CTS threshold.
Short Retry Threshold
Number of retransmission attempts for unicast frames smaller than the RTS/CTS threshold if no acknowledgment is received.
Max Receive Duration
Interval for which a frame received by an AP can stay in the buffer memory.
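To show how the Fragment Threshold, RTS (CTS) Threshold and the two retry thresholds of Table 114 act together on one unicast frame, here is an added Python example (not H3C code). It fragments a frame at the fragment threshold, then applies the RTS threshold to each resulting fragment (MPDU), as 802.11 does, to decide whether RTS/CTS or CTS-to-Self precedes it and whether the long or short retry count applies. The threshold values and frame sizes are constructed.

```python
"""Effect of the fragment, RTS (CTS) and retry thresholds on one frame (added example, not H3C code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RadioParams:
    fragment_threshold: int = 2346   # bytes; frames longer than this are fragmented
    rts_threshold: int = 2346        # bytes; MPDUs longer than this use collision avoidance
    long_retry_threshold: int = 4    # retries for MPDUs larger than the RTS threshold
    short_retry_threshold: int = 7   # retries for MPDUs smaller than the RTS threshold
    protection: str = "RTS/CTS"      # the RTS (CTS) setting: "RTS/CTS" or "CTS-to-Self"


@dataclass
class Mpdu:
    length: int
    protection: Optional[str]  # None when the MPDU is sent without RTS/CTS or CTS-to-Self
    retry_limit: int


def fragment(frame_len: int, threshold: int) -> List[int]:
    """Split a frame into pieces no longer than the fragment threshold."""
    if frame_len <= threshold:
        return [frame_len]
    full, rest = divmod(frame_len, threshold)
    return [threshold] * full + ([rest] if rest else [])


def plan_transmission(frame_len: int, p: RadioParams) -> List[Mpdu]:
    """Decide, per MPDU, whether collision avoidance is used and how many retries are allowed."""
    plan = []
    for length in fragment(frame_len, p.fragment_threshold):
        # Collision avoidance costs airtime, so it is applied only above the RTS
        # threshold; the same threshold selects the long or the short retry count.
        large = length > p.rts_threshold
        plan.append(Mpdu(length,
                         p.protection if large else None,
                         p.long_retry_threshold if large else p.short_retry_threshold))
    return plan


def control_frames(plan: List[Mpdu]) -> int:
    """Control frames the plan adds: two per RTS/CTS exchange, one per CTS-to-Self."""
    return sum(2 if m.protection == "RTS/CTS" else 1 for m in plan if m.protection)


if __name__ == "__main__":
    params = RadioParams(fragment_threshold=1000, rts_threshold=500)  # constructed values
    for mpdu in plan_transmission(2300, params):                     # constructed frame size
        print(mpdu)
    print("control frames:", control_frames(plan_transmission(2300, params)))
```

Lowering the RTS threshold in a dense cell, as the table suggests, therefore trades the extra control frames counted by control_frames for fewer collisions on the large MPDUs.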
Enabling a radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
Figure 390 Enabling radio
2. Select the box of the target radio.
3. Click Enable.
Locking the channel
1. Select Radio > Radio from the navigation tree to enter the page shown in Figure 391.
Figure 391 Locking a channel
2. Select the box of the target radio.
3. Click Lock Channel.
Channel locking takes effect only when the AC adopts the auto mode. For more information about automatic channel adjustment, see "Configuring radio parameters."
If you enable channel locking and then enable the radio, the AC automatically selects an optimal channel, and then locks the channel.
When the AC detects any radar signals, it immediately selects another channel even if the current channel is locked, and then locks the new channel.
If you lock the current channel first, and then enable channel adjustment, channel adjustment does not work because the current channel is locked. Therefore, before enabling channel adjustment, make sure that the current channel is not locked. If you enable channel adjustment and then lock the current channel, the last selected channel is locked. For information about channel adjustment, see "Dynamic frequency selection." For more information about channel adjustment configuration, see "."
Locking the power
1. Select Radio > Radio from the navigation tree to enter the page shown in Figure 392.
Figure 392 Locking the current power
2. Select the box of the target radio.
3. Click Lock Power.
For transmission power configuration, see "Configuring radio parameters."
If you lock the current power first, and then enable power adjustment, power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the current power is not locked. If you enable power adjustment, and then lock the current power, the last selected power is locked. For information about power adjustment, see "." For how to configure power adjustment, see "Parameter setting."
Configuring data transmit rates
Configuring 802.11a/802.11b/802.11g rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
Figure 393 Setting 802.11a/802.11b/802.11g rates
2. Configure 802.11a/802.11b/802.11g rates as described in Table 115.
3. Click Apply.
Table 115 Configuration items
Item Description
802.11a
Configure rates (in Mbps) for 802.11a. By default:
• Mandatory rates are 6, 12, and 24.
• Supported rates are 9, 18, 36, 48, and 54.
• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11b
Configure rates (in Mbps) for 802.11b. By default:
• Mandatory rates are 1 and 2.
• Supported rates are 5.5 and 11.
• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11g
Configure rates (in Mbps) for 802.11g. By default:
• Mandatory rates are 1, 2, 5.5, and 11.
• Supported rates are 6, 9, 12, 18, 24, 36, 48, and 54.
• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
Configuring 802.11n MCS
Introduction to MCS
Mandatory and supported 802.11n rates are configured by specifying the maximum Modulation and Coding Scheme (MCS) index. The MCS data rate table shows the relations between data rates, MCS indexes, and the parameters that affect data rates. Sample MCS data rate tables for 20 MHz and 40 MHz are shown in Table 116 and Table 117, respectively. For the entire table, see IEEE P802.11n D2.00.
Table 116 and Table 117 indicate that MCS 0 through 7 are for one single spatial stream, with the highest data rate at MCS 7, and that MCS 8 through 15 are for two spatial streams, with the highest data rate at MCS 15.
Table 116 MCS index table (20 MHz)
MCS index
Number of spatial streams
Modulation
Data rate (Mbps)
800ns GI 400ns GI
Table 117 MCS index table (40 MHz)
MCS index
Number of spatial streams
Modulation
Data rate (Mbps)
800ns GI 400ns GI
For example, if you specify the maximum MCS index as 5 for mandatory rates, the rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
• Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
• Supported rates allow clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.
• Multicast MCS: Specifies 802.11n multicast data rates.
Configuring 802.11n rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
Figure 394 Setting 802.11n rate
2. Configure the 802.11n rate as described in Table 118.
3. Click Apply.
Table 118 Configuration items
Item Description
Mandatory Maximum MCS
Set the maximum MCS index for 802.11n mandatory rates.
IMPORTANT:
If you select the client dot11n-only option, you must configure the mandatory maximum MCS.
Multicast MCS
Set the multicast MCS for 802.11n.
The multicast MCS is adopted only when all the clients use 802.11n. If a non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS data rate.
IMPORTANT:
• If you configure a multicast MCS index greater than the maximum MCS index supported by the radio, the maximum MCS index is adopted.
• When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted no matter whether the 802.11n radio operates in 40 MHz mode or in 20 MHz mode.
Supported Maximum MCS
Set the maximum MCS index for 802.11n supported rates.
NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.
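Table 116 and Table 117 above have lost their rows, so the following added Python example (not H3C code) recomputes the 802.11n rates from the formula in IEEE 802.11n: data subcarriers (52 at 20 MHz, 108 at 40 MHz) times coded bits per subcarrier times code rate times spatial streams, divided by the symbol time (4 us with the 800 ns GI, 3.6 us with the 400 ns GI). It then shows the rate set that the "maximum MCS index 5" example in the text produces and applies the Multicast MCS rules of Table 118. The client population used for the multicast decision is a constructed input.

```python
"""802.11n rates per MCS index and the rate sets a maximum-MCS setting produces (added example)."""
from typing import List, Optional, Tuple

DATA_SUBCARRIERS = {20: 52, 40: 108}     # OFDM data subcarriers per channel width (MHz)
SYMBOL_TIME_US = {800: 4.0, 400: 3.6}    # OFDM symbol duration for the 800 ns and 400 ns GI
# MCS 0..7 for one spatial stream: (modulation, coded bits per subcarrier, code rate).
SINGLE_STREAM = [
    ("BPSK", 1, 1 / 2), ("QPSK", 2, 1 / 2), ("QPSK", 2, 3 / 4), ("16-QAM", 4, 1 / 2),
    ("16-QAM", 4, 3 / 4), ("64-QAM", 6, 2 / 3), ("64-QAM", 6, 3 / 4), ("64-QAM", 6, 5 / 6),
]


def mcs_entry(mcs: int) -> Tuple[int, str, int, float]:
    """(spatial streams, modulation, coded bits per subcarrier, code rate) for MCS 0..15."""
    if not 0 <= mcs <= 15:
        raise ValueError("only MCS 0-15 (one or two spatial streams) are covered here")
    streams, base = divmod(mcs, 8)          # MCS 8-15 repeat MCS 0-7 with two streams
    modulation, bpsc, code_rate = SINGLE_STREAM[base]
    return streams + 1, modulation, bpsc, code_rate


def mcs_rate(mcs: int, bandwidth_mhz: int = 20, gi_ns: int = 800) -> float:
    """Data rate in Mbps: subcarriers x bits per subcarrier x code rate x streams / symbol time."""
    streams, _, bpsc, code_rate = mcs_entry(mcs)
    bits_per_symbol = DATA_SUBCARRIERS[bandwidth_mhz] * bpsc * code_rate * streams
    return round(bits_per_symbol / SYMBOL_TIME_US[gi_ns], 1)


def rate_set(max_mcs: int, bandwidth_mhz: int = 20, gi_ns: int = 800) -> List[float]:
    """Rates configured by a 'maximum MCS' setting: every MCS from 0 up to the maximum."""
    return [mcs_rate(m, bandwidth_mhz, gi_ns) for m in range(max_mcs + 1)]


def multicast_rate(multicast_mcs: int, radio_max_mcs: int, all_clients_11n: bool) -> Optional[float]:
    """Multicast MCS rules from Table 118; None means a mandatory MCS rate is used instead."""
    if not all_clients_11n:
        return None                                   # a non-802.11n client is present
    effective = min(multicast_mcs, radio_max_mcs)     # capped at the radio's maximum MCS
    return mcs_rate(effective, 20, 800)               # 20 MHz rates apply in either bandwidth mode


def mcs_table(bandwidth_mhz: int) -> List[Tuple[int, int, str, float, float]]:
    """Rows of the sample table: MCS, streams, modulation, rate at 800 ns GI, rate at 400 ns GI."""
    rows = []
    for mcs in range(16):
        streams, modulation, _, _ = mcs_entry(mcs)
        rows.append((mcs, streams, modulation,
                     mcs_rate(mcs, bandwidth_mhz, 800), mcs_rate(mcs, bandwidth_mhz, 400)))
    return rows


if __name__ == "__main__":
    for row in mcs_table(20):
        print(row)
    print("mandatory rates for maximum MCS 5:", rate_set(5))
    print("multicast rate, all clients 802.11n:", multicast_rate(12, 7, True))
```

rate_set(5) yields 6.5 through 52 Mbps, the six rates that the "maximum MCS index 5" example in the text configures as mandatory; multicast_rate(12, 7, True) shows the cap from Table 118, where a configured multicast MCS above the radio's maximum falls back to that maximum.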
Configuring channel scanning
NOTE:
For more information about active and passive scanning, see "WLAN service configuration."
1. Select Radio > Scan from the navigation tree to enter the page for setting channel scanning.
Figure 395 Setting channel scanning
2. Configure channel scanning as described in Table 119.
3. Click Apply.
Table 119 Configuration items
Item Description
Scan Mode
Set the scan mode.
• Auto—Legal channels with the scanning mode under the country code are scanned.
• All—All the channels of the radio band are scanned.
By default, the scan mode is auto, that is, all channels of the configured country code are scanned.
Scan Non-802.11h Channel
Some 802.11h channels, also called radar channels, overlap some 802.11a channels. If the device operates on an overlapping channel, its service quality may be affected. With this function enabled, the device selects a working channel from the non-802.11h channels belonging to the configured country code to avoid channel collision.
Selecting the Scan Non-802.11h Channel option enables the function of scanning non-802.11h channels.
Scan Type
Set the scan type.
• Active—The active scanning mode requires a client to send a probe request. This scanning mode enables a client to discover APs more easily.
• Passive—Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode.
For an AP that has the monitoring function:
• Active—The AP simulates a client to send probe requests during the scanning process.
• Passive—The AP does not send probe requests during the scanning process.
If you set active scanning for the AP, it is more likely to discover devices in the WLAN.
Scan Interval
Set the scan report interval.
• A longer scan interval enables an AP to discover more devices in the WLAN.
• A shorter scan interval enables an AP to send scanning reports to an AC more frequently.
If an AP has the monitoring function, the scan report interval affects whether the scanning results can be processed in time and the frequency of message exchanges. Therefore, set the interval properly according to the actual network conditions.
Configuring calibration
Parameter setting
1.
Select Radio > Calibration from the navigation tree.
2.
Click the Parameters tab.
Figure 396 Setting channel calibration
3. Configure channel calibration as described in
4. Click Apply.
NOTE:
Channel switching results in temporary service interruption, so use the dynamic channel adjustment function with caution.
Table 120 Configuration items
Item Description
Basic Setup
Calibration Interval
Channel and power calibration interval. A calibration interval takes effect on both the mesh network channel calibration and the channel and power calibration of wireless services.
802.11g Protection Mode
• RTS/CTS—Use RTS/CTS mode to implement 802.11g protection. Before sending data to a client, an AP sends an RTS packet to the client, ensuring that all the devices within the coverage of the AP do not send data in the specified time after receiving the RTS packet. Upon receiving the RTS packet, the client replies with a CTS packet, ensuring that all the devices within the coverage of the client do not send data in the specified time.
• CTS-to-Self—Use CTS-to-Self mode to implement 802.11g protection. When an AP sends packets to a client, it uses its IP address to send a CTS packet to inform the client that it will send a packet, ensuring that all the devices within the coverage of the AP do not send data in the specified time.
802.11g Protection
802.11b devices and 802.11g devices use different modulation modes, so 802.11g protection needs to be enabled for an 802.11g device to send RTS/CTS or CTS-to-self packets to 802.11b devices, which will then defer access to the medium.
An AP running 802.11g uses the 802.11g protection function in the following two cases:
• An 802.11b client is associated with it.
• It detects APs or clients running 802.11b on the same channel.
• Enable—Enables 802.11g protection.
• Close—Disables 802.11g protection.
IMPORTANT:
• Enabling 802.11g protection reduces network performance.
• Enabling 802.11g protection applies to the second case only, because 802.11g protection is always enabled for the first case.
802.11n Protection Mode
Both RTS/CTS and CTS-to-Self modes can be adopted. The implementation of the two modes is the same as for 802.11g.
802.11n Protection
• Enable—Enables 802.11n protection. When non-802.11n wireless devices or non-802.11n clients exist within the coverage of the AP, you need to enable 802.11n protection.
• Close—Disables 802.11n protection.
Channel Setup
Note the following guidelines when configuring channel adjustment:
• Before configuring channel adjustment, make sure that the AC adopts the auto channel adjustment mode (for more information, see "Configuring radio parameters"). Otherwise, channel adjustment does not work.
• If you lock the channel first, and then enable channel adjustment (by selecting Dynamic Channel Select), channel adjustment does not work because the channel is locked. Before enabling channel adjustment, make sure that the channel is not locked.
• If you enable channel adjustment and then lock the channel, the last selected channel is locked. For how to lock the channel, see "
Dynamic Channel Select
• Close—Disables the DFS function.
• Auto—With auto DFS enabled, an AC performs DFS for a radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes DFS decisions at the calibration interval automatically.
• Manual—With one-time DFS configured for a radio, an AC performs DFS for the radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval. After that, if you want the AC to perform DFS for the radio, you have to make this configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.
CRC Error Threshold
Set the CRC error threshold value, in percentage.
Channel Interference Threshold
Set the channel interference threshold value, in percentage.
Tolerance Factor
A new channel is selected when either the configured CRC error threshold or the interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance threshold.
Spectrum Management
• Enable—Enables spectrum management.
• Close—Disables spectrum management.
Power Setup
Note the following guidelines when configuring power adjustment:
• If you lock the power first, and then enable power adjustment (by selecting Dynamic Channel Select), power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the power is not locked.
• If you enable power adjustment and then lock the power, the last selected power is locked. For how to lock the power, see "
Dynamic Power Select
• Close—Disables transmit power control (TPC).
• Auto—With auto TPC enabled, the AC performs TPC for an AP upon certain interference and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes TPC decisions at the calibration interval automatically.
• Manual—With one-time TPC configured, an AC performs TPC for the AP upon certain interference, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, if you want the AC to perform TPC for the AP, you have to make this configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.
Max Neighbor Count
Specify the maximum number of neighbors, which are managed by the same AC.
Power Constraint
Set the power constraint for all 802.11a radios. After the power constraint is set, the transmission power of a client is the current transmission power minus the configured power constraint value.
IMPORTANT:
Enable spectrum management before configuring the power constraint; otherwise, the configuration does not take effect.
Configuring a radio group
With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at the calibration interval. When the result meets a trigger condition, the AC selects a new channel or power for the radio. In an environment where interference is serious, frequent channel or power adjustments may affect user access to the WLAN network. In this case, you can configure a radio group to keep the channel or power of radios in the group unchanged within a specified time. The channel and power of radios not in the radio group are adjusted normally.
After a channel or power adjustment (one-time, auto, or initial DFS or TPC), the channel or power of any radio in the radio group keeps unchanged within the specified holddown time. When the holddown time expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel or power is changed, and the new channel or power keeps unchanged within the specified holddown time. This mechanism continues.
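The following added example (not H3C code, not part of this guide) models the channel decision that Table 120 describes, the CRC error and interference thresholds with the tolerance factor, together with the radio group holddown just described, including the radar exception from the radio group table. The threshold defaults, the quality score (100 minus the two impairments) and the radio identifiers are assumptions made for the illustration; the AC's real scoring is not documented here.

```python
# Added illustration (not H3C code) of the channel-calibration decision
# described in Table 120 and the radio-group holddown described above.
# Threshold defaults and the quality score are assumptions.
from dataclasses import dataclass, field


@dataclass
class ChannelStats:
    """Per-channel measurements as a calibration cycle would collect them."""
    channel: int
    crc_error_pct: float      # compared against the CRC Error Threshold
    interference_pct: float   # compared against the Channel Interference Threshold

    def quality(self) -> float:
        # Assumed quality score: 100 minus both impairments (not the AC's real formula).
        return 100.0 - self.crc_error_pct - self.interference_pct


@dataclass
class DfsPolicy:
    """Channel Setup parameters (values assumed, in percent)."""
    crc_error_threshold: float = 20.0
    interference_threshold: float = 50.0
    tolerance_factor: float = 10.0

    def trigger_met(self, current: ChannelStats) -> bool:
        # Either threshold being exceeded triggers a new channel selection.
        return (current.crc_error_pct > self.crc_error_threshold
                or current.interference_pct > self.interference_threshold)

    def choose(self, current: ChannelStats, candidates: list):
        """Return the channel to move to, or None to stay on the current one."""
        if not self.trigger_met(current):
            return None
        best = max(candidates, key=lambda c: c.quality())
        # The new channel is applied only when the current one is worse by the tolerance factor.
        if best.quality() - current.quality() >= self.tolerance_factor:
            return best.channel
        return None


@dataclass
class RadioGroup:
    """Radios in the group keep their channel for channel_holddown minutes after a change."""
    channel_holddown: int
    members: set
    last_change: dict = field(default_factory=dict)  # radio id -> minute of last change

    def can_adjust(self, radio: str, now: int) -> bool:
        if radio not in self.members:
            return True  # radios outside the group are adjusted normally
        last = self.last_change.get(radio)
        return last is None or now - last >= self.channel_holddown


def run_calibration(radio, now, current, candidates, policy, group, radar_detected=False):
    """One calibration cycle for one radio. Returns (new_channel or None, reason)."""
    if radar_detected:
        # Radar on the current channel overrides the holddown: switch at once, reset the timer.
        best = max(candidates, key=lambda c: c.quality())
        group.last_change[radio] = now
        return best.channel, "radar"
    if not group.can_adjust(radio, now):
        return None, "holddown"
    new_channel = policy.choose(current, candidates)
    if new_channel is None:
        return None, "no change"
    group.last_change[radio] = now
    reason = "interference" if current.interference_pct > policy.interference_threshold else "crc"
    return new_channel, reason
```

Calling `run_calibration` once per calibration interval with the radio's current and candidate channel statistics reproduces the behaviour described above: a radio in the group that just switched reports "holddown" until the interval expires, a radio outside the group switches immediately, and a radar hit bypasses the holddown and restarts it.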
NOTE:
Before entering the Radio Group page, configure channel or power adjustment on the Parameters tab.
1. Select Radio > Calibration from the navigation tree.
2. Click Radio Group.
3. Click Add.
The Radio Group page appears.
Figure 397 Configuring a radio group
4. Configure the radio group as described in
5. Click Apply.
Table 121 Configuration items
Item Description
Group ID
ID of the radio group.
Description
Description of the radio group.
By default, a radio group has no description.
Channel Holddown Interval
Specify that the current channel keeps unchanged within the specified time after a channel adjustment (manual, automatic, or initial channel selection).
IMPORTANT:
The AC immediately selects another channel when it detects any radar signals on the current channel, and then resets the channel holddown timer.
Power Holddown Interval
Specify that the current power keeps unchanged within the specified time after a power adjustment (manual or automatic power adjustment).
Radio List
• Select the target radios from the Radios Available area, and then click << to add them to the Radios Selected area.
• Select the radios to be removed from the Radios Selected area, and then click >> to remove them from the radio group.
Calibration operations
NOTE:
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the working channel and the power of the radio on the Operations tab of the Radio > Calibration page. Other information, such as the interference observed and the number of neighbors, is displayed only when RRM is enabled, that is, when dynamic power selection or automatic dynamic frequency selection is enabled. For the configuration of RRM parameters, see "Parameter setting."
Displaying channel status
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Channel Status tab.
3. Click the desired radio to enter the page for displaying channel status.
Figure 398 Channel status
Table 122 Configuration items
Item Description
Channel No
Running channel.
Neighbor Num
Number of neighbors on a channel.
Load (%)
Load detected on a channel.
Utilization (%)
Channel utilization.
Interference (%)
Interference detected on a channel.
Packet Error Rate (%)
Error rate for packets on a channel.
Retransmission Rate (%)
Retransmission rate on a channel.
Radar Detect
Radar detection status.
Displaying neighbor information
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Neighbor Info tab.
3. Click the desired radio to enter the page for displaying neighbor information.
Figure 399 Neighbor information
Table 123 Field description
Field Description
AP MAC Address
MAC address of an AP.
Channel No
Running channel.
Interference (%)
Interference detected on a channel.
RSSI (dBm)
Received signal strength indication (RSSI) of the AP, in dBm.
AP Type
AP type, managed or unmanaged.
Displaying history information
NOTE:
History information is available only if channel switching or power adjustment occurs after RRM is enabled.
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click History Info.
3. Click the desired radio to enter the page for displaying neighbor information.
Figure 400 History information
Table 124 Field description
Field Description
Radio
Radio ID of the AP.
Basic BSSID
MAC address of the AP.
Chl
Channel on which the radio operates when the channel or power changes.
Power
Power of the radio when the channel or power changes.
Load
Load observed on the radio, in percentage, when the channel or power changes.
Util
Utilization of the radio, in percentage, when the channel or power changes.
Intf
Interference observed on the radio, in percentage, when the channel or power changes.
PER
Packet error rate observed on a channel, in percentage.
Retry
Retransmission percentage observed on the radio before/after the change of channel or power.
Reason
Reason for the change of channel or power, such as interference, packets discarded, retransmission, radar, or coverage.
Date
Date when the channel or power change occurred.
Time
Time when the channel or power change occurred.
Antenna
1. Select Radio > Antenna to select an appropriate antenna for the corresponding radio.
2. Select the antenna type, Internal Antenna or User-Default external antenna, for a specific radio from the Antenna list.
3. Click Apply.
Figure 401 Antenna switch
Manual channel adjustment configuration example
Network requirements
As shown in
, configure manual channel adjustment on the AC so that the AC can perform manual channel adjustment when the channel of AP 1 is unavailable.
Figure 402 Network diagram
Configuration procedure
1. Before you configure manual channel adjustment, configure AP 1 on the AC to establish a connection between them. For the related configuration, see "Access service configuration."
2. Configure manual channel adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Select the Parameters tab.
c. Select Manual from the Dynamic Channel Select list.
d. Click Apply.
Figure 403 Configuring manual channel adjustment
3. Perform manual channel adjustment:
a. Select Radio > Calibration from the navigation tree.
b. On the Operation tab, select the box of the target radio.
c. Click Channel Optimize.
Figure 404 Performing manual channel adjustment
Verifying the configuration
• You can view the channel status on the Operation tab you enter by selecting Radio > Calibration from the navigation tree.
• After you perform manual channel calibration, the AC notifies the AP of the adjusted channel after a calibration interval.
• You can view the detailed information, such as the specific reason for channel adjustment, on the History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking Operation, and then clicking History Info.
Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you perform manual channel adjustment.
Automatic power adjustment configuration example
Network requirements
As shown in Figure 405, AP 1 through AP 3 are connected to the AC. Configure automatic power adjustment and specify the adjacency factor as 3 on the AC. In this way, when AP 4 joins, the AC performs automatic power adjustment to avoid interference.
Figure 405 Network diagram
Configuration procedure
1. Before you configure automatic power adjustment, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Access service configuration."
2. Configure automatic power adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Auto from the Dynamic Power Select list.
d. Click Apply.
Figure 406 Configuring automatic power adjustment
Verifying the configuration
• You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration from the navigation tree.
• When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches the upper limit (3 by default), and the AC performs power adjustment after the calibration interval.
• You can view the detailed information, such as the decrease of the Tx power value, on the History Info tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab, and then selecting History Info.
Radio group configuration example
Network requirements
As shown in Figure 407, AP 1 through AP 3 are connected to the AC.
• Configure automatic channel adjustment so that the AC can automatically switch the channel when the signal quality on a channel is degraded to a certain level.
• Configure automatic power adjustment so that the AC can automatically adjust the power when the third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.
• Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power adjustments for the radios.
Figure 407 Network diagram
Configuration procedure
1. Before you configure a radio group, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Access service configuration."
2. Configure automatic channel and power adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list, and click Apply.
Figure 408 Configuring automatic channel and power adjustment
3. Configure a radio group:
a. Select Radio > Calibration from the navigation tree.
b. Click Radio Group.
c. Click Add.
d. On the page that appears, enter the channel holddown interval 20 and enter the power holddown interval 30.
e. In the Radios Available area, select the target radios and click << to add them into the Radios Selected area.
f. Click Apply.
Figure 409 Configuring the radio group
Verifying the configuration
• The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20 minutes after each automatic channel adjustment.
• The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after each automatic power adjustment.
Configuring 802.1X
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, for example a WLAN, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter. It is described in the Security Configuration Guide for the product.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the network access device (the authenticator), and the authentication server, as shown in Figure 410.
Figure 410 802.1X architecture
(Figure entities: Client, Device, Authentication server)
• The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate to the network access device.
• The network access device authenticates the client to control access to the LAN. In a typical 802.1X environment, the network access device uses an authentication server to perform authentication.
• The authentication server is the entity that provides authentication services for the network access device. It authenticates 802.1X clients by using the data sent from the network access device, and returns the authentication results for the network access device to make access decisions. The authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a small LAN, you can also use the network access device as the authentication server.
For more information about the 802.1X protocol, see H3C WX Series Access Controllers Security Configuration Guide.
Access control methods
H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.
• With port-based access control, once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.
• With MAC-based access control, each user is separately authenticated on a port. When a user logs off, no other online users are affected.
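The difference between the two access control methods matters for who else rides on an authenticated port. The following added example (not H3C code, not part of this guide) replays one event sequence, one user authenticating and later logging off while a second station never authenticates, against both methods and returns what the second station could do at each stage. The MAC addresses are constructed.

```python
# Added illustration (not H3C code) of the two 802.1X access control methods
# described above: what one authenticated user implies for other users on the port.
class Port8021X:
    """Tracks which MACs may pass traffic through one 802.1X-enabled port."""

    def __init__(self, mode: str):
        if mode not in ("port-based", "mac-based"):
            raise ValueError("mode must be 'port-based' or 'mac-based'")
        self.mode = mode
        self.authenticated = set()  # MAC addresses that passed authentication

    def authenticate(self, mac: str, credentials_ok: bool) -> bool:
        """Record the authentication result the server returned for this MAC."""
        if credentials_ok:
            self.authenticated.add(mac)
        return credentials_ok

    def allows(self, mac: str) -> bool:
        """Can traffic from this MAC pass the port right now?"""
        if self.mode == "mac-based":
            return mac in self.authenticated   # each user is authenticated separately
        return bool(self.authenticated)        # port-based: any authenticated user opens the port for all

    def logoff(self, mac: str) -> None:
        if self.mode == "mac-based":
            self.authenticated.discard(mac)    # other online users are unaffected
        else:
            self.authenticated.clear()         # port-based: everyone on the port is logged off


def compare_modes() -> dict:
    """Same event sequence on both port types: alice authenticates, a second station never
    does, then alice logs off. Returns (allowed after alice's login, allowed after her logoff)
    for the second station under each mode."""
    alice, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    results = {}
    for mode in ("port-based", "mac-based"):
        port = Port8021X(mode)
        port.authenticate(alice, True)
        after_login = port.allows(other)
        port.logoff(alice)
        after_logoff = port.allows(other)
        results[mode] = (after_login, after_logoff)
    return results
```

`compare_modes()` returns `{"port-based": (True, False), "mac-based": (False, False)}`: on a port-based port the unauthenticated station is carried by alice's session and dropped with it, whereas on a MAC-based port it never gets through.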
Configuring 802.1X
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see "
" and "
."
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service type to LAN-access.
• If you want to use EAP relay when the RADIUS server does not support any EAP authentication method or no RADIUS server is available, configure the EAP server function on your network access device.
NOTE:
Configure 802.1X on a wired port. Wireless ports support only the port security feature, and port security is enabled by default on wireless ports.
Recommended configuration procedure
Task Description
1. Configuring 802.1X globally
Required.
Enable 802.1X authentication globally and configure the authentication method and advanced parameters.
By default, 802.1X authentication is disabled globally.
2. Configuring 802.1X on a port
Required.
Enable 802.1X authentication on specified ports and configure 802.1X parameters for the ports.
By default, 802.1X authentication is disabled on a port.
Configuring 802.1X globally
1.
From the navigation tree, select Authentication > 802.1X.
Figure 411 802.1X global configuration
2. In the 802.1X Configuration area, select the Enable 802.1X box.
3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
• CHAP—Sets the access device to perform EAP termination and use CHAP to communicate with the RADIUS server.
• PAP—Sets the access device to perform EAP termination and use PAP to communicate with the RADIUS server.
• EAP—Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
NOTE:
When you configure EAP relay or EAP termination, consider the following factors:
• Whether the RADIUS server supports EAP packets.
• The authentication methods supported by the 802.1X client and the RADIUS server.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use either EAP termination or EAP relay.
To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
4.
Click Advanced to expand the advanced 802.1X configuration area.
Figure 412 Advanced configuration
5. Configure advanced 802.1X settings as described in Table 125.
6. Click Apply.
Table 125 Configuration items
Item Description
Quiet
Specify whether to enable the quiet timer.
The quiet timer makes the network access device wait a period of time before it processes any authentication request from a client that has failed an 802.1X authentication.
Quiet Period
Set the value of the quiet timer.
Retry Times
Set the maximum number of authentication request attempts.
The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the TX Period option or the Supplicant Timeout Time option). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.
TX Period
Set the username request timeout timer.
• The timer starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request.
• The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
Handshake Period
Set the handshake timer.
The timer sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "
."
Re-Authentication Period
Set the periodic online user re-authentication timer.
The timer sets the interval at which the network device periodically re-authenticates online 802.1X users. A change to the periodic re-authentication timer applies to the users that are already online only after the old timer expires. For information about how to enable periodic online user re-authentication on a port, see "Configuring 802.1X on a port."
Supplicant Timeout Time
Set the client timeout timer.
The timer starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
Server Timeout Time
Set the server timeout timer.
The timer starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
TIP:
You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.
IMPORTANT:
Do not change the timer parameters of global 802.1X from their default values unless you have determined that the changes would improve the interaction process.
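To make the interplay of Retry Times with TX Period, Supplicant Timeout Time, the quiet timer and the Handshake Period concrete, the following added example (not H3C code, not part of this guide) simulates a minimal authenticator: each request is retransmitted at the relevant timer's interval until a reply arrives or Retry Times attempts are spent, a rejected client is ignored for Quiet Period seconds, and an online user that answers none of Retry Times handshakes is treated as logged off (Table 126's handshake function). The client and AAA server are callables so that slow, silent and failing peers can be played back; the timer defaults are assumptions, since the page does not list them.

```python
# Added illustration (not H3C code) of how the Table 125 timers and Retry Times
# drive retransmission, the quiet timer, and the online user handshake of Table 126.
# Default values are assumptions; the page does not list them.
from dataclasses import dataclass


@dataclass
class Timers:
    tx_period: int = 30           # EAP-Request/Identity retransmit interval, seconds (assumed)
    supplicant_timeout: int = 30  # EAP-Request/MD5 Challenge retransmit interval (assumed)
    server_timeout: int = 100     # RADIUS Access-Request retransmit interval (assumed)
    quiet_period: int = 60        # wait after a failed authentication (assumed)
    handshake_period: int = 15    # online user handshake interval (assumed)
    retry_times: int = 2          # maximum request transmission attempts (assumed)


def request_with_retries(send, timeout, retry_times):
    """Send a request and retransmit every `timeout` seconds until a reply arrives or
    retry_times attempts are spent. Returns (reply or None, attempts, seconds waited)."""
    waited = 0
    for attempt in range(1, retry_times + 1):
        reply = send(attempt)         # the peer's reply to the n-th transmission, or None
        if reply is not None:
            return reply, attempt, waited
        waited += timeout
    return None, retry_times, waited


class Authenticator:
    """Minimal 802.1X authenticator state, keyed by client MAC."""

    def __init__(self, timers: Timers, quiet_enabled: bool = True):
        self.t = timers
        self.quiet_enabled = quiet_enabled
        self.quiet_until = {}   # mac -> time before which new requests are ignored

    def authenticate(self, mac, now, identity, challenge, server):
        """identity/challenge: callables attempt -> reply or None (client side);
        server: callable (username, response) -> bool (AAA verdict).
        Returns (outcome, seconds spent waiting on the client)."""
        if self.quiet_enabled and now < self.quiet_until.get(mac, 0):
            return "quiet", 0            # quiet timer running: request not processed
        username, _, w1 = request_with_retries(identity, self.t.tx_period, self.t.retry_times)
        if username is None:
            return "no-identity", w1
        response, _, w2 = request_with_retries(challenge, self.t.supplicant_timeout, self.t.retry_times)
        if response is None:
            return "no-challenge", w1 + w2
        if server(username, response):
            return "accept", w1 + w2
        if self.quiet_enabled:
            self.quiet_until[mac] = now + self.t.quiet_period
        return "reject", w1 + w2

    def still_online(self, handshake_reply) -> bool:
        """Online user handshake: the client is considered logged off after retry_times
        unanswered handshake requests sent handshake_period seconds apart."""
        reply, _, _ = request_with_retries(handshake_reply, self.t.handshake_period, self.t.retry_times)
        return reply is not None
```

With the assumed defaults, a client that answers the second EAP-Request/Identity costs one TX Period (30 s) of waiting, a silent client is given up on after Retry Times transmissions (60 s), and a rejected client is ignored until Quiet Period has elapsed.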
Configuring 802.1X on a port
1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure
.
The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.
2. Click Add.
Figure 413 802.1X configuration on a port
3. Configure 802.1X features on a port as described in Table 126.
4. Click Apply.
Table 126 Configuration items
Item Description
Port
Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available.
NOTE:
802.1X is mutually exclusive with link aggregation group configuration on a port.
Port Control
Set the access control method for the port, which can be MAC Based or Port Based.
NOTE:
To use both 802.1X and portal authentication on a port, you must select MAC Based.
Port Authorization
Select the port authorization state for 802.1X. Options include:
• Auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.
• Force-Authorized—Places the port in authorized state, enabling users on the port to access the network without authentication.
• Force-Unauthorized—Places the port in unauthorized state, denying any access requests from users on the port.
Max Number of Users
Set the maximum number of concurrent 802.1X users on the port.
Enable Handshake
Specify whether to enable the online user handshake function.
The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in offline state. For information about the timers, see
.
NOTE:
If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.
Enable Re-Authentication
Specify whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in
.
NOTE:
• The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for server assignment of the re-authentication timer, and the re-authentication timer configuration on the server, vary with servers.
• The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.
Guest VLAN
Specify an existing VLAN as the guest VLAN. For more information, see "
."
Enable MAC VLAN
Select the box to enable MAC-based VLAN.
NOTE:
Only hybrid ports support the feature.
Auth-Fail VLAN
Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication. For more information, see "
."
Configuring an 802.1X guest VLAN
• Configuration guidelines:
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
Assign different IDs to the default VLAN and the 802.1X guest VLAN on a port, so that the port can correctly process incoming VLAN-tagged traffic.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
when you configure multiple security features on a port.
Table 127 Relationships of the 802.1X guest VLAN and other security features
MAC authentication guest VLAN on a port that performs MAC-based access control
Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.
802.1X Auth-Fail VLAN on a port that performs MAC-based access control
The 802.1X Auth-Fail VLAN has a higher priority.
Port intrusion protection on a port that performs MAC-based access control
The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
• Configuration prerequisites:
Create the VLAN to be specified as the 802.1X guest VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at the command-line interface (CLI). (802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.
Configuring an Auth-Fail VLAN
• Configuration guidelines:
Assign different IDs to the default VLAN and the 802.1X Auth-Fail VLAN on a port, so that the port can correctly process incoming VLAN-tagged traffic.
when you configure multiple security features on a port.
Table 128 Relationships of the 802.1X Auth-Fail VLAN with other features
MAC authentication guest VLAN on a port that performs MAC-based access control
The 802.1X Auth-Fail VLAN has a higher priority.
Port intrusion protection on a port that performs MAC-based access control
The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
• Configuration prerequisites:
Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger. (802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member.
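The guest VLAN and Auth-Fail VLAN sections above, together with the re-authentication note in Table 126, amount to a small set of rules about which VLAN a user lands in and when a configuration or a server response breaks the session. The following added example (not H3C code, not part of this guide) encodes them: it flags a guest or Auth-Fail VLAN that does not exist or that equals the default VLAN, picks the VLAN for a user after an authentication attempt (Auth-Fail VLAN before guest VLAN for a failed user, per Table 127), and applies the rule that a VLAN must be assigned at re-authentication exactly when one was assigned before. Treating the guest VLAN as the home of stations that never answer the authenticator follows the usual 802.1X guest VLAN role and is an assumption here; the VLAN IDs are constructed.

```python
# Added illustration (not H3C code) of the VLAN a port places a user in under the guest VLAN
# and Auth-Fail VLAN rules above, plus the consistency rules the page states.
# The "no-client" role of the guest VLAN is an assumption; VLAN IDs are constructed.
from typing import Optional


def validate_vlan_config(default_vlan: int, guest_vlan: Optional[int],
                         auth_fail_vlan: Optional[int], existing_vlans: set) -> list:
    """Return the configuration problems the page warns about (empty list = OK)."""
    problems = []
    for name, vid in (("guest VLAN", guest_vlan), ("Auth-Fail VLAN", auth_fail_vlan)):
        if vid is None:
            continue
        if vid not in existing_vlans:
            problems.append(f"{name} {vid} must be created first")   # prerequisite: create the VLAN
        if vid == default_vlan:
            # Guideline: different IDs so the port processes tagged incoming traffic correctly.
            problems.append(f"{name} {vid} must differ from the default VLAN")
    return problems


def assign_vlan(default_vlan: int, guest_vlan: Optional[int], auth_fail_vlan: Optional[int],
                outcome: str, server_vlan: Optional[int] = None) -> int:
    """VLAN for a user after one authentication attempt.
    outcome: 'no-client' (no supplicant answered), 'failed', or 'passed'."""
    if outcome == "no-client":
        return guest_vlan if guest_vlan is not None else default_vlan
    if outcome == "failed":
        # Table 127: for a failed user the Auth-Fail VLAN has priority over the guest VLAN.
        return auth_fail_vlan if auth_fail_vlan is not None else default_vlan
    if outcome == "passed":
        return server_vlan if server_vlan is not None else default_vlan
    raise ValueError(f"unknown outcome {outcome!r}")


def reauth_keeps_user_online(vlan_before: Optional[int], vlan_at_reauth: Optional[int]) -> bool:
    """Table 126 note: the server must assign a VLAN at re-authentication exactly when it
    assigned one before; the IDs may differ. A violation logs the user off."""
    return (vlan_before is None) == (vlan_at_reauth is None)
```

`reauth_keeps_user_online(30, 40)` is True (a different VLAN is fine) while `reauth_keeps_user_online(30, None)` is False (the server stopped assigning one), which is the case the note says can log the user off.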
Configuring portal authentication
Introduction to portal authentication
Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a portal website.
With portal authentication, an access device forces all users to log onto the portal website first. Every user can access the free services provided on the portal website; but to access the Internet, a user must pass portal authentication on the portal website.
A user can access a known portal website and enter username and password for authentication. This authentication mode is called active authentication. There is also another authentication mode, forced authentication, in which the access device forces a user trying to access the Internet through HTTP to log on to a portal website for authentication.
The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal website can, for example, present advertisements, and deliver community services and personalized services. In this way, broadband network providers, equipment vendors, and content service providers form an industrial ecological system.
A typical portal system comprises these basic components: authentication client, access device, portal server, authentication/accounting server, and security policy server.
Figure 414 Portal system components (authentication clients, access device, portal server, authentication/accounting server, and security policy server)
The components of a portal system interact in the following procedure:
1. When an unauthenticated user enters a website address in the address bar of the browser to access the Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request to the web authentication homepage of the portal server. For extended portal functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for a security check. If the client passes the security check, the security policy server authorizes the user to access the Internet resources.
NOTE:
The web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For more information about portal authentication, see H3C WX Series Access Controllers Security Configuration Guide.
Configuring portal authentication
Configuration prerequisites
The portal feature provides a solution for user identity authentication and security checking. However, the portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
• The portal authentication-enabled interfaces of the access device are configured with valid IP addresses or have obtained valid IP addresses through DHCP.
• The portal server and the RADIUS server have been installed and configured properly. Local portal authentication requires no independent portal server.
• With re-DHCP authentication, the invalid IP address check function of DHCP relay is enabled on the access device, and the DHCP server is installed and configured properly.
• With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS server, and the RADIUS client configurations are performed on the access device. For information about RADIUS client configuration, see "Configuring RADIUS."
• To implement extended portal functions, install and configure IMC EAD, and make sure that the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. For information about security policy server configuration on the access device, see "."
Recommended configuration procedure
Step | Remarks
1. Configuring the portal service | Required.
Configure a portal server, apply the portal server to a Layer 3 interface, and configure the portal authentication parameters.
By default, no portal server is configured.
2. Configuring advanced parameters for portal authentication | Optional.
Specify an auto redirection URL, set the time that the device must wait before redirecting an authenticated user to the auto redirection URL, and add web proxy server port numbers.
3. Configuring a portal-free rule | Optional.
Configure a portal-free rule, specifying the source and destination information for packet filtering.
A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule will not trigger portal authentication and the users can directly access the specified external websites.
By default, no portal-free policy is configured.
Configuring the portal service
1. Select Authentication > Portal from the navigation tree.
The portal server configuration page appears.
Figure 415 Portal server configuration
TIP:
A portal authentication-enabled interface can be in one of the following states:
• Running—Portal authentication has taken effect on the interface.
• Enabled—Portal authentication has been enabled on the interface but has not taken effect.
2. Click Add to enter the portal service application page.
Figure 416 Portal service application
3. Configure the portal application settings as described in Table 129.
4. Click Apply.
Table 129 Configuration items
Item | Description
Interface | Specify the Layer 3 interface to be enabled with portal authentication.
Portal Server | Specify the portal server to be applied on the specified interface. Options include:
• Select Server—Select an existing portal server from the Portal Server list.
• New Server—If you select this option from the list, the portal server configuration area, as shown in Figure 417, will be displayed at the lower part of the page. You can add a remote portal server and apply the portal server to the interface. For detailed configuration, see Table 130.
• Enable Local Server—If you select this option from the list, the local portal service configuration area, as shown in Figure 418, will be displayed at the lower part of the page. You can configure the parameters for the local portal service. For detailed configuration, see Table 131.
Method | Specify the portal authentication mode, which can be:
• Direct—Direct portal authentication.
• Layer3—Cross-subnet portal authentication.
• Re DHCP—Re-DHCP portal authentication.
IMPORTANT:
• In cross-subnet portal authentication mode, Layer 3 forwarding devices are not required to be present between the authentication client and the access device. However, if they are present, you must select the cross-subnet portal authentication mode.
• In re-DHCP portal authentication mode, a client is allowed to send out packets using a public IP address before it passes portal authentication. However, responses to the packets are restricted.
• If the local portal server is used, you can configure the re-DHCP mode but it does not take effect.
Auth Network IP / Network Mask | Specify the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication).
By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication. If an unauthenticated user is not on any authentication subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.
IMPORTANT:
The authentication subnet in direct mode is any source IP address, and that in re-DHCP mode is the private subnet to which the interface's private IP address belongs.
Authentication Domain | Specify the authentication domain for Layer 3 portal users.
After you specify an authentication domain on a Layer 3 interface, the device will use the authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed.
The available authentication domains are those specified on the page you enter by selecting Authentication > AAA from the navigation tree. For more information, see "Configuring AAA."
Figure 417 Adding a portal server
Table 130 Configuration items
Item | Description
Server Name | Enter a name for the remote portal server.
IP | Enter the IP address of the remote portal server.
Key | Enter the shared key to be used for communication between the device and the remote portal server.
Port | Enter the port number of the remote portal server.
URL | Specify the URL for HTTP packet redirection, in the format http://ip-address. By default, the IP address of the portal server is used in the URL.
IMPORTANT:
The redirection URL supports domain name resolution; however, you must configure a portal-free rule and add the DNS server address into the portal-free address range.
Figure 418 Local portal service configuration
Table 131 Configuration items
Item | Description
Server Name | Specify the local portal server name.
IP | Specify the IP address of the local portal server. You need to specify the IP address of the interface where the local portal server is applied.
URL | Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm (depending on the protocol type).
By default, the IP address of the local portal server is used in the URL.
IMPORTANT:
• To use the local portal server for stateful failover in a wireless environment, you must specify the redirection URL, and the IP address of the URL must be the virtual IP address of the VRRP group where the VRRP downlink resides.
• URL redirection supports domain name resolution, but you need to configure a portal-free rule and add the DNS server address into the portal-free address range.
Protocol | Specify the protocol to be used for authentication information exchange between the local portal server and the client. It can be HTTP or HTTPS.
PKI Domain | Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS.
The available PKI domains are those specified on the page you enter by selecting Authentication > Certificate Management from the navigation tree. For more information, see "Managing certificates."
IMPORTANT:
The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the PKI domain referenced in the other two modules.
Page Customization (SSID, Page File) | Specify the authentication page files to be bound with SSIDs as required.
After you bind SSIDs with authentication page files, when a user accesses the portal page, the local portal server pushes the authentication pages for the user according to the SSID of the user login interface and the bound authentication page file.
By default, an SSID is not bound with any authentication page file. In this case, the system pushes the default authentication pages.
You can edit an authentication page file as required and save it in the root directory or the portal directory under the root directory of the access device. For rules of customizing authentication pages, see "Customizing authentication pages."
Configuring advanced parameters for portal authentication
1. Select Authentication > Portal from the navigation tree.
2. Expand the Advanced area to show the advanced parameters for portal authentication.
Figure 419 Advanced configuration
3. Configure the advanced parameters as described in Table 132.
4. Click Apply.
Table 132 Advanced portal parameters
Item | Description
Web Proxy Server Ports | Add the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication.
Different clients may have different web proxy configurations. To make sure that clients using a web proxy can trigger portal authentication, you must first complete some other relevant configurations. When the IMC portal server is used, you must first complete the following configurations:
• If the client does not specify the portal server's IP address as a proxy exception, ensure IP connectivity between the portal server and the web proxy server and perform the following configurations on the IMC portal server:
{ Select NAT as the type of the IP group associated with the portal device.
{ Specify the proxy server's IP address as the IP address after NAT.
{ Configure the port group to support NAT.
• If the client specifies the portal server's IP address as an exception of the web proxy server, configure the IP group and port group to not support NAT.
IMPORTANT:
• If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
• If the web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.
• Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.
Redirection URL | Specify the auto redirection URL to which users will be automatically redirected after they pass portal authentication.
To access the network, an unauthenticated user either goes to or is automatically forced to the portal authentication page for authentication. If the user passes portal authentication and the access device is configured with an auto redirection URL, the access device will redirect the user to the URL after a specified period of time.
Wait-Time | Period of time that the device must wait before redirecting an authenticated portal user to the auto redirection URL.
Configuring a portal-free rule
1. Select Authentication > Portal from the navigation tree.
2. Click the Free Rule tab.
Figure 420 Portal-free rule configuration
3. Click Add.
The page for adding a new portal-free rule appears.
Figure 421 Adding a portal-free rule
4. Configure the portal-free rule as described in Table 133.
5. Click Apply.
Table 133 Configuration items
Item | Description
Number | Specify the sequence number of the portal-free rule.
Source-interface | Specify the source interface of the portal-free rule.
The SSIDs in the list are the corresponding SSIDs of the wireless ESS interfaces.
Source IP address / Mask | Specify the source IP address and mask of the portal-free rule.
Source MAC | Specify the source MAC address of the portal-free rule.
IMPORTANT:
If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address will not take effect.
Source-VLAN | Specify the source VLAN of the portal-free rule.
IMPORTANT:
If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule will not take effect.
Destination IP Address / Mask | Specify the destination IP address and mask of the portal-free rule.
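As an added illustration (not H3C code) of how the authentication-subnet rule in Table 129 and the portal-free rule caveats in Table 133 combine, the following Python model evaluates an HTTP packet from an unauthenticated user against constructed portal-free rules. All function and field names are this example's own, and re-DHCP mode is not modelled.

```python
"""Model of the access device's handling of an HTTP packet from a portal user
who has not authenticated yet, following the authentication-subnet rule
(Table 129) and the portal-free rule caveats (Table 133).

Added example, not H3C code: field and function names are this example's own,
and re-DHCP mode is not modelled (Direct and Layer3 only).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PortalFreeRule:
    number: int                                          # sequence number
    source_interface: Optional[str] = None
    source_vlan: Optional[int] = None
    source_ip: Optional[ipaddress.IPv4Network] = None    # address plus mask
    source_mac: Optional[str] = None
    destination_ip: Optional[ipaddress.IPv4Network] = None


@dataclass
class HttpPacket:
    src_ip: ipaddress.IPv4Address
    src_mac: str
    dst_ip: ipaddress.IPv4Address
    in_interface: str
    vlan: int


def rule_is_effective(rule: PortalFreeRule, interface_vlans: Dict[str, Set[int]]) -> bool:
    """A rule with both a source interface and a source VLAN takes effect only
    when that interface is in that VLAN (IMPORTANT note under Source-VLAN)."""
    if rule.source_interface is None or rule.source_vlan is None:
        return True
    return rule.source_vlan in interface_vlans.get(rule.source_interface, set())


def rule_matches(rule: PortalFreeRule, pkt: HttpPacket, interface_vlans: Dict[str, Set[int]]) -> bool:
    """True when every configured criterion of an effective rule matches the packet."""
    if not rule_is_effective(rule, interface_vlans):
        return False
    if rule.source_interface is not None and pkt.in_interface != rule.source_interface:
        return False
    if rule.source_vlan is not None and pkt.vlan != rule.source_vlan:
        return False
    if rule.source_ip is not None and pkt.src_ip not in rule.source_ip:
        return False
    # The source MAC is only honoured when no source IP is configured or its
    # mask is 255.255.255.255 (IMPORTANT note under Source MAC).
    mac_effective = rule.source_mac is not None and (
        rule.source_ip is None or rule.source_ip.prefixlen == 32)
    if mac_effective and pkt.src_mac.lower() != rule.source_mac.lower():
        return False
    if rule.destination_ip is not None and pkt.dst_ip not in rule.destination_ip:
        return False
    return True


def handle_unauthenticated_http(pkt: HttpPacket, rules: List[PortalFreeRule], mode: str,
                                auth_subnets: List[ipaddress.IPv4Network],
                                interface_vlans: Dict[str, Set[int]]) -> str:
    """Return "pass" (portal-free), "redirect" (triggers portal authentication)
    or "discard". mode is "Direct" or "Layer3"; auth_subnets is the list of
    authentication subnets configured for Layer3 mode."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, interface_vlans):
            return "pass"
    if mode == "Layer3" and not any(pkt.src_ip in net for net in auth_subnets):
        return "discard"        # user is not on any authentication subnet
    return "redirect"           # Direct mode: any source address may trigger authentication


def packet(src: str, mac: str, dst: str, iface: str, vlan: int) -> HttpPacket:
    """Helper for building constructed packets."""
    return HttpPacket(ipaddress.IPv4Address(src), mac, ipaddress.IPv4Address(dst), iface, vlan)


# Constructed sample configuration; interface-to-VLAN membership is assumed.
IFACE_VLANS = {"GigabitEthernet1/0/1": {2}, "GigabitEthernet1/0/2": {3}}
AUTH_SUBNETS = [ipaddress.IPv4Network("192.168.1.0/24")]
RULES = [
    # Rule 0 as in the configuration example: traffic arriving on GE1/0/1 is portal-free.
    PortalFreeRule(0, source_interface="GigabitEthernet1/0/1"),
    # Rule 1: let everyone reach the DNS server so a domain-name redirection URL resolves.
    PortalFreeRule(1, destination_ip=ipaddress.IPv4Network("1.1.1.3/32")),
    # Rule 2 never takes effect: GE1/0/2 is not in VLAN 2.
    PortalFreeRule(2, source_interface="GigabitEthernet1/0/2", source_vlan=2,
                   source_ip=ipaddress.IPv4Network("10.0.0.0/24")),
    # Rule 3: host /32 plus MAC, so the MAC criterion is honoured.
    PortalFreeRule(3, source_ip=ipaddress.IPv4Network("192.168.1.7/32"),
                   source_mac="00-11-22-33-44-55"),
]
# A /24 source IP together with a MAC: the MAC is silently ignored.
MAC_IGNORED_RULES = [PortalFreeRule(5, source_ip=ipaddress.IPv4Network("172.16.0.0/24"),
                                    source_mac="00-11-22-33-44-55")]

if __name__ == "__main__":
    for p in (packet("192.168.1.5", "aa-bb-cc-dd-ee-ff", "203.0.113.10", "GigabitEthernet1/0/1", 2),
              packet("10.0.0.5", "aa-bb-cc-dd-ee-ff", "203.0.113.10", "GigabitEthernet1/0/2", 3),
              packet("192.168.1.7", "aa-bb-cc-dd-ee-ff", "203.0.113.10", "GigabitEthernet1/0/2", 3)):
        print(p.src_ip, handle_unauthenticated_http(p, RULES, "Layer3", AUTH_SUBNETS, IFACE_VLANS))
```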
Customizing authentication pages
When the local portal server is used for portal authentication, the local portal server pushes authentication pages to users. You can customize the authentication pages. If you do not customize the authentication pages, the local portal server pushes the system default authentication pages to users.
Customized authentication pages exist in the form of HTML files. You can compress them and then upload them to the access device. A set of authentication pages include six main pages and some page elements. The six main pages are the logon page, the logon success page, the logon failure page, the online page, the system busy page, and the logoff success page. The page elements are the files that the authentication pages reference, for example, back.jpg for page Logon.htm. Each main authentication page can reference multiple page elements. If you define only some of the main pages, the local portal server pushes the system default authentication pages for the undefined ones to users.
For the local portal server to operate normally and steadily, you need to follow these rules when customizing authentication pages:
Rules on file names
The main pages of the authentication pages have predefined file names, which cannot be changed.
Table 134 Main authentication page file names
Main authentication page | File name | Remarks
Logon page | logon.htm |
Logon success page | logonSuccess.htm |
Logon failure page | logonFail.htm |
Online page | online.htm | Pushed for online state notification
System busy page | busy.htm | Pushed when the system is busy or the user is in the logon process
Logoff success page | logoffSuccess.htm |
NOTE:
You can name the files other than the main page files as you like. The file names and directory names are case insensitive.
Rules on page requests
The local portal server supports only Post and Get requests.
• Get requests are used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform a Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm.
• Post requests are used when users submit usernames and passwords, log on to the system, and log off the system.
Rules on Post request attributes
1. Observe the following requirements when editing a form of an authentication page:
• An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
• The username attribute is fixed as PtUser, and the password attribute is fixed as PtPwd.
• Attribute PtButton is required to indicate the action that the user requests, which can be Logon or Logoff.
• A logon Post request must contain the PtUser, PtPwd, and PtButton attributes.
• A logoff Post request must contain the PtButton attribute.
2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
The following example shows part of the script in page logon.htm.
<form action="logon.cgi" method="post">
<p>User name:<input type="text" name="PtUser" style="width:160px;height:22px" maxlength="64">
<p>Password:<input type="password" name="PtPwd" style="width:160px;height:22px" maxlength="32">
<p><input type="submit" value="Logon" name="PtButton" style="width:60px;" onclick="form.action=form.action+location.search;">
</form>
3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
The following example shows part of the script in page online.htm.
<form action=logon.cgi method = post >
<p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
</form>
Rules on page file compression and saving
• A set of authentication page files must be compressed into a standard zip file. The name of a zip file can contain only letters, digits, and underscores. The zip file of the default authentication pages must be saved with the name defaultfile.zip.
• The set of authentication pages must be located in the root directory of the zip file.
• Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file must be saved in the root directory of the device, and customized authentication files can be saved in the root directory or in the portal directory under the root directory of the device.
Rules on file size and contents
For the system to push customized authentication pages smoothly, you need to comply with the following size and content requirements on authentication pages.
• The size of the zip file of each set of authentication pages, including the main authentication pages and the page elements, must be no more than 500 KB.
• The size of a single page, including the main authentication page and the page elements, must be no more than 50 KB before being compressed.
• Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
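To check a customized page set against the file-name, Post-request, compression and size rules above before uploading it, here is an added Python checker (not part of H3C's tooling). The allow-list of static file types and the per-file reading of the 50 KB limit are this example's assumptions.

```python
"""Offline checker for a customized local portal authentication page set.

Added example, not H3C tooling: it checks a zip archive against the rules in
this section (root-directory layout, zip name, size limits, and the logon.cgi
forms with the PtUser, PtPwd and PtButton attributes). The allow-list of
static file types and the per-file reading of the 50 KB limit are assumptions.
"""
import io
import re
import zipfile
from html.parser import HTMLParser
from typing import Dict, List, Set

MAX_ZIP_BYTES = 500 * 1024     # whole set, compressed
MAX_FILE_BYTES = 50 * 1024     # per file, uncompressed (assumed reading of the page rule)
# Assumed allow-list for "static contents such as HTML, JS, CSS, and pictures".
STATIC_EXT = {"htm", "html", "js", "css", "jpg", "jpeg", "png", "gif", "bmp", "ico"}
ZIP_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.zip$")
# Attributes each page's logon.cgi form must carry (logon or logoff Post request).
REQUIRED_FORM_ATTRS = {
    "logon.htm": {"PtUser", "PtPwd", "PtButton"},
    "logonfail.htm": {"PtUser", "PtPwd", "PtButton"},
    "logonsuccess.htm": {"PtButton"},
    "online.htm": {"PtButton"},
}


class _FormScanner(HTMLParser):
    """Collects each <form>'s action and the names of the <input>s inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[tuple] = []     # (action, {input names})
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = (a.get("action", "").lower(), set())
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and "name" in a:
            self._current[1].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_form(page: str, html: str, need: Set[str]) -> List[str]:
    """Exactly one form may post to logon.cgi, and it must carry the attributes in `need`."""
    scanner = _FormScanner()
    scanner.feed(html)
    logon_forms = [names for action, names in scanner.forms if action == "logon.cgi"]
    if len(logon_forms) != 1:
        return [f"{page}: expected exactly one form with action logon.cgi, found {len(logon_forms)}"]
    return [f"{page}: logon.cgi form lacks attribute {m}" for m in sorted(need - logon_forms[0])]


def check_page_set(zip_name: str, zip_bytes: bytes) -> List[str]:
    """Return the rule violations found; an empty list means the set passes."""
    problems = []
    if not ZIP_NAME_RE.match(zip_name):
        problems.append(f"zip name {zip_name!r} may contain only letters, digits and underscores")
    if len(zip_bytes) > MAX_ZIP_BYTES:
        problems.append(f"zip is {len(zip_bytes)} bytes, limit is {MAX_ZIP_BYTES}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # File and directory names are case insensitive, so index by lower-case name.
        entries = {i.filename.lower(): i for i in zf.infolist() if not i.is_dir()}
        for name, info in entries.items():
            if "/" in name:
                problems.append(f"{info.filename}: pages must sit in the zip root, not a subdirectory")
            if info.file_size > MAX_FILE_BYTES:
                problems.append(f"{info.filename}: {info.file_size} bytes exceeds {MAX_FILE_BYTES}")
            if name.rsplit(".", 1)[-1] not in STATIC_EXT:
                problems.append(f"{info.filename}: not a static HTML/JS/CSS/picture file")
        for page, need in REQUIRED_FORM_ATTRS.items():
            if page in entries:
                html = zf.read(entries[page].filename).decode("utf-8", "replace")
                problems.extend(check_form(entries[page].filename, html, need))
    return problems


def build_zip(files: Dict[str, str]) -> bytes:
    """Constructed helper: pack {name: text} into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample set using the form markup shown in this section.
LOGON_HTML = """<html><body><form action=logon.cgi method = post >
<p>User name:<input type="text" name = "PtUser" maxlength=64>
<p>Password :<input type="password" name = "PtPwd" maxlength=32>
<p><input type=SUBMIT value="Logon" name = "PtButton">
</form></body></html>"""
ONLINE_HTML = """<html><body><form action=logon.cgi method = post >
<p><input type=SUBMIT value="Logoff" name="PtButton"></form></body></html>"""
GOOD_SET = build_zip({"logon.htm": LOGON_HTML, "online.htm": ONLINE_HTML, "back.jpg": "jpg-bytes"})
BAD_SET = build_zip({"logon.htm": LOGON_HTML.replace("PtPwd", "password"),
                     "img/back.jpg": "jpg-bytes", "online.htm": "<html><body>no form</body></html>"})

if __name__ == "__main__":
    print("ssid1.zip:", check_page_set("ssid1.zip", GOOD_SET) or "OK")
    for problem in check_page_set("bad-set.zip", BAD_SET):
        print("bad-set.zip:", problem)
```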
Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page logonSuccess.htm to the user. If the user initiates another authentication through the logon page, the system pushes the online page online.htm. You can configure the device to forcibly log off the user when the user closes either of these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:
1. Reference to file pt_private.js.
2. pt_init(), the function for triggering page loading.
3. pt_unload(), the function for triggering page unloading.
4. pt_submit(), the event handler function for Form.
The following is a script example with the added contents highlighted in gray:
<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action=logon.cgi method = post onsubmit="pt_submit()">
... ...
</body>
</html>
Redirecting authenticated users to a specified web page
To make the device automatically redirect authenticated users to a specified web page, do the following in logon.htm and logonSuccess.htm:
1. In logon.htm, set the target attribute of the form object to blank. See the contents in gray:
<form method=post action=logon.cgi target="blank">
2. Add the function for page loading pt_init() to logonSuccess.htm. See the contents in gray:
<html>
<head>
<title>LogonSuccessed</title>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
</body>
</html>
NOTE:
• H3C recommends using browser IE 6.0 or later on the authentication clients.
• Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
• If a user refreshes the logon success or online page, or jumps to another web site from either of the pages, the device also logs off the user.
• If a user is using the Chrome browser, the device cannot log off the user when the user closes the logon success or online page.
Portal authentication configuration example
Network requirements
which belongs to VLAN 3. The model and serial ID of the AP is WA2100 and 210235A29G007C00002, respectively.
AC supports the local portal server, which runs HTTPS. The local portal server can push the corresponding customized pages according to the SSID of the user logon interface.
A RADIUS server (IMC server) serves as the authentication/accounting server.
The client must pass direct portal authentication to access unrestricted Internet resources. Before authentication, the client can access only the local portal server.
Figure 422 Network diagram
Configuration prerequisites
Complete the following tasks before you perform the portal configuration:
• Configure IP addresses for the devices as shown in Figure 422 and make sure they can reach each other.
• Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained successfully. For more information, see "Managing certificates."
• Complete the editing of the authentication page files to be bound with the client SSID.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configuring the AC
1. Configure the RADIUS scheme system:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. On the page that appears, enter the scheme name system, select the server type Extended, and select Without domain name for Username Format.
d. In the RADIUS Server Configuration area, click Add.
e. On the page that appears, select Primary Authentication as the server type, enter the IP address 1.1.1.2, the port number 1812, and the key expert, enter expert again in the Confirm Key field, and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on the RADIUS scheme configuration page displays the authentication server you have just configured.
f. In the RADIUS Server Configuration area, click Add.
g. On the page that appears, select Primary Accounting as the server type, enter the IP address 1.1.1.2, the port number 1813, and the key expert, enter expert again in the Confirm Key field, and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on the RADIUS scheme configuration page displays the accounting server you have just configured.
h. Click Apply.
Figure 423 Configuring the RADIUS scheme
2. Create ISP domain test, and configure it as the default domain.
a. From the navigation tree, select Authentication > AAA.
The Domain Setup tab appears.
b. Enter the domain name test, and select Enable from the Default Domain list to use the domain test as the default domain.
c. Click Apply.
Figure 424 Creating an ISP domain
3. Configure an authentication method for the ISP domain.
a. Click the Authentication tab.
b. Select the domain name test.
c. Select the Default AuthN box and then select RADIUS as the authentication mode.
d. Select system from the Name list to use it as the authentication scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.
Figure 425 Configuring the authentication method for the ISP domain
4. Configure an authorization method for the ISP domain.
a. Click the Authorization tab.
b. Select the Default AuthZ box and then select RADIUS as the authorization mode.
c. Select system from the Name list to use it as the authorization scheme.
d. Click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 426 Configuring the authorization method for the ISP domain
5. Configure an accounting method for the ISP domain.
a. Click the Accounting tab.
b. Select the domain name test.
c. Select the Accounting Optional box, and then select Enable for this parameter.
d. Select the Default Accounting box and then select RADIUS as the accounting mode.
e. Select system from the Name list to use it as the accounting scheme.
f. Click Apply.
The configuration progress dialog box appears.
g. After the configuration process is complete, click Close.
Figure 427 Configuring the accounting method for the ISP domain
6. Create an AP.
a. From the navigation tree, select AP > AP Setup.
b. Click Create.
c. Enter the AP name ap1.
d. Select model WA2100.
e. Select the manual mode for serial ID and then enter the serial ID 210235A29G007C00002.
f. Click Apply.
Figure 428 Creating an AP
7. Create a wireless service.
a. From the navigation tree, select Wireless Service > Access Service.
b. Click New.
c. On the page that appears, enter the wireless service name abc, select clear as the wireless service type, and click Apply.
The wireless service configuration page appears.
Figure 429 Creating a wireless service
d. Enter 2 in the VLAN (Untagged) field, enter 2 in the Default VLAN field, and click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 430 Configuring parameters for the wireless service
8. Enable the wireless service.
a. On the wireless service list as shown in Figure 431, select the box before wireless service abc.
b. Click Enable.
A configuration progress dialog box appears.
c. After the configuration process is complete, click Close.
Figure 431 Enabling the wireless service
9. Bind an AP radio with the wireless service.
a. On the wireless service list, click the icon in the Operation column of wireless service abc.
b. On the page that appears, select the box before ap1 with the radio mode of 802.11g.
c. Click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 432 Binding an AP radio
10. Enable the radio.
a. From the navigation tree, select Radio > Radio.
b. Select the box before ap1 with the radio mode of 802.11g.
c. Click Enable.
Figure 433 Enabling 802.11g radio
11. Configure portal authentication.
a. From the navigation tree, select Authentication > Portal.
b. Click Add.
c. Select interface Vlan-interface2, select Enable Local Server for Portal Server, select Direct as the authentication method, select the authentication domain test, enter 192.168.1.1 as the server IP address, select HTTPS as the protocol type, select test as the PKI domain, select the box before Page Customization, and select the authentication page file ssid1.zip for SSID abc.
d. Click Apply.
Figure 434 Portal service application
12. Configure a portal-free rule for Ethernet port GigabitEthernet 1/0/1.
a. Click the Free Rule tab.
b. Click Add.
c. On the page that appears, enter the rule number 0, and select the source interface GigabitEthernet1/0/1.
d. Click Apply.
Verifying the configuration
When a user accesses subnet 1.1.1.0/24, the user is redirected to page https://192.168.1.1/portal/logon.htm and, after entering the correct username and password on the web page, the user passes the authentication.
Configuring AAA
The web interface supports configuring Internet Service Provider (ISP) domains and configuring AAA methods for ISP domains.
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
•
Authentication—Identifies users and determines whether a user is valid.
•
Authorization—Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
•
Accounting—Records all network service usage information of users, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers.
Figure 435 Network diagram for AAA
AAA can be implemented through multiple protocols. The device supports RADIUS, the most commonly used protocol in practice. For more information about RADIUS, see "Configuring RADIUS."
For more information about AAA and ISP domains, see H3C WA Series WLAN Access Points Security Configuration Guide.
Configuring AAA
Configuration prerequisites
• To deploy local authentication, configure local users on the access device as described in
• To deploy remote authentication, authorization, or accounting, create the RADIUS schemes to be referenced as described in "Configuring RADIUS."
Recommended configuration procedure
Step Remarks
1. Configuring an ISP domain
Optional.
Create ISP domains and specify one of them as the default ISP domain.
By default, there is an ISP domain named system, which is the default ISP domain.
2. Configuring authentication methods for the ISP domain
Optional.
Configure authentication methods for various types of users.
By default, all types of users use local authentication.
3. Configuring authorization methods for the ISP domain
Optional.
Specify the authorization methods for various types of users.
By default, all types of users use local authorization.
4. Configuring accounting methods for the ISP domain
Required.
Specify the accounting methods for various types of users.
By default, all types of users use local accounting.
AAA user types include LAN access users (such as 802.1X authentication users and MAC authentication users), login users (such as SSH, Telnet, FTP, and terminal access users), PPP users, Portal users, and command users.
Configuring an ISP domain
1. Select Authentication > AAA from the navigation tree.
The Domain Setup page appears.
Figure 436 Domain Setup page
2. Configure an ISP domain as described in Table 135.
3. Click Apply.
Table 135 Configuration items
Item Description
Domain Name
Enter the ISP domain name, which is for identifying the domain.
You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
Default Domain
Specify whether to use the ISP domain as the default domain. Options include:
•
Enable—Uses the domain as the default domain.
•
Disable—Uses the domain as a non-default domain.
There can only be one default domain at a time. If you specify a second domain as the default domain, the original default domain will become a non-default domain.
Configuring authentication methods for the ISP domain
1. Select Authentication > AAA from the navigation tree.
2. Click the Authentication tab to enter the authentication method configuration page.
Figure 437 Authentication method configuration page
3. Configure authentication methods for different types of users in the domain, as described in Table 136.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 136 Configuration items
Item Description
Select an ISP domain
Select the ISP domain for which you want to specify authentication methods.
Default AuthN, Name, Secondary Method
Configure the default authentication method and secondary authentication method for all types of users. Name selects the scheme when the method is RADIUS or HWTACACS.
Options include:
•
HWTACACS—Performs HWTACACS authentication. You must specify the
HWTACACS scheme to be used.
•
Local—Performs local authentication.
•
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
•
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
•
Not Set—Restore the default, that is, local authentication.
LAN-access AuthN, Name, Secondary Method
Configure the authentication method and secondary authentication method for LAN access users.
Options include:
•
Local—Performs local authentication.
•
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
•
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authentication methods.
Login AuthN, Name, Secondary Method
Configure the authentication method and secondary authentication method for login users.
Options include:
•
HWTACACS—Performs HWTACACS authentication. You must specify the
HWTACACS scheme to be used.
•
Local—Performs local authentication.
•
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
•
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authentication methods.
PPP AuthN, Name, Secondary Method
Configure the authentication method and secondary authentication method for PPP users.
Options include:
•
HWTACACS—Performs HWTACACS authentication. You must specify the
HWTACACS scheme to be used.
•
Local—Performs local authentication.
•
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
•
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authentication methods.
Portal AuthN, Name
Configure the authentication method for Portal users.
Options include:
•
Local—Performs local authentication.
•
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
•
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authentication methods.
Configuring authorization methods for the ISP domain
1. Select Authentication > AAA from the navigation tree.
2. Click the Authorization tab to enter the authorization method configuration page.
Figure 438 Authorization method configuration page
3. Configure authorization methods for different types of users in the domain, as described in Table 137.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 137 Configuration items
Item Description
Select an ISP domain
Select the ISP domain for which you want to specify authorization methods.
Default AuthZ, Name, Secondary Method
Configure the default authorization method and secondary authorization method for all types of users. Name selects the scheme when the method is RADIUS or HWTACACS.
Options include:
•
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
•
Local—Performs local authorization.
•
None—All users are trusted and authorized. A user gets the default rights of the system.
•
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
•
Not Set—Restore the default, that is, local authorization.
LAN-access AuthZ, Name, Secondary Method
Configure the authorization method and secondary authorization method for LAN access users.
Options include:
•
Local—Performs local authorization.
•
None—All users are trusted and authorized. A user gets the default rights of the system.
•
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authorization methods.
Login AuthZ, Name, Secondary Method
Configure the authorization method and secondary authorization method for login users.
Options include:
•
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
•
Local—Performs local authorization.
•
None—All users are trusted and authorized. A user gets the default rights of the system.
•
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authorization methods.
PPP AuthZ, Name, Secondary Method
Configure the authorization method and secondary authorization method for PPP users.
Options include:
•
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
•
Local—Performs local authorization.
•
None—All users are trusted and authorized. A user gets the default rights of the system.
•
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authorization methods.
Portal AuthZ, Name
Configure the authorization method for Portal users.
Options include:
•
Local—Performs local authorization.
•
None—All users are trusted and authorized. A user gets the default rights of the system.
•
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default authorization methods.
Command AuthZ, Name
Configure the authorization method for command users.
Options include:
•
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
•
Not Set—Uses the default authorization methods.
Configuring accounting methods for the ISP domain
1. Select Authentication > AAA from the navigation tree.
2. Click the Accounting tab to enter the accounting method configuration page.
Figure 439 Accounting method configuration page
3. Configure accounting methods for different types of users in the domain, as described in Table 138.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.
Table 138 Configuration items
Item Description
Select an ISP domain
Select the ISP domain for which you want to specify accounting methods.
Accounting Optional
Specify whether to enable the accounting optional feature.
With the feature enabled, a user who would otherwise be disconnected can keep using the network resources when no accounting server is available or communication with the current accounting server fails.
If accounting for such a user fails, the device no longer sends real-time accounting updates for the user.
Default Accounting, Name, Secondary Method
Configure the default accounting method and secondary accounting method for all types of users. Name selects the scheme when the method is RADIUS or HWTACACS.
Options include:
•
HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
•
Local—Performs local accounting.
•
None—Performs no accounting.
•
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
•
Not Set—Restore the default, that is, local accounting.
LAN-access Accounting, Name, Secondary Method
Configure the accounting method and secondary accounting method for LAN access users.
Options include:
•
Local—Performs local accounting.
•
None—Performs no accounting.
•
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default accounting methods.
Login Accounting, Name, Secondary Method
Configure the accounting method and secondary accounting method for login users.
Options include:
•
HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
•
Local—Performs local accounting.
•
None—Performs no accounting.
•
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default accounting methods.
PPP Accounting, Name, Secondary Method
Configure the accounting method and secondary accounting method for PPP users.
Options include:
•
HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
•
Local—Performs local accounting.
•
None—Performs no accounting.
•
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default accounting methods.
Portal Accounting, Name
Configure the accounting method for Portal users.
Options include:
•
Local—Performs local accounting.
•
None—Performs no accounting.
•
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
•
Not Set—Uses the default accounting methods.
AAA configuration example
Network requirements
As shown in Figure 440, configure the AC to perform local authentication, authorization, and accounting for Telnet users.
Figure 440 Network diagram
Configuration procedure
1. Configure a local user:
a. Select Authentication > Users from the navigation tree.
The local user management page appears.
b. Click Add.
c. Enter telnet as the username.
d. Enter abcd as the password.
e. Enter abcd again to confirm the password.
f. Select Common User as the user type.
g. Select Configure as the level.
h. Select Telnet as the service type.
i. Click Apply.
Figure 441 Configuring the local user
2. Configure ISP domain test:
a. Select Authentication > AAA from the navigation tree.
The Domain Setup page appears, as shown in Figure 442.
b. Enter test as the domain name.
c. Click Apply.
Figure 442 Configuring ISP domain test
3. Configure the ISP domain to use local authentication for login users:
a. Select Authentication > AAA from the navigation tree.
b. Click the Authentication tab.
c. Select the domain test.
d. Select the Login AuthN box and select the authentication method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 443 Configuring the ISP domain to use local authentication
4. Configure the ISP domain to use local authorization for login users:
a. Select Authentication > AAA from the navigation tree.
b. Click the Authorization tab.
c. Select the domain test.
d. Select the Login AuthZ box and select the authorization method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 444 Configuring the ISP domain to use local authorization
5.
Log in to the CLI, enable Telnet service, and configure the AC to use AAA for Telnet users.
<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
6. Verify the configuration.
Telnet to the AC and enter the username telnet@test and password abcd. You should be serviced as a user in domain test.
Telnet carries the username and password in cleartext. Outside a lab, apply the same Login AuthN and Login AuthZ settings to SSH, which is also a login user type, and leave the Telnet service disabled.
Configuring RADIUS
RADIUS overview
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS defines the packet format and message transfer mechanism, and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information.
For more information about AAA and RADIUS, see H3C WA Series WLAN Access Points Security Configuration Guide.
Configuring a RADIUS scheme
A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers. There might be authentication servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type. By default, no RADIUS scheme exists.
To configure a RADIUS scheme:
1. Select Authentication > RADIUS from the navigation tree.
Figure 445 RADIUS scheme list
2. Click Add.
Figure 446 RADIUS scheme configuration page
3. Enter a scheme name.
4. Select a server type and a username format, as described in Table 139.
Table 139 Configuration items
Item Description
Server Type
Select the type of the RADIUS servers supported by the device, which can be:
•
Standard—Specifies the standard RADIUS server. That is, the RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
•
Extended—Specifies an extended RADIUS server (usually running on IMC). In this case, the RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.
Username Format
Select the format of usernames to be sent to the RADIUS server.
A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS server.
•
Original format—Sends the username of a user on an "as is" basis.
•
With domain name—Includes the domain name in a username to be sent to the RADIUS server.
•
Without domain name—Removes the domain name of a username to be sent to the RADIUS server.
5. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.
Figure 447 Common configuration area
6. Configure the advanced parameters, as described in Table 140.
Table 140 Configuration items
Item Description
Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key
Set the shared key for RADIUS authentication packets and the shared key for RADIUS accounting packets.
RADIUS does not encrypt packets. The RADIUS client and the RADIUS authentication/accounting server use the shared key with MD5 to hide the user password and to compute the authenticator that shows a packet came from a peer holding the same key. Only if the shared key on the client and the shared key on the server are the same will the client and the server accept and respond to each other's packets.
IMPORTANT:
•
The shared keys configured on the device must be consistent with those configured on the RADIUS servers.
•
The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.
Quiet Time
Set the time the device keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server's status that it maintains. It simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries the unreachable server first, because that server is still in active state.
You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable only because the device's port for connecting to the server is temporarily out of service or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.
Server Response Timeout Time
Set the RADIUS server response timeout time.
If the device sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps improve system performance.
Request Transmission Attempts
Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
IMPORTANT:
The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75 seconds.
Realtime Accounting Interval
Set the interval for sending real-time accounting information. The interval is in minutes and must be a multiple of 3.
To implement real-time accounting, the device must send real-time accounting packets to the accounting server for online users periodically.
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval gives higher accounting precision but requires higher performance. Use a longer interval when a large number of users (1000 or more) exist. For the recommended real-time accounting intervals, see "Configuration guidelines."
Realtime Accounting Attempts
Set the maximum number of attempts for sending a real-time accounting request.
Unit for Data Flows
Specify the unit for data flows sent to the RADIUS server, which can be byte, kilo-byte, mega-byte, or giga-byte.
Unit for Packets
Specify the unit for data packets sent to the RADIUS server, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Enable EAP offload
Enable or disable the EAP offload function.
Some RADIUS servers do not support EAP authentication. They cannot process EAP packets. In this case, it is necessary to preprocess the EAP packets received from clients on the access device. This is where the EAP offload function comes in.
After receiving an EAP packet, the access device enabled with the EAP offload function first converts the authentication information in the EAP packet into the corresponding RADIUS attributes through the local EAP server, encapsulates the
EAP packet into a RADIUS request and then sends the request to the RADIUS server for authentication. When the RADIUS server receives the request, it analyzes the carried authentication information, encapsulates the authentication result in a
RADIUS packet, and then sends the packet to the local EAP server on the access device for subsequent interaction with the client.
Security Policy Server
Specify the IP address of the security policy server.
RADIUS Packet Source IP
Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
H3C recommends that you use a loopback interface address instead of a physical interface address as the source IP address, because if the physical interface is down, the response packets from the server cannot reach the device.
RADIUS Packet Backup Source IP
Specify the backup source IP address for the device to use in RADIUS packets sent to the RADIUS server.
In a stateful failover environment, the backup source IP address must be the source IP address that the remote device uses in RADIUS packets sent to the RADIUS server.
Configuring the backup source IP address in a stateful failover environment makes sure that the backup device can receive the RADIUS packets sent by the RADIUS server when the master device fails.
Buffer stop-accounting packets
Enable or disable buffering of stop-accounting requests for which no responses are received.
Stop-Accounting Attempts
Set the maximum number of stop-accounting attempts.
The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt.
If 20 consecutive attempts fail, the device discards the request.
Send accounting-on packets
Enable or disable the accounting-on feature.
The accounting-on feature enables the device to send accounting-on packets to the RADIUS servers after it reboots, so that the servers force the users who logged in through the device before the reboot to log out.
IMPORTANT:
When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots.
Accounting-On Interval
Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.
Accounting-On Attempts
Set the maximum number of accounting-on packet transmission attempts. This field is configurable only when the Send accounting-on packets option is selected.
Attribute Interpretation
Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.
7. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.
Figure 448 RADIUS server configuration page
8. Configure a RADIUS server for the RADIUS scheme as described in Table 141.
9. Click Apply to add the server to the RADIUS scheme.
10. Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.
11. On the RADIUS scheme configuration page, click Apply.
Table 141 Configuration items
Item Description
Server Type
Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
IP Address Specify the IP address of the RADIUS server.
Port
Specify the UDP port of the RADIUS server.
Key, Confirm Key
Specify the shared key for communication with the RADIUS server.
If no shared key is specified here, the shared key specified in the common configuration part is used.
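The shared-key and username-format behavior described in Table 139 and Table 140, as an added example that is not part of the H3C guide or the device software: a small Python model of the RFC 2865 rules a NAS applies with a scheme's shared key. It hides the User-Password attribute and computes and checks the Response Authenticator, so you can see what "only matching keys can talk" means on the wire: with a mismatched key the server recovers garbage instead of the password and the NAS rejects the Access-Accept. The userid@isp-name handling follows Table 139; that With domain name appends the default domain system when the user typed none is an assumption. The secret expert, user hello@bbb and password abc are the values used by the configuration example that follows.

```python
"""Added example (not H3C code): RADIUS shared-key handling and username formatting.

RFC 2865 rules a NAS applies with the scheme's shared key:
  * User-Password hiding:   password XOR MD5(secret + RequestAuthenticator), chained per 16-byte block
  * Response Authenticator: MD5(Code + ID + Length + RequestAuthenticator + Attributes + secret)
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
DEFAULT_DOMAIN = "system"   # the device's built-in default ISP domain


def split_username(name):
    """userid@isp-name -> (userid, isp-name); no '@' means the default ISP domain."""
    if "@" in name:
        userid, domain = name.rsplit("@", 1)
        return userid, domain
    return name, DEFAULT_DOMAIN


def format_username(name, fmt):
    """Username as sent to the server for the scheme's Username Format setting.
    Assumption: 'with-domain' appends the domain actually used when the user typed none."""
    userid, domain = split_username(name)
    return {"original": name,
            "with-domain": f"{userid}@{domain}",
            "without-domain": userid}[fmt]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, chain MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = _xor(pw[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password(); a wrong secret yields garbage, not an error."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00").decode("utf-8", errors="replace")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header (last one wins)."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS -> server. The Request Authenticator is 16 random bytes unless one is supplied."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Server -> NAS; the Response Authenticator binds the reply to the request and the key."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """NAS check on a reply: recompute the Response Authenticator with our own key."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def exchange(username, password, client_secret, server_secret, fmt="without-domain"):
    """One Access-Request/Access-Accept round trip with possibly different keys on each side.
    Returns (username seen by server, password recovered by server, NAS accepts reply)."""
    request_auth = os.urandom(16)
    request = build_access_request(1, format_username(username, fmt), password,
                                   client_secret, request_auth)
    seen = parse_attributes(request)
    server_name = seen[ATTR_USER_NAME].decode()
    server_pw = reveal_password(seen[ATTR_USER_PASSWORD], server_secret, request_auth)
    reply = build_access_accept(1, request[4:20], server_secret)
    return server_name, server_pw, verify_response(reply, request_auth, client_secret)


if __name__ == "__main__":
    print(exchange("hello@bbb", "abc", b"expert", b"expert"))   # matching keys
    print(exchange("hello@bbb", "abc", b"expert", b"wrong"))    # mismatched keys
```

Note what the model makes visible: the password is hidden with MD5 keyed by the shared secret, so the strength of the secret is all that protects it on the path between the AC and the server, and a server that does not know the secret still receives and parses the request; it only recovers the wrong password. Keep the key long and random, keep the RADIUS path on a management network, and expect the first symptom of a key mismatch to be authentication failures, not a protocol error.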
RADIUS configuration example
Network requirements
As shown in Figure 449, a RADIUS server running on IMC uses UDP ports 1812 and 1813 to provide authentication and accounting services respectively.
Configure the AC to use the RADIUS server for Telnet user authentication and accounting, and to remove domain names from the usernames sent to the server.
On the RADIUS server, configure a Telnet user account with the username hello@bbb and the password abc, and set the EXEC privilege level to 3 for the user.
Set the shared keys for packet exchange between the AC and the RADIUS server to expert.
Figure 449 Network diagram
Configuration procedure
1. Configure RADIUS scheme system:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. Enter the scheme name system, select the server type Extended, and select the username format Without domain name.
d. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.
e. Select the server type Primary Authentication, enter 10.1.1.1 as the IP address of the primary authentication server, 1812 as the port number, and expert as the key, and click Apply to add the primary authentication server to the scheme.
Figure 450 RADIUS authentication server configuration page
f. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page again.
g. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary accounting server, enter the port number 1813 and the key expert, and click Apply, as shown in Figure 451.
The RADIUS scheme configuration page refreshes and the added servers appear in the server list, as shown in Figure 452.
h. Click Apply to finish the scheme configuration.
Figure 451 RADIUS accounting server configuration page
426
Figure 452 RADIUS scheme configuration
2. Create an ISP domain:
a. From the navigation tree, select Authentication > AAA.
The domain setup page appears.
b. Enter bbb in the Domain Name box.
c. Click Apply.
Figure 453 Creating an ISP domain
3. Configure an authentication method for the ISP domain:
a. Click the Authentication tab.
b. Select the domain name bbb.
c. Select the Default AuthN box and then select the authentication mode RADIUS.
d. Select the RADIUS scheme system from the Name list to use it as the authentication scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 454 Configuring an authentication method for the ISP domain
4. Configure an authorization method for the ISP domain:
a. Click the Authorization tab.
b. Select the domain name bbb.
c. Select the Default AuthZ box and select the authorization mode RADIUS.
d. Select the RADIUS scheme system from the Name list to use it as the authorization scheme.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.
Figure 455 Configuring an authorization method for the ISP domain
5. Configure an accounting method for the ISP domain, and enable accounting optional:
a. Click the Accounting tab.
b. Select the domain name bbb.
c. Select the Accounting Optional box and then select Enable.
d. Select the Default Accounting box and then select the accounting mode RADIUS.
e. Select the RADIUS scheme system from the Name list to use it as the accounting scheme.
f. Click Apply.
A configuration progress dialog box appears.
g. After the configuration progress is complete, click Close.
Figure 456 Configuring an accounting method for the ISP domain
6. Enable the Telnet service:
a. From the navigation tree, select Network > Service.
b. Select the Enable Telnet service box.
c. Click Apply.
Figure 457 Enabling the Telnet service
7.
Log in to the CLI, and configure the VTY user interfaces to use AAA for user access control.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
Verifying the configuration
Telnet to the AC and enter the username hello@bbb and password abc. You can log in and access commands of levels 0 through 3.
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
• Accounting for FTP users is not supported.
•
If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
• The status of RADIUS servers (blocked or active) determines which servers the device communicates with, or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:
  • When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the current authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  • Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user can no longer be delivered to the server.
  • If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.
  • When the primary server and secondary servers are all in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
  • If one server is in active state but all the others are in blocked state, the device only tries to communicate with the server in active state, even if that server is unavailable.
  • After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.
• It is a good practice to use the recommended real-time accounting intervals listed in Table 142.
Table 142 Recommended real-time accounting intervals
Number of users | Real-time accounting interval (in minutes)
1 to 99 | 3
100 to 499 | 6
500 to 999 | 12
1000 or more | 15 or more
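The server selection rules above, together with the stop-accounting retry described for Stop-Accounting Attempts in Table 140 (response timeout 3 seconds, 5 transmission attempts, 20 stop-accounting attempts), as an added example that is not part of the H3C guide or the device software: a Python simulation of how a NAS walks its RADIUS servers. It is a model written for this page, not device code. It assumes that the transmission attempt count includes the first send, that a failed stop-accounting attempt is retried immediately rather than later from a buffer, and it runs on a simulated clock so the timing of each rule can be checked without waiting.

```python
"""Added example (not H3C code): how a NAS walks its RADIUS servers, simulated.

Rules modeled from "Configuration guidelines": primary first, then secondaries in the
configured order; a server that does not answer within timeout x attempts is blocked for
the quiet time (quiet time 0 never blocks); when every server is blocked only the primary
is probed; a response puts a server back to active; stop-accounting for a session stays
on the accounting server that handled it. Time is a simulated clock in seconds.
"""
ACTIVE, BLOCKED = "active", "blocked"


class Server:
    def __init__(self, name, reachable=True):
        self.name = name
        self.reachable = reachable   # simulated link state, toggled by the caller
        self.state = ACTIVE
        self.blocked_at = None


class Scheme:
    def __init__(self, primary, secondaries=(), quiet_time=300, timeout=3, attempts=3):
        self.primary = primary
        self.secondaries = list(secondaries)   # configured earlier = higher priority
        self.quiet_time = quiet_time           # seconds a server stays blocked; 0 = never block
        self.timeout = timeout                 # server response timeout, seconds
        self.attempts = attempts               # request transmission attempts per server
        self.clock = 0                         # simulated time, seconds

    def advance(self, seconds):
        self.clock += seconds

    def _servers(self):
        return [self.primary, *self.secondaries]

    def _expire_quiet_timers(self):
        for s in self._servers():
            if s.state == BLOCKED and self.clock - s.blocked_at >= self.quiet_time:
                s.state = ACTIVE

    def transmit(self, server):
        """Send one request with retransmissions. Each unanswered try costs `timeout`
        seconds; a reply marks the server active, whatever state it was in."""
        for _ in range(self.attempts):
            if server.reachable:
                server.state = ACTIVE
                return True
            self.advance(self.timeout)
        return False

    def _block(self, server):
        if self.quiet_time > 0:
            server.state = BLOCKED
            server.blocked_at = self.clock

    def select(self):
        """Return the server that answers an authentication/accounting request, or None."""
        self._expire_quiet_timers()
        # The active list is a snapshot: a server whose quiet timer expires during this
        # search is not re-checked until the next request.
        candidates = [s for s in self._servers() if s.state == ACTIVE]
        if not candidates:
            return self.primary if self.transmit(self.primary) else None
        for s in candidates:
            if self.transmit(s):
                return s
            self._block(s)
        return None

    def stop_accounting(self, server, stop_attempts=20):
        """Stop-accounting for a session: each failed attempt (attempts x timeout) is
        buffered and retried; after `stop_attempts` failures the request is discarded."""
        for attempt in range(1, stop_attempts + 1):
            if self.transmit(server):
                return "sent", attempt
        return "discarded", stop_attempts


def worst_case_stop_accounting_seconds(timeout, attempts, stop_attempts):
    """How long a dead accounting server keeps one buffered stop-accounting request alive."""
    return timeout * attempts * stop_attempts


if __name__ == "__main__":
    primary, backup = Server("primary", reachable=False), Server("secondary")
    scheme = Scheme(primary, [backup], quiet_time=300, timeout=3, attempts=5)
    chosen = scheme.select()
    print(chosen.name, primary.state, scheme.clock)      # secondary blocked 15
    print(worst_case_stop_accounting_seconds(3, 5, 20))  # 300
```

Two things the simulation makes concrete. First, every request that hits a dead primary with quiet time 0 pays the full timeout x attempts delay before failing over, which is why the 75-second cap on that product matters for login latency. Second, with the Table 140 defaults a single unreachable accounting server ties up each buffered stop-accounting request for 300 seconds, so a server outage shows up as a growing buffer of stop requests long before the sessions themselves are affected.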
Configuring the local EAP service
In some simple application environments, you may want to use an access device to authenticate users locally, instead of deploying AAA servers for user authentication. When the Extensible Authentication Protocol (EAP) is used for user authentication, configure the local EAP authentication server to cooperate with the local authentication method of AAA for local EAP authentication. For more information about AAA, see "Configuring AAA."
Configuration procedure
1. Select Authentication > Local EAP Server from the navigation tree.
The Local EAP service configuration page appears.
Figure 458 Local EAP service configuration page
2. Configure the local EAP service as described in Table 143.
3. Click Apply.
Table 143 Configuration items
Item Description
Status
Enable or disable the EAP server.
If the EAP server is enabled, the EAP authentication method and PKI domain settings are required.
Method
Specify the EAP authentication methods, including:
• MD5—Uses Message Digest 5 (MD5) challenge-response authentication (EAP-MD5). EAP-MD5 authenticates only the client, not the server, and derives no keying material, so it cannot protect a wireless link on its own.
• TLS—Uses the Transport Layer Security (TLS) protocol for authentication (EAP-TLS); the server and the client each present a certificate.
• PEAP-MSCHAPV2—Uses the Protected Extensible Authentication Protocol (PEAP) to establish a TLS tunnel and authenticates the user inside the tunnel with the Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2).
• PEAP-GTC—Uses PEAP to establish a TLS tunnel and authenticates the user inside the tunnel with the Generic Token Card (GTC) method.
When an EAP client and the local server communicate for EAP authentication, they first negotiate the EAP authentication method to be used. During negotiation, the local server proposes the authentication method with the highest priority in the EAP authentication method list. If the client supports that method, the negotiation succeeds and they proceed with authentication. Otherwise, the local server tries the method with the next highest priority, until a supported one is found or the list is exhausted, in which case the local server sends an EAP-Failure packet to the client to notify it of the authentication failure.
TIP:
• You can select more than one authentication method. An authentication method selected earlier has a higher priority.
• PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive.
PKI domain
Specify the PKI domain for EAP authentication. The local certificate in this domain is the server certificate presented during the TLS handshake of TLS and PEAP.
The available PKI domains are those configured on the page you enter by selecting Authentication > Certificate Management. For more information, see "Managing certificates."
NOTE:
The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the PKI domain referenced by the other two.
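The method negotiation described under Method, carried out at the EAP packet level, as an added example written for this page (not H3C code). The header layout and the Request/Response/Nak codes are the standard ones from RFC 3748 and the method type numbers are the IANA-registered values; that the server simply walks its list in priority order and answers EAP-Failure when the list is exhausted follows the table text. The example also makes the TIP concrete: both PEAP variants share the same outer EAP type, the inner method is chosen only inside the TLS tunnel, which is why the two cannot be listed together.

```python
"""EAP method negotiation between the local EAP server and a client.
Added illustration for this page, not H3C code."""

import struct
from typing import List, Optional, Set, Tuple

# EAP codes and method types (RFC 3748 section 4; IANA EAP method registry)
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_NAK, TYPE_MD5, TYPE_GTC, TYPE_TLS, TYPE_PEAP = 3, 4, 6, 13, 25

# Outer EAP type for each method the web page lets you select. Both PEAP
# variants share the same outer type; the inner method is chosen inside the
# TLS tunnel, which is why the page says they are mutually exclusive.
OUTER_TYPE = {"MD5": TYPE_MD5, "TLS": TYPE_TLS,
              "PEAP-MSCHAPV2": TYPE_PEAP, "PEAP-GTC": TYPE_PEAP}


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None,
               data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> Tuple[int, int, Optional[int], bytes]:
    """Return (code, identifier, type or None, type-data); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def validate_method_list(methods: List[str]) -> None:
    """Server-side check mirroring the TIP in Table 143."""
    unknown = [m for m in methods if m not in OUTER_TYPE]
    if unknown:
        raise ValueError(f"unknown EAP methods: {unknown}")
    if "PEAP-MSCHAPV2" in methods and "PEAP-GTC" in methods:
        raise ValueError("PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive")


def client_answer(request: bytes, supported: Set[int]) -> bytes:
    """Peer side: accept the proposed type, or send a legacy Nak listing the
    types it is willing to use (a single 0 means none of them)."""
    code, ident, eap_type, _ = parse_eap(request)
    if code != CODE_REQUEST or eap_type is None:
        raise ValueError("expected an EAP-Request carrying a method type")
    if eap_type in supported:
        return eap_packet(CODE_RESPONSE, ident, eap_type)
    desired = bytes(sorted(supported)) or bytes([0])
    return eap_packet(CODE_RESPONSE, ident, TYPE_NAK, desired)


def negotiate(server_methods: List[str],
              client_supported: Set[int]) -> Tuple[Optional[str], List[bytes]]:
    """Server side: walk the list in priority order (earlier = higher priority)
    and stop at the first method the client accepts. Returns the agreed method
    name (None when EAP-Failure was sent) and the packets exchanged."""
    validate_method_list(server_methods)
    transcript: List[bytes] = []
    ident = 1
    for name in server_methods:
        req = eap_packet(CODE_REQUEST, ident, OUTER_TYPE[name])
        resp = client_answer(req, client_supported)
        transcript += [req, resp]
        _, _, rtype, _ = parse_eap(resp)
        if rtype != TYPE_NAK:
            return name, transcript    # method agreed; authentication continues
        ident = (ident + 1) & 0xFF
    transcript.append(eap_packet(CODE_FAILURE, ident))
    return None, transcript


if __name__ == "__main__":
    agreed, pkts = negotiate(["TLS", "PEAP-MSCHAPV2", "MD5"], {TYPE_PEAP})
    print(agreed, [p.hex() for p in pkts])
```

A client that only supports PEAP first Naks the TLS proposal (its Nak lists type 25), then accepts the PEAP request; a client supporting only MD5 against a TLS-only server receives EAP-Failure after one round.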
Local EAP service configuration example
Network requirements
As shown in Figure 459, configure the AC to perform local EAP authentication and authorization for 802.1X users by using the authentication method EAP-TLS.
Figure 459 Network diagram
Configuration procedure
NOTE:
• To implement local EAP authentication and authorization for 802.1X users, make sure that port security is enabled and 802.1X authentication uses the EAP authentication mode.
• To use the authentication method EAP-TLS, configure the network properties of the connection and the client certificate properly on the client.
• For more information about how to configure the PKI domain test, request a local certificate, and retrieve a CA certificate, see "Managing certificates."
1. Configure local user usera:
a. Select Authentication > Users from the navigation tree.
b. Click Add.
c. Enter the username usera and password 1234, and select the service type LAN-Access.
d. Click Apply.
Figure 460 Local user configuration page
2. Configure the ISP domain system to use local authentication and local authorization.
The ISP domain system uses local authentication and local authorization by default. For the configuration procedure, see "Configuring AAA."
3. Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:
a. Select Authentication > Local EAP Server from the navigation tree.
b. Select Enabled for Status.
c. Select TLS from the Available methods list and click << to add TLS to the Selected methods list.
d. Select test from the PKI domain list.
e. Click Apply.
Figure 461 Configuring a local EAP server
4. Configure the AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. Enter the AP name ap1.
d. Select the device model WA2620-AGN.
e. Select manual and enter the serial number of the AP in the following box.
f. Click Apply.
Figure 462 Configuring the AP
5. Create the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. Enter the wireless service name 802.1x-auth.
d. Select the service type crypto.
e. Click Apply.
The wireless service configuration page appears.
Figure 463 Creating a wireless service
6. Configure the wireless service:
a. Click the expand button before Security Setup to expand the configuration items.
b. Select the authentication type Open-System.
c. Select the Cipher Suite box, and then select AES-CCMP and TKIP (select a cipher suite according to your actual network requirements; TKIP is deprecated and should be kept only while legacy clients require it). Select WPA as the security IE.
d. Click the expand button before Port Security to expand the configuration items.
e. Select the Port Set box and select the port mode userlogin-secure-ext.
f. Select the Mandatory Domain box, and then select system.
g. Select the authentication method EAP.
h. Disable handshake and multicast trigger.
i. Click Apply.
A configuration progress dialog box appears.
j. When a dialog box appears asking for your confirmation to enable the EAP service, confirm the operation to proceed.
k. After the configuration process is complete, click Close.
Figure 464 Wireless service configuration page
7. Enable the wireless service:
a. On the access service list page, select the wireless service 802.1x-auth.
b. Click Enable.
A progress dialog box appears.
c. After the configuration process is complete, click Close.
Figure 465 Enabling the wireless service
8. Bind the AP's radio mode with the wireless service:
a. In the wireless service list, click the icon of the wireless service 802.1x-auth.
b. Select the AP ap1 with the radio mode 802.11n(2.4GHz).
c. Click Bind. A progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 466 Binding the radio mode with the wireless service
9. Enable 802.11n(2.4GHz):
a. Select Radio > Radio from the navigation tree.
b. Select the AP ap1 with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 467 Enabling 802.11n(2.4GHz)
Verifying the configuration
After the configuration, a client should be able to pass EAP authentication and access the wireless network. You can ping the client successfully from the AC.
Configuring users
Overview
This module allows you to configure local users, user groups, guests, and user profiles.
Local user
A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attributes), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add a matching entry to the local user database of the device. For more information about local authentication, see "Configuring AAA."
User group
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. All local users in a user group inherit the user attributes of the group, but if you configure user attributes for a local user, the settings of the local user take precedence over the settings for the user group.
By default, every newly added local user belongs to a user group named system, which is automatically created by the system.
Guest
A guest is a local user for specific applications. If Portal or LAN-access users need to access the network temporarily, you can establish a guest account for them and control access of the users as required.
User profile
A user profile is a configuration template for saving predefined configurations. You can configure different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for different user profiles to accommodate different application scenarios.
When accessing the device, a user needs to be authenticated. During the authentication process, the authentication server sends the user profile name to the device, which then enables the configurations in the user profile. After the user passes authentication and accesses the device, the device restricts the user's access based on the configurations in the user profile. When the user logs out, the device automatically disables the configurations in the user profile, removing the restrictions on the user. As this mechanism indicates, user profiles are for restricting online users' access. If no user is online (no user is accessing the network, no user has passed authentication, or all users have logged out), user profiles do not take effect.
With user profiles, you can:
• Make use of system resources more granularly. For example, you can apply a QoS policy on a per-user basis.
• Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user basis by defining a rate limit in user profiles.
• Restrict users' access more specifically. For example, you can deploy user access control on a per-wireless-service basis by defining an SSID in user profiles, or on a per-AP basis by defining APs in user profiles.
Configuring a local user
1.
Select Authentication > Users from the navigation tree.
The local user management page appears, displaying information about all local users including common users, security log administrator, guest administrator, and guests.
NOTE:
On the Local User tab, you can modify a guest user, but the user type changes to another one after your modification.
Figure 468 Local user list
2.
Click Add.
The local user configuration page appears. On this page, you can create a local user of any type except guest.
Figure 469 Local user configuration page
3. Configure a local user as described in Table 144.
4. Click Apply.
Table 144 Configuration items
Item Description
Username
Specify a name for the local user.
Password
Confirm
Specify a password for the local user and confirm the password. The two passwords must be identical.
IMPORTANT:
Do not begin the password with spaces. Leading spaces are dropped from the configured password, but a password typed at the login page is used exactly as entered, so a user who types the leading spaces cannot log in.
Group
Select a user group for the local user.
For information about user group configuration, see "Configuring a user group."
User Type
Specify the user type for the local user:
• Common User.
• Security Log Admin—Users of this type can only manage security log files through the web interface, and only users of this type can manage security log files.
• Guest Admin—Users of this type can only manage guest accounts through the web interface: they log in to the Authentication > User > Guest page to add, modify, or delete guest users.
Level
Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and of all lower levels (if any).
• Visitor—A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
• Monitor—A user of this level can read data from the device but cannot configure the device.
• Configure—A user of this level can read data from the device and configure the device but cannot upgrade the device software, add, delete, or modify users, or back up or restore configuration files.
• Management—A user of this level can perform all operations except for security log file reading and management.
IMPORTANT:
This option is effective only for web, FTP, Telnet, and SSH users.
Service Type
Select the service types for the local user to use, including FTP, Telnet, PPP, Portal, LAN access (access through Ethernet, such as 802.1X users), and SSH.
IMPORTANT:
• If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and cannot log in.
• The service type of the guest administrator and security log administrator is web.
• The service type of a guest is Portal and LAN-Access.
Expire-time
Specify an expiration time for the local user.
When authenticating a local user with an expiration time configured, the access device checks whether the expiration time has elapsed. If it has not, the device permits the user to log in; otherwise, the user is rejected.
VLAN
Specify the VLAN to be authorized to the local user after the user passes authentication.
IMPORTANT:
This option is effective only for Portal and LAN-access users.
ACL
Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
IMPORTANT:
This option is effective only for PPP, Portal, and LAN-access users.
User-profile
Specify the user profile for the local user.
IMPORTANT:
This option is effective only for PPP, Portal, and LAN-access users.
Configuring a user group
1. Select Authentication > Users from the navigation tree.
2. Click the User Group tab to display the existing user groups.
Figure 470 User group list
3.
Click Add to enter the user group configuration page.
Figure 471 User group configuration page
4. Add a user group as described in Table 145.
5. Click Apply.
Table 145 Configuration items
Item Description
Group-name
Specify a name for the user group.
Level
Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.
VLAN
Specify the VLAN to be authorized to a user in the user group after the user passes authentication.
ACL
Specify the ACL to be used by the access device to restrict the access of a user in the user group after the user passes authentication.
User-profile
Specify the user profile for the user group.
Allow Guest Accounts
Specify whether to allow a guest to join the user group.
IMPORTANT:
User group system allows guest accounts by default, and this setting cannot be modified.
Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the management level.
NOTE:
For information about user types and authorization levels, see "Configuring a local user."
Procedure for a management level administrator to configure a guest
1. Select Authentication > Users from the navigation tree.
2. Click the Guest tab to display the guest information.
Figure 472 Guest list
3. Click Add to enter the guest configuration page.
Figure 473 Guest configuration page
4. Configure a single guest or a batch of guests as described in Table 146.
5. Click Apply.
Table 146 Configuration items
Item Description
Create Users in a Batch
Specify whether to create guests in a batch.
Username
User-name(prefix)
Specify a name for the guest when guests are not created in a batch.
Specify the username prefix and number for guests to be created in a batch. For example, if you specify the username prefix abc and the number 50, 50 guests are created, with the usernames abc0 through abc49.
Password
Same as the Username
Confirm
Specify a password for the guest.
If you select Same as the Username, you do not need to enter the password and confirm password, and the guest password is the same as the username. A password equal to the username is trivially guessable, so use this option only for short-lived accounts with a tight ValidTime range.
If you do not select this option, you must enter the password and confirm password, and they must be the same.
IMPORTANT:
If the password starts with a space, the space is omitted.
Group
Select a user group for the guest.
For information about user group configuration, see "Configuring a user group."
ValidTime
Specify a valid time range for the guest, including the start time and end time.
When authenticating a guest with a valid time range configured, the access device checks whether the current time falls within the range. If it does, the device permits the user to log in; otherwise, the user is rejected.
Procedure for a guest administrator to configure a guest
NOTE:
A guest administrator can only manage guests through the web interface.
1. Log in to the AC as a guest administrator and select Authentication > User from the navigation tree.
The guest management page appears.
Figure 474 Guest management page
2. Click Add to enter the guest configuration page.
Figure 475 Guest configuration page
3. Configure the guest as described in Table 146.
4. Click Apply.
NOTE:
The guest accounts are also displayed in the local user list. You can click the icon of a guest in the list to edit the guest information and authorization attributes.
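The local user model of this chapter (group attributes inherited unless overridden per user, the service type gate, expiration and guest validity windows, batch guest naming, and the leading-space password pitfall from Table 144 and Table 146) in one runnable sketch. This is an added illustration written for this page, not H3C code; the in-memory database, the reason strings and all accounts are constructed. Two points are assumptions of the model rather than statements from the page: a random password is generated for batch guests when "same as the username" is not chosen, and a user who supplies no service type is rejected with a distinct reason.

```python
"""Local users, user groups and guests as described in this chapter.
Added illustration for this page, not H3C code."""

from dataclasses import dataclass
from datetime import datetime
from hmac import compare_digest
from typing import Dict, List, Optional, Set, Tuple
import secrets

LEVELS = ["Visitor", "Monitor", "Configure", "Management"]  # ascending priority


@dataclass
class UserGroup:
    name: str
    level: Optional[str] = None
    vlan: Optional[int] = None
    acl: Optional[int] = None
    user_profile: Optional[str] = None
    allow_guests: bool = False


@dataclass
class LocalUser:
    username: str
    password: str
    service_types: Set[str]
    group: str = "system"              # every new local user lands in group system
    level: Optional[str] = None
    vlan: Optional[int] = None
    acl: Optional[int] = None
    user_profile: Optional[str] = None
    expire_time: Optional[datetime] = None
    valid_from: Optional[datetime] = None   # guests only
    valid_to: Optional[datetime] = None
    is_guest: bool = False

    def __post_init__(self) -> None:
        # The device drops leading spaces from the configured password, while the
        # password typed at login is used as entered: the two then never match.
        self.password = self.password.lstrip(" ")


class LocalUserDB:
    """Constructed in-memory stand-in for the device's local user database."""

    def __init__(self) -> None:
        # Group system allows guests by default and cannot be modified.
        self.groups: Dict[str, UserGroup] = {"system": UserGroup("system", allow_guests=True)}
        self.users: Dict[str, LocalUser] = {}

    def add_group(self, g: UserGroup) -> None:
        if g.name == "system":
            raise ValueError("user group system cannot be modified")
        self.groups[g.name] = g

    def add_user(self, u: LocalUser) -> None:
        g = self.groups[u.group]
        if u.is_guest and not g.allow_guests:
            raise ValueError(f"group {g.name} does not allow guest accounts")
        self.users[u.username] = u

    def add_guest_batch(self, prefix: str, count: int, valid_from: datetime, valid_to: datetime,
                        group: str = "system", same_as_username: bool = False) -> List[str]:
        """Prefix abc and count 50 give abc0 .. abc49. Passwords are random unless
        the weak 'same as the username' option is chosen (assumption of the model)."""
        names = [f"{prefix}{i}" for i in range(count)]
        for n in names:
            pw = n if same_as_username else secrets.token_urlsafe(12)
            self.add_user(LocalUser(n, pw, {"Portal", "LAN-Access"}, group=group,
                                    valid_from=valid_from, valid_to=valid_to, is_guest=True))
        return names

    def effective(self, u: LocalUser) -> Dict[str, Optional[object]]:
        """Per-user settings take precedence; unset ones are inherited from the group."""
        g = self.groups[u.group]
        return {k: getattr(u, k) if getattr(u, k) is not None else getattr(g, k)
                for k in ("level", "vlan", "acl", "user_profile")}

    def authenticate(self, username: str, password: str, service_type: str,
                     now: datetime) -> Tuple[bool, str, Dict[str, Optional[object]]]:
        u = self.users.get(username)
        if u is None or not compare_digest(u.password.encode(), password.encode()):
            return False, "bad username or password", {}
        if service_type not in u.service_types:      # no service type: never passes
            return False, f"service type {service_type} not permitted", {}
        if u.expire_time is not None and now >= u.expire_time:
            return False, "account expired", {}
        if u.is_guest and u.valid_from and u.valid_to and not (u.valid_from <= now <= u.valid_to):
            return False, "outside guest valid time range", {}
        return True, "ok", self.effective(u)


def has_rights_of(level: str, required: str) -> bool:
    """A user holds the rights of the specified level and of every lower level."""
    return LEVELS.index(level) >= LEVELS.index(required)
```

Note that the guest created with "same as the username" authenticates with nothing more than its own name; the validity window is the only thing limiting that account, which is why the range should be kept short.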
Configuring a user profile
1. Select Authentication > Users from the navigation tree.
2. Click the User Profile tab to display the existing user profiles.
Figure 476 User profile list
3.
Click Add to enter the user profile name configuration page.
Figure 477 User profile name configuration item
4. Enter the user profile name.
5. Click Apply.
The user profile configuration page appears.
Figure 478 User profile configuration page
6. Configure the profile as described in Table 147.
7. Click Apply.
Table 147 Configuration items
Item Description
Userprofile name
This field displays the user profile name.
Qos-out policy
Select a QoS policy in the outbound direction.
Qos-in policy
Select a QoS policy in the inbound direction.
limited-out rate
Specify the rate limit in the outbound direction.
limited-in rate
Specify the rate limit in the inbound direction.
Services permitted
Specify the wireless services permitted in the user profile:
Select the services in the Services list box and click the < button to add them to the Selected services list box.
The available wireless services are those configured on the page you enter by selecting Wireless Service > Access Service. For more information, see "Access service configuration."
APs permitted
Specify the APs permitted in the user profile:
Select the APs in the APs list box and click the < button to add them to the Selected APs list box.
The available APs are those configured on the page you enter by selecting AP > AP Group. For more information, see "AP configuration."
8. On the page displaying the existing user profiles, select the option before the user profile to be enabled.
9. Click Enable.
NOTE:
• By default, a newly added user profile is disabled.
• A user profile takes effect only after it is enabled, and only then can a user assigned to it be authorized with it. If you do not enable the user profile, users using the user profile cannot get online.
• Only enabled user profiles can be referenced by users. Disabling a user profile logs out all users using the user profile.
• Enabled user profiles cannot be modified or removed. To modify or remove an enabled user profile, you must disable it first.
Managing certificates
PKI overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies, and it is the most widely applied public key management mechanism.
H3C's PKI system provides certificate management for IP Security (IPsec) and Secure Sockets Layer (SSL).
PKI is built on asymmetric (public key) cryptography, which uses a key pair to encrypt and decrypt data. The key pair consists of a private key and a public key. The private key must be kept secret, but the public key can be distributed freely. Data encrypted with one of the two keys can only be decrypted with the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners, helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples:
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is currently developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted and signed mail.
• Web security—For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both communicating parties can verify the identity of each other through digital certificates.
NOTE:
For more information about PKI, see the Security Configuration Guide.
Configuring PKI
The system supports the following PKI certificate request modes:
•
Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
• Auto—In auto mode, an entity automatically requests a certificate through the Simple Certificate Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations.
Recommended configuration procedure for manual request
Step Remarks
1. Creating a PKI entity
Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must comply with the CA certificate issuing policy. Otherwise, the certificate request might be rejected.
2. Creating a PKI domain
Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
3. Generating an RSA key pair
Required.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
IMPORTANT:
If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the key pair and the local certificate consistent.
4. Retrieving the CA certificate
Required.
Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
IMPORTANT:
If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This avoids a possible mismatch between certificates and registration information resulting from related changes. To retrieve the CA certificate again, you must remove the CA certificate and the local certificate first.
5. Requesting a local certificate
Required.
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate is retrieved to the local system automatically.
• In offline mode, you must retrieve the local certificate by an out-of-band means.
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate retrieval operation. This avoids a possible mismatch between the local certificate and registration information resulting from related changes. To retrieve a new local certificate, you must remove the CA certificate and the local certificate first.
6. Destroying the RSA key pair
Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
Destroying the existing RSA key pair also destroys the corresponding local certificate.
7. Retrieving and displaying a certificate
Required if you request a certificate in offline mode.
Retrieve an existing certificate and display its contents.
IMPORTANT:
• If you request a certificate in offline mode, you must retrieve the CA certificate and local certificate by an out-of-band means.
• Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
8. Retrieving and displaying a CRL
Optional.
Retrieve a CRL and display its contents.
Recommended configuration procedure for automatic request
Step Remarks
1. Creating a PKI entity
Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must comply with the CA certificate issuing policy. Otherwise, the certificate request might be rejected.
2. Creating a PKI domain
Required.
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
3. Destroying the RSA key pair
Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
Destroying the existing RSA key pair also destroys the corresponding local certificate.
4. Retrieving and displaying a certificate
Optional.
Retrieve an existing certificate and display its contents.
IMPORTANT:
• Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
• If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate first.
5. Retrieving and displaying a CRL
Optional.
Retrieve a CRL and display its contents.
Creating a PKI entity
1.
Select Authentication > Certificate Management from the navigation tree.
The PKI entity list page is displayed by default.
Figure 479 PKI entity list
2.
Click Add to enter the PKI entity configuration page.
Figure 480 PKI entity configuration page
3. Configure the parameters as described in Table 148.
4. Click Apply.
Table 148 Configuration items
Item Description
Entity Name
Enter the name for the PKI entity.
Common Name
Enter the common name for the entity.
IP Address
Enter the IP address of the entity.
FQDN
Enter the fully qualified domain name (FQDN) for the entity.
An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www is the host name and whatever.com the domain name.
Country/Region Code
Enter the country or region code for the entity.
State
Enter the state or province for the entity.
Locality
Enter the locality for the entity.
Organization
Enter the organization name for the entity.
Organization Unit
Enter the unit name for the entity.
Creating a PKI domain
1.
Select Authentication > Certificate Management from the navigation tree.
2.
Click the Domain tab.
Figure 481 PKI domain list
3.
Click Add to enter the PKI domain configuration page.
Figure 482 PKI domain configuration page
4.
5.
Configure the parameters as described in
Click Apply.
Table 149 Configuration items
Item Description
Domain Name Enter the name for the PKI domain.
CA Identifier
Entity Name
Enter the identifier of the trusted CA.
An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, and revocation, and query.
In offline mode, this item is optional. In other modes, this item is required.
Select the local PKI entity.
When submitting a certificate request to a CA, an entity needs to show its identity information.
Available PKI entities are those that have been configured.
455
Item Description
Institution
Select the authority for certificate request.
•
CA—Indicates that the entity requests a certificate from a CA.
•
RA—Indicates that the entity requests a certificate from an RA.
RA is recommended.
Requesting URL
Enter the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority.
In offline mode, this item is optional. In other modes, this item is required.
IMPORTANT:
This item does not support domain name resolution.
LDAP IP
Port
Version
Request Mode
Enter the IP address, port number and version of the LDAP server.
In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.
Password Encrypt
Password
Fingerprint Hash
Fingerprint
Select the online certificate request mode, which can be auto or manual.
Select this box to display the password in cipher text.
This box is available only when the certificate request mode is set to Auto.
Enter the password for certificate revocation.
This item is available only when the certificate request mode is set to Auto.
Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
•
If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must a string of 32 characters in hexadecimal notation.
•
If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must a string of 40 characters in hexadecimal notation.
•
If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
Polling Count
Polling Interval
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure the fingerprint, the entity will not verify the CA root certificate and you yourself must make sure that the CA server is trusted.
Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL
Checking
Click this box to specify that CRL checking is required during certificate verification.
456
Item Description
CRL Update Period
Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs.
This item is available when the Enable CRL Checking box is selected.
By default, the CRL update period depends on the next update field in the CRL file.
CRL URL
Enter the URL of the CRL distribution point.
This item is available when the Enable CRL Checking box is selected.
When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
IMPORTANT:
This item does not support domain name resolution, so specify the CRL distribution point by IP address.
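The fingerprint check described for the Fingerprint item above, as an added example that is not part of this guide or of the device software. It models what the entity does with a retrieved root certificate: the configured value is checked for the 32- or 40-hexadecimal-character form, the hash of the whole certificate content is computed, and the two are compared. The certificate bytes are a constructed stand-in, and the acceptance of lenient input forms (colons, spaces, upper case) is an assumption.

```python
import hashlib
import hmac
import re
from typing import Optional

# Required fingerprint length in hex characters, as given for the Fingerprint item.
FINGERPRINT_LEN = {"md5": 32, "sha1": 40}

# Constructed stand-in for the DER-encoded root certificate an entity retrieves
# from the CA. It is not a real certificate; only its bytes matter here.
ROOT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed root certificate body " * 8


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hex fingerprint: the hash of the entire certificate content."""
    return hashlib.new(algorithm.lower(), cert_der).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept the forms an operator is likely to paste: upper case, colons, spaces (assumption)."""
    return re.sub(r"[\s:]", "", value).lower()


def validate_fingerprint(value: str, algorithm: str) -> str:
    """Reject a configured fingerprint that is not 32 (MD5) or 40 (SHA1) hex characters."""
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_LEN:
        raise ValueError(f"unsupported fingerprint hash: {algorithm}")
    cleaned = normalize_fingerprint(value)
    if not re.fullmatch(r"[0-9a-f]{%d}" % FINGERPRINT_LEN[algorithm], cleaned):
        raise ValueError(
            f"{algorithm.upper()} fingerprint must be {FINGERPRINT_LEN[algorithm]} hexadecimal characters"
        )
    return cleaned


def accept_root_cert(cert_der: bytes, algorithm: Optional[str], configured: Optional[str]) -> bool:
    """Decide whether the entity accepts a retrieved root certificate.

    No hash algorithm configured: the guide's unverified case; the certificate is
    accepted as-is and trust in the CA server has to come from elsewhere.
    Hash configured: the computed fingerprint must equal the configured one,
    compared in constant time so a near-miss leaks nothing through timing.
    """
    if algorithm is None:
        return True
    if configured is None:
        raise ValueError("fingerprint hash selected but no fingerprint entered")
    expected = validate_fingerprint(configured, algorithm)
    actual = fingerprint(cert_der, algorithm)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    good = fingerprint(ROOT_CERT_DER, "sha1")
    tampered = ROOT_CERT_DER[:-1] + b"X"
    print("SHA1 fingerprint of the constructed certificate:", good)
    print("accepted with matching fingerprint:", accept_root_cert(ROOT_CERT_DER, "sha1", good.upper()))
    print("accepted after tampering:", accept_root_cert(tampered, "sha1", good))
    print("accepted with no hash configured:", accept_root_cert(tampered, None, None))
```

The last line of the usage output is the case the IMPORTANT note warns about: with no hash algorithm configured the tampered certificate is accepted without being looked at.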
Generating an RSA key pair
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
Figure 483 Certificate configuration page
3. Click Create Key to enter the RSA key pair parameter configuration page.
Figure 484 Key pair parameter configuration page
4. Set the key length. Use the longest length the device and the CA support; 1024-bit RSA, the length used in the configuration example later in this chapter, is no longer considered adequate for new deployments.
5. Click Apply.
Destroying the RSA key pair
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Destroy Key to enter the RSA key pair destruction page.
Figure 485 Key pair destruction page
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Retrieving and displaying a certificate
You can download an existing CA certificate or local certificate from the CA server and save it locally.
To do so, you can use offline mode or online mode. In offline mode, you retrieve the certificate by an out-of-band means such as FTP, disk, or email, and then import it into the local PKI system.
To retrieve a certificate:
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Retrieve Cert to enter the PKI certificate retrieval page.
Figure 486 PKI certificate retrieval page
4. Configure the parameters as described in Table 150.
5. Click Apply.
Table 150 Configuration items
Item Description
Domain Name Select the PKI domain for the certificate.
Certificate Type Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode
Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.
Get File From Device
Get File From PC
Specify the path and name of the certificate file if you retrieve the certificate in offline mode.
• If the certificate file is saved on the device, select Get File From Device and then specify the path of the file on the device.
• If the certificate file is saved on a local PC, select Get File From PC, then specify the path to the file and select the partition of the device for saving the file.
Password
Enter the password for protecting the private key if you retrieve the certificate in offline mode. The password was specified when the certificate was exported.
6. After retrieving a certificate, click View Cert corresponding to the certificate in the PKI certificates list to display the contents of the certificate.
Figure 487 Certificate information
Requesting a local certificate
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Request Cert to enter the local certificate request page.
Figure 488 Local certificate request page
4. Configure the parameters as described in Table 151.
Table 151 Configuration items
Item Description
Domain Name Select the PKI domain for the certificate.
Password Enter the password for certificate revocation (the SCEP challenge password). The CA may require it later to authenticate a revocation request for this certificate, so record it securely.
Enable Offline Mode
Click this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
5. Click Apply.
If you request the certificate in online mode, the system displays "Certificate request has been submitted." Click OK. If you request the certificate in offline mode, the system displays the offline certificate request information, which you can submit to the CA by an out-of-band means.
Figure 489 Offline certificate request information page
Retrieving and displaying a CRL
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the CRL tab.
Figure 490 CRL page
3. Click Retrieve CRL to retrieve the CRL of a domain.
4. Click View CRL for the domain to display the contents of the CRL.
Figure 491 CRL information
Certificate management configuration example
Network requirements
As shown in Figure 492, configure the AC as the PKI entity, so that:
• The AC submits a local certificate request to the CA server, which runs the RSA Keon software.
• The AC acquires CRLs for certificate verification.
Figure 492 Network diagram
Configuring the CA server
1. Create a CA server named myca.
In this example, you must first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C). Leave the default values of the other attributes.
2. Configure extended attributes.
After you configure the basic attributes, perform configuration on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior.
After you complete the previous configuration, perform CRL related configurations. In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
After this configuration, make sure that the system clock of the AC is synchronized with that of the CA, so that the AC can request certificates and retrieve CRLs properly.
Configuring the AC
1. Create a PKI entity.
a. Select Authentication > Certificate Management from the navigation tree. The PKI entity list page is displayed by default.
b. Click Add.
c. Enter aaa as the PKI entity name.
d. Enter ac as the common name.
e. Click Apply.
Figure 493 Configuring a PKI entity
2. Create a PKI domain.
a. Click the Domain tab.
b. Click Add.
c. Enter torsa as the PKI domain name.
d. Enter myca as the CA identifier.
e. Select aaa as the local entity.
f. Select CA as the authority for certificate request.
g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request. The URL must be in the format http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
h. Select Manual as the certificate request mode.
i. Click the expansion button before Advanced Configuration to display the advanced configuration items.
j. Click the Enable CRL Checking box.
k. Enter http://4.4.4.133:447/myca.crl as the CRL URL.
l. Click Apply. The system displays "Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?"
m. Click OK.
Figure 494 Configuring a PKI domain
3. Generate an RSA key pair.
a. Click the Certificate tab.
b. Click Create Key to enter the key pair parameter configuration page.
c. Enter 1024 for the key length.
d. Click Apply to generate an RSA key pair.
Figure 495 Generating an RSA key pair
4. Retrieve the CA certificate.
a. Click the Certificate tab.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain.
d. Select CA as the certificate type.
e. Click Apply.
Figure 496 Retrieving the CA certificate
5. Request a local certificate.
a. Click the Certificate tab.
b. Click Request Cert.
c. Select torsa for the PKI domain.
d. Select Password and then enter challenge-word as the password.
e. Click Apply. The system displays "Certificate request has been submitted".
f. Click OK.
Figure 497 Requesting a local certificate
6. Retrieve the CRL.
a. Click the CRL tab.
b. Click Retrieve CRL for the PKI domain torsa.
Figure 498 Retrieving the CRL
Verifying the configuration
After the configuration, you can select Certificate Management > Certificate from the navigation tree to view detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to view detailed information about the retrieved CRL.
Configuration guidelines
When you configure PKI, note the following guidelines:
• Make sure the clocks of entities and the CA are synchronized. Otherwise, the validity period of certificates will be abnormal.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need to specify RA as the authority for certificate request when you configure the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you need to specify CA as the authority for certificate request when you configure the PKI domain.
• The configuration example above leaves the root certificate fingerprint unset, so the AC accepts whatever CA certificate it retrieves. In a production deployment, obtain the fingerprint from the CA operator out of band and configure it in the PKI domain so that the retrieved CA certificate is verified.
WLAN security configuration
WLAN security overview
802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. To ensure security, the wireless intrusion detection system (WIDS) is introduced. WIDS provides early detection of malicious attacks and intrusions on a wireless network without affecting network performance, and provides real-time countermeasures.
WLAN security provides these features:
• Rogue detection
• WIDS attack detection
• Blacklist and white list
Terminology
• Rogue AP—An unauthorized or malicious access point on the network, such as an employee-installed AP, a misconfigured AP, a neighbor's AP, or an attacker-operated AP. Because it is not under administrative control, any vulnerability in it gives an attacker a way into your network.
• Rogue client—An unauthorized or malicious client on the network.
• Rogue wireless bridge—An unauthorized wireless bridge on the network.
• Monitor AP—An AP that scans or listens to 802.11 frames to detect rogue devices in the network.
• Ad hoc mode—A wireless client in ad hoc mode communicates directly with other stations without support from any other device.
Detecting rogue devices
Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN based on the pre-configured rules.
Rogue detection can detect different types of devices in a WLAN, for example, rogue APs, rogue clients, rogue wireless bridges, and ad hoc terminals. An AP can work in either of the following modes for rogue detection:
• Monitor mode: In this mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services. As shown in Figure 499, AP 1 works as an access AP, and AP 2 works as a monitor AP to listen to all 802.11g frames. AP 2 cannot provide wireless access services.
Figure 499 Monitor AP for rogue detection
• Hybrid mode: In this mode, an AP can both scan devices in the WLAN and provide WLAN data services.
Figure 500 Hybrid AP for rogue detection
Taking countermeasures against rogue device attacks
You can enable countermeasures on a monitor AP. The monitor AP downloads an attack list from the AC according to the countermeasure mode and takes countermeasures against detected rogue devices. The processing methods vary with the rogue device type:
• If the rogue device is a rogue client, it is logged out.
• If the rogue device is a rogue AP, legal clients are prevented from using the rogue AP to access the WLAN.
• If the rogue device is an ad hoc client, it is denied, and ad hoc clients cannot communicate with each other.
Figure 501 Taking countermeasures against rogue devices
Functionalities supported
The rogue detection feature supports the following functionalities:
• RF monitoring in different channels
• Rogue AP detection
• Rogue client detection
• Ad hoc network detection
• Wireless bridge detection
• Countermeasures against rogue devices, clients and ad hoc networks
WIDS attack detection
The WIDS attack detection function detects intrusions or attacks on a WLAN, and informs the network administrator of the attacks by recording information or sending logs. WIDS detection supports detection of the following attacks:
• Flood attack
• Spoofing attack
• Weak IV attack
Flood attack detection
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices get overwhelmed and are unable to service normal clients.
WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:
• Authentication requests and de-authentication requests
• Association requests, disassociation requests and reassociation requests
• Probe requests
• 802.11 null data frames
• 802.11 action frames
Spoofing attack detection
In this kind of attack, an attacker sends frames over the air on behalf of another device. For instance, a client in a WLAN is associated with an AP and works normally. A spoofed de-authentication frame can then cause the client to be de-authenticated from the network and disrupt the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged. Detection covers only these broadcast frames and only logs them: a spoofed frame addressed to a single client is not detected, and the disconnect itself is prevented only by protected management frames (802.11w) on both the AP and the client.
Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) for each frame. The IV and the key together generate the key stream, so frames encrypted with the same key still produce different ciphertext. When a WEP frame is sent, the IV used to encrypt it is sent in clear as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to any attacker who captures enough frames. Once the shared secret key is compromised, the attacker can access network resources.
Weak IV detection counters this attack by checking the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged. Detection does not make WEP safe: WEP keys can be recovered from captured traffic even without weak IVs, so a remaining WEP service should be replaced by WPA2 rather than monitored.
Blacklist and white list
You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby implement client access control.
WLAN client access control is accomplished through the following three types of lists:
• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is manually configured.
• Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client is dynamically added to the list when it is considered to be sending attack frames, and stays on the list until the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects an attack, the MAC address of the attacker is added to the dynamic blacklist. For more information about ARP detection, see "ARP attack defense configuration."
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows:
1. If white list entries exist and the source MAC address does not match any of them, the frame is dropped. If there is a match, the frame is considered valid and is processed further.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in either list, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.
Because a client's MAC address is visible in every frame and trivial to forge, these lists are an access control aid rather than an authentication mechanism; use 802.1X or WPA2 authentication to establish who a client is.
A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies to APs that receive attack frames.
Figure 502 Network diagram for WLAN client access control
• In the topology above, three APs are connected to an AC. Configure white list and static blacklist entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can access any of the APs, and other clients cannot access any of the APs.
• Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated, and Client 1 cannot associate with AP 1, but can still associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated for that AP.
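The frame processing order above and the flood detection described under WIDS attack detection, modelled together in one added example that is not H3C code. The frame records and MAC addresses are constructed; the guide states neither the exact traffic density limit nor whether a white-listed client can be dynamically blacklisted, so the 50-frames-per-second threshold and the "white list is checked first" ordering are assumptions marked in the code.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set, Tuple


def norm_mac(mac: str) -> str:
    """Normalise 000f-e215-1515, 00:0f:e2:15:15:15 or 000FE2151515 to 12 lower-case hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return digits


@dataclass
class Frame:
    src_mac: str   # source MAC address of the 802.11 frame
    kind: str      # an inspected kind: auth, deauth, assoc, reassoc, disassoc, probe_req, null_data, action
    ts: float      # receive time in seconds


@dataclass
class FloodDetector:
    """Per-device, per-frame-kind rate check.

    The guide only says "large volumes of frames of the same kind within a short
    span of time"; the limit of 50 frames in a 1-second window is an assumption.
    """
    max_frames: int = 50
    window: float = 1.0
    _seen: Dict[Tuple[str, str], Deque[float]] = field(default_factory=dict)

    def observe(self, frame: Frame) -> bool:
        """Record the frame; return True when the device now exceeds the limit."""
        q = self._seen.setdefault((norm_mac(frame.src_mac), frame.kind), deque())
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_frames


class ClientAccessControl:
    """White list, static blacklist and dynamic blacklist processing of one AP."""

    def __init__(self, dynamic_enabled: bool = True, dynamic_lifetime: float = 300.0,
                 detector: Optional[FloodDetector] = None):
        self.white_list: Set[str] = set()
        self.static_blacklist: Set[str] = set()
        self.dynamic_blacklist: Dict[str, float] = {}   # mac -> expiry time
        self.dynamic_enabled = dynamic_enabled
        self.dynamic_lifetime = dynamic_lifetime        # the Lifetime setting
        self.detector = detector or FloodDetector()

    def permit(self, mac: str) -> None:
        self.white_list.add(norm_mac(mac))

    def block(self, mac: str) -> None:
        self.static_blacklist.add(norm_mac(mac))

    def _expire_dynamic(self, now: float) -> None:
        for mac in [m for m, exp in self.dynamic_blacklist.items() if exp <= now]:
            del self.dynamic_blacklist[mac]

    def accept(self, frame: Frame) -> bool:
        """True if the frame is processed further, False if it is dropped."""
        mac = norm_mac(frame.src_mac)
        self._expire_dynamic(frame.ts)
        # Flood detection runs on every frame; with the dynamic blacklist enabled a
        # flooding device is listed until its entry's lifetime expires.
        if self.detector.observe(frame) and self.dynamic_enabled:
            self.dynamic_blacklist[mac] = frame.ts + self.dynamic_lifetime
        # Step 1: a non-empty white list admits only the listed clients
        # (assumption: the white list is not overridden by a dynamic entry).
        if self.white_list:
            return mac in self.white_list
        # Steps 2 and 3: otherwise the static and dynamic blacklists are searched.
        if mac in self.static_blacklist or mac in self.dynamic_blacklist:
            return False
        # Step 4: no match, so the frame is considered valid.
        return True
```

Feeding 51 probe requests from one address within a second trips the detector on the 51st frame; every later frame from that address, of any kind, is dropped until the lifetime has elapsed, after which the address is admitted again.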
Configuring rogue device detection
Recommended configuration procedure
1. Configuring AP operating mode
Required. By default, the AP operates in normal mode and only provides WLAN data services.
2. Configuring detection rule lists
Required.
3. Enabling countermeasures and configuring aging time for detected rogue devices
Optional.
Configuring AP operating mode
1. Select Security > Rogue Detection from the navigation tree.
Figure 503 AP monitor configuration
2. On the AP Monitor tab, select the AP to be configured and click the icon to enter the AP operating mode configuration page.
Figure 504 AP operating mode configuration
3. Configure the AP operating mode as described in Table 152.
4. Click Apply.
Table 152 Configuration items
Item Description
Work mode
Configure the AP operating mode:
• In normal mode, an AP provides WLAN data services but does not perform scanning.
• In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.
• In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.
IMPORTANT:
• When an AP has its operating mode changed from normal to monitor, it does not restart.
• When an AP has its operating mode changed from monitor to normal, it restarts.
NOTE:
• An AP operating in hybrid mode can provide WLAN data services as well as scan devices in the WLAN, so WLAN service configurations are needed.
• An AP operating in monitor mode cannot provide WLAN data services, so WLAN service configurations are not needed.
Configuring detection rules
Configuring detection rules means configuring rogue device classification rules. An AC classifies devices as rogues or friends based on the configured classification rules.
• Check whether an AP is a rogue.
Figure 505 Checking whether an AP is a rogue
• Check whether a client is a rogue.
Figure 506 Checking whether a client is a rogue
The client check in Figure 506 proceeds as follows: if the client is in the static attack list, it is an illegal client (rogue). Otherwise (or if no attack list is configured), if the client is in the permitted MAC address list, it is a legal client (friend). Otherwise (or if no permitted MAC address list is configured), the AC checks whether the AP (BSSID) the client is associated with is legal: if so, the client is a legal client (friend); if not, it is an illegal client (rogue).
• Check whether an ad hoc network or a wireless bridge is a rogue.
Figure 507 Checking whether an ad hoc network or a wireless bridge is a rogue
Configuring detection rule lists
1. Select Security > Rogue Detection from the navigation tree.
2. Click the Rule List tab to enter the detection rule list configuration page.
Figure 508 Rule list configuration
3. Configure the rule list as described in Table 153.
Table 153 Configuration items
Item Description
List Type
• MAC—You can add MAC addresses to be permitted after selecting this option.
• Wireless Service—You can add SSIDs to be permitted after selecting this option. Because any AP can advertise any SSID, a rule of this type also permits an attacker's AP that mimics your SSID; prefer MAC rules for the APs you operate.
• Vendor—You can specify vendors to be permitted after selecting this option. The vendor is derived from the MAC address prefix, which an attacker can also choose.
• Attacker—You can add the MAC address of a device to configure the device as a rogue.
4. Select MAC from the list and click Add to enter the MAC address configuration page.
Figure 509 MAC address list configuration page
5. Configure the MAC address list as described in Table 154.
6. Click Apply.
Table 154 Configuration items
Item Description
MAC Enter the permitted MAC address in the box.
Select the existent devices
If you select this option, the MAC address table displays the MAC addresses of the currently detected devices. Select the MAC addresses to be permitted. Confirm that a detected device is really yours before permitting it from this list.
The operation to add other types of lists is similar to that of a MAC address list, and thus is not described here.
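The classification flow of Figure 506 and the four list types of Table 153, as an added example that is not the AC's code. The client flow follows the figure; the AP rule (a permitted BSSID, SSID or vendor OUI makes an AP a friend unless it is listed as an attacker) is an assumption drawn from the list types, since the page does not spell out the AP flow. MAC addresses, SSIDs and the vendor OUI are constructed; the type codes follow Table 156.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


def norm_mac(mac: str) -> str:
    """Normalise 000f-e215-1515, 00:0f:e2:15:15:15 or 000FE2151515 to 12 lower-case hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return digits


@dataclass
class RuleLists:
    """The four list types of Table 153."""
    permitted_macs: Set[str] = field(default_factory=set)            # MAC
    permitted_ssids: Set[str] = field(default_factory=set)           # Wireless Service
    permitted_vendors: Dict[str, str] = field(default_factory=dict)  # Vendor: OUI -> name
    attackers: Set[str] = field(default_factory=set)                 # Attacker

    def permit_mac(self, mac: str) -> None:
        self.permitted_macs.add(norm_mac(mac))

    def add_attacker(self, mac: str) -> None:
        self.attackers.add(norm_mac(mac))

    def permit_vendor(self, oui: str, name: str) -> None:
        """OUI is the first three octets of a MAC address, e.g. 000f-e2 (constructed mapping)."""
        digits = "".join(ch for ch in oui.lower() if ch in "0123456789abcdef")
        if len(digits) != 6:
            raise ValueError(f"bad OUI: {oui}")
        self.permitted_vendors[digits] = name


@dataclass
class AP:
    bssid: str
    ssid: str


@dataclass
class Client:
    mac: str
    bssid: str   # BSSID of the AP the client is associated with


def classify_ap(ap: AP, rules: RuleLists) -> str:
    """Monitor-record type code for an AP: 'pw' permitted AP, 'rw' rogue AP.

    Assumed rule: an AP is a friend if its BSSID is a permitted MAC, its SSID a
    permitted wireless service, or its OUI a permitted vendor, unless it is listed
    as an attacker. The page gives only the list types, not this exact order.
    """
    bssid = norm_mac(ap.bssid)
    if bssid in rules.attackers:
        return "rw"
    if (bssid in rules.permitted_macs
            or ap.ssid in rules.permitted_ssids
            or bssid[:6] in rules.permitted_vendors):
        return "pw"
    return "rw"


def classify_client(client: Client, rules: RuleLists, known_aps: Dict[str, AP]) -> str:
    """Client flow of Figure 506: 'pc' permitted client, 'rc' rogue client."""
    mac = norm_mac(client.mac)
    if mac in rules.attackers:                  # in the static attack list?
        return "rc"
    if mac in rules.permitted_macs:             # in the permitted MAC address list?
        return "pc"
    ap = known_aps.get(norm_mac(client.bssid))  # is the AP (BSSID) it is associated with legal?
    if ap is not None and classify_ap(ap, rules) == "pw":
        return "pc"
    return "rc"


def build_known_aps(*aps: AP) -> Dict[str, AP]:
    """Index detected APs by normalised BSSID for the client check."""
    return {norm_mac(ap.bssid): ap for ap in aps}
```

Note how a permitted MAC entry outranks the legality of the AP the client sits on, while an attacker entry outranks everything, exactly the order of the figure; a client on an unknown BSSID ends up a rogue because its AP cannot be shown to be legal.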
Enabling countermeasures and configuring aging time for detected rogue devices
1. Select Security > Rogue Detection from the navigation tree.
2. On the AP Monitor tab, click Common Set.
Figure 510 Common configuration
3. Perform common configuration as described in Table 155.
4. Click Apply.
Table 155 Configuration items
Item Description
Reverse Mode
• Unlaw Set—Allows you to take countermeasures against rogue devices (including illegal APs and illegal clients).
• Unlaw Adhoc Device—Allows you to take countermeasures against ad hoc devices.
• Static Unlaw Device—Allows you to take countermeasures against rogue devices configured in the detection rule list.
Countermeasures against every detected rogue AP also hit neighboring networks that merely fail your classification rules; unless those networks are yours, restrict countermeasures to Static Unlaw Device or add the neighbors to the permitted lists first.
Device Aging-Duration
Configure the aging time of entries in the device list.
Once a rogue device is detected, an entry for it is added to the monitor record and the aging timer starts. The timer restarts if the device is detected again before it expires. When the aging time is reached, the entry is deleted from the monitor record and added to the history record.
Displaying monitor record
1. Select Security > Rogue Detection from the navigation tree.
2. Click the Monitor Record tab to enter the monitor record page.
Figure 511 Monitor record
Table 156 Field description
Field Description
Type
• r—Rogue device.
• p—Permitted device.
• a—Ad hoc device.
• w—AP.
• b—Wireless bridge.
• c—Client.
The first letter gives the classification and the second the device kind. For example, pw represents a permitted AP, and rb represents a rogue wireless bridge.
Displaying history record
1. Select Security > Rogue Detection from the navigation tree.
2. Click the History Record tab to enter the history record page.
Figure 512 History record page
Configuring WIDS
Configuring WIDS
1. Select Security > WIDS from the navigation tree.
Figure 513 WIDS configuration
2. On the WIDS Setup tab, configure WIDS as described in Table 157.
3. Click Apply.
Table 157 Configuration items
Item Description
Flood Attack Detect
If you select the option, flood attack detection is enabled. It is disabled by default.
Spoofing Attack Detect
If you select the option, spoofing attack detection is enabled. It is disabled by default.
Weak IV Attack Detect
If you select the option, weak IV attack detection is enabled. It is disabled by default.
Displaying history record
1. Select Security > WIDS from the navigation tree.
2. Click the History Record tab to enter the history information page.
Figure 514 History information
Displaying statistics information
1. Select Security > WIDS from the navigation tree.
2. Click the Statistics tab to enter the statistics information page.
Figure 515 Statistics
Configuring the blacklist and white list functions
NOTE:
A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a dynamic blacklist applies to APs that receive attack frames. For more information, see "Blacklist and white list."
Configuring dynamic blacklist
1. Select Security > Filter from the navigation tree.
Figure 516 Dynamic blacklist configuration page
2. On the Blacklist tab, configure the dynamic blacklist as described in Table 158.
3. Click Apply.
Table 158 Configuration items
Item Description
Dynamic Blacklist
• Enable—Enable the dynamic blacklist.
• Disable—Disable the dynamic blacklist.
Lifetime
Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist. Because an entry is keyed on the source MAC address of the attack frames, an attacker who forges a legitimate client's address as the source can get that client blacklisted for the lifetime; keep the lifetime short enough that this is a nuisance rather than an outage.
NOTE:
At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.
Configuring static blacklist
1. Select Security > Filter from the navigation tree.
2. On the Blacklist tab, click Static to enter the static blacklist configuration page.
Figure 517 Static blacklist configuration
3. Click Add Static to enter the static blacklist configuration page.
Figure 518 Adding static blacklist
4. Add a static blacklist entry as described in Table 159.
5. Click Apply.
Table 159 Configuration items
Item Description
MAC Address Select MAC Address, and then add a MAC address to the static blacklist.
Select from Connected Clients
If you select the option, the table below lists the currently connected clients. Select the clients to add their MAC addresses to the static blacklist.
Configuring white list
1. Select Security > Filter from the navigation tree.
2. Click the Whitelist tab.
Figure 519 Whitelist configuration
3. Click Add.
Figure 520 Adding a whitelist
4. Add a white list entry as described in Table 160.
5. Click Apply.
Table 160 Configuration items
Item Description
MAC Address Select MAC Address, and then add a MAC address to the white list.
Select from Connected Clients
If you select the option, the table below lists the currently connected clients. Select the clients to add their MAC addresses to the white list.
As soon as the first white list entry exists, every client not on the list is dropped on all APs of the AC. Add the addresses of all legitimate clients before relying on the white list.
Rogue detection configuration example
Network requirements
As shown in Figure 521, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are connected to an AC through a Layer 2 switch.
• AP 1 operates in normal mode and provides WLAN data services only.
• AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.
• Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3 (MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.
• Client 4 (MAC address 000f-e220-405e) is connected to AP 2. It is configured as a rogue device.
Figure 521 Network diagram
Configuration procedure
1. Configure AP 1 to operate in normal mode:
In normal mode, AP 1 provides WLAN data services only. For how to configure WLAN services, see "Access service configuration."
2. Configure AP 2 to operate in monitor mode:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap2, select the AP model WA2620-AGN, select Manual, and enter the serial ID of AP 2.
d. Click Apply.
Figure 522 AP configuration
e. Select Security > Rogue Detection from the navigation tree.
f. On the AP Monitor tab, click the icon corresponding to the target AP to enter the operating mode configuration page.
g. Select the operating mode Monitor.
h. Click Apply.
Figure 523 AP operating mode configuration
3. Enable the 802.11n (2.4GHz) radio mode:
a. Select Radio > Radio from the navigation tree to enter the AP radio configuration page.
b. Select the AP with the radio mode 802.11n (2.4GHz).
c. Click Enable.
Figure 524 Radio configuration
4. Configure rogue detection rules:
a. Select Security > Rogue Detection from the navigation tree.
b. Click the Rule List tab and click Add.
c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in the MAC Address field, and then click Apply.
d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click Apply.
5. Enable countermeasures against the static rogue device:
a. Select Security > Rogue Detection from the navigation tree.
b. Click the AP Monitor tab, and click Common Set to enter the common configuration page.
c. Select Static Rogue Device (listed as Static Unlaw Device in Table 155). This is because the MAC address of Client 4 was added manually to the attacker list.
d. Click Apply.
Figure 525 Common configuration
Configuration guidelines
• The radio must be disabled so that the AP operating mode can be changed.
• If you configure more than one detection rule, you need to specify the rogue device types (AP, client, bridge, and ad hoc) and the rule matching order. For more information, see "User isolation."
• The wireless service configuration is needed for an AP operating in hybrid mode, and not needed for an AP in monitor mode.
User isolation
User isolation overview
Without user isolation, all the devices in the same VLAN can access each other directly, which causes security problems. User isolation solves this problem. When an AC configured with user isolation receives unicast packets (broadcast and multicast packets in a VLAN are not isolated) from a wireless client to another wireless client or a wired PC in the same VLAN, or from a wired PC to a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.
To prevent user isolation from affecting communication between users and the gateway, add the MAC address of the gateway to the list of permitted MAC addresses.
User isolation both provides network services for users and isolates users from one another at Layer 2, which protects each user's traffic from other users of the same VLAN.
Before user isolation is enabled
As shown in Figure 526, before user isolation is enabled in VLAN 2 on the AC, wireless terminals Client A and Client B and wired terminal Host A in the VLAN can communicate with each other and access the Internet.
Figure 526 User communication
After user isolation is enabled
After user isolation is enabled on the AC, Client A, Client B, and Host A in VLAN 2 access the Internet through the gateway.
• If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B, and Host A in the same VLAN are isolated from one another, but they can access the Internet.
• If you add the MAC address of a user (Client A, for example) to the permitted MAC address list, Client A and Client B, and Client A and Host A can access each other directly, but Client B and Host A cannot.
To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC address of the gateway and the MAC addresses of the users to the permitted MAC address list.
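The forwarding decision described above, as an added example that is not H3C code. It applies the two restrictions from the configuration table that follows (no broadcast or multicast address in the list, at most 16 entries per VLAN) and the permitted-list semantics of the Client A, Client B and Host A discussion. The gateway address is the one used in the configuration example later in this chapter; the client and host addresses are constructed, and the treatment of wired-to-wired traffic is an assumption.

```python
from typing import Iterable, Set

MAX_PERMITTED_PER_VLAN = 16   # limit stated in the IMPORTANT note of the configuration table


def norm_mac(mac: str) -> str:
    """Normalise 000f-e212-7788, 00:0f:e2:12:77:88 or 000FE2127788 to 12 lower-case hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return digits


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (lowest bit of the first octet) is set."""
    return int(norm_mac(mac)[:2], 16) & 0x01 == 1


class VlanIsolation:
    """User isolation for one VLAN, as the AC applies it to the unicast traffic it sees."""

    def __init__(self, vlan_id: int, permitted: Iterable[str] = ()):
        self.vlan_id = vlan_id
        self.permitted: Set[str] = set()
        for mac in permitted:
            self.permit(mac)

    def permit(self, mac: str) -> None:
        """Add an AccessMAC entry, enforcing the two restrictions from the guide."""
        if is_group_address(mac):
            raise ValueError("broadcast or multicast MAC addresses cannot be permitted")
        key = norm_mac(mac)
        if key not in self.permitted and len(self.permitted) >= MAX_PERMITTED_PER_VLAN:
            raise ValueError(f"at most {MAX_PERMITTED_PER_VLAN} permitted MAC addresses per VLAN")
        self.permitted.add(key)

    def forwards(self, src: str, dst: str, src_wireless: bool = True, dst_wireless: bool = True) -> bool:
        """Would the AC forward a unicast frame from src to dst inside this VLAN?

        Broadcast and multicast are never isolated. Wired-to-wired traffic is not
        among the cases the guide lists (the AC is not in that path), so it is
        modelled as unaffected (assumption). Otherwise the unicast passes only if
        one endpoint is on the permitted list.
        """
        if is_group_address(dst):
            return True
        if not (src_wireless or dst_wireless):
            return True
        return norm_mac(src) in self.permitted or norm_mac(dst) in self.permitted


if __name__ == "__main__":
    # Gateway from the configuration example; client and host addresses constructed.
    gateway, client_a, client_b, host_a = "000f-e212-7788", "0011-2233-0a0a", "0011-2233-0b0b", "0011-2233-0c0c"
    vlan2 = VlanIsolation(2, [gateway])
    print("Client A -> gateway:", vlan2.forwards(client_a, gateway))
    print("Client A -> Client B:", vlan2.forwards(client_a, client_b))
    print("Client A -> Host A:", vlan2.forwards(client_a, host_a, dst_wireless=False))
    vlan2.permit(client_a)
    print("after permitting Client A, Client A -> Client B:", vlan2.forwards(client_a, client_b))
    print("after permitting Client A, Client B -> Host A:", vlan2.forwards(client_b, host_a, dst_wireless=False))
```

Enabling isolation with an empty permitted list is the disruption the configuration table warns about: every unicast between users and the gateway would be dropped, which is why the gateway is permitted before isolation is switched on.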
Configuring user isolation
Configuring user isolation
1. Select Security > User Isolation from the navigation tree.
2. Click Add. The page for configuring user isolation appears.
Figure 527 Configuring user isolation
3. Configure user isolation as described in Table 161.
4. Click Apply.
Table 161 Configuration items
Item Description
VLAN ID Specify the VLAN in which user isolation is enabled.
AccessMAC
Specify the MAC addresses to be permitted by the AC. For more information, see "After user isolation is enabled."
• Enter a MAC address in the field next to the Add button.
• Click Add to add the MAC address to the permitted MAC list.
• To delete a MAC address from the list, select an entry and click Delete.
IMPORTANT:
• Broadcast or multicast MAC addresses cannot be specified as permitted MAC addresses.
• Up to 16 permitted MAC addresses can be configured for one VLAN.
To avoid network disruption caused by user isolation, add the MAC address of the gateway to the permitted MAC address list and then enable user isolation.
If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs in the super VLAN, and you must configure user isolation on the sub-VLANs if needed.
Displaying user isolation information
Select Security > User Isolation from the navigation tree to enter the page displaying user isolation configuration summary.
Figure 528 Displaying user isolation summary
User isolation configuration example
Network requirements
As shown in
Figure 529 , isolate Client A, Client B, and Host A in VLAN 2 from one another while
allowing them to access the Internet. The MAC address of the gateway is 000f-e212-7788.
489
Figure 529 Network diagram
Configuration procedure
1. Configure wireless service:
   For how to configure wireless service, see "Access service configuration."
2. Configure user isolation:
   a. Select Security > User Isolation from the navigation tree.
   b. Click Add to enter the page for configuring user isolation.
   c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the permitted MAC address list, and click Apply.
Figure 530 Configuring user isolation
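The forwarding decision that the configuration above produces, as an added Python model (this is example code, not H3C software or the AC's actual implementation). The gateway MAC 000f-e212-7788 is the one from the example; the client MACs 000f-e212-0001 and 000f-e212-0002 are constructed. The semantics are an assumption drawn from the text: once isolation is enabled in a VLAN, a unicast frame between two stations of that VLAN is forwarded only if its source or destination MAC is on the permitted list, so clients reach the gateway but not each other. Broadcast and multicast forwarding is not modeled, and the check in enable() that the gateway is already permitted is this example's own safeguard, not device behaviour.

```python
"""Model of Layer 2 user isolation in a VLAN (added example, not H3C code)."""
PERMITTED_MAX = 16   # per-VLAN limit stated in Table 161


def parse_mac(mac: str) -> bytes:
    """Accept the H3C hhhh-hhhh-hhhh form or colon notation; return the 6 raw bytes."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address {mac!r}")
    return bytes.fromhex(digits)


def is_group_address(mac: bytes) -> bool:
    """I/G bit of the first octet: set for every multicast MAC, including broadcast."""
    return bool(mac[0] & 0x01)


class VlanIsolation:
    def __init__(self, vlan_id: int) -> None:
        self.vlan_id = vlan_id
        self.permitted: set = set()
        self.enabled = False

    def add_permitted(self, mac: str) -> None:
        raw = parse_mac(mac)
        if is_group_address(raw):
            raise ValueError("broadcast or multicast MAC addresses cannot be permitted")
        if raw not in self.permitted and len(self.permitted) >= PERMITTED_MAX:
            raise ValueError(f"VLAN {self.vlan_id}: at most {PERMITTED_MAX} permitted MACs")
        self.permitted.add(raw)

    def enable(self, gateway_mac: str) -> None:
        # the page says to permit the gateway first; this guard (an assumption of the
        # example, not device behaviour) refuses to cut every client off the network
        if parse_mac(gateway_mac) not in self.permitted:
            raise ValueError("permit the gateway MAC before enabling isolation")
        self.enabled = True

    def forwards(self, src_mac: str, dst_mac: str) -> bool:
        """Would a unicast frame from src_mac to dst_mac, both in this VLAN, be forwarded?"""
        src, dst = parse_mac(src_mac), parse_mac(dst_mac)
        if not self.enabled:
            return True
        # assumed rule: only traffic to or from a permitted MAC crosses the VLAN
        return src in self.permitted or dst in self.permitted


def demo() -> dict:
    gateway = "000f-e212-7788"                          # gateway from the example
    client_a, client_b = "000f-e212-0001", "000f-e212-0002"   # constructed clients
    vlan2 = VlanIsolation(2)
    vlan2.add_permitted(gateway)
    vlan2.enable(gateway)
    try:
        vlan2.add_permitted("ffff-ffff-ffff")
        broadcast = "accepted"
    except ValueError:
        broadcast = "rejected"
    return {
        "a_to_b": vlan2.forwards(client_a, client_b),
        "a_to_gateway": vlan2.forwards(client_a, gateway),
        "gateway_to_b": vlan2.forwards(gateway, client_b),
        "broadcast_entry": broadcast,
    }
```

Isolation only breaks Layer 2 reachability inside the VLAN; two clients that share a gateway can still reach each other through it unless the gateway filters that traffic too, so pair user isolation with an ACL on the gateway when clients must not talk at all.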
Authorized IP
Overview
The authorized IP function associates the HTTP or Telnet service with an ACL to filter client requests. Only clients that pass the ACL filtering can access the device. Before you apply an ACL, make sure it permits the address you manage the AC from; otherwise you lock yourself out of the web and Telnet interfaces.
Configuring authorized IP
Before you configure authorized IP, you must create and configure the ACL. For ACL configuration, see "QoS configuration."
1. Select Security > Authorized IP from the navigation tree.
2. Click the Setup tab to enter the authorized IP configuration page.
Figure 531 Configuration page
3. Configure an authorized IP as described in Table 162.
4. Click Apply.
Table 162 Configuration items
Item                   Description
Telnet      IPv4 ACL   Select the IPv4 ACL to be associated with the Telnet service. Available IPv4 ACLs are those configured on the page you enter by selecting QoS > ACL IPv4.
            IPv6 ACL   Select the IPv6 ACL to be associated with the Telnet service. Available IPv6 ACLs are those configured on the page you enter by selecting QoS > ACL IPv6.
Web (HTTP)  IPv4 ACL   Select the IPv4 ACL to be associated with the HTTP service. Available IPv4 ACLs are those configured on the page you enter by selecting QoS > ACL IPv4.
Configuring ACL and QoS
NOTE:
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS and IP routing, for traffic identification.
ACLs fall into the following categories:
Category                    ACL number    IP version     Match criteria
Basic ACLs                  2000 to 2999  IPv4           Source IPv4 address
                                          IPv6           Source IPv6 address
Advanced ACLs               3000 to 3999  IPv4           Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
                                          IPv6           Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs  4000 to 4999  IPv4 and IPv6  Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
NOTE:
For more information about ACL, see ACL and QoS Configuration Guide.
QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply: it reflects how well a network meets the needs of its users. Generally, QoS does not aim to grade services precisely, but to improve service under given conditions.
On the Internet, QoS refers to the ability of the network to forward packets. Because a network may provide various services, its QoS can be evaluated from different aspects. Generally, QoS refers to the ability to provide improved service by solving the core issues of delay, jitter, and packet loss ratio in the packet forwarding process.
Traditional packet forwarding services
On traditional IP networks, devices treat all packets equally and handle them using the first in first out (FIFO) policy. All packets share the resources of the network and devices, and how many resources a packet obtains depends entirely on when it arrives. This service is called "best-effort": it delivers packets to their destinations as well as it can, without any guarantee for delay, jitter, packet loss ratio, reliability, and so on.
This service policy is suitable only for applications insensitive to bandwidth and delay, such as WWW, file transfer, and email.
New requirements from new applications
The Internet has been growing along with the fast development of networking technologies, and more and more users take the Internet as their data transmission platform for various applications.
Besides traditional applications such as WWW, email, and FTP, network users are experiencing new services such as tele-education, telemedicine, video telephone, videoconferencing, and Video-on-Demand (VoD). Enterprise users expect to connect their regional branches through VPN technologies to carry out operational applications, for instance, to access the company database or to monitor remote devices through Telnet.
These new applications have one thing in common: they all have special requirements for bandwidth, delay, and jitter. For instance, videoconferencing and VoD need large bandwidth, low delay, and low jitter. Mission-critical applications, such as transactions and Telnet, may not require large bandwidth but do require low delay and preferential service during congestion.
The new emerging applications demand higher service performance of IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing packet loss ratio, managing and avoiding congestion, regulating network traffic, and setting the precedence of packets. To meet these requirements, networks must provide improved services.
NOTE:
For more information about QoS, see ACL and QoS Configuration Guide.
Configuring an ACL
Recommended configuration procedures
Recommended IPv4 ACL configuration procedure
Step                                                     Remarks
1. Adding a time range                                   Optional. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv4 ACL                                    Required. The category of the added ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv4 ACL               Required. Complete one of the three steps according to the ACL category.
4. Configuring a rule for an advanced IPv4 ACL
5. Configuring a rule for an Ethernet frame header ACL
Recommended IPv6 ACL configuration procedure
Step                                                     Remarks
1. Adding a time range                                   Optional. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv6 ACL                                    Required. The category of the added IPv6 ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv6 ACL               Required. Complete one of the two steps according to the ACL category.
4. Configuring a rule for an advanced IPv6 ACL
Adding a time range
1. Select QoS > Time Range from the navigation tree.
2. Click the Add tab to enter the time range adding page.
Figure 532 Adding a time range
3. Configure the time range information, as described in Table 163.
4. Click Apply.
Table 163 Configuration items
Item                                         Description
Time Range Name                              Set the name for the time range.
Periodic Time Range  Start Time              Set the start time of the periodic time range.
                     End Time                Set the end time of the periodic time range. The end time must be greater than the start time.
                     Sun, Mon, Tue, Wed,     Select the day or days of the week on which the periodic time range is valid. You can select any combination of the days of the week.
                     Thu, Fri, and Sat
                     These items are available after you select the Periodic Time Range option.
Absolute Time Range  From                    Set the start time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format.
                     To                      Set the end time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format. The end time must be greater than the start time.
                     These items are available after you select the Absolute Time Range option.
Adding an IPv4 ACL
1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Add tab to enter the IPv4 ACL adding page, as shown in Figure 533.
Figure 533 Adding an IPv4 ACL
3. Configure the IPv4 ACL information, as described in Table 164.
4. Click Apply.
Table 164 Configuration items
Item          Description
ACL Number    Set the number of the IPv4 ACL.
Match Order   Set the match order of the ACL. Available values are:
              • Config—Packets are compared against ACL rules in the order that the rules are configured.
              • Auto—Packets are compared against ACL rules in the depth-first match order.
Description   Set the description for the ACL.
Configuring a rule for a basic IPv4 ACL
1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL, as shown in Figure 534.
Figure 534 Configuring a basic IPv4 ACL
3. Configure a basic IPv4 ACL rule, as described in Table 165.
4. Click Add.
Table 165 Configuration items
Item                                Description
ACL                                 Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs.
Rule ID                             Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
                                    IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action                              Select the action to be performed for IPv4 packets matching the rule.
                                    • Permit—Allows matched packets to pass.
                                    • Deny—Drops matched packets.
Check Fragment                      Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Check Logging                       Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
Source IP Address / Source Wildcard Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.
Time Range                          Select the time range during which the rule takes effect.
Configuring a rule for an advanced IPv4 ACL
1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as shown in Figure 535.
Figure 535 Configuring an advanced IPv4 ACL
3. Configure an advanced IPv4 ACL rule, as described in Table 166.
4. Click Add.
Table 166 Configuration items
Item                                   Description
ACL                                    Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
Rule ID                                Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
                                       IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action                                 Select the action to be performed for IPv4 packets matching the rule.
                                       • Permit—Allows matched packets to pass.
                                       • Deny—Drops matched packets.
Non-First Fragments Only               Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Logging                                Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
IP Address Filter
  Source IP Address / Source Wildcard             Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.
  Destination IP Address / Destination Wildcard   Select the Destination IP Address option and enter a destination IPv4 address and destination wildcard, in dotted decimal notation.
Protocol                               Select the protocol to be carried by IP. If you select 1 ICMP, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMP Type
  ICMP Message / ICMP Type / ICMP Code  Specify the ICMP message type and code. These items are available only when you select 1 ICMP from the Protocol list. If you select Other from the ICMP Message list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields take the default values, which cannot be changed.
TCP/UDP Port
  TCP Connection Established           Select this option to make the rule match only TCP packets of an established connection, that is, packets with the ACK or RST flag set; the initial SYN of a new connection does not match. This item is available only when you select 6 TCP from the Protocol list.
  Source Operator / Port / -           Select the operators and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list.
  Destination Operator / Port / -      Different operators have different configuration requirements for the port number fields:
                                       • Not Check—The following port number fields cannot be configured.
                                       • Range—The following port number fields must be configured to define a port range.
                                       • Other values—The first port number field must be configured and the second must not.
Precedence Filter
  DSCP                                 Specify the DSCP value.
  TOS                                  Specify the ToS preference.
  Precedence                           Specify the IP precedence.
Time Range                             Select the time range during which the rule takes effect.
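The evaluation logic behind Tables 163 through 166 and behind the authorized IP function (an ACL guarding the Telnet service), as an added Python model. This is example code, not H3C software, and it makes several assumptions the page does not state: a wildcard is an inverse mask (a 1 bit means "don't care"); "config" order compares rules in ascending rule ID; "auto" (depth-first) order is reduced here to ranking rules by how many address bits they fix, whereas the device also weights protocol and port ranges (see ACL and QoS Configuration Guide); a time range with both a periodic and an absolute statement is active only when both hold; a client that matches no rule of an authorized-IP ACL is denied; and the AC address 10.0.0.1, the subnet 10.1.1.0/24 and the dates are constructed.

```python
"""Model of IPv4 ACL evaluation on the AC (added example, not H3C code)."""
from __future__ import annotations
import operator
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # address/wildcard pair that matches every host


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard leaves fixed (its 0 bits); assumed inverse-mask semantics."""
    fixed = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & fixed == int(IPv4Address(rule_addr)) & fixed


def port_matches(spec: tuple | None, port: int | None) -> bool:
    """spec is None (Not Check), ("range", lo, hi), or (op, port) with op eq/neq/gt/lt."""
    if spec is None:
        return True
    op, *vals = spec
    if op == "range":
        return vals[0] <= port <= vals[1]
    return {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}[op](port, vals[0])


@dataclass
class TimeRange:
    name: str
    periodic: tuple | None = None   # ("hh:mm", "hh:mm", {weekdays, Mon=0 .. Sun=6})
    absolute: tuple | None = None   # (datetime from, datetime to)

    def active(self, now: datetime) -> bool:
        if self.periodic:
            start, end, days = self.periodic
            if now.weekday() not in days or not start <= now.strftime("%H:%M") < end:
                return False
        if self.absolute and not self.absolute[0] <= now <= self.absolute[1]:
            return False
        return True


@dataclass
class Rule:
    rule_id: int
    action: str                         # "permit" or "deny"
    src: tuple = ANY                    # (address, wildcard)
    dst: tuple = ANY
    protocol: int | None = None         # 1 ICMP, 6 TCP, 17 UDP, None = any
    dst_port: tuple | None = None
    time_range: TimeRange | None = None

    def fixed_bits(self) -> int:
        """Depth-first precision (simplified): number of address bits the rule pins down."""
        return sum(32 - bin(int(IPv4Address(w))).count("1") for _, w in (self.src, self.dst))


@dataclass
class Acl:
    number: int
    match_order: str = "config"         # "config" or "auto"
    rules: list = field(default_factory=list)

    @property
    def category(self) -> str:
        for lo, hi, name in ((2000, 2999, "basic"), (3000, 3999, "advanced"),
                             (4000, 4999, "ethernet-frame-header")):
            if lo <= self.number <= hi:
                return name
        raise ValueError(f"ACL number {self.number} is out of range")

    def add_rule(self, rule: Rule) -> None:
        if self.category == "basic" and (rule.dst, rule.protocol, rule.dst_port) != (ANY, None, None):
            raise ValueError("a basic ACL rule matches on the source IPv4 address only")
        # an existing rule ID is modified in place, as the tables' IMPORTANT notes say
        self.rules = [r for r in self.rules if r.rule_id != rule.rule_id] + [rule]

    def ordered(self) -> list:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        return sorted(self.rules, key=lambda r: (-r.fixed_bits(), r.rule_id))

    def lookup(self, pkt: dict, now: datetime, default: str = "deny") -> tuple:
        """Return (action, rule_id) of the first active matching rule, else (default, None)."""
        for r in self.ordered():
            if r.time_range and not r.time_range.active(now):
                continue            # a rule outside its time range is skipped, not turned into a deny
            if (ip_matches(pkt["src"], *r.src) and ip_matches(pkt["dst"], *r.dst)
                    and r.protocol in (None, pkt.get("proto"))
                    and port_matches(r.dst_port, pkt.get("dport"))):
                return r.action, r.rule_id
        return default, None


def telnet_allowed(acl: Acl, client_ip: str, now: datetime) -> bool:
    """Authorized IP: the Telnet service admits a client only if its ACL permits it (no match = deny, assumed)."""
    pkt = {"src": client_ip, "dst": "10.0.0.1", "proto": 6, "dport": 23}   # AC address constructed
    return acl.lookup(pkt, now)[0] == "permit"


def demo() -> dict:
    office = TimeRange("office", periodic=("08:00", "18:00", {0, 1, 2, 3, 4}))
    mgmt = Acl(2000)                                    # basic ACL guarding Telnet
    mgmt.add_rule(Rule(0, "permit", src=("10.1.1.0", "0.0.0.255"), time_range=office))
    mgmt.add_rule(Rule(5, "deny"))                      # explicit catch-all deny
    tue, sat = datetime(2012, 8, 21, 10, 0), datetime(2012, 8, 25, 10, 0)

    # the same two rules evaluated in config order and in depth-first order
    by_config, by_depth = Acl(3000, "config"), Acl(3000, "auto")
    for acl in (by_config, by_depth):
        acl.add_rule(Rule(0, "permit"))                                # any -> any
        acl.add_rule(Rule(5, "deny", src=("10.1.1.0", "0.0.0.255")))  # more specific source
    pkt = {"src": "10.1.1.20", "dst": "10.0.0.1", "proto": 6, "dport": 23}
    return {
        "office_hours": telnet_allowed(mgmt, "10.1.1.20", tue),
        "weekend": telnet_allowed(mgmt, "10.1.1.20", sat),
        "outside_subnet": telnet_allowed(mgmt, "192.0.2.9", tue),
        "config_order": by_config.lookup(pkt, tue),
        "auto_order": by_depth.lookup(pkt, tue),
    }
```

The demo shows the two things that most often surprise operators: a rule whose time range is inactive is simply skipped, so the next rule (here an explicit deny) decides, and the same pair of rules permits in config order but denies in auto order because depth-first evaluation consults the more specific source first. Always end an authorized-IP ACL with an explicit catch-all rule rather than relying on the implicit default.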
Configuring a rule for an Ethernet frame header ACL
1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Link Setup tab to enter the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 536.
Figure 536 Configuring a rule for an Ethernet frame header ACL
3. Configure an Ethernet frame header IPv4 ACL rule, as described in Table 167.
4. Click Add.
Table 167 Configuration items
Item                                   Description
ACL                                    Select the Ethernet frame header IPv4 ACL for which you want to configure rules. Available ACLs are Ethernet frame header IPv4 ACLs.
Rule ID                                Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
                                       IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action                                 Select the action to be performed for IPv4 packets matching the rule.
                                       • Permit—Allows matched packets to pass.
                                       • Deny—Drops matched packets.
MAC Address Filter
  Source MAC Address / Source Mask             Select the Source MAC Address option and enter a source MAC address and mask (wildcard).
  Destination MAC Address / Destination Mask   Select the Destination MAC Address option and enter a destination MAC address and mask (wildcard).
COS (802.1p priority)                  Specify the 802.1p priority for the rule.
Type Filter
  LSAP Type / LSAP Mask                Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
                                       • LSAP Type—Indicates the frame encapsulation format.
                                       • LSAP Mask—Indicates the LSAP wildcard.
  Protocol Type / Protocol Mask        Select the Protocol Type option and specify the link layer protocol type by configuring the following items:
                                       • Protocol Type—Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
                                       • Protocol Mask—Indicates the wildcard.
                                       TIP: You can select only one of the LSAP Type option and the Protocol Type option.
Time Range                             Select the time range during which the rule takes effect.
Adding an IPv6 ACL
1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Add tab to enter the IPv6 ACL adding page, as shown in Figure 537.
Figure 537 Adding an IPv6 ACL
3. Configure the IPv6 ACL information, as described in Table 168.
4. Click Apply.
Table 168 Configuration items
Item          Description
ACL Number    Enter a number for the IPv6 ACL.
Match Order   Select a match order for the ACL. Available values are:
              • Config—Packets are compared against ACL rules in the order the rules are configured.
              • Auto—Packets are compared against ACL rules in the depth-first match order.
Description   Set the description for the ACL.
Configuring a rule for a basic IPv6 ACL
1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL, as shown in Figure 538.
Figure 538 Configuring a rule for a basic IPv6 ACL
3. Configure the basic IPv6 ACL rule information, as described in Table 169.
4. Click Add.
Table 169 Configuration items
Item                               Description
Select Access Control List (ACL)   Select the basic IPv6 ACL for which you want to configure rules. Available ACLs are basic IPv6 ACLs.
Rule ID                            Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
                                   IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Operation                          Select the operation to be performed for IPv6 packets matching the rule.
                                   • Permit—Allows matched packets to pass.
                                   • Deny—Drops matched packets.
Check Fragment                     Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Check Logging                      Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
Source IP Address / Source Prefix  Select the Source IP Address option and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit fields, each written as up to four hexadecimal digits and separated from its neighboring fields by a colon (:).
Time Range                         Select the time range during which the rule takes effect.
Configuring a rule for an advanced IPv6 ACL
1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL.
Figure 539 Configuring a rule for an advanced IPv6 ACL
3. Configure the advanced IPv6 ACL rule information, as described in Table 170.
4. Click Add.
Table 170 Configuration items
Item                                   Description
Select Access Control List (ACL)       Select the advanced IPv6 ACL for which you want to configure rules. Available ACLs are advanced IPv6 ACLs.
Rule ID                                Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
                                       IMPORTANT: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Operation                              Select the operation to be performed for IPv6 packets matching the rule.
                                       • Permit—Allows matched packets to pass.
                                       • Deny—Drops matched packets.
Check Fragment                         Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Check Logging                          Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
IP Address Filter
  Source IP Address / Source Prefix            Select the Source IP Address option and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit fields, each written as up to four hexadecimal digits and separated from its neighboring fields by a colon (:).
  Destination IP Address / Destination Prefix  Select the Destination IP Address option and enter a destination IPv6 address and prefix length, in the same format.
Protocol                               Select the protocol to be carried by IP. If you select 58 ICMPv6, you can configure the ICMPv6 message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMPv6 Type
  Named ICMPv6 Type / ICMPv6 Type / ICMPv6 Code  Specify the ICMPv6 message type and code. These items are available only when you select 58 ICMPv6 from the Protocol list. If you select Other from the Named ICMPv6 Type list, you must enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields take the default values, which cannot be changed.
TCP/UDP
  Source Operator / Port / To Port     Select the operators and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list.
  Destination Operator / Port / To Port
Time Range                             Select the time range during which the rule takes effect.
Configuring line rate
Line rate uses token buckets to control traffic. The line rate of a physical interface is the maximum rate at which the interface forwards packets (critical packets included), so it limits all packets that pass the physical interface.
To configure line rate:
1. Select QoS > Line rate from the navigation tree.
2. Click the Setup tab to enter the line rate configuration page, as shown in Figure 540.
Figure 540 Configuring line rate on a port
3. Configure line rate, as described in Table 171.
4. Click Apply.
Table 171 Configuration items
Item                             Description
Please select an interface type  Select the types of interfaces to be configured with line rate. The interface types available for selection depend on your device model.
Rate Limit                       Select Enable or Disable to enable or disable line rate on the specified port.
Direction                        Select a direction in which the line rate is to be applied.
                                 • Inbound—Limits the rate of packets received on the specified port.
                                 • Outbound—Limits the rate of packets sent by the specified port.
CIR                              Set the committed information rate (CIR), the average traffic rate.
CBS                              Set the committed burst size (CBS), the number of bits that can be sent in each interval.
EBS                              Set the excess burst size (EBS). This configuration item is not supported.
Please select port(s)            Specify the ports to be configured with line rate. Click the ports to be configured with line rate in the port list. You can select one or more ports.
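How CIR and CBS interact in the token bucket that line rate uses, as an added Python model. This is example code, not H3C software; the units (CIR in kbps, CBS in bytes) are an assumption, so check the labels shown next to the fields on your release, and so are the single bucket (the page says EBS is not supported), the bucket starting full, and dropping rather than queuing a packet that finds too few tokens. The traffic pattern is constructed.

```python
"""Token-bucket model of the line rate function (added example, not H3C code)."""
from dataclasses import dataclass


@dataclass
class LineRate:
    cir_kbps: int               # committed information rate: how fast tokens are added (assumed kbps)
    cbs_bytes: int              # committed burst size: bucket depth, the largest burst allowed (assumed bytes)
    tokens: float = -1.0        # current bucket level in bytes; -1 means "start full"
    last_ms: float = 0.0        # arrival time of the previous packet

    def __post_init__(self) -> None:
        if self.tokens < 0:
            self.tokens = float(self.cbs_bytes)

    def offer(self, size_bytes: int, now_ms: float) -> bool:
        """Return True if a packet of size_bytes arriving at now_ms is forwarded, False if dropped."""
        elapsed_ms = max(0.0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # 1 kbps = 125 bytes/s = 0.125 bytes/ms, so CIR kbps refills CIR/8 bytes per millisecond,
        # and the bucket never holds more than CBS
        self.tokens = min(float(self.cbs_bytes), self.tokens + elapsed_ms * self.cir_kbps / 8)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def run(limiter: LineRate, packets: list) -> list:
    """packets: (arrival_ms, size_bytes) pairs in arrival order; returns one forward/drop flag each."""
    return [limiter.offer(size, t) for t, size in packets]


def demo() -> list:
    # constructed traffic: a 5-frame burst at t=0, then one 1000-byte frame every millisecond
    limiter = LineRate(cir_kbps=8000, cbs_bytes=4000)   # 8 Mbps is exactly 1000 bytes/ms
    burst = [(0.0, 1500)] * 5                           # 7500 bytes at once; only 4000 fit the bucket
    steady = [(float(ms), 1000) for ms in range(1, 6)]  # exactly CIR, so every frame conforms
    return run(limiter, burst + steady)
```

In the demo the first two burst frames consume 3000 of the 4000 tokens, the third needs 1500 but finds 1000, so it and the rest of the burst are dropped; once traffic settles at the CIR every frame passes. CBS therefore decides how much of a sudden burst survives, and CIR decides the sustained rate. A rate limit applied inbound on an AC port drops excess at the AC, which protects the AC but does not stop a flooding client from filling the link in front of it.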
Configuring the priority trust mode of a port
Priority mapping overview
When a packet enters a device, the device assigns a set of QoS priority parameters to the packet based on a certain priority field carried in the packet and sometimes may modify its priority, according to certain rules depending on device status. This process is called "priority mapping". The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.
The device provides various types of priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device decides which priority value is to assign to a packet for subsequent packet processing.
You can configure priority mapping by configuring trusting packet priority or trusting port priority.
•
If packet priority is trusted, the device uses the specified priority field of the incoming packet to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet. Note that, if a received packet does not carry the specified priority field, the device uses the port priority to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.
•
If port priority is trusted, the device uses the port priority rather than packet priority to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.
Configuring priority mapping
Two approaches are available for you to configure the priority trust mode on a port for priority mapping:
• In the first approach, you can configure a port to use the 802.1p or 802.11e priority carried in received packets for priority mapping. This approach is supported for the WLAN-ESS interface in addition to other types of interface.
• In the second approach, more options are available. In addition, you can change the port priority (local precedence) of a port for priority mapping. This approach is not supported on the WLAN-ESS interface.
Approach 1
1. Select QoS > Trust Mode from the navigation tree to enter the priority trust mode configuration page, as shown in Figure 541.
Figure 541 Configuring priority trust mode
2. Configure the priority trust mode of the interfaces, as described in Table 172.
3. Click Apply.
Table 172 Configuration items
Item                              Description
Please select the interface type  Select the type of the ports to be configured. The interface types available for selection depend on your device model.
                                  IMPORTANT: If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified. To modify the priority of the WLAN-ESS interface, you must stop the service the interface provides (make the current users on the interface offline).
Trust Mode                        Select the priority trust mode:
                                  • Dot1p—Uses the 802.1p priority of received packets for mapping.
                                  • Dscp—Uses the DSCP value of received packets for mapping.
                                  • Dot11e—Uses the 802.11e priority of received packets for mapping. This option is applicable to only WLAN-ESS interfaces.
                                  IMPORTANT: Support for priority trust modes depends on the interface type. The supported priority trust modes are shown in the Trust Mode list.
Select the ports                  Specify the ports to be configured. Click the ports to be configured in the port list. You can select one or more ports.
Approach 2
1. Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 542.
Figure 542 Port priority
2. Click the icon for a port to enter the page for configuring the priority and priority trust mode of the port, as shown in Figure 543.
Figure 543 Modify the port priority
3. Set the port priority, as described in Table 173.
4. Click Apply.
Table 173 Configuration items
Item            Remarks
Interface Name  Name of the interface to be configured.
Priority        Set the local precedence value for the port. Local precedence is allocated by the device and has only local significance. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled.
Trust Mode      Set the priority trust mode of the port:
                • Untrust—Uses the port priority rather than a packet priority value for priority mapping.
                • Dot1p—Uses the 802.1p priority of received packets for priority mapping.
                • DSCP—Uses the DSCP value of received packets for priority mapping.
                IMPORTANT: Support for priority trust modes depends on the interface type.
Configuring a QoS policy
Recommended QoS policy configuration procedure
A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing. Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy.
Class
Classes identify traffic.
A class is identified by a class name and contains some match criteria for identifying traffic. The relationship between the criteria can be:
•
AND—A packet is considered belonging to a class only when the packet matches all the criteria in the class.
• OR—A packet is considered belonging to a class if it matches any of the criteria in the class.
Traffic behavior
A traffic behavior, identified by a name, defines a set of QoS actions for packets.
Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of traffic.
You can define multiple class-traffic behavior associations in a policy.
You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can be applied.
Step                                                              Remarks
1. Adding a class                                                 Required. Add a class and specify the operator of the class.
2. Configuring classification rules                               Required. Configure match criteria for the class.
3. Adding a traffic behavior                                      Required. Add a traffic behavior.
4. Configuring actions for a traffic behavior                     Configure various actions for the traffic behavior.
5. Adding a policy                                                Required. Add a policy.
6. Configuring classifier-behavior associations for the policy    Required. Associate a traffic behavior with a class in the QoS policy. You can associate a class with only one traffic behavior in a QoS policy. If a class is associated with multiple traffic behaviors, the last associated one takes effect.
7. Applying the policy:                                           Use either approach. Apply the QoS policy to a port or a WLAN service.
   • Applying a QoS policy to a port
   • Applying a QoS policy to a WLAN service
Adding a class
1. Select QoS > Classifier from the navigation tree.
2. Click the Add tab to enter the page for adding a class, as shown in Figure 544.
Figure 544 Adding a class
3. Configure the class information, as described in Table 174.
4. Click Add.
Table 174 Configuration items
Item             Description
Classifier Name  Specify a name for the classifier to be added.
Operator         Specify the logical relationship between rules of the classifier.
                 • And—Specifies the relationship between the rules in a class as logical AND. The device considers a packet to belong to a class only when the packet matches all the rules in the class.
                 • Or—Specifies the relationship between the rules in a class as logical OR. The device considers a packet to belong to a class as long as the packet matches one of the rules in the class.
Configuring classification rules
1.
2.
Select QoS > Classifier from the navigation tree.
Click the Setup tab to enter the page for setting a class, as shown in Figure 545
.
514
Figure 545 Configuring classification rules
3.
4.
5.
Configuration classification rules, as described in
Click Apply.
A progress dialog box appears.
Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Table 175 Configuration items
Item
Please select a classifier
Any
Description
Select an existing classifier in the list.
Define a rule to match all packets.
Select the option to match all packets.
515
Item
DSCP
IP Precedence
Classifier
Inbound Interface
RTP Port
Dot1p
Service 802.1p
Customer
802.1p
Description
Define a rule to match DSCP values.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
You can configure up to eight DSCP values each time. If multiple identical DSCP values are specified, the system considers them as one. The relationship between different DSCP values is OR. After such configurations, all the DSCP values are arranged in ascending order automatically.
Define a rule to match IP precedence values.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
You can configure up to eight IP precedence values each time. If multiple identical IP precedence values are specified, the system considers them as one.
The relationship between different IP precedence values is OR. After such configurations, all the IP precedence values are arranged in ascending order automatically.
Define a rule to match a QoS class.
TIP:
This configuration item is not supported.
Define a rule to match inbound interfaces.
TIP:
This configuration item is not supported.
Define a rule to match a range of RTP ports.
Specify the start port in the from field and the end port in the to field.
TIP:
This configuration item is not supported.
Define a rule to match the service 802.1p precedence values.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
You can configure up to eight Dot1p values each time. If multiple identical
Dot1p values are specified, the system considers them as one. The relationship between different Dot1p values is OR. After such configurations, all the Dot1p values are arranged in ascending order automatically.
TIP:
This configuration item is not supported.
Define a rule to match the customer 802.1p precedence values.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
You can configure up to eight Dot1p values each time. If multiple identical
Dot1p values are specified, the system considers them as one. The relationship between different Dot1p values is OR. After such configurations, all the Dot1p values are arranged in ascending order automatically.
Item Description
MAC
Source MAC
Define a rule to match a source MAC address.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
A rule to match a source MAC address is significant only to Ethernet interfaces.
Destination MAC
Define a rule to match a destination MAC address.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
A rule to match a destination MAC address is significant only to Ethernet interfaces.
VLAN
Service VLAN
Define a rule to match service VLAN IDs.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one. The relationship between different VLAN IDs is logical OR. After such a configuration. You can specify VLAN IDs in two ways:
• Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
• Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.
Customer VLAN
TIP:
This configuration item is not supported.
Define a rule to match customer VLAN IDs.
If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one. The relationship between different VLAN IDs is logical OR. You can specify VLAN IDs in two ways:
• Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
• Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.
ACL
ACL IPv4 Define an IPv4 ACL-based rule.
ACL IPv6 Define an IPv6 ACL-based rule.
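The match lists in the classifier table above share one normalization rule: values are ORed, duplicates count once, the result is kept in ascending order, and a new rule adds to rather than replaces an earlier one. The following Python model is an added example, not code from the manual or from H3C; it parses the two VLAN ID forms the table describes ("10-500" and "3, 5-7, 10") and applies the eight-value limit to IP precedence rules. The valid VLAN ID range 1-4094, the 0-7 range for IP precedence, and the reading of "up to eight VLAN IDs" as eight list entries are assumptions of this example.

```python
"""Model of how the classifier match lists described in the table are
normalized. Added example, not H3C code. Limits follow the table text;
VLAN_MIN/VLAN_MAX and IP_PRECEDENCE_MAX are assumptions of this example."""
import re

VLAN_MIN, VLAN_MAX = 1, 4094      # assumed valid VLAN ID range
MAX_ENTRIES = 8                    # "up to eight" per the table
IP_PRECEDENCE_MAX = 7              # IP precedence is a 3-bit field (assumed)


def parse_vlan_spec(spec: str) -> list:
    """Turn '10-500' or '3, 5-7, 10' into a sorted list of unique VLAN IDs.

    A single range may be any length; a comma-separated mix of IDs and
    ranges may hold at most MAX_ENTRIES entries (assumed reading of the
    "up to eight VLAN IDs" limit). Duplicates collapse to one ID because
    the entries of one match list are ORed together.
    """
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries:
        raise ValueError("empty VLAN specification")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries in a mixed VLAN list")
    ids = set()
    for entry in entries:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", entry)
        if m is None:
            raise ValueError(f"bad VLAN entry {entry!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN entry {entry!r} out of range")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def add_precedence_rule(existing: list, new_values: list) -> list:
    """Apply one more 'match IP precedence' rule to a class.

    A new rule does not overwrite the earlier one: the values accumulate,
    identical values count once, and the result is kept in ascending order.
    """
    if len(new_values) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} IP precedence values per rule")
    for v in new_values:
        if not 0 <= v <= IP_PRECEDENCE_MAX:
            raise ValueError(f"IP precedence {v} out of range 0-{IP_PRECEDENCE_MAX}")
    return sorted(set(existing) | set(new_values))


def matches(match_list: list, value: int) -> bool:
    """OR semantics: a packet matches the rule if its value is in the list."""
    return value in match_list


if __name__ == "__main__":
    print(parse_vlan_spec("3, 5-7, 10"))            # [3, 5, 6, 7, 10]
    print(len(parse_vlan_spec("10-500")))           # 491
    print(add_precedence_rule([5, 3], [3, 7, 7]))   # [3, 5, 7]
```

The parser rejects a mixed list with more than eight entries but accepts a single range of any length, which is the distinction the table draws between the two input forms.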
Adding a traffic behavior
1. Select QoS > Behavior from the navigation tree.
2. Click the Add tab to enter the page for adding a traffic behavior, as shown in Figure 546.
3. Set the traffic behavior name.
4. Click Add.
Figure 546 Adding a traffic behavior
Configuring actions for a traffic behavior
1. Select QoS > Behavior from the navigation tree.
2. Click the Setup tab to enter the page for setting a traffic behavior, as shown in Figure 547.
Figure 547 Setting a traffic behavior
3. Configure the traffic behavior actions, as described in Table 176.
4. Click Apply.
A progress dialog box appears.
5. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Table 176 Configuration items
Item Description
Please select a behavior Select an existing behavior in the list.
CAR
Enable/Disable Enable or disable CAR.
CIR Set the committed information rate (CIR), the average traffic rate.
CBS Set the committed burst size (CBS), the number of bits that can be sent in each interval.
Red
Set the action to perform for exceeding packets.
After selecting the Red option, you can select one of the following options:
• Discard—Drops the exceeding packet.
• Pass—Permits the exceeding packet to pass through.
Remark
IP Precedence
Configure the action of marking IP precedence for packets.
Select the IP Precedence option and then select the IP precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking IP precedence.
TIP:
This configuration item is not supported.
Dot1p
Configure the action of marking 802.1p precedence for packets.
Select the Dot1p option and then select the 802.1p precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking 802.1p precedence.
Local Precedence
Configure the action of marking local precedence for packets.
Select the Local Precedence option and then select the local precedence value to be marked for packets in the following list. Select Not Set to cancel the action of marking local precedence.
DSCP
Configure the action of marking DSCP values for packets.
Select the DSCP option and then select the DSCP value to be marked for packets in the following list. Select Not Set to cancel the action of marking DSCP values.
TIP:
This configuration item is not supported.
Queue
EF
Max Bandwidth Configure the maximum bandwidth for expedited forwarding (EF).
CBS Configure the CBS for EF.
Percent Configure the percent of available bandwidth for EF.
CBS-Ratio Configure the ratio of CBS to CIR for EF.
AF
Min Bandwidth Configure the minimum guaranteed bandwidth for assured forwarding (AF).
Percent Configure the percent of available bandwidth for AF.
WFQ Configure WFQ for the default class by entering the total number of fair queues, which must be a power of two.
TIP:
These configuration items are not supported.
Filter
Configure the packet filtering action.
After selecting the Filter option, select one item in the following list:
• Permit—Forwards the packet.
• Deny—Drops the packet.
• Not Set—Cancels the packet filtering action.
Accounting
Configure the traffic accounting action.
Select the Accounting option and select Enable or Disable in the following list to enable/disable the traffic accounting action.
TIP:
This configuration item is not supported.
Adding a policy
1. Select QoS > QoS Policy from the navigation tree.
2. Click the Add tab to enter the page for adding a policy, as shown in Figure 548.
3. Set the policy name.
4. Click Add.
Figure 548 Adding a policy
Configuring classifier-behavior associations for the policy
1. Select QoS > QoS Policy from the navigation tree.
2. Click the Setup tab to enter the page for setting a policy, as shown in Figure 549.
Figure 549 Setting a policy
3. Configure classifier-behavior associations, as described in Table 177.
4. Click Apply.
Table 177 Configuration items
Item Description
Please select a policy Select an existing policy in the list.
Classifier Name Select an existing classifier in the list.
Behavior Name Select an existing behavior in the list.
Applying a policy to a port
1. Select QoS > Port Policy from the navigation tree.
2. Click the Setup tab to enter the page for applying a policy to a port, as shown in Figure 550.
Figure 550 Applying a policy to a port
3. Select a policy and apply the policy to the specified ports, as described in Table 178.
4. Click Apply.
Table 178 Configuration items
Item Description
Please select a policy Select an existing policy in the list.
Direction
Set the direction in which you want to apply the policy.
• Inbound—Applies the policy to the incoming packets of the specified ports.
• Outbound—Applies the policy to the outgoing packets of the specified ports.
Please select port(s) Click the ports to which the QoS policy is to be applied in the port list. You can select one or more ports.
Applying a QoS policy to a WLAN service
1. Select QoS > Service Policy from the navigation tree to enter the service policy page shown in Figure 551.
Figure 551 Service policy
2. Click the icon for a wireless service to enter the service policy setup page shown in Figure 551.
Figure 552 Service policy setup
3. Apply the policy to the wireless service, as described in Table 179.
4. Click Apply.
Table 179 Configuration items
Item Remarks
Wlan Service Displays the specified WLAN service to which you want to apply a QoS policy.
Inbound Policy Apply the QoS policy to the packets received by the wireless service.
Outbound Policy Apply the QoS policy to the packets sent by the wireless service.
Trust Mode
Set the priority trust mode:
• Untrust—Trusts the port priority.
• Dscp—Uses the DSCP values of received packets for mapping.
• 802.11e—Uses the 802.11e priority of received 802.11 packets for mapping.
QoS Priority Set the local precedence value.
ACL and QoS configuration example
Network requirements
As shown in Figure 553, in the WLAN, the FTP server (10.1.1.1/24) is connected to the AC (SSID: service1), and the wireless clients are connected to the AC through APs and a Layer 2 switch and access the network resources.
Configure an ACL and a QoS policy on the AC to prohibit the wireless clients from accessing the FTP server from 8:00 to 18:00 every day:
1. Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
2. Configure a QoS policy to drop the packets matching the ACL.
3. Apply the QoS policy in the inbound direction of the wireless service named service1.
Figure 553 Network diagram (Client 1 and Client 2 reach the AC through AP 1, AP 2 and the L2 switch; the FTP server is at 10.1.1.1/24)
Configuration procedure
NOTE:
Before performing the following configurations, make sure the AC has been configured with wireless service service1. For more information about the wireless service configuration, see "Configuring access services."
1. Define a time range to cover the time range from 8:00 to 18:00 every day:
a. Select QoS > Time Range from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 554, enter the time range name test-time, select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the options Sun through Sat.
d. Click Apply.
Figure 554 Defining a time range covering 8:00 to 18:00 every day
2. Add an advanced IPv4 ACL:
a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Add tab.
c. Enter the ACL number 3000.
d. Click Apply.
Figure 555 Adding an advanced IPv4 ACL
3. Define an ACL rule for traffic to the FTP server:
a. Click the Advanced Setup tab.
b. On the page as shown in Figure 556, select 3000 in the ACL list, select the Rule ID option, and enter rule ID 2.
c. Select Permit in the Action list.
d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.
e. Select test-time in the Time Range list.
f. Click Add.
Figure 556 Defining an ACL rule for traffic to the FTP server
4. Add a class:
a. Select QoS > Classifier from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 557, enter the class name class1.
d. Click Add.
Figure 557 Adding a class
5. Define classification rules:
a. Click the Setup tab.
b. On the page as shown in Figure 558, select the class name class1 in the list, select the ACL IPv4 option, and select ACL 3000 in the following list.
c. Click Apply.
A progress dialog box appears.
d. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 558 Defining classification rules
6. Add a traffic behavior:
a. Select QoS > Behavior from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 559, enter the behavior name behavior1.
d. Click Add.
Figure 559 Adding a traffic behavior
7. Configure actions for the traffic behavior:
a. Click the Setup tab.
b. On the page as shown in Figure 560, select behavior1 in the list, select the Filter option, and then select Deny in the following list.
c. Click Apply.
A progress dialog box appears.
d. Click Close when the progress dialog box prompts that the configuration succeeds.
Figure 560 Configuring actions for the behavior
8. Add a policy:
a. Select QoS > QoS Policy from the navigation tree.
b. Click the Add tab.
c. On the page as shown in Figure 561, enter the policy name policy1.
d. Click Add.
Figure 561 Adding a policy
9. Configure classifier-behavior associations for the policy:
a. Click the Setup tab.
b. On the page as shown in Figure 562, select policy1, select class1 in the Classifier Name list, and select behavior1 in the Behavior Name list.
c. Click Apply.
Figure 562 Configuring classifier-behavior associations for the policy
10. Apply the QoS policy in the inbound direction of the wireless service named service1:
a. Select QoS > Service Policy from the navigation tree.
b. Click the icon for wireless service service1.
c. On the page as shown in Figure 563, select the Inbound Policy option, and select policy1 from the following list.
d. Click Apply.
Figure 563 Applying the QoS policy in the inbound direction of WLAN service service1
Verifying the configuration
After you complete these configurations, the QoS policy is successfully applied to the wireless service named service1, and the wireless clients cannot access the FTP server at IP address 10.1.1.1/24 from 8:00 to 18:00 every day, but they can do that at any other time.
Configuration guidelines
When you configure an ACL and QoS, follow these guidelines:
• You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
• When you configure line rate and traffic policing for a behavior, make sure the ratio of CBS to CIR is more than 100:16. Otherwise, the handling for bursty traffic may be affected.
• If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the QoS policy varies by interface (the definition of software/hardware interface varies with device models). The specific process is as follows:
If the QoS policy is applied to a software interface and the referenced ACL rule is a deny clause, the ACL rule does not take effect and packets go to the next classification rule.
If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the referenced ACL rule is a deny or permit clause.
• If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot influence local packets. Local packets refer to the important protocol packets that maintain the normal operation of the device. QoS must not process such packets to avoid packet drop. Commonly used local packets are: link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets, RSVP packets, SSH packets, and so on.
• When you configure queuing for a traffic behavior:
In a policy, a traffic behavior with EF configured cannot be associated with the default class, and a traffic behavior with WFQ configured can only be associated with the default class.
In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the available bandwidth of the interface to which the policy applies; the total bandwidth percentage assigned to the AF and EF classes cannot be greater than 100%.
In the same policy, the same bandwidth unit must be used to configure bandwidth for AF classes and EF classes, either absolute bandwidth value or percent.
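The following Python model is an added example, not code from the manual or from H3C. It reproduces the configuration of the example above (time range test-time, advanced ACL 3000 rule 2 with a 0.0.0.0 destination wildcard, class1, behavior1 with filter deny, and policy1 applied inbound on service1) and the guideline just stated on how a deny ACL rule is treated on software versus hardware interfaces, so that you can check which packets are dropped and when. The packet addresses, timestamps, the constructed deny-rule policy and the interface kind are inputs made up for the example; whether 18:00 itself lies inside the time range is assumed (inclusive here).

```python
"""Model of the ACL + QoS policy from the configuration example.
Added example, not H3C code; see the lead-in for what is assumed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(ref)) & care)


@dataclass(frozen=True)
class PeriodicTimeRange:
    name: str
    start: time
    end: time
    days: frozenset          # weekday numbers, Monday=0 ... Sunday=6

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str              # "permit" or "deny"
    dst_ip: str
    dst_wildcard: str
    time_range: Optional[PeriodicTimeRange] = None

    def matches(self, dst: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False     # the rule is inactive outside its time range
        return wildcard_match(dst, self.dst_ip, self.dst_wildcard)


@dataclass
class Acl:
    number: int
    rules: list

    def first_match(self, dst: str, when: datetime) -> Optional[AclRule]:
        """Match order config: rules are tried in configuration order."""
        for rule in self.rules:
            if rule.matches(dst, when):
                return rule
        return None


@dataclass
class QosPolicy:
    name: str
    classifier_acl: Acl      # the class matches on this ACL
    filter_action: str       # behavior filter: "deny" drops, "permit" forwards


def apply_policy(policy: QosPolicy, dst: str, when: datetime,
                 interface_kind: str = "hardware") -> str:
    """Return 'drop' or 'forward' for an inbound packet to dst at time when.

    Hardware interface: every packet matching the ACL rule joins the class
    and receives the behavior, whatever the rule's permit/deny keyword.
    Software interface: a deny ACL rule does not take effect and the packet
    goes to the next classification rule; none exists here, so it is forwarded.
    """
    rule = policy.classifier_acl.first_match(dst, when)
    if rule is None:
        return "forward"
    if interface_kind == "software" and rule.action == "deny":
        return "forward"
    return "drop" if policy.filter_action == "deny" else "forward"


def decision_at(policy: QosPolicy, dst: str, hour: int, minute: int,
                interface_kind: str = "hardware") -> str:
    """Evaluate on a constructed date (Monday 2012-08-20) at the given time."""
    return apply_policy(policy, dst, datetime(2012, 8, 20, hour, minute), interface_kind)


# The configuration from the example (names and values taken from the text)
TEST_TIME = PeriodicTimeRange("test-time", time(8, 0), time(18, 0), frozenset(range(7)))
ACL_3000 = Acl(3000, [AclRule(2, "permit", "10.1.1.1", "0.0.0.0", TEST_TIME)])
POLICY1 = QosPolicy("policy1", ACL_3000, "deny")

# Constructed variant for the guideline: the same drop behavior, but the
# classifying ACL rule is a deny clause covering 10.1.1.0/24 (wildcard 0.0.0.255).
DENY_RULE_POLICY = QosPolicy("deny-rule-policy",
                             Acl(3001, [AclRule(1, "deny", "10.1.1.0", "0.0.0.255")]),
                             "deny")

if __name__ == "__main__":
    print(decision_at(POLICY1, "10.1.1.1", 10, 0))   # drop
    print(decision_at(POLICY1, "10.1.1.1", 19, 0))   # forward
```

With POLICY1 the classifying rule is a permit clause, so the interface kind makes no difference; with DENY_RULE_POLICY the same packet is dropped on a hardware interface but forwarded on a software interface, which is the behavior the guideline warns about.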
Configuring wireless QoS
Overview
An 802.11 network offers wireless access based on the carrier sense multiple access with collision avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel contention opportunities, and all applications carried on the WLAN use the same channel contention parameters. A live WLAN, however, is required to provide differentiated access services to address diversified requirements of applications for bandwidth, delay, and jitter.
When IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard to allow QoS provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services.
Terminology
WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and guarantees better QoS services for voice and video applications in a wireless network.
EDCA
Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to preferentially transmit packets with high priority and allocate more bandwidth to such packets.
AC
WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data into four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in the descending order of priority. Each access category uses an independent priority queue for transmitting data. When contention occurs, WMM guarantees that a high-priority access category preempts a low-priority access category.
CAC
Connection admission control (CAC) limits the number of clients that are using high-priority access categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.
U-APSD
Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by WMM to enhance the power saving capability of clients.
SVP
SpectraLink voice priority (SVP) is a voice priority protocol designed by the Spectralink company to guarantee QoS for voice traffic.
WMM protocol overview
The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for data transmission. When the specified idle duration of the channel times out, APs or clients randomly select a backoff slot within the contention window to perform backoff. The device that finishes backoff first gets the channel. With 802.11, all devices have the same idle duration and contention window. They are equal when contending for a channel. In WMM, this fair contention mechanism is changed.
EDCA parameters
WMM assigns data packets to four access categories. By allowing a high-priority access category to have more channel contention opportunities than a low-priority access category, WMM offers different service levels to access categories.
WMM defines a set of EDCA parameters for each access category, covering the following:
• Arbitration inter-frame spacing number (AIFSN)—Different from the 802.11 protocol where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per access category. The idle duration increases as the AIFSN value increases (see Figure 564 for the AIFS durations).
• Exponent of CWmin (ECWmin) and exponent of CWmax (ECWmax)—Determine the average backoff slots, which increase as the two values increase (see Figure 564 for the backoff slots).
• Transmission opportunity limit (TXOPLimit)—Indicates the maximum time for which a user can hold a channel after a successful contention. The greater the TXOPLimit is, the longer the user can hold the channel. The value 0 indicates that the user can send only one packet each time it holds the channel.
Figure 564 Per-AC channel contention parameters in WMM
CAC admission policies
CAC requires that a client obtain permission of the AP before it can use a high-priority access category for transmission, and guarantees bandwidth to the clients that have gained access. CAC controls real time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).
To use a high-priority access category, a client must send a request to the AP. The AP returns a positive or negative response based on either of the following admission control policies:
• Channel utilization-based admission policy—The AP calculates the total time that the existing high-priority access categories occupy the channel in one second, and then calculates the time that the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested access category. Otherwise, the request is rejected.
• Users-based admission policy—If the number of clients using high-priority access categories plus the requesting clients is smaller than or equal to the maximum number of high-priority access category clients, the request is accepted. Otherwise, the request is rejected. During calculation, a client is counted once even if it is using both AC-VO and AC-VI.
U-APSD power-save mechanism
U-APSD improves the 802.11 APSD power saving mechanism. When associating clients with access categories, specify some access categories as trigger-enabled, some access categories as delivery-enabled, and the maximum number of data packets that can be delivered after receiving a trigger packet. Both the trigger attribute and the delivery attribute can be modified when flows are established using CAC. When a client sleeps, the delivery-enabled AC packets destined for the client are buffered. The client needs to send a trigger-enabled AC packet to get the buffered packets. After the AP receives the trigger packet, packets in the transmit queue are sent. The number of sent packets depends on the agreement made when the client was admitted. Access categories without the delivery attribute store and transmit packets as defined in the 802.11 protocol.
SVP service
SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol number 119) to an access category, which corresponds to a transmit queue with certain priority.
ACK policy
WMM defines the following ACK policies:
• No ACK—When the no acknowledgement (No ACK) policy is used, the recipient does not acknowledge received packets during wireless packet exchange. This policy can improve transmission efficiency in the environment where communication quality is fine and interference is weak. However, in the environment where communication quality is poor, it can cause increased packet loss and deteriorated communication quality.
• Normal ACK—When the Normal ACK policy is used, the recipient acknowledges each received unicast packet.
Enabling wireless QoS
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed, as shown in Figure 565.
Figure 565 Wireless QoS
2. Select the option in front of the radio unit to be configured.
3. Click Enable.
By default, wireless QoS is enabled.
NOTE:
The WMM protocol is the foundation of the 802.11n protocol. When the radio works in 802.11n (5 GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients may fail to communicate.
Setting the SVP service
NOTE:
SVP mapping is applicable only to non-WMM clients.
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed, as shown in Figure 566.
Figure 566 Mapping SVP service to an access category
2. Click the icon in the Operation column for the desired AP to enter the page for mapping SVP service to an access category, as shown in Figure 567.
Figure 567 Mapping SVP service to an access category
3. Configure SVP mapping, as described in Table 180.
4. Click Apply.
Table 180 Configuration items
Item Description
AP Name Displays the selected AP.
Radio Displays the selected AP's radio.
SVP Mapping
Select the option before SVP Mapping, and then select an access category for SVP service:
• AC-VO.
• AC-VI.
• AC-BE.
• AC-BK.
Setting CAC admission policy
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for setting CAC admission policy, as shown in Figure 568.
Figure 568 Setting CAC admission policy
3. Configure the CAC admission policy, as described in Table 181.
4. Click Apply.
Table 181 Configuration items
Item Description
Client Number
Users-based admission policy, or the maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI.
By default, the users-based admission policy applies, with the maximum number of users being 20.
Channel Utilization
Channel utilization-based admission policy, or the ratio of the medium time of the accepted AC-VO and AC-VI traffic to the valid time during the unit time. The valid time is the total time during which data is transmitted.
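The two admission policies described in "CAC admission policies" and configured through Table 181 can be stated precisely as a small admission model. The following Python class is an added example, not code from the manual or from H3C: it tracks admitted AC-VO/AC-VI flows, counts a client once even if it holds both, and accepts or rejects a request under either policy. The 20-client default comes from Table 181; the channel budget (a utilization percentage of one second, expressed in microseconds of medium time), the treatment of a zero or over-one-second medium time as an invalid request, and the MAC addresses and request sizes used below are assumptions of this example.

```python
"""Model of the users-based and channel utilization-based CAC policies.
Added example, not H3C code; the channel budget and request values are
assumptions of this example."""
from dataclasses import dataclass, field

HIGH_PRIORITY_ACS = ("AC-VO", "AC-VI")   # CAC controls only these categories
ONE_SECOND_US = 1_000_000


@dataclass
class CacAdmission:
    policy: str                                # "users" or "channel"
    max_clients: int = 20                      # Table 181 default (users-based policy)
    max_channel_utilization_pct: float = 75.0  # assumed budget for the channel policy
    # admitted flows: (client MAC, access category) -> medium time per second (us)
    flows: dict = field(default_factory=dict)

    def admitted_clients(self) -> int:
        """A client counts once even if it holds both AC-VO and AC-VI."""
        return len({mac for mac, _ in self.flows})

    def used_medium_time_us(self) -> int:
        """Channel time per second already committed to admitted flows."""
        return sum(self.flows.values())

    def request(self, mac: str, ac: str, medium_time_us: int) -> bool:
        """Decide one admission request; return True if it is admitted."""
        if ac not in HIGH_PRIORITY_ACS:
            return True            # AC-BE / AC-BK traffic is not subject to CAC
        if medium_time_us <= 0 or medium_time_us > ONE_SECOND_US:
            return False           # would count as "rejected due to invalid mediumtime"
        if self.policy == "users":
            already_known = any(m == mac for m, _ in self.flows)
            clients_after = self.admitted_clients() + (0 if already_known else 1)
            ok = clients_after <= self.max_clients
        elif self.policy == "channel":
            budget_us = ONE_SECOND_US * self.max_channel_utilization_pct / 100
            ok = self.used_medium_time_us() + medium_time_us <= budget_us
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if ok:
            self.flows[(mac, ac)] = medium_time_us
        return ok


if __name__ == "__main__":
    ap = CacAdmission("users", max_clients=2)
    # constructed MAC addresses and medium times
    print(ap.request("00:11:22:33:44:01", "AC-VO", 100_000))   # True
    print(ap.request("00:11:22:33:44:01", "AC-VI", 100_000))   # True, same client
    print(ap.request("00:11:22:33:44:02", "AC-VO", 100_000))   # True, second client
    print(ap.request("00:11:22:33:44:03", "AC-VO", 100_000))   # False, limit reached
```

The radio statistics page later in this chapter exposes the counters this model would feed: admitted clients, total requested medium time, and the rejection counters for insufficient resources and invalid medium time.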
Setting radio EDCA parameters for APs
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
3. On the radio EDCA list, click the icon in the Operation column for the desired priority type (AC_BK, for example) to enter the page for setting radio EDCA parameters.
Figure 569 Setting radio EDCA parameters
4. Configure the radio EDCA parameters, as described in Table 182.
5. Click Apply.
Table 182 Configuration items
Item Description
AP Name Displays the selected AP.
Radio Displays the selected AP's radio.
Priority type Displays the priority type.
AIFSN Arbitration inter-frame spacing number used by the AP.
TXOP Limit Transmission opportunity limit used by the AP.
ECWmin Exponent of CWmin used by the AP.
ECWmax Exponent of CWmax used by the AP.
No ACK
If you select the option before No ACK, the No ACK policy is used by the AP.
By default, the normal ACK policy is used by the AP.
Table 183 Default radio EDCA parameters
Access category TXOP Limit AIFSN ECWmin ECWmax
AC-BK 0 7 4 10
AC-BE 0 3 4 6
AC-VI 94 1 3 4
AC-VO 47 1 2 3
NOTE:
• ECWmin cannot be greater than ECWmax.
• On an AP operating in 802.11b radio mode, H3C recommends that you set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.
Setting client EDCA parameters for wireless clients
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
3. On the client EDCA list, click the icon in the Operation column for the desired priority type (AC_BK, for example) to enter the page for setting client EDCA parameters.
Figure 570 Setting client EDCA parameters
4. Configure the client EDCA parameters, as described in Table 184.
5. Click Apply.
Table 184 Configuration items
Item Description
AP Name Displays the selected AP.
Radio Displays the selected AP's radio.
Priority type Displays the priority type.
AIFSN Arbitration inter-frame spacing number used by clients.
TXOP Limit Transmission opportunity limit used by clients.
ECWmin Exponent of CWmin used by clients.
ECWmax Exponent of CWmax used by clients.
CAC
Enable CAC:
• Enable—Enable CAC.
• Disable—Disable CAC.
AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC.
Table 185 Default EDCA parameters for clients
Access category TXOP Limit AIFSN ECWmin ECWmax
AC-BK 0 7 4 10
AC-BE 0 3 4 10
AC-VI 94 2 3 4
AC-VO 47 2 2 3
NOTE:
• ECWmin cannot be greater than ECWmax.
• If all clients operate in 802.11b radio mode, set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
• If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, H3C recommends the TXOPLimit parameters in .
• Once you enable CAC for an access category, it is enabled automatically for all higher priority access categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO. However, enabling CAC for AC-VO does not enable CAC for AC-VI.
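The "EDCA parameters" section explains qualitatively that a smaller AIFSN and smaller ECW values give an access category more contention opportunities, and Tables 183 and 185 give the default values. The following Python code is an added example, not code from the manual or from H3C: it turns those defaults into the quantities behind that explanation, checks the ECWmin/ECWmax constraint from the notes, and ranks the access categories by how favoured they are in contention. CW = 2^ECW - 1 and AIFS = SIFS + AIFSN x slot time are the 802.11 definitions; the 802.11g timing (SIFS 10 us, slot 9 us) and the 32 us unit of the 802.11 TXOP Limit field are assumptions of this example rather than values stated in the manual.

```python
"""Contention quantities derived from the default EDCA tables.
Added example, not H3C code. SIFS_US, SLOT_US and TXOP_UNIT_US are
assumed 802.11g values; the tables are copied from Tables 183 and 185."""

# (TXOP Limit, AIFSN, ECWmin, ECWmax) per access category
DEFAULT_AP_EDCA = {            # Table 183
    "AC-BK": (0, 7, 4, 10), "AC-BE": (0, 3, 4, 6),
    "AC-VI": (94, 1, 3, 4), "AC-VO": (47, 1, 2, 3),
}
DEFAULT_CLIENT_EDCA = {        # Table 185
    "AC-BK": (0, 7, 4, 10), "AC-BE": (0, 3, 4, 10),
    "AC-VI": (94, 2, 3, 4), "AC-VO": (47, 2, 2, 3),
}
SIFS_US, SLOT_US, TXOP_UNIT_US = 10, 9, 32   # assumed 802.11g timing


def contention_window(ecw: int) -> int:
    """CW = 2^ECW - 1; the backoff counter is drawn uniformly from 0..CW."""
    return (1 << ecw) - 1


def validate_edca(table: dict) -> list:
    """Return the access categories violating 'ECWmin cannot be greater than ECWmax'."""
    return [ac for ac, (_, _, ecwmin, ecwmax) in table.items() if ecwmin > ecwmax]


def contention_profile(params: tuple) -> dict:
    """Idle time, contention window bounds, expected first backoff and TXOP."""
    txop, aifsn, ecwmin, ecwmax = params
    cwmin, cwmax = contention_window(ecwmin), contention_window(ecwmax)
    return {
        "aifs_us": SIFS_US + aifsn * SLOT_US,         # idle time before backoff starts
        "cwmin": cwmin,
        "cwmax": cwmax,
        "mean_first_backoff_us": cwmin / 2 * SLOT_US,  # mean of uniform(0..CWmin) slots
        "txop_us": txop * TXOP_UNIT_US,               # 0 means one frame per access
    }


def rank_by_priority(table: dict) -> list:
    """Access categories from most to least favoured in channel contention:
    shorter AIFS first, then smaller expected backoff."""
    def key(ac):
        p = contention_profile(table[ac])
        return (p["aifs_us"], p["mean_first_backoff_us"])
    return sorted(table, key=key)


if __name__ == "__main__":
    for ac in rank_by_priority(DEFAULT_AP_EDCA):
        print(ac, contention_profile(DEFAULT_AP_EDCA[ac]))
```

Comparing the two tables also shows why the AP defaults use AIFSN 1 for AC-VO and AC-VI while the client defaults use AIFSN 2: under the assumed timing the AP waits one slot less than its clients before the same categories start backoff, so downlink voice and video traffic is favoured over uplink traffic of the same category.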
Displaying the radio statistics
1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Radio Statistics tab to enter the page displaying radio statistics.
3. Click an AP to see its details.
Figure 571 Displaying the radio statistics
Table 186 Field description
Field Description
AP ID AP ID.
AP Name AP name.
Client EDCA update count Number of client EDCA parameter updates.
QoS mode
QoS mode:
• WMM—Indicates that the client is a QoS client.
• None—Indicates that the client is a non-QoS client.
Radio chip QoS mode Radio chip's support for the QoS mode.
Radio chip max AIFSN Maximum AIFSN allowed by the radio chip.
Radio chip max ECWmin Maximum ECWmin allowed by the radio chip.
Radio chip max TXOPLimit Maximum TXOPLimit allowed by the radio chip.
Radio chip max ECWmax Maximum ECWmax allowed by the radio chip.
Client accepted Number of clients that have been admitted to access the radio, including the number of clients that have been admitted to access the AC-VO and the AC-VI queues.
Total request mediumtime(us) Total requested medium time, including that of the AC-VO and the AC-VI queues.
Calls rejected due to insufficient resource Number of requests rejected due to insufficient resources.
Calls rejected due to invalid parameters Number of requests rejected due to invalid parameters.
Calls rejected due to invalid mediumtime Number of requests rejected due to invalid medium time.
Calls rejected due to invalid delaybound Number of requests rejected due to invalid delay bound.
Displaying the client statistics
1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Client Statistics tab to enter the page displaying client statistics.
3. Click a client name to see its details.
Figure 572 Displaying the client statistics
Table 187 Field description
Field Description
MAC address MAC address of the client.
SSID Service set ID (SSID).
QoS Mode
QoS mode:
• WMM—Indicates that QoS mode is enabled.
• None—Indicates that QoS mode is not enabled.
Max SP length Maximum service period.
State
APSD attribute of an access category:
• T—The access category is trigger-enabled.
• D—The access category is delivery-enabled.
• T | D—The access category is both trigger-enabled and delivery-enabled.
• L—The access category is of legacy attributes.
Assoc State APSD attribute of the four access categories when a client accesses the AP.
Uplink CAC packets Number of uplink CAC packets.
Uplink CAC bytes Number of uplink CAC bytes.
Downlink CAC packets Number of downlink CAC packets.
Downlink CAC bytes Number of downlink CAC bytes.
Downgrade packets Number of downgraded packets.
Downgrade bytes Number of downgraded bytes.
Discard packets Number of dropped packets.
Discard bytes Number of dropped bytes.
Setting rate limiting
The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by wireless clients attached to the AP, aggressive use of bandwidth by a client will affect other clients. To ensure fair use of bandwidth, rate limit traffic of clients in either of the following approaches:
• Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode". The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
• Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static mode". For example, if the configured rate is 1 Mbps, the rate limit of each user online is 1 Mbps.
When the set rate limit multiplied by the number of access clients exceeds the available bandwidth provided by the AP, no clients can get the guaranteed bandwidth.
Setting wireless service-based client rate limiting
You can configure the access controller to limit client rates for a service within a BSS.
To set wireless service-based client rate limiting:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Client Rate Limit tab.
3. Click Add in the Service-Based Configuration area to enter the page for setting wireless service-based client rate limits, as shown in Figure 573.
Figure 573 Setting wireless service-based client rate limiting
4. Configure service-based client rate limiting, as described in Table 188.
5. Click Apply.
Table 188 Configuration items
Item Description
Wireless Service Select an existing wireless service.
Direction
Set the traffic direction:
• Inbound—Traffic from client to AP.
• Outbound—Traffic from AP to client.
• Both—Both inbound and outbound traffic.
Mode
Set a rate limiting mode:
• Static—Limits the rate of each client to a fixed value.
• Dynamic—Limits the total rate of all clients to a fixed value.
Rate
Set the rate of the clients.
• If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client.
• If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.
Setting radio-based client rate limiting
You can configure the access controller to limit client rates for a radio.
To set radio-based client rate limiting:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Client Rate Limit tab.
3. Click Add in the Radio-Based Configuration area to enter the page for setting radio-based client rate limiting, as shown in Figure 573.
Figure 574 Setting radio-based client rate limiting
4. Configure radio-based client rate limiting, as described in Table 189.
5. Click Apply.
Table 189 Configuration items
Item Description
Radio List List of radios available. You can create the rate limiting rules for one or multiple radios.
Direction
Traffic direction:
• Inbound—Traffic from clients to the AP.
• Outbound—Traffic from the AP to clients.
• Both—Includes inbound traffic (traffic from clients to the AP) and outbound traffic (traffic from the AP to clients).
Mode
Rate limiting mode:
• Static—Limits the rate of each client to a fixed value.
• Dynamic—Limits the total rate of all clients to a fixed value.
Rate
Set the rate of the clients:
• If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client.
• If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.
Configuring the bandwidth guarantee function
When traffic is heavy, a BSS without any rate limitation may aggressively occupy the available bandwidth for other BSSs. If you limit the rate of the BSS, it cannot use the idle bandwidth of other BSSs.
To improve bandwidth use efficiency when ensuring bandwidth use fairness among wireless services, use the bandwidth guarantee function. Bandwidth guarantee makes sure all traffic from each BSS can pass through freely when the network is not congested, and each BSS can get the guaranteed bandwidth when the network is congested.
For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth.
When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed bandwidth, 25% of the bandwidth.
NOTE:
Bandwidth guarantees apply only to the traffic from AP to client.
Setting the reference radio bandwidth
1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantees, as
Figure 575 Setting the reference radio bandwidth
3. Set the reference radio bandwidth, as described in
4. Click Apply.
NOTE:
The reference radio bandwidth modification does not immediately take effect on radios with the bandwidth guarantee function enabled. To make the modification take effect, disable and then enable the radios.
Table 190 Configuration items
Item Description
802.11a Mode, 802.11b Mode, 802.11g Mode, 802.11n Mode: Set the reference radio bandwidth for the radio mode.
IMPORTANT:
Set the reference radio bandwidth slightly lower than the maximum available bandwidth.
Setting guaranteed bandwidth percents
1. Select a radio from the radio list, and click the icon for the radio in the Operation column to enter the page for setting guaranteed bandwidth, as shown in
Figure 576 Setting guaranteed bandwidth
2. Set the guaranteed bandwidth, as described in
3. Click Apply.
Table 191 Configuration items
Item Description
Guaranteed Bandwidth Percent (%): Allocate guaranteed bandwidth as a percentage of the radio bandwidth to each wireless service. The total guaranteed bandwidth cannot exceed 100% of the radio bandwidth.
Enabling bandwidth guaranteeing
To validate the bandwidth guarantee settings for a radio unit, enable its bandwidth guarantee function.
To enable the bandwidth guarantee function:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantee.
3. Select the AP and the corresponding radio mode for which you want to enable bandwidth guarantee on the list under the Bandwidth Guarantee title bar.
4. Click Enable.
Figure 577 Enabling the bandwidth guarantee function
Displaying guaranteed bandwidth settings
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click Bandwidth Guarantee.
3. Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar to view the wireless services bound to the radio unit and the guaranteed bandwidth setting for each wireless service.
Figure 578 Displaying guaranteed bandwidth settings
CAC service configuration example
Network requirements
As shown in Figure 579, a WMM-enabled AP accesses the Ethernet.
Enable CAC for AC-VO and AC-VI on the AP. To guarantee high priority clients (AC-VO and AC-VI clients) sufficient bandwidth, use the user number-based admission policy to limit the number of access users to 10.
Figure 579 Network diagram
Configuring the wireless service
1. Configure the AP, and establish a connection between the AC and the AP.
For related configurations, see "Configuring access services." Follow the steps in the related configuration example to establish a connection between the AC and the AP.
Configuring wireless QoS
1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Make sure WMM is enabled.
Figure 580 Wireless QoS configuration page (1)
3. Select the AP to be configured on the list and click the icon for the AP in the Operation column to enter the page for configuring wireless QoS.
4. On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the icon for the priority type in the Operation column to enter the page for setting client EDCA parameters.
5. Select Enable from the CAC list.
6. Click Apply.
Figure 581 Enabling CAC
7. Enable CAC for AC_VI in the same way. (Details not shown.)
8. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
9. Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
10. Select the Client Number option, and then enter 10.
11. Click Apply.
Figure 582 Setting CAC client number
Verifying the configuration
If the number of existing clients in the high-priority access categories plus the number of clients requesting high-priority access categories is smaller than or equal to the user-defined maximum number of users allowed in high-priority access categories (10 in this example), the request is allowed. Otherwise, the request is rejected.
Wireless service-based static rate limiting configuration example
Network requirements
As shown in , two wireless clients access the WLAN through an SSID named service1.
Limit the maximum bandwidth per wireless client to 128 kbps for traffic from the wireless clients to the AP.
Figure 583 Network diagram
Configuring the wireless service
For the configuration procedure, see "Configuring access services."
Configuring static rate limiting
1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless service-based rate limit settings for clients, as shown in
4. Configure static rate limiting:
a. Select service1 from the Wireless Service list.
b. Select Inbound from the Direction list.
c. Select Static from the Mode list.
d. Enter 128 in the Per-Client Rate field.
5. Click Apply.
Figure 584 Configuring static rate limiting
Verifying the configuration
1. Client1 and Client2 access the WLAN through the SSID named service1.
2. Check that traffic from Client1 is rate limited to around 128 kbps, and so is traffic from Client2.
Wireless service-based dynamic rate limiting configuration example
Network requirements
As shown in , wireless clients access the WLAN through an SSID named service2.
Configure all wireless clients to share 8000 kbps of bandwidth in any direction.
Figure 585 Network diagram
Configuring the wireless service
For the configuration procedure, see "Configuring access services."
Configuring dynamic rate limiting
1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless service-based rate limit settings for clients, as shown in
4. Configure dynamic rate limiting:
a. Select service2 from the Wireless Service list.
b. Select Both from the Direction list.
c. Select Dynamic from the Mode list.
d. Enter 8000 in the Total Rate field.
5. Click Apply.
Figure 586 Configuring dynamic rate limiting
Verifying the configuration
Check that:
1. When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps.
2. When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can each pass through at a rate as high as 4000 kbps.
Bandwidth guarantee configuration example
Network requirements
As shown in Figure 587, three wireless clients use wireless services research, office, and entertain to access the wireless network.
To make sure the enterprise network works properly, guarantee the office service 20% of the bandwidth, the research service 80%, and the entertain service none.
Figure 587 Network diagram
Configuring the wireless services
For the configuration procedure, see "Configuring access services." Follow the related configuration example to configure the wireless services.
Configuring bandwidth guaranteeing
1. Select QoS > Wireless QoS from the navigation tree.
2. Click Bandwidth Guarantee to enter the page for configuring bandwidth guarantee, as shown
3. Use the default reference radio bandwidth for 802.11a.
4. Click Apply.
Figure 588 Setting the reference radio bandwidth
5. Click the icon in the Operation column for 802.11a to enter the page for setting guaranteed bandwidth, as shown in Figure 589.
6. Set the guaranteed bandwidth:
a. Set the guaranteed bandwidth percent to 80 for wireless service research.
b. Set the guaranteed bandwidth percent to 20 for wireless service office.
c. Set the guaranteed bandwidth percent to 0 for wireless service entertain.
7. Click Apply.
After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee appears, as shown in Figure 590.
Figure 589 Setting guaranteed bandwidth
8. Select the option specific to 802.11a.
9. Click Enable.
Figure 590 Enabling bandwidth guarantee
Verifying the configuration
• Send traffic from the AP to the three wireless clients at a rate lower than 30000 kbps. The rate of traffic from the AP to the three wireless clients is not limited.
• Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than 24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and 24000 kbps respectively, and limits the traffic to Client 3.
NOTE:
• Guaranteed bandwidth in kbps = reference radio bandwidth × guaranteed bandwidth percent.
• Set the reference radio bandwidth slightly lower than the available maximum bandwidth.
• The guaranteed bandwidth configuration applies to only the traffic from the AP to clients.
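The bandwidth guarantee behaviour from the overview (every BSS passes freely when the radio is not congested, and each BSS gets at least its guaranteed share when it is) and the verification scenario above, as an added Python example that is not part of the H3C guide. It applies the guide's rule that guaranteed kbps = reference radio bandwidth × guaranteed bandwidth percent, with the 30000 kbps reference and the 80/20/0 percents of this example. The demand figures are constructed, and the order in which spare capacity is handed to services with unmet demand is an assumption; the guide only states that a BSS may use idle bandwidth of other BSSs.

```python
# Added example, not from the H3C guide: models guaranteed bandwidth percents
# on one radio for AP-to-client (downlink) traffic, the only direction the
# guarantee covers. Reference bandwidth and percents follow the example above;
# demand figures are constructed, and the spare-capacity ordering is assumed.

def guaranteed_kbps(reference_kbps, percents):
    """Convert percent guarantees into kbps. The total may not exceed 100%."""
    if sum(percents.values()) > 100:
        raise ValueError("guaranteed percents exceed 100% of the radio bandwidth")
    return {svc: reference_kbps * pct // 100 for svc, pct in percents.items()}


def allocate_downlink(reference_kbps, percents, demands_kbps):
    """Return the AP-to-client rate each wireless service receives.

    Not congested (total demand <= reference): every service passes freely.
    Congested: each service first receives min(demand, guarantee). Capacity
    left over (idle guarantees) is then handed out to services whose demand
    is still unmet, largest guarantee first (assumed tie-break; the guide
    does not specify the order).
    """
    if sum(demands_kbps.values()) <= reference_kbps:
        return dict(demands_kbps)
    guarantee = guaranteed_kbps(reference_kbps, percents)
    granted = {svc: min(demand, guarantee.get(svc, 0))
               for svc, demand in demands_kbps.items()}
    spare = reference_kbps - sum(granted.values())
    for svc in sorted(demands_kbps, key=lambda s: guarantee.get(s, 0), reverse=True):
        if spare <= 0:
            break
        extra = min(demands_kbps[svc] - granted[svc], spare)
        granted[svc] += extra
        spare -= extra
    return granted


# The example's settings: reference 30000 kbps; research 80%, office 20%, entertain 0%
REFERENCE_KBPS = 30000
PERCENTS = {"research": 80, "office": 20, "entertain": 0}

if __name__ == "__main__":
    print(guaranteed_kbps(REFERENCE_KBPS, PERCENTS))
    # Congested: research and office get their guarantees, entertain is squeezed out
    print(allocate_downlink(REFERENCE_KBPS, PERCENTS,
                            {"research": 30000, "office": 8000, "entertain": 5000}))
    # Congested, but research is mostly idle: its unused guarantee goes to the others
    print(allocate_downlink(REFERENCE_KBPS, PERCENTS,
                            {"research": 5000, "office": 20000, "entertain": 10000}))
```

The second call reproduces the verification scenario: with both guaranteed services oversubscribed there is nothing left for entertain. The third call shows the other half of the guide's promise, that a guarantee is a floor and not a cap: when research is idle, office and entertain borrow its share until the radio is full.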
Advanced settings
Advanced settings overview
Country/Region code
Radio frequencies for countries and regions vary based on country regulations. A country/region code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country/region code for a WLAN device to meet the specific country regulations.
1+1 AC backup
NOTE:
Support for the 1+1 backup feature may vary depending on your device model. For more information, see "Feature matrixes."
Dual-link backup
1. Dual links
Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC provides services for APs in the network and the standby AC provides backup service for the active AC. If the active AC fails, the standby AC takes over to provide services for the APs.
Figure 591 Dual link topology
AC 1 is operating in active mode and providing services to AP 1, AP 2, AP 3, and AP 4. AC 2 is operating in standby mode. APs are connected to AC 2 through backup links. When AC 1 goes down, AC 2 switches to active mode and remains active even after AC 1 comes back up, in which case AC 1 operates in standby mode. However, this is not so if an AC is configured as the primary AC. For more information about the primary AC, see "."
Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to provide uninterrupted services.
2. Primary AC recovery
Primary AC provides a mechanism to make sure the primary AC is chosen in precedence by APs as the active AC. When the primary AC goes down, the APs switch to connect to the standby AC. As soon as the active AC recovers, the APs automatically connect to the primary AC again.
Figure 592 Primary AC recovery
AC 1 is the primary AC with a connection priority of 7, and it establishes a connection with the AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to the AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes a connection with the primary AC. For more information about priority configuration, see "Configuring AP connection priority."
3. 1+1 fast backup
Fast link fault detection allows two ACs in 1+1 backup to detect the failure of each other in time. To achieve this, a heartbeat detection mechanism is used. When the active AC goes down, the standby AC can quickly detect the fault and become the new active AC.
NOTE:
Support for the 1+1 fast backup feature may vary depending on your device model. For more information, see "Feature matrixes."
1+N AC backup
1+N AC backup allows one AC to operate as the backup for multiple ACs. The active ACs independently provide services for the APs that connect to them, and a single standby AC provides backup service for all of the active ACs. If an active AC goes down, the APs connected to it detect the failure quickly and connect to the standby AC. As soon as the active AC recovers, the APs automatically connect to the original active AC again. This makes sure the standby AC operates as a dedicated backup for the active ACs. 1+N AC backup delivers high reliability and greatly reduces network construction cost.
Continuous transmitting mode
The continuous transmitting mode is used for test only. Do not use the function unless necessary.
Channel busy test
The channel busy test is a tool to test how busy a channel is. It tests channels supported by the country/region code one by one, and provides a busy rate for each channel. This avoids the situation that some channels are heavily loaded and some are idle.
During a channel busy test, APs do not provide any WLAN services. All the connected clients are disconnected and WLAN packets are discarded.
WLAN load balancing
WLAN load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients.
It is mainly used in high-density WLAN networks.
Requirement of WLAN load-balancing implementation
Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so it rejects the association request. Then, Client 6 tries to associate with AP 1 or AP 2, but it cannot receive signals from these two APs, so it has to resend an association request to AP 3.
Therefore, to implement load balancing, the APs must be managed by the same AC, and the clients must be able to find the APs.
Figure 593 Requirement of WLAN load-balancing implementation
Load-balancing modes
The AC supports two load balancing modes, session mode and traffic mode.
• Session mode load-balancing
Session-mode load balancing is based on the number of clients associated with the AP/radio.
Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. The AC has session-mode load balancing configured: the maximum number of sessions is 5 and the maximum session gap is 4. Then, Client 7 sends an association request to AP 2. The maximum session threshold and session gap have been reached on AP 2, so it rejects the request. At last, Client 7 associates with AP 1.
Figure 594 Network diagram for session-mode load balancing
• Traffic mode load-balancing
Traffic-mode load balancing is based on a snapshot of the traffic load on the AP/radio.
As shown in , Client 1 and Client 2 that run 802.11g are associated with AP 1. The AC has traffic-mode load balancing configured: the maximum traffic threshold is 10% and the maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1, so it rejects the request. At last, Client 3 associates with AP 2.
Figure 595 Network diagram for traffic-mode load balancing
Load-balancing methods
The AC supports AP-based load balancing and group-based load balancing.
1. AP-based load balancing
AP-based load balancing can be implemented either among APs or among the radios of an AP.
• AP-based load balancing—APs can carry out either session-mode or traffic-mode load balancing as configured. An AP starts load balancing when the maximum threshold and gap are reached, and does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.
• Radio-based load balancing—The radios of an AP that is balanced can carry out either session-mode or traffic-mode load balancing as configured. A radio starts load balancing when the maximum threshold and gap are reached and rejects any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.
2. Group-based load balancing
To balance loads among the radios of different APs, you can add them to the same load balancing group.
The radios in a load balancing group can carry out either session-mode or traffic-mode load balancing as configured. The radios that are not added to any load balancing group do not carry out load balancing. A radio in a load balancing group starts load balancing when the maximum threshold and gap are reached on it, and the radio does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap.
However, if a client has been denied more than the specified maximum times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.
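The session-mode and traffic-mode rules and the denial-count exception described above, as an added Python example that is not part of the H3C guide. `LoadBalancer.should_accept` applies the threshold-and-gap test the guide describes for an AP, a radio, or a member of a load balancing group; the loads, the threshold values and the maximum number of denials are constructed sample values (the guide names the maximum-denials setting but gives no value), and `session_example` replays the Figure 594 scenario.

```python
# Added example, not from the H3C guide: decision logic for WLAN load
# balancing. An AP/radio rejects an association only when BOTH its maximum
# threshold and its maximum gap to the least-loaded peer in the same balancing
# scope are reached; a client already denied more than max_denials times is
# accepted anyway because it evidently cannot reach another AP. All numeric
# values used below are constructed sample values.

class LoadBalancer:
    def __init__(self, mode, max_threshold, max_gap, max_denials):
        if mode not in ("session", "traffic"):
            raise ValueError("mode must be 'session' or 'traffic'")
        self.mode = mode                  # session: client counts; traffic: utilisation %
        self.max_threshold = max_threshold
        self.max_gap = max_gap
        self.max_denials = max_denials    # constructed: the guide gives no value
        self.denials = {}                 # client -> consecutive denials so far

    def overloaded(self, my_load, peer_loads):
        """True when both the threshold and the gap condition hold.

        Loads are session counts in session mode and traffic percentages in
        traffic mode; peer_loads are the other APs/radios in the same scope.
        """
        lightest = min(peer_loads) if peer_loads else my_load
        return my_load >= self.max_threshold and my_load - lightest >= self.max_gap

    def should_accept(self, client, my_load, peer_loads):
        """Decide one association request from `client` on this AP/radio."""
        if not self.overloaded(my_load, peer_loads):
            self.denials.pop(client, None)
            return True
        if self.denials.get(client, 0) > self.max_denials:
            # denied more than the maximum: assume it cannot associate elsewhere
            self.denials.pop(client, None)
            return True
        self.denials[client] = self.denials.get(client, 0) + 1
        return False


def session_example():
    """Replay the Figure 594 scenario: AP 1 has 1 client, AP 2 has 5,
    maximum sessions 5, maximum session gap 4. Client 7 tries AP 2, then AP 1."""
    lb = LoadBalancer("session", max_threshold=5, max_gap=4, max_denials=3)
    on_ap2 = lb.should_accept("client7", my_load=5, peer_loads=[1])
    on_ap1 = lb.should_accept("client7", my_load=1, peer_loads=[5])
    return on_ap2, on_ap1


if __name__ == "__main__":
    print(session_example())            # (False, True)
    tm = LoadBalancer("traffic", max_threshold=10, max_gap=20, max_denials=3)
    print(tm.should_accept("client3", my_load=35, peer_loads=[0]))   # False
```

Note that both conditions must hold: an AP at 15% utilisation with a 5% peer is over the 10% threshold but not over the 20% gap, so it still accepts. That is why the guide's prerequisite that clients can find the other APs matters; the denial counter is only the safety valve for clients that cannot.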
AP version setting
A fit AP is a zero-configuration device. It can automatically discover an AC after power-on. To make sure a fit AP can associate with an AC, their software versions must be consistent by default, which complicates maintenance. This task allows you to designate the software version of an AP on the AC, so that they can associate with each other even if their software versions are inconsistent.
Switching to fat AP
You can switch the working mode of an AP between the fit mode and the fat mode.
Wireless location
Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU messages to an AeroScout Engine (referred to as AE hereinafter), which performs location calculation and then sends the data to the graphics software. You can get the location information of the assets by maps, forms, or reports. Meanwhile, the graphics software provides the search, alert and query functions to facilitate your operations.
Wireless location can be applied to medical monitoring, asset management, and logistics, helping users effectively manage and monitor assets.
Architecture of the wireless location system
A wireless location system is composed of three parts: devices or sources to be located, location information receivers, and location systems.
• Devices or sources to be located, which can be AeroScout Tags (small, portable RFIDs, which are usually placed on or glued to the assets to be located) or Mobile Units (MUs). MUs are wireless terminals or devices running 802.11. Tags and MUs send wireless messages periodically.
• Location information receivers, for example, 802.11 APs, and AeroScout Exciters, which trigger standard-compliant Tags to send wireless messages but do not collect location information.
• Location systems, including the location server, AE calculation software, and different types of graphics software.
Wireless locating process
A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags and other devices supporting WLAN protocols. Except for Tags, all wireless devices are identified as MUs by the wireless location system.
1. Send Tag and MU messages
A Tag message is a message sent by an RFID. A Tag message contains the channel number so that an AP can filter out Tag messages whose channel numbers are not consistent with the AP's operating channel. To make sure more Tags can be detected by the AP, a Tag sends messages on different channels. A Tag periodically sends messages on one or multiple pre-configured channels, and then sends location messages on channels 1, 6, and 11 in turn periodically.
MU messages are sent by standard wireless devices. An MU message does not contain the channel number, so an AP cannot filter out MU messages whose channel numbers are not consistent with the AP's operating channel, or illegal packets; this filtering is done by the location server according to a certain algorithm and rules.
2. Collect Tag and MU messages
The working mode of an AP determines how it collects Tag and MU messages:
When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other wireless devices that are not associated with it.
When the AP operates in normal mode, it can only locate wireless clients associated with it.
The wireless location system considers wireless clients associated with the AP as wireless clients, and considers wireless clients or other wireless devices not associated with the AP as unknown devices.
NOTE:
• For more information about monitor mode and hybrid mode, see "WLAN security configuration."
• An AP operates in normal mode when it functions as a WLAN access point. For more information, see "Configuring access services."
After these processes, the AP begins to collect Tag and MU messages.
• Upon receiving Tag messages (suppose that the Tags mode has been configured on the AC, and the location server has notified the AP to report Tag messages), the AP checks the Tag messages, encapsulates those passing the check and reports them to the location server. The AP encapsulates Tag messages by copying all the information (message header and payload inclusive) except the multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR and radio mode of the radio on which the relevant Tag messages were received.
• Upon receiving MU messages (suppose that the MUs mode has been configured on the AC, and the location server has notified the AP to report MU messages), the AP checks the messages, encapsulates those that pass the check and reports the messages to the location server. The AP encapsulates an MU message by copying its source address, Frame Control field and Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR and radio mode of the radio on which the relevant Tag messages were received.
3. Calculate the locations of Tags or MUs
After receiving Tag and MU messages from APs, the location server uses an algorithm to calculate the locations of the Tag and MU devices according to the RSSI, SNR, radio mode and data rate carried in the messages, and displays the locations on the imported map. Typically, a location server can calculate the locations as long as more than 3 APs operating in monitor or hybrid mode report Tag or MU messages.
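The AP-side collection step described above (Tag channel filtering and the two encapsulation formats), as an added Python example that is not part of the H3C guide or the AeroScout software. It reproduces what the text says the AP copies and adds for each message type; the field names, the radio record, the per-frame measurements and the sample frames are all constructed, and the location server's own filtering of MU messages is out of scope.

```python
# Added example, not from the H3C guide: builds the records an AP would report
# to the location server for Tag and MU messages. Tag messages carry a channel
# number, so those for another channel are dropped and the rest are copied in
# full minus the multicast address; MU frames carry no channel, so every one
# that passes the AP's check is reported with only its source address, Frame
# Control and Sequence Control copied. Both gain the receiving radio's BSSID,
# channel, radio mode and the per-frame timestamp, data rate, RSSI and SNR.
# Field names, the radio record and the sample frames are constructed.

RADIO = {"bssid": "00:11:22:aa:bb:cc", "channel": 6, "radio_mode": "802.11g"}  # constructed

RADIO_FIELDS = ("bssid", "channel", "radio_mode")


def _rx_metadata(radio, timestamp, data_rate, rssi, snr):
    """Metadata the AP appends to every report."""
    meta = {k: radio[k] for k in RADIO_FIELDS}
    meta.update(timestamp=timestamp, data_rate=data_rate, rssi=rssi, snr=snr)
    return meta


def encapsulate_tag(tag_msg, radio, timestamp, data_rate, rssi, snr):
    """Report record for a Tag message, or None if its channel does not match."""
    if tag_msg["channel"] != radio["channel"]:
        return None
    report = {k: v for k, v in tag_msg.items() if k != "multicast_addr"}
    report.update(_rx_metadata(radio, timestamp, data_rate, rssi, snr))
    return report


def encapsulate_mu(mu_frame, radio, timestamp, data_rate, rssi, snr):
    """Report record for an MU (standard 802.11) frame."""
    report = {k: mu_frame[k] for k in ("src", "frame_control", "seq_control")}
    report.update(_rx_metadata(radio, timestamp, data_rate, rssi, snr))
    return report


def collect(frames, radio, report_tags=True, report_mus=True):
    """Build the list of records the AP sends to the location server.

    `frames` holds (kind, frame, rx_info) tuples; rx_info carries the
    timestamp, data_rate, rssi and snr the radio measured for that frame.
    report_tags / report_mus mirror the Tags / MUs modes configured on the AC.
    """
    reports = []
    for kind, frame, rx in frames:
        if kind == "tag" and report_tags:
            rec = encapsulate_tag(frame, radio, **rx)
        elif kind == "mu" and report_mus:
            rec = encapsulate_mu(frame, radio, **rx)
        else:
            rec = None
        if rec is not None:
            reports.append(rec)
    return reports


SAMPLE_FRAMES = [  # constructed sample input: two Tag messages and one MU frame
    ("tag", {"tag_id": "T-001", "channel": 6, "multicast_addr": "01:0c:cc:00:00:00",
             "payload": b"\x01\x02"}, dict(timestamp=100, data_rate=1, rssi=-60, snr=30)),
    ("tag", {"tag_id": "T-002", "channel": 11, "multicast_addr": "01:0c:cc:00:00:00",
             "payload": b"\x03"}, dict(timestamp=101, data_rate=1, rssi=-70, snr=20)),
    ("mu", {"src": "00:aa:bb:cc:dd:ee", "frame_control": 0x0040, "seq_control": 0x1230,
            "body": b"probe"}, dict(timestamp=102, data_rate=6, rssi=-55, snr=35)),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES, RADIO):
        print(rec)
```

Running it shows T-002 being dropped (channel 11 on a channel-6 radio) while the MU frame is reported even though the AP cannot judge its channel; the body of the MU frame is not forwarded, only the three header fields plus the radio metadata.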
Wireless sniffer
In a wireless network, it is difficult to locate signal interference or packet collisions by using the debugging information or terminal display information of WLAN devices. To facilitate troubleshooting, configure an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are recorded in a .dmp file for troubleshooting.
As shown in , enable wireless sniffer on the Capture AP. The Capture AP is able to listen to the wireless packets in the network, including the packets from other APs, rogue APs, and clients.
Administrators can download the .dmp file to the PC for further analysis.
Figure 596 Network diagram (labels in the figure: Client, AP 1, Switch, AC, Capture AP, Rogue AP, AP 2, PDA, PC)
Band navigation
The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and 5 GHz) clients on their 5 GHz radio, increasing overall network performance.
When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following these principles:
• For a 2.4 GHz client, the AP associates to the client after rejecting it several times.
• For a dual-band client, the AP directs the client to its 5 GHz radio.
• For a 5 GHz client, the AP associates to the client on its 5 GHz radio.
The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the configured threshold, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies the client's association to the 5 GHz radio, and allows new clients to associate to the 2.4 GHz radio. If a client has been denied more than the maximum times on the 5 GHz radio, the AP considers that the client is unable to associate to any other AP, and allows the 5 GHz radio to accept the client.
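The band navigation rules above, as an added Python example that is not part of the H3C guide. `BandNavigator.request` decides one association request on a given radio from the client's supported bands, its RSSI and the 5 GHz client-limit-and-gap test; the RSSI threshold, the client limit and gap, the "several times" rejection count for 2.4 GHz-only clients and the maximum number of 5 GHz denials are constructed knobs, since the guide names these settings but gives no values.

```python
# Added example, not from the H3C guide: band navigation on one dual-band AP.
# Each association request names the radio the client is trying ("5g" or
# "2.4g"); the AP answers "accept" or "reject" following the guide's rules:
#  - 2.4 GHz-only clients are rejected a few times and then accepted on 2.4 GHz
#  - 5 GHz-only clients are accepted on 5 GHz
#  - dual-band clients are steered to 5 GHz unless their RSSI is below the
#    threshold or the 5 GHz radio has hit both its client limit and its
#    client-count gap to the 2.4 GHz radio; a client denied on 5 GHz more than
#    max_5g_denials times is accepted there anyway
# All threshold values and the client records used below are constructed.

class BandNavigator:
    def __init__(self, rssi_threshold, max_5g_clients, max_gap,
                 reject_2g_times, max_5g_denials):
        self.rssi_threshold = rssi_threshold     # dBm; below this stay on 2.4 GHz
        self.max_5g_clients = max_5g_clients     # upper limit of clients on 5 GHz
        self.max_gap = max_gap                   # 5 GHz count minus 2.4 GHz count
        self.reject_2g_times = reject_2g_times   # constructed: "several times"
        self.max_5g_denials = max_5g_denials     # constructed: "maximum times"
        self.clients = {"5g": set(), "2.4g": set()}
        self.rejections = {}                     # mac -> rejections so far

    def _five_ghz_full(self):
        n5, n2 = len(self.clients["5g"]), len(self.clients["2.4g"])
        return n5 >= self.max_5g_clients and n5 - n2 >= self.max_gap

    def _reject(self, mac):
        self.rejections[mac] = self.rejections.get(mac, 0) + 1
        return "reject"

    def _accept(self, mac, band):
        self.clients[band].add(mac)
        self.rejections.pop(mac, None)
        return "accept"

    def request(self, mac, bands, rssi, radio):
        """Handle one association request from `mac` on `radio` ("5g"/"2.4g")."""
        if radio == "5g":
            if "5g" not in bands:
                return "reject"                      # client cannot use 5 GHz
            if bands == {"5g"}:
                return self._accept(mac, "5g")       # 5 GHz-only client
            if rssi < self.rssi_threshold:
                return self._reject(mac)             # weak signal: keep it on 2.4 GHz
            if self._five_ghz_full():
                if self.rejections.get(mac, 0) > self.max_5g_denials:
                    return self._accept(mac, "5g")   # denied too often: let it in
                return self._reject(mac)
            return self._accept(mac, "5g")
        if "2.4g" not in bands:
            return "reject"
        if bands == {"2.4g"}:
            if self.rejections.get(mac, 0) < self.reject_2g_times:
                return self._reject(mac)             # rejected several times first
            return self._accept(mac, "2.4g")
        if rssi < self.rssi_threshold or self._five_ghz_full():
            return self._accept(mac, "2.4g")         # 2.4 GHz is the right place
        return self._reject(mac)                     # push the dual-band client to 5 GHz


if __name__ == "__main__":
    nav = BandNavigator(rssi_threshold=-70, max_5g_clients=2, max_gap=2,
                        reject_2g_times=2, max_5g_denials=2)
    print(nav.request("aa:01", {"2.4g", "5g"}, -55, "2.4g"))   # reject (steered to 5 GHz)
    print(nav.request("aa:01", {"2.4g", "5g"}, -55, "5g"))     # accept
```

The test below walks a constructed sequence of clients through the AP and checks each decision, including the point where the 5 GHz radio becomes full and a dual-band client is let onto 2.4 GHz instead.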
Configuring WLAN advanced settings
Setting a country/region code
1. Select Advanced > Country/Region Code from the navigation tree to enter the page for setting a country/region code.
Figure 597 Setting a country/region code
2. Configure a country/region code as described in
3. Click Apply.
Table 192 Configuration items
Item Description
Country/Region Code: Select a country/region code.
Configure the valid country/region code for a WLAN device to meet the country regulations.
If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is locked. It cannot be changed.
If you do not specify a country/region code for an AP, the AP uses the global country/region code configured on this page. For how to specify the country/region code for an AP, see "Quick start." If an AP is configured with a country/region code, the AP uses its own country/region code.
Some ACs and fit APs have fixed country/region codes. Which code is used is determined as follows: An AC's fixed country/region code cannot be changed, and all managed fit APs whose country/region codes are not fixed must use the AC's fixed country/region code. A fit AP's fixed country/region code cannot be changed, and the fit AP can only use that code. If an AC and a managed fit AP use different fixed country/region codes, the fit AP uses its own fixed country/region code.
Configuring 1+1 AC backup
Configuring AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand the Advanced Setup area.
Figure 598 Configuring connection priority
4. Configure an AP connection priority as described in
5. Click Apply.
Table 193 Configuration items
Item Description
AP Connection Priority: Set the priority for the AP connection to the AC.
Configure 1+1 AC backup
1. Select Advanced > AC Backup from the navigation tree.
Figure 599 Configuring AC backup
2. Configure an IP address and switch delay time for the backup AC as described in
3. Click Apply.
Table 194 Configuration items
Item Description
IPv4: Select IPv4, and enter the IPv4 address of the backup AC.
IPv6: Select IPv6, and enter the IPv6 address of the backup AC.
If the backup AC is configured on the page you enter by selecting AP > AP Setup, that configuration is used in precedence. For more information, see "AP configuration."
The access mode configuration on the two ACs should be the same.
Specify the IP address of one AC on the other AC in an AC backup.
Switch Delay Time: Delay time for the AP to switch from the primary AC to the backup AC.
Configuring 1+1 fast backup
1. Select Advanced > AC Backup from the navigation tree.
Figure 600 Configuring fast backup
2. Configure fast backup as described in
3. Click Apply.
Table 195 Configuration items
Item Description
Fast Backup Mode:
• disable—Disable fast backup.
• enable—Enable fast backup.
By default, fast backup is disabled.
Hello Interval: Heartbeat interval for an AC connection. If no heartbeat is received during three consecutive intervals, the device considers the peer down.
The value range varies with devices. For more information, see "Feature matrixes."
VLAN ID: ID of the VLAN to which the port where the backup is performed belongs.
Backup Domain ID: ID of the domain to which the AC belongs.
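Two of the 1+1 backup behaviours described in this chapter, as an added Python example that is not part of the H3C guide: the AP-side AC selection that gives plain dual-link backup (stay with whichever AC is serving you, no fail-back) and, when an AC with a higher connection priority is configured as the primary AC, primary AC recovery; and the Hello Interval rule from Table 195 (no heartbeat for three consecutive intervals means the peer is down), mapped onto the Peer Board State values of Table 196. AC names, priorities, timestamps and the reachability timeline are constructed sample values.

```python
# Added example, not from the H3C guide: models AC selection by an AP and the
# fast backup heartbeat rule. Names, priorities and times are constructed.

MISSED_INTERVALS_BEFORE_DOWN = 3   # Table 195: three consecutive missed hellos


def peer_board_state(last_hello_at, now, hello_interval):
    """Return the Peer Board State ('Unknown', 'Normal' or 'Abnormal').

    last_hello_at is None when no heartbeat has ever arrived, which the status
    page shows as Unknown (no connection present). Times are in seconds.
    """
    if last_hello_at is None:
        return "Unknown"
    if now - last_hello_at >= MISSED_INTERVALS_BEFORE_DOWN * hello_interval:
        return "Abnormal"
    return "Normal"


def choose_ac(current, priorities, reachable):
    """Pick the AC an AP connects to.

    priorities maps AC name -> AP connection priority (higher wins). When the
    AP is already served by a reachable AC and no reachable AC has a strictly
    higher priority, it stays put: that is the dual-link behaviour, where the
    former active AC becomes the standby after it recovers. A reachable AC
    with a higher priority (the primary AC) is preferred, which gives primary
    AC recovery. Returns None when no AC is reachable.
    """
    candidates = [ac for ac in priorities if ac in reachable]
    if not candidates:
        return None
    best = max(candidates, key=lambda ac: priorities[ac])
    if current in reachable and priorities[best] <= priorities[current]:
        return current
    return best


def replay(priorities, timeline, start=None):
    """Feed a sequence of reachable-AC sets to choose_ac; return each choice."""
    choices, current = [], start
    for reachable in timeline:
        current = choose_ac(current, priorities, reachable)
        choices.append(current)
    return choices


if __name__ == "__main__":
    # AC 1 up, AC 1 fails, AC 1 recovers
    timeline = [{"AC1", "AC2"}, {"AC2"}, {"AC1", "AC2"}]
    print(replay({"AC1": 7, "AC2": 0}, timeline))   # primary AC recovery: back to AC1
    print(replay({"AC1": 0, "AC2": 0}, timeline))   # dual links only: stays on AC2
    print(peer_board_state(last_hello_at=0.0, now=3.0, hello_interval=1.0))  # Abnormal
```

The two `replay` calls use the same outage and differ only in whether AC 1 carries a higher connection priority; that single setting is what decides whether the APs return to AC 1 after it recovers, as the Figure 591 and Figure 592 descriptions explain.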
Displaying status information of 1+1 fast backup
1. Select Advanced > AC Backup from the navigation tree.
2. Click the Status tab to enter the page as shown in Figure 601.
Figure 601 Status information
Table 196 Field description
Field Description
AP Name: Select to display the AP connecting to the AC.
Status: Current status of the current AC.
Vlan ID: ID of the VLAN to which the port belongs.
Domain ID: Domain to which the AC belongs.
Link State: Link status of the AC connection:
• Close—No connection is established.
• Init—The connection is being set up.
• Connect—The connection has been established.
Peer Board MAC: MAC address of the peer AC.
Peer Board State: Status of the peer AC:
• Normal—The peer AC is normal.
• Abnormal—The peer AC is malfunctioning.
• Unknown—No connection is present.
Hello Interval: Heartbeat interval for an AC connection.
Configuring 1+N AC backup
Configuring AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand Advanced Setup.
Figure 602 Configuring connection priority
4. Configure a connection priority as described in Table 197.
5. Click Apply.
Table 197 Configuration items
Item Description
AP Connection Priority: Set the priority for the AP connection to the AC.
Configuring 1+N AC backup
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand Advanced Setup.
Figure 603 Configuring 1+N AC backup
4. Configure 1+N backup as described in Table 198.
5. Click Apply.
Table 198 Configuration items
Item Description
Backup AC IPv4 Address: Set the IPv4 address of the backup AC.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC.
If the global backup AC is also configured on the page you enter by selecting Advanced > AC Backup, this configuration is used in precedence.
Configuring continuous transmitting mode
1. Select Advanced > Continuous Transmit from the navigation tree to enter the continuous transmitting mode configuration page.
Figure 604 Configuring continuous transmitting mode
2. Click the icon corresponding to the target radio to enter the page for configuring the transmission rate. The transmission rate varies with the radio mode.
When the radio mode is 802.11a/b/g, the page as shown in Figure 605 appears. Select a transmission rate from the list.
Figure 605 Selecting a transmission rate (802.11b/g)
When the radio mode is 802.11n, the page as shown in Figure 606 appears. Select an MCS index value to specify the 802.11n transmission rate. For more information about MCS, see "Radio configuration."
Figure 606 Selecting an MCS index (802.11n)
3. Click Apply.
To stop the continuous transmitting mode, click the icon of the target radio. After continuous transmit is stopped, the transmission rate value on the page as shown in Figure 605 displays as 0.
NOTE:
When continuous transmit is enabled, do not perform any operations other than transmission rate configuration.
Configuring a channel busy test
1. Select Advanced > Channel Busy Test from the navigation tree to enter the channel busy test configuration page.
Figure 607 Configuring channel busy test
2. Click the icon corresponding to the target AP to enter the channel busy testing page.
Figure 608 Test busy rate of channels
3. Configure the channel busy test as described in Table 199.
4. Click Start to start the test.
Table 199 Configuration items
Item Description
AP Name: Display the AP name.
Radio Unit: Display the radio unit of the AP.
Radio Mode: Display the radio mode of the AP.
Test time per channel: Set the time period in seconds within which each channel is tested. It defaults to 3 seconds.
NOTE:
• During a channel busy test, the AP does not provide any WLAN services. All connected clients are disconnected.
• Before the channel busy test completes, do not start another test for the same channel.
Configuring load balancing
Band navigation and load balancing can be used simultaneously.
Configuration prerequisites
Before you configure load balancing, make sure:
• The target APs are associated with the same AC.
• The clients can find the APs.
• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."
Recommended configuration procedure
Task Remarks
1. Configuring a load balancing mode: Required.
2. Configuring AP-based load balancing
3. Configuring group-based load balancing
Required (tasks 2 and 3). Use either approach:
• AP-based load balancing—After you complete Configuring a load balancing mode, the AC adopts AP-based load balancing by default.
• Group-based load balancing—H3C recommends that you complete Configuring a load balancing mode first. A load balancing group takes effect only when a load balancing mode is configured.
4. Configuring parameters that affect load balancing: Optional. This configuration takes effect for both AP-based load balancing and radio-group-based load balancing.
Configuring a load balancing mode
NOTE:
If the AC has a load balancing mode configured but has no load balancing group created, it uses AP-based load balancing by default.
1. Configure session-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load balancing.
b. Select Session from the Loadbalance Mode list.
c. Click Apply.
Figure 609 Setting session-mode load balancing
Table 200 Configuration items
Item Description
Loadbalance Mode: Select Session. The function is disabled by default.
Threshold: Session threshold. Load balancing is carried out for a radio when both the session threshold and the session gap threshold are reached.
Gap: Session gap threshold. Load balancing is carried out for a radio when both the session threshold and the session gap threshold are reached.
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load balancing.
b. Select Traffic from the Loadbalance Mode list.
c. Click Apply.
Figure 610 Setting traffic-mode load balancing
Table 201 Configuration items
Item Description
Loadbalance Mode: Select Traffic. The function is disabled by default.
Traffic: Traffic threshold. Load balancing is carried out for a radio when both the traffic threshold and the traffic gap threshold are reached.
Gap: Traffic gap threshold (the traffic gap between the two APs). Load balancing is carried out for a radio when both the traffic threshold and the traffic gap threshold are reached.
NOTE:
If you select traffic-mode load balancing, the maximum throughput of 802.11g/802.11a is 30 Mbps.
Configuring group-based load balancing
NOTE:
H3C recommends that you complete Configuring a load balancing mode on the Load Balance tab page first. A load balancing group takes effect only when a load balancing mode is configured.
1. Select Advanced > Load Balance from the navigation tree.
2. Click the Load Balance Group tab to enter the page for configuring a load balancing group.
3. Click Add.
Figure 611 Configuring a load balancing group
4. Configure a load balancing group as described in Table 202.
5. Click Apply.
Table 202 Configuration items
Item Remarks
Group ID: Display the ID of the load balancing group.
Description: Configure a description for the load balancing group. By default, the load balancing group has no description.
Radio List:
• In the Radios Available area, select the target radios, and then click << to add them to the Radios Selected area.
• In the Radios Selected area, select the radios to be removed, and then click >> to remove them from the load balancing group.
Configuring parameters that affect load balancing
1. Select Advanced > Load Balance from the navigation tree. See Figure 609.
2. Configure the parameters that affect load balancing as described in Table 203.
3. Click Apply.
Table 203 Configuration items
Item Remarks
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold. A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold as not detected. If only one AP can detect the client, that AP increases the access probability for the client even if it is overloaded.
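The session-mode and traffic-mode rules of Table 200 and Table 201, the group scoping of Table 202, and the Max Denial Count and RSSI Threshold parameters of Table 203 combine into one admission decision per radio. The following Python simulation is an added example, not code from this guide or from the H3C software; it models those rules so that an operator can predict which radio will admit a client before changing thresholds in production. The radio names, session counts and RSSI values are constructed, the default Max Denial Count and RSSI Threshold of 0 are assumptions (the guide does not state them), and traffic load is expressed as a percentage of the 30 Mbps maximum cited in the note on traffic mode.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Radio:
    name: str
    sessions: int = 0            # clients currently associated with this radio
    traffic_pct: float = 0.0     # traffic load as a percentage of the 30 Mbps maximum
    group: Optional[int] = None  # load balancing group ID; None = in no group


@dataclass
class LoadBalanceConfig:
    mode: str                  # "session" or "traffic", the Loadbalance Mode setting
    threshold: float           # session threshold, or traffic threshold in percent
    gap: float                 # session gap, or traffic gap in percent
    max_denial_count: int = 0  # assumption: the guide does not state the default
    rssi_threshold: int = 0    # assumption: the guide does not state the default


def load_of(radio: Radio, cfg: LoadBalanceConfig) -> float:
    """The quantity compared against threshold and gap in the configured mode."""
    return radio.sessions if cfg.mode == "session" else radio.traffic_pct


def peers_of(radio: Radio, radios: List[Radio]) -> Optional[List[Radio]]:
    """Radios this one is balanced against, or None if it takes no part in balancing.

    AP-based balancing (no group created on the AC) compares every radio on the AC;
    once groups exist, only radios inside the same group balance against each other.
    """
    if not any(r.group is not None for r in radios):
        return [r for r in radios if r is not radio]
    if radio.group is None:
        return None
    return [r for r in radios if r.group == radio.group and r is not radio]


def should_accept(radio: Radio, radios: List[Radio], cfg: LoadBalanceConfig,
                  rssi_seen: Dict[str, int], denials: int) -> Tuple[bool, str]:
    """Decide whether `radio` admits a client, returning (accept, reason).

    rssi_seen maps radio name -> RSSI at which that radio hears the client.
    denials is how many times this client has already been denied.
    """
    # Max Denial Count: a client refused more than the configured number of times
    # is assumed unable to associate anywhere else and is admitted.
    if denials > cfg.max_denial_count:
        return True, "denial count exceeded, client admitted"
    # RSSI Threshold: radios hearing the client below the threshold count as not
    # detecting it; if this radio is the only one left, it admits even when loaded.
    detecting = [n for n, rssi in rssi_seen.items() if rssi >= cfg.rssi_threshold]
    if detecting == [radio.name]:
        return True, "only radio detecting the client"
    peers = peers_of(radio, radios)
    if peers is None:
        return True, "radio is outside every load balancing group"
    if not peers:
        return True, "no peer radio to compare against"
    mine = load_of(radio, cfg)
    lightest = min(load_of(p, cfg) for p in peers)
    # Balancing triggers only when BOTH the threshold and the gap are reached.
    if mine >= cfg.threshold and mine - lightest >= cfg.gap:
        return False, f"{cfg.mode} threshold and gap reached"
    return True, "threshold or gap not reached"


def admission_table(radios: List[Radio], cfg: LoadBalanceConfig,
                    rssi_seen: Dict[str, int], denials: int = 0) -> Dict[str, bool]:
    """Which radios would admit a new client right now."""
    return {r.name: should_accept(r, radios, cfg, rssi_seen, denials)[0] for r in radios}


if __name__ == "__main__":
    # Constructed scenario: ap2 already carries 5 clients, ap1 carries 1.
    radios = [Radio("ap1", sessions=1), Radio("ap2", sessions=5)]
    cfg = LoadBalanceConfig(mode="session", threshold=5, gap=4)
    print(admission_table(radios, cfg, {"ap1": 25, "ap2": 30}))
```

Because a radio only ever denies, and never redirects, the client still has to find the lighter radio itself; the model therefore returns a per-radio verdict rather than a chosen radio, which is also what an operator sees when troubleshooting a client that is repeatedly refused.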
Configuring AP
Upgrading AP version
1. Select Advanced > AP from the navigation tree.
2. On the AP Module tab, select the desired AP.
3. Click Version Update to enter the page for AP version upgrade.
Figure 612 AP version update
4. Configure the AP upgrade as described in Table 204.
5. Click Apply.
Table 204 Configuration items
Item Description
AP Model: Display the selected AP model.
Software Version: Enter the software version of the AC in the correct format.
Switching to fat AP
1. Select Advanced > AP Setup from the navigation tree.
2. Click the Switch to Fat AP tab.
3. Select the desired AP.
4. Click Switch to Fat AP to perform the AP working mode switchover.
Figure 613 Switching to fat AP
NOTE:
Before you switch the work mode, you must download the fat AP software to the AP.
Configuring wireless location
1. Select Advanced > Wireless Location from the navigation tree to enter the page for displaying and configuring wireless location on the AC.
Figure 614 Configuring wireless location
2. Configure wireless location as described in Table 205.
3. Click Apply.
Table 205 Configuration items
Item Description
Location Function:
• Enable—Enables the wireless location function globally. The device begins to listen for packets when wireless location is enabled.
• Disable—Disables wireless location globally.
For the location function to work, complete the configuration on both the location server and the AC:
• On the location server—Configure whether to locate Tags or MUs, the Tag message multicast address, and the dilution factor. These settings are notified to the APs through the configuration message. For more information about the location server and its configuration parameters, see the location server manuals.
• On the AC—Configure the AP mode settings, and enable the wireless location function.
When the configurations are correctly made, APs wait for the configuration message sent by the location server, and after receiving that message, start to receive and report Tag and MU messages.
Vendor Port: Set the listening port number for vendors. The port number must be the same as that defined on the AE.
Tag Mode: Select this option to enable the Tag report function on the radio (you also need to enable Tags mode on the AE).
MU Mode: Select this option to enable the MU report function on the radio (you also need to enable MUs mode on the AE).
An AP reports IP address change and device reboot events to the location server so that the location server can respond in time. The AP reports a reboot message according to the IP address and port information of the location server recorded in its flash.
• The AP updates the data in the flash after receiving a configuration message. To protect the flash, the AP does not update the flash immediately after receiving a configuration message, but waits for 10 minutes. If it receives another configuration message within those 10 minutes, the AP only updates the configuration information in its cache, and when the 10-minute timer expires, saves the cached information to the flash.
• If the AP reboots within 10 minutes after receiving the first configuration message, and no configuration has been saved in the flash, it does not send a reboot message to the location server.
Configuring wireless sniffer
1. Select Advanced > Wireless Sniffer from the navigation tree to enter the wireless sniffer configuration page.
Figure 615 Configuring wireless sniffer
2. To enable the wireless sniffer function for a specified radio, click the icon of the radio.
Before you enable wireless sniffer, make sure the AP operates in normal mode and is in run state. Wireless sniffer can be enabled for only one radio, and that radio must be configured with a fixed channel.
When you configure wireless sniffer, follow these guidelines:
• Auto APs do not support wireless sniffer.
• Wireless sniffer can be enabled for only one radio at a time.
• While the Capture AP is capturing packets, if wireless sniffer is disabled for the radio, the Capture AP is deleted, the Capture AP is disconnected from the AC, or the number of captured packets reaches the upper limit, the sniffer operation stops and the packets are saved to the specified .dmp file. The default storage medium varies with device models.
• You can click Stop to stop the wireless sniffer, and choose whether to save the packets to a CAP file. If you choose not to, no CAP file is generated.
• The working mode of the AP cannot be changed while it is capturing packets.
NOTE:
Do not enable or run wireless services on the radio with wireless sniffer enabled. Disable all wireless services before enabling wireless sniffer.
3. Configure wireless sniffer as described in Table 206.
4. Click Apply.
Table 206 Configuration items
Item Description
Capture Limit: The maximum number of packets that can be captured. Once the limit is exceeded, the device stops capturing packets.
IMPORTANT: You cannot change the value while the device is capturing packets.
Filename: Name of the CAP file to which the packets are saved. By default, the name is SnifferRecord.
IMPORTANT: You cannot change the file name while the device is capturing packets.
Configuring band navigation
When band navigation is enabled, client association efficiency is affected, so this feature is not recommended in scenarios where most clients use 2.4 GHz. Band navigation is not recommended in a delay-sensitive network. Band navigation and load balancing can be used simultaneously.
Configuration prerequisites
To enable band navigation to operate properly, make sure of the following:
• The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."
• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
• The SSID is bound to both the 2.4 GHz and 5 GHz radios of the AP.
Configuring band navigation
1. Select Advanced > Band Navigation from the navigation tree.
Figure 616 Configuring band navigation
2. Configure band navigation as described in Table 207.
3. Click Apply.
Table 207 Configuration items
Item Description
Band Navigation:
• Enable—Enable band navigation.
• Disable—Disable band navigation.
By default, band navigation is disabled globally.
Session Threshold / Gap:
• Session Threshold—Session threshold for clients on the 5 GHz band.
• Gap—Session gap, which is the number of clients on the 5 GHz band minus the number of clients on the 2.4 GHz band.
If the number of clients on the 5 GHz radio has reached the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit, the AP denies the client's association with the 5 GHz radio and allows new clients to associate with the 2.4 GHz radio.
When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers that the client is unable to associate with any other AP, and allows the 5 GHz radio to accept the client. When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
RSSI Threshold: Band navigation RSSI threshold. The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than this value, the AP does not direct the client to the 5 GHz band.
Aging Time: Client information aging time. The AP records the client information when a client tries to associate with it. If the AP receives a probe request or association request from the client before the aging time expires, the AP refreshes the client information and restarts the aging timer. Otherwise, the AP removes the client information and does not count the client during band navigation.
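The items of Table 207 (Session Threshold, Gap, Max Denial Count, RSSI Threshold and Aging Time) together define how an AP steers a dual-band client between its two radios. The following Python model is an added example, not code from this guide or from H3C, written so that an operator can predict steering decisions before enabling the feature. The aging time of 60 seconds, the RSSI scale, the client labels and the timestamps are constructed assumptions; the 2.4 GHz radio is assumed to always admit, and steer() models a client that tries 5 GHz first and falls back to 2.4 GHz when refused.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class BandNavConfig:
    session_threshold: int     # Session Threshold for clients on the 5 GHz band
    gap: int                   # Gap: 5 GHz client count minus 2.4 GHz client count
    max_denial_count: int = 0  # default once band navigation is enabled, per Table 207
    rssi_threshold: int = 0    # assumption: the guide states no default
    aging_time: float = 60.0   # seconds; assumption, the guide states no default


@dataclass
class ClientRecord:
    last_seen: float
    band: Optional[str] = None  # "5g" or "2.4g" once associated, None while only probing
    denials: int = 0            # times the 5 GHz radio has refused this client


@dataclass
class DualBandAP:
    cfg: BandNavConfig
    clients: Dict[str, ClientRecord] = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        """Drop records whose aging timer expired; they no longer count."""
        stale = [mac for mac, rec in self.clients.items()
                 if now - rec.last_seen > self.cfg.aging_time]
        for mac in stale:
            del self.clients[mac]

    def count(self, band: str, now: float) -> int:
        """Clients currently counted on a band, after aging out silent ones."""
        self._age_out(now)
        return sum(1 for rec in self.clients.values() if rec.band == band)

    def probe(self, mac: str, now: float) -> None:
        """A probe or association request refreshes the record and restarts its timer."""
        rec = self.clients.get(mac)
        if rec is None:
            self.clients[mac] = ClientRecord(last_seen=now)
        else:
            rec.last_seen = now

    def request_5g(self, mac: str, rssi: int, now: float) -> bool:
        """Association request on the 5 GHz radio; True if admitted."""
        self.probe(mac, now)
        rec = self.clients[mac]
        if rssi < self.cfg.rssi_threshold:
            return False  # too weak for 5 GHz; not counted as a denial
        n5, n24 = self.count("5g", now), self.count("2.4g", now)
        if n5 >= self.cfg.session_threshold and n5 - n24 >= self.cfg.gap:
            if rec.denials > self.cfg.max_denial_count:
                rec.band = "5g"  # refused too often: assumed unable to go elsewhere
                return True
            rec.denials += 1
            return False
        rec.band = "5g"
        return True

    def request_24g(self, mac: str, now: float) -> bool:
        """The 2.4 GHz radio admits every client under band navigation (assumption)."""
        self.probe(mac, now)
        self.clients[mac].band = "2.4g"
        return True

    def steer(self, mac: str, dual_band: bool, rssi: int, now: float) -> str:
        """Band a client ends up on when it tries 5 GHz first and falls back to 2.4 GHz."""
        if dual_band and self.request_5g(mac, rssi, now):
            return "5g"
        self.request_24g(mac, now)
        return "2.4g"


if __name__ == "__main__":
    # Constructed run: threshold 2, gap 1, three dual-band clients then one 2.4 GHz-only client.
    ap = DualBandAP(BandNavConfig(session_threshold=2, gap=1))
    for i, dual in enumerate([True, True, True, False], start=1):
        print(f"client {i} ->", ap.steer(f"client{i}", dual, rssi=40, now=float(i)))
```

Reading the rule literally, the third dual-band client is refused on 5 GHz because both the threshold (2) and the gap (2 minus 0) are reached, and the single-band client never contends for 5 GHz; the denials counter on each record is what Max Denial Count is compared against on a retry.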
Advanced settings configuration examples
1+1 fast backup configuration example
Network requirements
As shown in Figure 617, AC 1 and AC 2 back up each other, with AC 1 acting as the active AC. When the active AC fails, the standby AC takes over to provide services, ensuring no service interruption.
• Assign a higher priority to the AP connection to AC 1, 6 in this example, to make sure the AP first establishes a connection with AC 1. In this way, AC 1 acts as the active AC.
• When AC 1 is down, AC 2 becomes the new active AC.
• When AC 1 recovers, no switchover to AC 1 occurs, in which case AC 2 remains the active AC and AC 1 acts as the standby AC. This is because the AP connection priority on AC 1 is not the highest.
Figure 617 Network diagram
Configuring AC 1
1. Configure the AP to establish a connection between AC 1 and the AP. For more information about configurations, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to the target AP to enter the configuration page.
4. Expand Advanced Setup.
5. Set the connection priority to 6.
6. Click Apply.
Figure 618 Configuring the AP connection priority
7. Select Advanced > AC Backup from the navigation tree.
8. On the page that appears, set the IP address of the backup AC to 1.1.1.5 and select enable to enable the fast backup mode.
9. Click Apply.
Figure 619 Configuring the IP address of the backup AC
Configuring AC 2
1. Configure the AP to establish a connection between AC 2 and the AP. For more information about configurations, see "Configuring access services."
2. Leave the default value of the AP connection priority unchanged. (Details not shown.)
3. Select Advanced > AC Backup from the navigation tree.
4. On the page that appears, set the address of the backup AC to 1.1.1.4 and select enable to enable the fast backup mode.
5. Click Apply.
Figure 620 Configuring the address of the backup AC
Verifying the configuration
1. When AC 1 operates properly, view the AP status on AC 1 and AC 2 respectively. The AP connection priority on AC 1 is set to 6, the higher one, so AC 1 becomes the active AC and the AP establishes its connection to AC 1 in precedence.
a. On AC 1, select Advanced > AC Backup from the navigation tree.
b. Click the Status tab to enter the page shown in Figure 621. The status information shows that AC 1 is the active AC.
Figure 621 Displaying the AP status on AC 1
c. On AC 2, select Advanced > AC Backup from the navigation tree.
d. Click the Status tab. The information shows that AC 1 is acting as the standby AC.
Figure 622 Displaying the AP status on AC 2
2. When AC 1 operates properly, display the client status on AC 1 and AC 2. Client establishes its connection with the AP through AC 1, and AC 2 has backed up the client status.
a. On AC 1, select Summary > Client from the navigation tree.
b. Click the Detail Information tab.
c. Click the name of the specified client to view its detailed information. The information shows that Client is running and is connected to AC 1 through an active link.
Figure 623 Displaying the client information on AC 1
d. On AC 2, select Summary > Client from the navigation tree.
e. Click the Detail Information tab.
f. Click the name of the specified client to view its detailed information. The information shows that Client is running and is connected to AC 2 through a standby link.
Figure 624 Displaying the client information on AC 2
3. When AC 1 goes down, the standby AC, AC 2, detects the failure immediately through the heartbeat detection mechanism. AC 2 then takes over to become the new active AC, providing services to the AP.
On AC 2 (the new active AC), display the AP status. (Details not shown.) The information shows that AC 2 has become the active AC.
On AC 2, display the client information. (Details not shown.) The value of the State field becomes Running, which indicates that Client is connected to AC 2 through an active link.
4. When AC 1 recovers, AC 2 still acts as the active AC and AC 1 becomes the standby AC. AC 1 establishes a backup link with the AP and backs up the client status.
Configuration guidelines
• The wireless services configured on the two ACs should be consistent.
• Specify the IP address of the backup AC on each AC.
• AC backup has no relation to the access authentication method; however, the authentication method on the two ACs must be the same.
1+N backup configuration example
Network requirements
As shown in Figure 625, AC 1 and AC 2 are active ACs and AC 3 acts as the standby AC. When an active AC fails, AC 3, the standby AC, takes over to provide services. As soon as the active AC recovers, the AP connects to the original active AC again.
• The APs connect to AC 1, AC 2, and AC 3 through a Layer 2 switch. The IP addresses of AC 1, AC 2, and AC 3 are 1.1.1.3, 1.1.1.4, and 1.1.1.5, respectively.
• Assign the highest AP connection priority of 7 on AC 1 and AC 2 to make sure AP 1 establishes a connection with AC 1, and AP 2 establishes a connection with AC 2.
• If either of the two active ACs goes down, AC 3 becomes the new active AC.
• When the faulty AC recovers, the AP that connects to AC 3 automatically connects to the original active AC again. This is because the AP connection priority on the active AC is the highest. In this way, AC 3 can always act as a dedicated standby AC providing backup services for AC 1 and AC 2.
Figure 625 Network diagram
Configuring AC 1
1. Configure AC 1 so that a connection is set up between AC 1 and AP 1. For more information about configurations, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to the target AP to enter the configuration page.
4. Expand Advanced Setup.
5. Set the connection priority to 7.
6. Click Apply.
Figure 626 Configuring the AP connection priority for AP 1
Configuring AC 2
1. Configure AC 2 so that a connection is set up between AC 2 and AP 2. For more information about configurations, see "Configuring access services."
2. Set the AP connection priority to 7. The configuration steps are the same as those on AC 1. (Details not shown.)
3. Configure AC 3 (the backup AC):
a. Configure the related information of AP 1 and AP 2. For more information about configurations, see "Configuring access services."
b. Select AP > AP Setup from the navigation tree.
c. Click the icon corresponding to the target AP to enter the configuration page.
d. Expand Advanced Setup.
e. Enter 1.1.1.3 in the Backup AC IPv4 Address field.
f. Click Apply.
Figure 627 Backing up the IP address of AC 1
g. Select AP > AP Setup from the navigation tree.
h. Click the icon corresponding to the target AP to enter the configuration page.
i. Expand Advanced Setup.
j. Enter 1.1.1.4 in the Backup AC IPv4 Address field.
k. Click Apply.
Figure 628 Backing up the IP address of AC 2
Verifying the configuration
1. When AC 1 goes down, AC 3 becomes the new active AC.
2. When AC 1 recovers, the AP connecting to AC 3 connects to AC 1 again. This is because the highest AP connection priority of 7 on AC 1 ensures an automatic switchover.
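The 1+1 and 1+N examples differ only in the AP connection priority, which decides whether a recovered AC takes the AP back from the current active AC. The following Python simulation is an added example, not part of this guide or of the H3C software; it applies the rule both examples state: on failure the AP moves to the highest-priority reachable AC, and a switchback happens only when the recovered AC holds the highest priority, 7. The AC names and addresses are those of the examples; the default priority value of 4 is an assumption (the guide never states the default, only that 6 is higher than it), and the event log is added so that an operator can review each transition.

```python
from dataclasses import dataclass, field
from typing import List, Optional

HIGHEST_PRIORITY = 7  # the highest AP connection priority, as assigned in the 1+N example
DEFAULT_PRIORITY = 4  # assumption: the guide does not state the default value


@dataclass
class AC:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY  # AP connection priority configured on this AC
    up: bool = True


@dataclass
class APConnection:
    """The AP's view of its candidate ACs and which one currently serves it."""
    acs: List[AC]
    active: Optional[AC] = None
    events: List[str] = field(default_factory=list)  # transition log for the operator

    def _find(self, name: str) -> AC:
        return next(ac for ac in self.acs if ac.name == name)

    def _best_available(self) -> Optional[AC]:
        alive = [ac for ac in self.acs if ac.up]
        # Highest priority wins; on a tie max() keeps the first configured AC.
        return max(alive, key=lambda ac: ac.priority) if alive else None

    def connect(self) -> Optional[str]:
        """Initial connection: the AP picks the reachable AC with the highest priority."""
        self.active = self._best_available()
        self.events.append(f"connected to {self.active.name if self.active else 'nobody'}")
        return self.active.name if self.active else None

    def ac_down(self, name: str) -> Optional[str]:
        """Heartbeat loss on an AC; if it was the active one, the standby takes over."""
        ac = self._find(name)
        ac.up = False
        if self.active is ac:
            self.active = self._best_available()
            self.events.append(f"{name} failed, switched to "
                               f"{self.active.name if self.active else 'nobody'}")
        return self.active.name if self.active else None

    def ac_up(self, name: str) -> str:
        """An AC recovers; it preempts the active AC only if it holds the highest priority."""
        ac = self._find(name)
        ac.up = True
        if self.active is None:
            self.active = ac
            self.events.append(f"{name} recovered, connected to it")
        elif ac.priority == HIGHEST_PRIORITY and ac is not self.active:
            # Two ACs both at priority 7 for the same AP are not covered by the guide.
            self.active = ac
            self.events.append(f"{name} recovered, switched back to it")
        else:
            self.events.append(f"{name} recovered, stays standby")
        return self.active.name


if __name__ == "__main__":
    # 1+1 fast backup: AC 1 at priority 6 (not the highest), AC 2 at the default.
    ap = APConnection([AC("AC 1", "1.1.1.4", priority=6), AC("AC 2", "1.1.1.5")])
    ap.connect(); ap.ac_down("AC 1"); ap.ac_up("AC 1")
    print("\n".join(ap.events))
    # 1+N backup, seen from AP 1: AC 1 at priority 7, AC 3 as the dedicated standby.
    ap1 = APConnection([AC("AC 1", "1.1.1.3", priority=7), AC("AC 3", "1.1.1.5")])
    ap1.connect(); ap1.ac_down("AC 1"); ap1.ac_up("AC 1")
    print("\n".join(ap1.events))
```

Running the two scenarios shows why the 1+1 example ends with AC 2 still active after AC 1 returns while the 1+N example ends with the AP back on AC 1: nothing in the failover itself differs, only the priority value on the recovered AC.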
AP-based session-mode load balancing configuration example
Network requirements
• As shown in Figure 629, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2.
• Configure session-mode load balancing on the AC. The threshold, that is, the maximum number of sessions, is 5, and the session gap is 4.
Figure 629 Network diagram
Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure session-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select the Session mode, enter the threshold 5, and use the default value for the gap.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Figure 630 Setting session-mode load balancing
Verifying the configuration
Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. Because the number of clients associated with AP 2 reaches 5, and the session gap between AP 2 and AP 1 reaches 4, Client 7 is associated with AP 1.
Configuration guidelines
An AP starts session-mode load balancing only when both the maximum sessions and the maximum session gap are reached.
AP-based traffic-mode load balancing configuration example
Network requirements
• As shown in Figure 631, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2.
• Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which corresponds to a threshold value of 10 percent, and the traffic gap is 12 Mbps, which corresponds to a traffic gap value of 40 percent.
Figure 631 Network diagram
Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure traffic-mode load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select the Traffic mode, enter the threshold 10, and enter the traffic gap 40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Figure 632 Setting traffic-mode load balancing
Verifying the configuration
Client 1 and Client 2 are associated with AP 1. Add Client 3 to the network. When the maximum traffic threshold and the traffic gap are reached on AP 1, Client 3 is associated with AP 2.
Configuration guidelines
An AP starts traffic-mode load balancing only when both the maximum traffic threshold and the maximum traffic gap are reached.
Group-based session-mode load balancing configuration example
Network requirements
• As shown in Figure 633, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2, and no client is associated with AP 3.
• Configure session-mode load balancing on the AC. The maximum number of sessions is 5 and the maximum session gap is 4.
• Session-mode load balancing is required only on radio 2 of AP 1 and radio 2 of AP 2. Therefore, add them to a load balancing group.
Figure 633 Network diagram
Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select Session from the Loadbalance Mode list, enter the threshold 5, and use the default value for the gap.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Figure 634 Configuring session-mode load balancing
3. Configure a load balancing group:
a. Select Advanced > Load Balance from the navigation tree.
b. Click the Load Balance Group tab to enter the load balancing group configuration page.
c. Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them to the Radios Selected area, and click Apply.
Figure 635 Configuring a load balancing group
Verifying the configuration
• Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect only on radios in a load balancing group, AP 3 does not take part in load balancing.
• Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 2 of AP 2 reaches 5 and the session gap between radio 2 of AP 2 and AP 1 reaches 4, so Client 7 is associated with AP 1.
Group-based traffic-mode load balancing configuration example
Network requirements
• As shown in Figure 636, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2 or AP 3.
• Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10% and the maximum traffic gap is 20%.
• Traffic-mode load balancing is required only on radio 2 of AP 1 and radio 2 of AP 2. Therefore, add them to a load balancing group.
Figure 636 Network diagram
Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure load balancing:
a. Select Advanced > Load Balance from the navigation tree.
b. On the Load Balance tab, select Traffic from the Loadbalance Mode list, enter the threshold 10 and the gap 40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Figure 637 Configuring traffic load balancing
3. Configure a load balancing group:
a. Select Advanced > Load Balance from the navigation tree.
b. Click the Load Balance Group tab to enter the load balancing group configuration page.
c. Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them to the Radios Selected area, and click Apply.
Figure 638 Configuring a load balancing group
Verifying the configuration
• Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect only on radios in a load balancing group, AP 3 does not take part in load balancing.
• Assume Client 3 wants to associate with AP 1. Because the maximum traffic threshold and the traffic gap have been reached on radio 2 of AP 1, Client 3 is associated with AP 2.
Wireless location configuration example
Network requirements
MU messages to an AE (the location server), which performs location calculation and then sends the data to the graphics software. You can get the location information of the rogue AP, APs, and clients by maps, forms or reports.
Figure 639 Network diagram
Configuring the AE
1. Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select broadcast for the AE to discover the APs.
2. Perform the configuration related to wireless location on the AE.
Configuring AP 1 to operate in monitor mode
AP 1, AP 2, and AP 3 are configured similarly; the following describes only how to configure AP 1 for illustration.
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name ap1, select the model WA2620-AGN, select manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
Figure 640 Creating an AP
4. Select Security > Rogue Detection from the navigation tree.
5. On the AP Monitor tab, click the icon corresponding to the target AP to enter the page for configuring the work mode.
6. Select the work mode Monitor.
7. Click Apply.
Figure 641 Setting the work mode
Enabling 802.11n
1. Select Radio > Radio from the navigation tree to enter the page for configuring the radio.
2. Select the target AP.
3. Click Enable.
Figure 642 Enabling 802.11n (2.4 GHz)
Enabling wireless location
1. Select Advanced > Wireless Location from the navigation tree.
2. On the page that appears, select Enable, and select the tag mode and MU mode for 802.11n (2.4 GHz).
3. Click Apply.
Figure 643 Enabling wireless location
Verifying the configuration
You can display the location information of the rogue AP, APs, and clients by maps, forms, or reports.
Configuration guidelines
• Before you enable the wireless location function, make sure at least three APs operate in monitor or hybrid mode so that the APs can detect Tags and clients not associated with them, and the AE can perform location calculation.
• An AP monitors clients on different channels periodically, so if the Tag message sending interval is configured as 1 second, the AP scans and reports Tag messages every half a minute. If higher location efficiency is required, you can set the Tag sending interval to the smallest value, 124 milliseconds.
Wireless sniffer configuration example
Network requirements
As shown in Figure 644, configure a Capture AP, and enable wireless sniffer on this AP to capture wireless packets. The captured packets are then saved in a .dmp file for troubleshooting.
Figure 644 Network diagram
Configuring Capture_AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name capture_ap, select the model WA2620-AGN, select manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
Figure 645 Creating a Capture AP
4. Select Radio > Radio from the navigation tree.
5. Click the icon of the Capture_AP to enter the radio configuration page.
6. Select 6 from the Channel list.
7. Click Apply.
Figure 646 Setting the channel
8. Select Radio > Radio from the navigation tree.
9. Select the target AP.
10. Click Enable.
Figure 647 Enabling 802.11n (2.4 GHz)
Configuring and enabling wireless sniffer
1. Select Advanced > Wireless Sniffer from the navigation tree.
2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click Apply.
3. Click the icon corresponding to the target radio to enable wireless sniffer for the radio.
Figure 648 Configuring and enabling wireless sniffer
Verifying the configuration
• The Capture AP captures wireless packets and saves them to a CAP file in the default storage medium. Administrators can download the file to the PC and examine the packet information by using tools such as Ethereal.
• When the total number of captured packets reaches the upper limit, the Capture AP stops capturing packets.
Band navigation configuration example
Network requirements
As shown in Figure 649, Client 1 through Client 4 try to associate to AP 1, and the two radios of AP 1 operate at 5 GHz and 2.4 GHz. Client 1, Client 2, and Client 3 are dual-band clients, and Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different radios of the AP.
Figure 649 Network diagram
Configuring the AC
To enable band navigation to operate properly, make sure of the following:
• The fast association function is disabled. By default, the fast association function is disabled.
• Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click New.
   c. On the page that appears, enter the AP name ap 1, select the model WA2620E-AGN, select manual from the Serial ID list, and enter the AP serial ID in the field.
   d. Click Apply.
2. Configure wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to band-navigation, select the wireless service type Clear, and click Apply.
3. Enable wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the band-navigation box.
   c. Click Enable.
4. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon for the wireless service band-navigation to enter the page for binding an AP radio.
   c. Select the boxes before ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).
   d. Click Bind.
Figure 650 Binding an AP radio
5. Enable 802.11n(2.4GHz) and 802.11n(5GHz) radios:
   a. Select Radio > Radio Setup from the navigation tree.
   b. Select the boxes before ap1 with the radio mode 802.11n(2.4GHz) and 802.11n(5GHz).
   c. Click Enable.
6. Configure band navigation:
   a. Select Advanced > Band Navigation from the navigation tree.
   b. On the page that appears, click Enable, and type the Session Threshold 2 and Gap 1. Use the default values for other options.
   c. Click Apply.
Figure 651 Configuring band navigation
Verifying the configuration
Client 1 and Client 2 are associated to the 5 GHz radio of AP 1, and Client 4 can only be associated to the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper limit 2, and the gap between the number of clients on the 5 GHz radio and the 2.4 GHz radio has reached the session gap 1, Client 3 will be associated to the 2.4 GHz radio of AP 1.
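To make the verification result concrete, the following Python model replays the scenario with the two parameters configured above. It is an added example, not code from this manual or from H3C, and it is a simplification inferred from the verification text rather than the AC's actual algorithm: a dual-band client is steered to 2.4 GHz once the 5 GHz client count has reached the session threshold and leads the 2.4 GHz count by at least the gap; a single-band client always gets 2.4 GHz. The class and function names, and the assumed arrival order (Client 1, 2, 4, then 3), are the example's own; Client 3 lands on 2.4 GHz in either order.

```python
# Toy model of the band navigation decision described in this example.
# Simplification inferred from the verification text; not the AC's real logic.

class BandNavigation:
    def __init__(self, session_threshold, gap):
        self.session_threshold = session_threshold   # 5 GHz client count at which steering starts
        self.gap = gap                               # required lead of 5 GHz over 2.4 GHz
        self.clients_5g = []
        self.clients_2g = []

    def steer_to_2g(self):
        """True once 5 GHz is at the session threshold and leads 2.4 GHz by at least the gap."""
        n5, n2 = len(self.clients_5g), len(self.clients_2g)
        return n5 >= self.session_threshold and (n5 - n2) >= self.gap

    def associate(self, client, dual_band):
        """Place a client on a radio and return the band it was assigned to."""
        if not dual_band or self.steer_to_2g():
            self.clients_2g.append(client)
            return "2.4GHz"
        self.clients_5g.append(client)
        return "5GHz"


def run_example():
    """Replay the scenario: three dual-band clients and one 2.4 GHz-only client."""
    nav = BandNavigation(session_threshold=2, gap=1)
    # constructed arrival order; Client 4 is the single-band (2.4 GHz) client
    order = [("Client 1", True), ("Client 2", True), ("Client 4", False), ("Client 3", True)]
    return {name: nav.associate(name, dual) for name, dual in order}


if __name__ == "__main__":
    for name, band in run_example().items():
        print(name, "->", band)
```

Raising the Gap to 3 in the same scenario keeps Client 3 on 5 GHz, because 5 GHz (2 clients) then does not lead 2.4 GHz (1 client) by enough; this is the knob to adjust when dual-band clients are being pushed to 2.4 GHz sooner than intended.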
Configuring stateful failover
NOTE:
Support for the stateful failover feature may vary depending on your device model. For more information, see "Feature matrixes."
Overview
Introduction to stateful failover
Some customers require their wireless networks to be highly reliable to ensure continuous data transmission. In Figure 652, deploying only one AC (even with high reliability) risks a single point of failure and therefore cannot meet the requirement.
Figure 652 Network with one AC deployed
The stateful failover feature (supporting portal service) was introduced to meet the requirement. In Figure 653, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup VLAN. The backup VLAN acts as a failover link, through which the two ACs exchange state negotiation messages periodically. After the two ACs enter the synchronization state, they back up each other's service entries to make sure that the service entries on them are consistent. If one AC fails, the other AC, which has already backed up the service information, can take over the services, thus avoiding service interruption.
Figure 653 Network diagram for stateful failover
Introduction to stateful failover states
The stateful failover states include:
• Silence: Indicates that the device has just started, or is transiting from synchronization state to independence state.
• Independence: Indicates that the silence timer has expired, but no failover link is established.
• Synchronization: Indicates that the device has completed state negotiation with the other device and is ready for data backup.
The following figure shows state relations.
Figure 654 Stateful failover state diagram
Configuring stateful failover
1. Select High reliability > Stateful Failover from the navigation tree to enter the stateful failover configuration page, as shown in Figure 655.
2. View the current stateful failover state at the lower part of the page as described in Table 209.
Figure 655 Stateful failover configuration page
3. Configure stateful failover parameters at the upper part of the page as described in Table 208.
4. Click Apply.
Table 208 Configuration items
Item Description
Enable Stateful Failover Enable/disable the stateful failover feature.
Backup Type Select whether to support asymmetric path.
• Unsupport Asymmetric Path. In this mode, sessions enter and leave the internal network through one device. The two devices work in the active/standby mode.
• Support Asymmetric Path. In this mode, sessions enter and leave the internal network through different devices to achieve load sharing. The two devices work in the active/active mode.
Backup VLAN Set the backup VLAN. After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit stateful failover packets.
IMPORTANT:
• A device uses VLAN tag+protocol number to identify stateful failover packets, and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, H3C does not recommend that you configure other services (such as voice VLAN) for a backup VLAN, to avoid impact on the operation of stateful failover.
• An interface added to the backup VLAN can transmit other packets besides stateful failover packets.
Table 209 Field description
Field Description
Current Status Displays the failover state of the device.
Stateful failover configuration example
Network requirements
In Figure 656, the IP address of VLAN-interface 1 on AC 1 is 8.190.1.60/16, and that on AC 2 is 8.190.1.61/16. The client and AP each obtain an IP address from the DHCP server at 8.190.0.13/16, and the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and AC 2 so that when one AC fails, the other AC can take over portal and other services.
Figure 656 Network diagram
NOTE:
The portal group configuration on the two ACs must be consistent.
Configuring AC 1
1. Configure the backup AC and enable fast backup:
   a. Select Advanced > AC Backup from the navigation tree to enter the default Setup page, as shown in Figure 657.
   b. Select the IPv4 box and type the IP address of AC 2 (8.190.1.61) as the backup AC address, and select enable from the Fast Backup Mode list.
   c. Click Apply.
Figure 657 Setup page
2. Configure stateful failover:
   a. Select High reliability > Stateful Failover from the navigation tree, as shown in Figure 658.
   b. Select the Enable Stateful Failover box, select Unsupport Asymmetric Path from the Backup Type list, and type 2 for Backup VLAN.
   c. Click Apply.
Figure 658 Configuring stateful failover
3. Configure RADIUS scheme system:
   a. Select Authentication > RADIUS from the navigation tree.
   b. Click Add to enter the RADIUS scheme configuration page.
   c. Type system for Scheme Name, select Extended for Server Type, and select Without domain name for Username Format.
   d. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 659.
   e. Select Primary Authentication for Server Type, and specify an IPv4 address 8.1.1.16 and 1812 as the port number.
   f. Type expert for Key and expert for Confirm Key.
   g. Click Apply.
Figure 659 Configuring a primary RADIUS authentication server
   h. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 660.
   i. Select Primary Accounting for Server Type, and specify an IPv4 address 8.1.1.16 and 1813 as the port number.
   j. Type expert for Key and expert for Confirm Key.
   k. Click Apply.
Figure 660 Configuring a RADIUS accounting server
   l. After the configurations are complete, the RADIUS scheme configuration page is as shown in Figure 661. Click Apply.
Figure 661 RADIUS scheme configuration page
4. Configure AAA authentication scheme for ISP domain system:
   a. Click the Authentication tab.
   b. Select system from the Select an ISP domain list, and select the Default AuthN box.
   c. Select RADIUS from the list, and system from the Name list.
   d. Click Apply. A dialog box appears, showing the configuration progress.
   e. After the configuration is successfully applied, click Close.
Figure 662 Configuring AAA authentication scheme for the ISP domain
5. Configure AAA authorization scheme for ISP domain system:
   a. Click the Authorization tab.
   b. Select system from the Select an ISP domain list, and select the Default AuthZ box.
   c. Select RADIUS from the list and system from the Name list.
   d. Click Apply. A dialog box appears, showing the configuration progress.
   e. After the configuration is successfully applied, click Close.
Figure 663 Configuring AAA authorization scheme for the ISP domain
6. Configure AAA accounting scheme for ISP domain system:
   a. Click the Accounting tab.
   b. Select system from the Select an ISP domain list, and select the Accounting Optional box.
   c. Select Enable from the list, and select the Default Accounting box.
   d. Select RADIUS from the list and system from the Name list.
   e. Click Apply. A dialog box appears, showing the configuration progress.
   f. After the configuration is successfully applied, click Close.
Figure 664 Configuring AAA accounting scheme for the ISP domain
7. Configure portal authentication:
   a. Select Authentication > Portal from the navigation tree to enter the default Portal Server configuration page as shown in Figure 665.
   b. Click Add.
   c. Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the Method list, and select system for Authentication Domain.
   d. Type newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and http://8.1.1.16:8080/portal for URL.
   e. Click Apply.
Figure 665 Configuring a portal server
8. Add a portal-free rule:
   a. Click the Free Rule tab.
   b. Click Add.
   c. Type 0 for Number, and select GigabitEthernet1/0/1 as the source interface.
   d. Click Apply.
Figure 666 Adding a portal-free rule
9. Configure portal to support stateful failover at the command line interface (CLI):
# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2 for interface VLAN-interface 1.
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2
# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC 1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
[AC1-Vlan-interface1]quit
# Configure the source IP address for RADIUS packets as 8.190.1.100.
[AC1]radius nas-ip 8.190.1.100
# Configure the source IP address for portal packets as 8.190.1.100 (same as the AC's IP address configured on the IMC server for portal authentication). This command is entered in interface view, so re-enter VLAN-interface 1 first.
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100
Configuring AC 2
The configuration on AC 2 is similar to that on AC 1 except that:
• When you configure AC backup, specify AC 1's IP address as the backup AC address.
• Specify the device ID to be used in stateful failover mode as 2.
For more information, see the configuration on AC 1.
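Because the portal backup group, the VRRP group and virtual IP, and the NAS IP addresses must match on both ACs while the device ID must differ, it is worth checking the two CLI snippets against each other before they are applied. The following Python script is an added example, not a tool from this manual or from H3C. AC1_CLI mirrors the AC 1 commands above; AC2_CLI is an assumed mirror image for AC 2 (device ID 2, no explicit VRRP priority), and the default VRRP priority of 100 is an assumption used only when a snippet sets none.

```python
import re

# Constructed CLI snippets. AC1_CLI mirrors the AC 1 commands in this example;
# AC2_CLI is an assumed mirror image for AC 2, not configuration taken from the manual.
AC1_CLI = """
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
[AC1-Vlan-interface1]quit
[AC1]radius nas-ip 8.190.1.100
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100
"""

AC2_CLI = """
<AC2>system-view
[AC2]nas device-id 2
[AC2]interface Vlan-interface 1
[AC2-Vlan-interface1]portal backup-group 2
[AC2-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC2-Vlan-interface1]quit
[AC2]radius nas-ip 8.190.1.100
[AC2]interface Vlan-interface 1
[AC2-Vlan-interface1]portal nas-ip 8.190.1.100
"""

# Comware prompts look like <name> (user view) or [name-view] (system/interface view).
PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])")

# Commands whose values are compared between the two ACs.
PATTERNS = {
    "device_id": re.compile(r"^nas device-id (\d+)$"),
    "portal_group": re.compile(r"^portal backup-group (\d+)$"),
    "vrrp_vip": re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+)$"),
    "vrrp_priority": re.compile(r"^vrrp vrid (\d+) priority (\d+)$"),
    "radius_nas_ip": re.compile(r"^radius nas-ip (\S+)$"),
    "portal_nas_ip": re.compile(r"^portal nas-ip (\S+)$"),
}


def parse_cli(text):
    """Strip prompts and collect the values of the commands of interest as tuples."""
    found = {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if not line or line.startswith("#"):      # skip blank and comment lines
            continue
        for key, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                found[key] = m.groups()
    return found


def check_pair(ac1_text, ac2_text, default_vrrp_priority=100):
    """Return a list of findings; an empty list means the pair looks consistent.

    default_vrrp_priority is an assumption applied when a snippet sets no priority.
    """
    a, b = parse_cli(ac1_text), parse_cli(ac2_text)
    findings = []
    if a.get("device_id") == b.get("device_id"):
        findings.append("nas device-id must differ between the two ACs")
    for key in ("portal_group", "vrrp_vip", "radius_nas_ip", "portal_nas_ip"):
        if a.get(key) != b.get(key):
            findings.append("%s must match on both ACs: %r vs %r" % (key, a.get(key), b.get(key)))
    prio_a = int(a.get("vrrp_priority", ("", default_vrrp_priority))[1])
    prio_b = int(b.get("vrrp_priority", ("", default_vrrp_priority))[1])
    if prio_a == prio_b:
        findings.append("VRRP priorities are equal; one AC must be preferred as master")
    return findings


if __name__ == "__main__":
    print(check_pair(AC1_CLI, AC2_CLI) or "consistent")
```

Paste the real snippets of both ACs into AC1_CLI and AC2_CLI before running; the check covers only the commands shown in this example, so the web-configured items (backup VLAN, RADIUS scheme, portal server) still need to be compared by hand.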
Configuration guidelines
When you configure stateful failover, follow these guidelines:
• You must configure the 1+1 AC backup function to make sure that the traffic can automatically switch to the other device if one device fails. For more information, see "Advanced settings."
• To back up portal related information from the active device to the standby device, you must configure portal to support stateful failover besides the configurations described in this chapter. For more information, see WX Series Access Controllers Security Configuration Guide.
• Stateful failover can be implemented only between two devices, not among more than two devices.
Index
A B C D E F G I L M N O P Q R S T U V W
A
AAA configuration example, 414
AC-AP connection,
Access control methods,
Access controller module network scenario, 2
Access controller network scenario, 2
ACL and QoS configuration example,
Adding a DNS server address,
Adding a domain name suffix, 199
Adding a license,
Admin configuration,
Advanced settings configuration examples,
Advanced settings overview, 560
AP connection priority configuration example, 221
AP group,
Auto AP configuration example, 256
Automatic power adjustment configuration example,
B
Backing up the configuration,
Bandwidth guarantee configuration example, 555
Basic configuration,
C
CAC service configuration example, 551
Certificate management configuration example, 461
Clearing dynamic DNS cache,
Common Web interface elements, 35
Configuration examples,
Configuring a MAC address entry, 129
Configuring a QoS policy,
Configuring a RADIUS scheme,
Configuring a user profile,
Configuring access service, 230
Configuring an ACL,
Configuring an AP,
Configuring an AP group,
Configuring an SNMP view,
Configuring and displaying clients' IP-to-MAC
Configuring ARP detection, 149
Configuring authorized IP, 491
Configuring calibration,
Configuring channel scanning, 360
Configuring data transmit rates, 356
Configuring DHCP snooping functions on an
Configuring dynamic domain name resolution, 197
Configuring enhanced licenses, 65
Configuring gratuitous ARP,
Configuring IGMP snooping on a port,
Configuring IGMP snooping on a VLAN, 154
Configuring other ARP attack protection functions, 150
Configuring PKI,
Configuring portal authentication, 386
Configuring rogue device detection,
Configuring service management, 205
Configuring stateful failover, 610
Configuring static name resolution table,
Configuring the bandwidth guarantee function,
Configuring the blacklist and white list functions, 480
Configuring the priority trust mode of a port,
Configuring user isolation, 488
Configuring Web idle timeout period,
Configuring WLAN advanced settings,
Configuring WLAN roaming,
Creating a DHCP server group,
Creating a dynamic address pool for the DHCP server,
Creating a static address pool for the DHCP server, 175
Creating a static ARP entry, 142
Creating a VLAN,
Creating an interface,
Creating an IPv4 static route,
Creating an IPv6 static route,
D
DHCP relay agent configuration example,
DHCP server configuration example, 188
DHCP snooping configuration example,
Displaying clients' IP-to-MAC bindings,
Displaying IGMP snooping multicast entry information,
Displaying information about assigned IP
Displaying interface information and statistics, 87
Displaying SNMP packet statistics,
Displaying the client statistics,
Displaying the IPv4 active route table, 163
Displaying the IPv6 active route table, 165
Displaying the radio statistics,
Displaying the system time,
Displaying WLAN service,
DNS configuration example, 199
Dynamic WEP encryption-802.1X authentication configuration example,
E
Enabling DHCP and configuring advanced
parameters for the DHCP relay agent, 180
Enabling IGMP snooping globally, 153
Enabling the DHCP relay agent on an interface, 183
Enabling the DHCP server on an interface,
Enabling wireless QoS,
F
Feature matrix for the WX3024E, 8
Feature matrix for the WX5000 series,
Feature matrix for the WX6000 series,
G
Generating the diagnostic information file,
I
IGMP snooping configuration examples,
Initializing the configuration,
Inter-AC roaming configuration example,
Interface management configuration example, 97
Interface management overview,
Intra-AC roaming configuration example, 338
Introduction to port mirroring,
Introduction to portal authentication, 385
Introduction to the Web interface,
Introduction to the Web-based NM functions,
IP configuration,
IPv4 static route configuration example, 167
IPv6 static route configuration example, 168
L
Local EAP service configuration example, 433
Local MAC authentication configuration example, 268
Logging in to the Web interface,
Logging out of the Web interface,
Loopback operation,
M
MAC address configuration example,
Manual channel adjustment configuration example,
Mesh DFS configuration example,
Mesh overview,
Mesh point-to-multipoint configuration example, 331
Modifying a Layer 2 interface, 92
Modifying a Layer 3 interface, 95
Modifying a VLAN,
N
Normal WLAN mesh configuration example,
O
P
PKI overview,
Port mirroring configuration task list,
Portal authentication configuration example, 397
Portal configuration,
Q
Quick start wizard home page,
R
Radio group configuration example,
Radio overview,
Radio setup,
RADIUS configuration,
RADIUS configuration example, 425
Rebooting the device,
Recommended configuration procedure, 133
Recommended configuration procedure, 153
Recommended configuration procedure, 195
Recommended configuration procedure (for DHCP
Recommended configuration procedure (for DHCP
Recommended configuration procedure (for DHCP
Remote 802.1X authentication configuration
Remote MAC authentication configuration
Removing ARP entries,
Restoring the configuration,
Rogue detection configuration example,
S
Setting buffer capacity and refresh interval, 80
Setting CAC admission policy, 540
Setting client EDCA parameters for wireless clients, 542
Setting radio EDCA parameters for APs,
Setting the log host,
Setting the super password, 106
SNMP configuration example,
SNMP configuration task list,
SNMP overview,
Specifying the main boot file, 86
Stateful failover configuration example,
Static ARP configuration example, 144
Subway WLAN mesh configuration example, 330
Switching the user access level to the management
System time configuration example, 76
T
Tri-radio mesh configuration example,
Troubleshooting Web browser,
U
Uploading a file,
User isolation configuration example, 489
User isolation overview,
V
VLAN configuration examples, 137
W
Web user level,
Wireless configuration,
Wireless service configuration example, 253
Wireless service-based dynamic rate limiting configuration example,
Wireless service-based static rate limiting configuration example,
Wireless switch network scenario, 3
WLAN roaming configuration examples, 338
WLAN RRM overview,
WPA-PSK authentication configuration example, 263
- 360 Verifying the configuration
- 362 Configuration guidelines
- 363 Radio configuration
- 363 Radio overview
- 363 WLAN RRM overview
- 363 Dynamic frequency selection
- 364 Transmit power control
- 366 Radio setup
- 366 Configuring radio parameters
- 370 Enabling a radio
- 371 Locking the channel
- 372 Locking the power
- 372 Configuring data transmit rates
- 372 Configuring 802.11a/802.11b/802.11g rates
- 374 Configuring 802.11n MCS
- 374 Introduction to MCS
- 375 Configuring 802.11n rates
- 376 Configuring channel scanning
- 377 Configuring calibration
- 377 Parameter setting
- 381 Configuring a radio group
- 383 Calibration operations
- 383 Displaying channel status
- 383 Displaying neighbor information
- 384 Displaying history information
- 385 Antenna
- 386 Manual channel adjustment configuration example
- 386 Network requirements
- 386 Configuration procedure
- 387 Verifying the configuration
- 388 Configuration guidelines
- 388 Automatic power adjustment configuration example
- 388 Network requirements
- 388 Configuration procedure
- 389 Verifying the configuration
- 389 Radio group configuration example
- 389 Network requirements
- 390 Configuration procedure
- 392 Verifying the configuration
- 393 Configuring 802.1X
- 393 802.1X architecture
- 393 Access control methods
- 394 Configuring 802.1X
- 394 Configuration prerequisites
- 394 Recommended configuration procedure
- 394 Configuring 802.1X globally
- 397 Configuring 802.1X on a port
- 399 Configuring an 802.1X guest VLAN
- 399 Configuring an Auth-Fail VLAN
- 401 Configuring portal authentication
- 401 Introduction to portal authentication
- 402 Configuring portal authentication
- 402 Configuration prerequisites
- 402 Recommended configuration procedure
- 403 Configuring the portal service
- 407 Configuring advanced parameters for portal authentication
- 408 Configuring a portal-free rule
- 410 Customizing authentication pages
- 410 Rules on file names
- 411 Rules on page requests
- 411 Rules on Post request attributes
- 411 Rules on page file compression and saving
- 411 Rules on file size and contents
- 412 Logging off a user who closes the logon success or online page
- 412 Redirecting authenticated users to a specified web page
- 413 Portal authentication configuration example
- 413 Network requirements
- 413 Configuration prerequisites
- 413 Configuring the AC
- 421 Verifying the configuration
- 422 Configuring AAA
- 422 AAA overview
- 422 Configuring AAA
- 422 Configuration prerequisites
- 423 Recommended configuration procedure
- 423 Configuring an ISP domain
- 424 Configuring authentication methods for the ISP domain
- 426 Configuring authorization methods for the ISP domain
- 428 Configuring accounting methods for the ISP domain
- 430 AAA configuration example
- 430 Network requirements
- 431 Configuration procedure
- 435 Configuring RADIUS
- 435 RADIUS overview
- 435 Configuring a RADIUS scheme
- 441 RADIUS configuration example
- 441 Network requirements
- 441 Configuration procedure
- 446 Verifying the configuration
- 446 Configuration guidelines
- 448 Configuring the local EAP service
- 448 Configuration procedure
- 449 Local EAP service configuration example
- 449 Network requirements
- 450 Configuration procedure
- 455 Verifying the configuration
- 456 Configuring users
- 456 Overview
- 456 Local user
- 456 User group
- 456 Guest
- 456 User profile
- 457 Configuring a local user
- 459 Configuring a user group
- 460 Configuring a guest
- 460 Procedure for a management level administrator to configure a guest
- 462 Procedure for a guest administrator to configure a guest
- 463 Configuring a user profile
- 466 Managing certificates
- 466 PKI overview
- 466 Configuring PKI
- 467 Recommended configuration procedure for manual request
- 468 Recommended configuration procedure for automatic request
- 469 Creating a PKI entity
- 470 Creating a PKI domain
- 473 Generating an RSA key pair
- 474 Destroying the RSA key pair
- 474 Retrieving and displaying a certificate
- 475 Requesting a local certificate
- 476 Retrieving and displaying a CRL
- 477 Certificate management configuration example
- 477 Network requirements
- 478 Configuring the CA server
- 478 Configuring the AC
- 482 Verifying the configuration
- 482 Configuration guidelines
- 483 WLAN security configuration
- 483 WLAN security overview
- 483 Terminology
- 483 Detecting rogue devices
- 484 Taking countermeasures against rogue device attacks
- 485 Functionalities supported
- 485 WIDS attack detection
- 485 Flood attack detection
- 486 Spoofing attack detection
- 486 Weak IV detection
- 486 Blacklist and white list
- 487 Configuring rogue device detection
- 487 Recommended configuration procedure
- 487 Configuring AP operating mode
- 488 Configuring detection rules
- 491 Configuring detection rule lists
- 492 Enabling countermeasures and configuring aging time for detected rogue devices
- 493 Displaying monitor record
- 494 Displaying history record
- 495 Configuring WIDS
- 495 Configuring WIDS
- 495 Displaying history record
- 496 Displaying statistics information
- 496 Configuring the blacklist and white list functions
- 497 Configuring dynamic blacklist
- 497 Configuring static blacklist
- 499 Configuring white list
- 500 Rogue detection configuration example
- 500 Network requirements
- 500 Configuration procedure
- 502 Configuration guidelines
- 503 User isolation
- 503 User isolation overview
- 503 Before user isolation is enabled
- 504 After user isolation is enabled
- 504 Configuring user isolation
- 504 Configuring user isolation
- 505 Displaying user isolation information
- 505 User isolation configuration example
- 505 Network requirements
- 506 Configuration procedure
- 507 Authorized IP
- 507 Overview
- 507 Configuring authorized IP
- 509 Configuring ACL and QoS
- 509 ACL overview
- 509 QoS overview
- 509 Traditional packet forwarding services
- 510 New requirements from new applications
- 510 Configuring an ACL
- 510 Recommended configuration procedures
- 510 Recommended IPv4 ACL configuration procedure
- 511 Recommended IPv6 ACL configuration procedure
- 511 Adding a time range
- 512 Adding an IPv4 ACL
- 513 Configuring a rule for a basic IPv4 ACL
- 514 Configuring a rule for an advanced IPv4 ACL
- 517 Configuring a rule for an Ethernet frame header ACL
- 519 Adding an IPv6 ACL
- 520 Configuring a rule for a basic IPv6 ACL
- 522 Configuring a rule for an advanced IPv6 ACL
- 524 Configuring line rate
- 525 Configuring the priority trust mode of a port
- 525 Priority mapping overview
- 525 Configuring priority mapping
- 526 Approach 1
- 527 Approach 2
- 528 Configuring a QoS policy
- 528 Recommended QoS policy configuration procedure
- 528 Class
- 529 Traffic behavior
- 529 Policy
- 529 Adding a class
- 530 Configuring classification rules
- 533 Adding a traffic behavior
- 534 Configuring actions for a traffic behavior
- 537 Adding a policy
- 537 Configuring classifier-behavior associations for the policy
- 538 Applying a policy to a port
- 539 Applying a QoS policy to a WLAN service
- 541 ACL and QoS configuration example
- 541 Network requirements
- 541 Configuration procedure
- 550 Verifying the configuration
- 550 Configuration guidelines
- 552 Configuring wireless QoS
- 552 Overview
- 552 Terminology
- 552 WMM
- 552 EDCA
- 552 AC
- 552 CAC
- 552 U-APSD
- 552 SVP
- 552 WMM protocol overview
- 553 EDCA parameters
- 553 CAC admission policies
- 554 U-APSD power-save mechanism
- 554 SVP service
- 554 ACK policy
- 554 Enabling wireless QoS
- 555 Setting the SVP service
- 556 Setting CAC admission policy
- 556 Setting radio EDCA parameters for APs
- 558 Setting client EDCA parameters for wireless clients
- 559 Displaying the radio statistics
- 560 Displaying the client statistics
- 562 Setting rate limiting
- 562 Setting wireless service-based client rate limiting
- 563 Setting radio-based client rate limiting
- 564 Configuring the bandwidth guarantee function
- 564 Setting the reference radio bandwidth
- 565 Setting guaranteed bandwidth percents
- 566 Enabling bandwidth guaranteeing
- 567 Displaying guaranteed bandwidth settings
- 567 CAC service configuration example
- 567 Network requirements
- 567 Configuring the wireless service
- 567 Configuring wireless QoS
- 569 Verifying the configuration
- 569 Wireless service-based static rate limiting configuration example
- 569 Network requirements
- 569 Configuring the wireless service
- 569 Configuring static rate limiting
- 570 Verifying the configuration
- 570 Wireless service-based dynamic rate limiting configuration example
- 570 Network requirements
- 571 Configuring the wireless service
- 571 Configuring dynamic rate limiting
- 571 Verifying the configuration
- 571 Bandwidth guarantee configuration example
- 571 Network requirements
- 572 Configuring the wireless services
- 572 Configuring bandwidth guaranteeing
- 575 Verifying the configuration
- 576 Advanced settings
- 576 Advanced settings overview
- 576 Country/Region code
- 576 1+1 AC backup
- 576 Dual-link backup
- 577 1+1 fast backup
- 577 1+N AC backup
- 578 Continuous transmitting mode
- 578 Channel busy test
- 578 WLAN load balancing
- 578 Requirement of WLAN load-balancing implementation
- 578 Load-balancing modes
- 580 Load-balancing methods
- 580 AP version setting
- 580 Switching to fat AP
- 580 Wireless location
- 581 Architecture of the wireless location system
- 581 Wireless locating process
- 582 Wireless sniffer
- 582 Band navigation
- 583 Configuring WLAN advanced settings
- 583 Setting a country/region code
- 584 Configuring 1+1 AC backup
- 584 Configuring AP connection priority
- 584 Configuring 1+1 AC backup
- 585 Configuring 1+1 fast backup
- 586 Displaying status information of 1+1 fast backup
- 587 Configuring 1+N AC backup
- 587 Configuring AP connection priority
- 588 Configuring 1+N AC backup
- 589 Configuring continuous transmitting mode
- 590 Configuring a channel busy test
- 592 Configuring load balancing
- 592 Configuration prerequisites
- 592 Recommended configuration procedure
- 592 Configuring a load balancing mode
- 594 Configuring group-based load balancing
- 595 Configuring parameters that affect load balancing
- 595 Configuring AP
- 595 Upgrading AP version
- 596 Switching to fat AP
- 596 Configuring wireless location
- 598 Configuring wireless sniffer
- 599 Configuring band navigation
- 599 Configuration prerequisites
- 599 Configuring band navigation
- 601 Advanced settings configuration examples
- 601 1+1 fast backup configuration example
- 601 Network requirements
- 601 Configuring AC 1
- 603 Configuring AC 2
- 603 Verifying the configuration
- 606 Configuration guidelines
- 606 1+N backup configuration example
- 606 Network requirements
- 606 Configuring AC 1
- 607 Configuring AC 2
- 609 Verifying the configuration
- 609 AP-based session-mode load balancing configuration example
- 609 Network requirements
- 610 Configuration procedure
- 611 Verifying the configuration
- 611 Configuration guidelines
- 611 AP-based traffic-mode load balancing configuration example
- 611 Network requirements
- 611 Configuration procedure
- 612 Verifying the configuration
- 612 Configuration guidelines
- 612 Group-based session-mode load balancing configuration example
- 612 Network requirements
- 613 Configuration procedure
- 614 Verifying the configuration
- 614 Group-based traffic-mode load balancing configuration example
- 614 Network requirements
- 615 Configuration procedure
- 616 Verifying the configuration
- 617 Wireless location configuration example
- 617 Network requirements
- 617 Configuring the AE
- 617 Configuring AP 1 to operate in monitor mode
- 618 Enabling 802.11n
- 619 Enabling wireless location
- 619 Verifying the configuration
- 619 Configuration guidelines
- 619 Wireless sniffer configuration example
- 619 Network requirements
- 620 Configuring Capture_AP
- 621 Configuring and enabling wireless sniffer
- 622 Verifying the configuration
- 622 Band navigation configuration example
- 622 Network requirements
- 623 Configuring the AC
- 624 Verifying the configuration
- 625 Configuring stateful failover
- 625 Overview
- 625 Introduction to stateful failover
- 626 Introduction to stateful failover states
- 626 Configuring stateful failover
- 627 Stateful failover configuration example
- 627 Network requirements
- 628 Configuring AC 1
- 635 Configuring AC 2
- 635 Configuration guidelines
- 637 Index