Huawei Wireless Access Controller Unit2 Brochure-Detailed

Huawei Access Controller Unit 2 (ACU2) is a WLAN service unit installed on Huawei S12700/S9700/S7700 switches, and provides Access Controller (AC) functions. The ACU2 can be used to provide wireless services on large enterprise or campus networks. It features large capacity, high reliability, and various types of services, and works with Huawei wireless Access Points (APs) to deliver large-scale, high-density access services.

A WLAN can be built rapidly by adding ACU2s to wired network switches. This reduces WLAN construction cost and time, and lowers the Total Cost of Ownership (TCO). Huawei ACU2 leads the industry with the capacity to manage 2,048 APs. It provides flexible data forwarding, fine-grained user group management control policies, comprehensive radio management, and end-to-end QoS guarantees.

Product Characteristics

High access capacity and processing capability
• An ACU2 can manage a maximum of 2048 APs and 32K STAs.
• The ACU2 provides a nearly 40 Gbit/s line-speed forwarding capability.

Flexible user policy management and authorization control capability
• The ACU2 implements per-user access control based on ACLs, VLAN IDs, and bandwidth limits sent from the RADIUS server.
• You can define user groups for users of different roles and apply access control policies to the user groups. Access of users in a user group is controlled based on the ACL, user isolation policy, and bandwidth limit applied to the user group. You can configure inter-group user isolation or intra-group user isolation as required to implement access control.

Independent service unit, facilitating centralized deployment and capacity expansion
• The ACU2, as a switch card, provides both wired and wireless service capabilities, reducing space occupied and cables in equipment rooms and lowering network construction cost.
• Multiple ACU2s can be installed on a switch to manage N x 2,048 APs (N is the number of ACU2s).

802.11ac-Compatible
Huawei ACU2 is compatible with Huawei 802.11ac wireless APs, permitting users to seamlessly expand wireless networks without incurring additional administrative or equipment expense.

Visualized WLAN network management and maintenance
• The ACU2 and APs establish Fit AP + AC networking for centralized AP management, facilitating network management and maintenance. Huawei AC and AP products support the standard Link Layer Discovery Protocol (LLDP), which helps display topologies of wired and wireless networks for visualized management and maintenance.

Typical Networking

The ACU2 can be installed on switches as a WLAN service unit. It can be deployed in the following modes:
• Inline mode: The ACU2 is installed on the aggregation switch to manage downstream APs or APs connected to access switches.
• Bypass mode: The ACU2 is installed on the aggregation switch, but the ACU2 and APs are located in different areas. APs communicate with the aggregation switch through Layer 3 routing.
[Figure: ACU2 topology. Labels: Service management layer, Service access layer, User layer; eSight, Internet, Aggregation switch, ACU2, Access switch]

Physical Specifications

• Board dimensions: 35.56 mm x 380.00 mm x 378.45 mm (height x width x depth)
• Maximum power consumption: 168 W
• Board weight: 3.2 kg

Performance Specifications

• Forwarding capability: 40 Gbit/s
• Number of managed APs: 2048
• Number of access users:
  - Entire device: 32K
  - Single AP: a maximum of 256 (depending on the AP model)
• Number of MAC address entries: 32K
• Number of VLANs: 4K
• Number of routing entries: 16K
• Number of ARP entries: 48K
• Number of multicast forwarding entries: 2K
• Number of DHCP IP address pools: 256 IP address pools, each of which contains a maximum of 16K IP addresses
• Number of local users: 1000
• Number of ACLs: 32K
• Number of ESSIDs: 8K
• User group management:
  - 128 user groups
  - Each user group can reference a maximum of eight ACLs.
  - Each user group can associate with a maximum of 128 ACL rules.
Feature List

Switching and forwarding features

Ethernet features

Ethernet:
• Jumbo frames
• Link aggregation
• Load balancing among links of a trunk
• Interface isolation and forwarding restriction
• Broadcast storm suppression

VLAN:
• Access modes of access, trunk, and hybrid
• Default VLAN

MAC:
• Automatic learning and aging of MAC addresses
• Static, dynamic, and blackhole MAC address entries
• Packet filtering based on source MAC addresses
• Interface-based MAC learning limiting

ARP:
• Static and dynamic ARP entries
• ARP in a VLAN
• Aging of ARP entries

LLDP:
• LLDP

Ethernet loop protection

MSTP:
• STP
• RSTP
• MSTP
• BPDU protection, root protection, and loop protection
• Partitioned STP

IPv4 forwarding

IPv4 features:
• ARP and RARP
• ARP proxy
• Auto-detection
• NAT

Unicast routing features:
• Static route
• RIP-1 and RIP-2
• OSPF
• BGP
• IS-IS
• Routing policies and policy-based routing
• URPF check
• DHCP server and relay
• DHCP snooping

Multicast routing features:
• IGMPv1, IGMPv2, and IGMPv3
• PIM-SM
• Multicast routing policies
• RPF

IPv6 forwarding

IPv6 features:
• ND Protocol

Unicast routing features:
• Static route
• RIPng
• OSPFv3
• BGP4+
• IS-IS IPv6
• DHCPv6
• DHCPv6 Snooping

Multicast routing features:
• MLD

Device reliability

BFD:
• BFD

Layer 2 multicast features

Layer 2 multicast:
• IGMP snooping
• Prompt leave
• Multicast traffic control
• Inter-VLAN multicast replication

Ethernet OAM

EFM OAM:
• Neighbor discovery
• Link monitoring
• Fault notification
• Remote loopback

QoS features

Traffic classification:
• Traffic classification based on the combination of the L2 protocol header, IP 5-tuple, and 802.1p priority

Action:
• Access control after traffic classification
• Traffic policing based on traffic classification
• Re-marking packets based on traffic classifiers
• Class-based packet queuing
• Associating traffic classifiers with traffic behaviors

Queue scheduling:
• PQ scheduling
• DRR scheduling
• PQ+DRR scheduling
• WRR scheduling
• PQ+WRR scheduling

Congestion avoidance:
• SRED
• WRED

Configuration and maintenance

Terminal service:
• Configurations using command lines
• Error message and help information in English
• Configurations using Web Platform
• Login through console and Telnet terminals
• Send function and data communications between terminal users

File system:
• File systems
• Directory and file management
• File uploading and downloading using FTP and TFTP

Debugging and maintenance:
• Unified management over logs, alarms, and debugging information
• Electronic labels
• User operation logs
• Detailed debugging information for network fault diagnosis
• Network test tools such as traceroute and ping commands
• Interface mirroring and flow mirroring

Version upgrade:
• Device software loading and online software loading
• BIOS online upgrade
• In-service patching

Security and management

System security:
• Different user levels for commands, preventing unauthorized users from accessing device
• SSHv2.0
• RADIUS and HWTACACS authentication for login users
• ACL filtering
• DHCP packet filtering (with the Option 82 field)
• Defense against control packet attacks
• Defenses against attacks such as source address spoofing, Land, SYN flood (TCP SYN), Smurf, ping flood (ICMP echo), Teardrop, and Ping of Death attacks
• IPSec

Network management:
• ICMP-based ping and traceroute
• SNMPv1, SNMPv2c, and SNMPv3
• Standard MIB
• RMON

Wireless networking capabilities

Networking between APs and ACs:
• APs and ACs can be connected through a Layer 2 or Layer 3 network.
• APs can be directly connected to an AC.
• APs are deployed on a private network, while ACs are deployed on the public network to implement NAT traversal.
• ACs can be used for Layer 2 bridge forwarding or Layer 3 routing.

Forwarding mode:
• Direct forwarding (distributed forwarding or local forwarding)
• Tunnel forwarding (centralized forwarding)
• Centralized authentication and distributed forwarding
  Before users are authenticated, tunnel forwarding is used. After users are authenticated, local forwarding is used.

Wireless networking mode:
WDS bridging:
• Point-to-point (P2P) wireless bridging
• Point-to-multipoint (P2MP) wireless bridging
• Automatic topology detection and loop prevention (STP)
Wireless mesh network:
• Access authentication for mesh devices
• Mesh routing algorithm
• Go-online without configuration

AC discovery:
• An AP can obtain the device's IP address in any of the following ways:
  - Static configuration
  - DHCP
  - DNS
• The AC uses DHCP or DHCPv6 to allocate IP addresses to APs.
• DHCP or DHCPv6 relay is supported.
• On a Layer 2 network, APs can discover the AC by sending broadcast CAPWAP packets.

CAPWAP tunnel:
• Centralized CAPWAP
• CAPWAP control tunnel and data tunnel (optional)
• CAPWAP tunnel forwarding and direct forwarding in an extended service set (ESS)
• Datagram Transport Layer Security (DTLS) encryption, which is enabled by default for the CAPWAP control tunnel
• Heartbeat detection and tunnel reconnection

Active and standby ACs:
• Enables and disables the switchback function.
• Supports load balancing.
• Supports 1+1 hot backup.
• Supports N+1 backup.

AP management

AP access control:
• Displays MAC addresses or SNs of APs in the whitelist.
• Adds a single AP or multiple APs (by specifying a range of MAC addresses or SNs) to the whitelist.
• Automatically discovering and manually confirming APs.
• Automatically discovering APs without manually confirming them.

AP region management:
• Supports three AP region deployment modes:
  - Distributed deployment: APs are deployed independently. An AP is equivalent to a region and does not interfere with other APs.
    APs work at the maximum power and do not perform radio calibration.
  - Common deployment: APs are loosely deployed. The transmit power of each radio is less than 50% of the maximum transmit power.
  - Centralized deployment: APs are densely deployed. The transmit power of each radio is less than 25% of the maximum transmit power.
• Specifies the default region to which automatically discovered APs are added.

AP profile management:
• Specifies the default AP profile that is applied to automatically discovered APs.

AP type management:
• Manages AP attributes including the number of interfaces, AP types, number of radios, radio types, maximum number of virtual access points (VAPs), maximum number of associated users, and radio gain (for APs deployed indoors).
• Provides default AP types.
• Supports user-defined AP types.

Network topology management:
Supports LLDP topology detection.

Radio management

Radio profile management:
• The following parameters can be configured in a radio profile:
  - Radio working mode and rate
  - Automatic or manual channel and power adjustment mode
  - Radio calibration interval
• The radio type can be set to 802.11n, 802.11b/g/n, 802.11a/n, or 802.11ac.
• You can bind a radio to a specified radio profile.

Unified static configuration of parameters:
Radio parameters such as the channel and power of each radio are configured on the AC and then delivered to APs.

Dynamic management:
• APs can automatically select working channels and power when they go online.
• In an AP region, APs automatically adjust working channels and power in the event of signal interference:
  - Partial calibration: The optimal working channel and power of a specified AP can be adjusted.
  - Global calibration: The optimal working channels and power of all the APs in a specified region can be adjusted.
• When an AP is removed or goes offline, the AC increases the power of neighboring APs to compensate for the coverage hole.
• Automatic selection and calibration of radio parameters in AP regions are supported.

Enhanced service capabilities:
• The AC supports 802.11a/b/g/n/ac. These modes can be used independently or jointly (a/n, b/g, b/g/n, and g/n).
• The AC preferentially uses the 5 GHz frequency band for STAs.
• 2.4 GHz and 5 GHz frequency load balancing

WLAN service management

ESS management:
• Allows you to enable SSID broadcast, set the maximum number of access users, and set the association aging time in an ESS.
• Isolates APs at Layer 2 in an ESS.
• Maps an ESS to a service VLAN.
• Associates an ESS with a security profile or a QoS profile.
• Enables IGMP for APs in an ESS.

VAP-based service management:
• Adds multiple VAPs at a time by binding radios to ESSs.
• Displays information about a single VAP, VAPs with a specified ESS, or all VAPs.
• Supports configuration of offline APs.
• Creates VAPs according to batch delivered service provisioning rules in automatic AP discovery mode.

Service provisioning management:
• Supports service provisioning rules configured for a specified radio of a specified AP type.
• Adds automatically discovered APs to the default AP region. The default AP region is configurable.
• Applies a service provisioning rule to a region to enable APs in the region to go online.

Multicast service management:
• Supports IGMP snooping.
• Supports IGMP proxy.

Load balancing:
• Performs load balancing among radios in a load balancing group.
• Supports two load balancing modes:
  - Based on the number of STAs connected to each radio
  - Based on the traffic volume on each radio

BYOD (Bring Your Own Device):
• Identification of device types according to the OUI in the MAC address
• Identification of device types according to the user agent (UA) field in an HTTP packet
• Identification of device types according to DHCP Option information
• Carrying of device type information in RADIUS authentication and accounting packets

Positioning services:
• Locating AeroScout and Ekahau tags
• Locating Wi-Fi terminals

Spectrum analysis:
• Identification of the following interference sources: Bluetooth, microwave ovens, cordless phones, ZigBee, game controllers, 2.4 GHz/5 GHz wireless audio and video devices, and baby monitors.
• Working with the eSight to locate the interference sources and display spectrum.

WLAN user management

Address allocation of wireless users:
Functions as a DHCP server to assign IP addresses to wireless users.

WLAN user management:
• Supports user blacklist and whitelist.
• Controls the number of access users:
  - Based on APs
  - Based on SSIDs
• Logs out users in any of the following ways:
  - Using RADIUS DM messages
  - Using commands
• Supports various methods to view information:
  - Allows you to view the user status by specifying the user MAC address, AP ID, radio ID, or WLAN ID.
  - Displays the number of online users in an ESS, AP, or radio.
  - Collects packet statistics on air interface based on user.

WLAN user roaming:
• Supports intra-AC Layer 2 roaming.
  NOTE: Users can roam between APs connected to different physical ports on an AC.
• Supports inter-VLAN Layer 3 roaming on an AC.
• Supports roaming between ACs.
• Supports fast key negotiation in 802.1x authentication.
• Authenticates users who request to reassociate with the AC and rejects the requests of unauthorized users.
• Delays clearing user information after a user goes offline so that the user can rapidly go online again.

User group management:
• Supports ACLs.
• Supports user isolation:
  - Inter-group isolation
  - Intra-group isolation

WLAN security profile management:
• Manages authentication and encryption modes using WLAN security profiles.
• Binds security profiles to ESS profiles.

Authentication modes:
• Open system authentication with no encryption
• WEP authentication/encryption
• WPA/WPA2 authentication and encryption:
  - WPA/WPA2-PSK+TKIP
  - WPA/WPA2-PSK+CCMP
  - WPA/WPA2-802.1x+TKIP
  - WPA/WPA2-802.1x+CCMP
• WAPI authentication and encryption:
  - Supports centralized WAPI authentication.
  - Supports three-certificate WAPI authentication, which is compatible with traditional two-certificate authentication.
  - Issues a certificate file together with a private key.
• Allows users to use MAC addresses as accounts for authentication by the RADIUS server.
• Portal authentication:
  - Allows an AC to function as a portal gateway.
  - Prohibits an AC from functioning as a portal gateway.
  - Supports only Layer 2 portal.

Combined authentication:
• Combined MAC authentication:
  - PSK+MAC authentication
• MAC+portal authentication:
  - MAC authentication is used first. When MAC authentication fails, portal authentication is used.
  - This type of authentication applies only to centralized forwarding.

AAA:
• Local authentication/local accounts (MAC addresses and accounts)
• RADIUS authentication
• Multiple authentication servers:
  - Supports backup authentication servers.
  - Specifies authentication servers based on account.
  - Configures authentication servers based on account.
  - Binds user accounts to SSIDs.

Security isolation:
• Port-based isolation
• User group-based isolation

WIDS:
Rogue device scan, identification, defense, and countermeasures, which includes dynamic blacklist configuration and detection of rogue APs, STAs, and network attacks.

Authority control:
ACL limit based on the following:
• Port
• User group
• User

Other security features:
• SSID hiding
• IP source guard:
  - Configures IP and MAC binding entries statically.
  - Generates IP and MAC binding entries dynamically.

WLAN QoS

WMM profile management:
• Enables or disables Wi-Fi Multimedia (WMM).
• Allows a WMM profile to be applied to radios of multiple APs.

Traffic profile management:
• Manages traffic from APs and maps packet priorities according to traffic profiles.
• Applies a QoS policy to each ESS by binding a traffic profile to each ESS.

AC traffic control:
• Manages QoS profiles.
• Uses ACLs to perform traffic classification.
• Limits incoming and outgoing traffic rates for each user based on inbound and outbound CAR parameters.
• Limits the traffic rate based on ESSs or VAPs.

AP traffic control:
• Controls traffic of multiple users and allows users to share bandwidth.
• Limits the rate of a specified VAP.

Packet priority configuration:
• Sets the QoS priority (IP precedence or DSCP priority) for CAPWAP control channels.
• Sets the QoS priority for CAPWAP data channels:
  - Allows you to specify the CAPWAP header priority.
  - Maps 802.1p priorities of user packets to ToS priorities of tunnel packets.

Airtime scheduling:
• Allocates equal time to users for occupying the channel, which improves users' Internet access experience.

Professional Service and Support

Huawei WLAN planning tools deliver expert network design and optimization services using the most professional simulation platform in the industry. Backed by fifteen years of continuous investment in wireless technologies, extensive network planning and optimization experience, as well as rich expert resources, Huawei helps customers:
• Design, deploy, and operate a high-performance network that is reliable and secure.
• Maximize return on investment and reduce operating expenses.

More Information

For more information, please visit http://e.huawei.com or contact your local Huawei office.

Copyright © Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademark Notice
, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.