H3C WX Series Access Controllers
Web-Based Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: WX3000-CMW520-R3308 (WX3024E)
WX5004-CMW520-R2308 (WX5000 series)
WX6103-CMW520-R2308 (WX6000 series)
Document version: 6W106-20120824
Copyright © 2008-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath,
Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are
trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C WX Series Access Controllers Web-Based Configuration Guide describes the web functions of
the WX series, such as quick start, web overview, wireless service configuration, security and
authentication related configurations, QoS configuration, and advanced settings.
NOTE:
• Support of the H3C WX series access controllers for features may vary by device model. For the feature
matrixes, see the chapter “Feature Matrixes”.
• The interface types and output information may vary by device model.
• The grayed-out functions and parameters on the web interface are unavailable or not configurable.
This preface includes:
• Audience
• Conventions
• About the H3C WX Series documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the WX series
Conventions
This section describes the conventions used in this documentation set.
GUI conventions
Convention   Description
Boldface     Window names, button names, field names, and menu items are in Boldface. For example,
             the New User window appears; click OK.
>            Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention   Description
WARNING      An alert that calls attention to important information that if not understood or
             followed can result in personal injury.
CAUTION      An alert that calls attention to important information that if not understood or
             followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT    An alert that calls attention to essential information.
NOTE         An alert that contains additional or supplementary information.
TIP          An alert that provides helpful information.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
  Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, an access controller module, or a switching engine on a
  unified switch.
• Represents an access point.
• Represents a mesh access point.
• Represents omnidirectional signals.
• Represents directional signals.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
About the H3C WX Series documentation set
The H3C WX series documentation set includes:

Category: Product description and specifications
  Marketing brochures
    Describe product specifications and benefits.
  Technology white papers
    Provide an in-depth description of software features and technologies.

Category: Hardware specifications and installation
  Card manuals
    Provide the hardware specifications of cards and describe how to install and remove the cards.
  Installation guide
    Provides a complete guide to hardware installation and hardware specifications.

Category: Software configuration
  Getting started guide
    Guides you through the main functions of your device, and describes how to install and log in
    to your device, perform basic configurations, maintain software, and troubleshoot your device.
  Configuration guides
    Describe software features and configuration procedures.
  Command references
    Provide a quick reference to all available commands.
  Web-based configuration guide
    Describes configuration procedures through the web interface.

Category: Operations and maintenance
  Release notes
    Provide information about the product release, including the version history, hardware and
    software compatibility matrix, version upgrade information, technical support information, and
    software upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Models of WX series access controllers
Typical network scenarios
  Access controller network scenario
  Access controller module network scenario
  Wireless switch network scenario
Feature matrixes
  Feature matrix for the WX5000 series
  Feature matrix for the WX6000 series
  Feature matrix for the WX3024E
Quick Start
  Quick start wizard home page
  Basic configuration
  Admin configuration
  IP configuration
  Wireless configuration
  RADIUS configuration
  Portal configuration
  Encryption configuration
  AP configuration
  Configuration summary
Web overview
  Logging in to the Web interface
  Logging out of the Web interface
  Introduction to the Web interface
    Web user level
    Introduction to the Web-based NM functions
    Common Web interface elements
    Configuration guidelines
  Troubleshooting Web browser
    Failure to access the device through the Web interface
Summary
  Device information
    Device info
    System resource state
    Device interface information
    Recent system logs
  Displaying WLAN service
    Displaying detailed information of WLAN service
    Displaying statistics of WLAN service
    Displaying connection history information of WLAN service
  Displaying AP
    Displaying WLAN service information of an AP
    Displaying AP connection history information
    Displaying AP radio information
    Displaying AP detailed information
  Displaying clients
    Displaying client detailed information
    Displaying client statistics
    Displaying client roaming information
    Displaying RF ping information
License management
  Configuring licenses
    Adding a license
    Displaying license information
  Configuring enhanced licenses
    Registering an enhanced license
    Displaying registered enhanced licenses
Device basic information configuration
  Configuring system name
  Configuring Web idle timeout period
Device maintenance
  Software upgrade
  Rebooting the device
  Generating the diagnostic information file
System time
  Displaying the system time
    Configuring the system time
    Configuring the network time
  System time configuration example
  Configuration guidelines
Log management
  Displaying syslog
  Setting the log host
  Setting buffer capacity and refresh interval
Configuration management
  Backing up the configuration
  Restoring the configuration
  Saving the configuration
  Initializing the configuration
File management
  Displaying file list
  Downloading a file
  Uploading a file
  Removing a file
  Specifying the main boot file
Interface management
  Interface management overview
  Displaying interface information and statistics
  Creating an interface
  Modifying a Layer 2 interface
  Modifying a Layer 3 interface
  Interface management configuration example
Port mirroring
  Introduction to port mirroring
  Port mirroring configuration task list
    Adding a mirroring group
    Configuring ports for a mirroring group
  Configuration examples
  Configuration guidelines
User management
  Creating a user
  Setting the super password
  Switching the user access level to the management level
SNMP configuration
  SNMP overview
  SNMP configuration task list
    Enabling SNMP
  Configuring an SNMP view
    Creating an SNMP view
    Adding rules to an SNMP view
    Configuring an SNMP community
    Configuring an SNMP group
    Configuring an SNMP user
    Configuring SNMP trap function
  Displaying SNMP packet statistics
  SNMP configuration example
Loopback
  Loopback operation
  Configuration guidelines
MAC address configuration
  Overview
  Configuring a MAC address entry
    Setting the aging time of MAC address entries
  MAC address configuration example
VLAN configuration
  Overview
  Recommended configuration procedure
  Creating a VLAN
  Modifying a VLAN
  Modifying a port
  VLAN configuration examples
  Configuration guidelines
ARP configuration
  Overview
    Introduction to ARP
    Introduction to gratuitous ARP
  Displaying ARP entries
  Creating a static ARP entry
  Removing ARP entries
  Configuring gratuitous ARP
  Static ARP configuration example
ARP attack protection configuration
    ARP detection
    Source MAC address based ARP attack detection
    ARP active acknowledgement
    ARP packet source MAC address consistency check
  Configuring ARP detection
  Configuring other ARP attack protection functions
IGMP snooping configuration
  Overview
  Recommended configuration procedure
  Enabling IGMP snooping globally
  Configuring IGMP snooping on a VLAN
  Configuring IGMP snooping on a port
  Displaying IGMP snooping multicast entry information
  IGMP snooping configuration examples
IPv4 and IPv6 routing configuration
  Overview
  Displaying the IPv4 active route table
  Creating an IPv4 static route
  Displaying the IPv6 active route table
  Creating an IPv6 static route
  IPv4 static route configuration example
  IPv6 static route configuration example
  Configuration guidelines
DHCP overview
    Introduction to DHCP snooping
  Recommended configuration procedure (for DHCP server)
  Enabling DHCP
  Creating a static address pool for the DHCP server
  Creating a dynamic address pool for the DHCP server
  Enabling the DHCP server on an interface
  Displaying information about assigned IP addresses
  Recommended configuration procedure (for DHCP relay agent)
  Enabling DHCP and configuring advanced parameters for the DHCP relay agent
  Creating a DHCP server group
  Enabling the DHCP relay agent on an interface
  Configuring and displaying clients' IP-to-MAC bindings
  Recommended configuration procedure (for DHCP snooping)
  Enabling DHCP snooping
  Configuring DHCP snooping functions on an interface
  Displaying clients' IP-to-MAC bindings
  DHCP server configuration example
  DHCP relay agent configuration example
  DHCP snooping configuration example
DNS configuration
  Overview
    Static domain name resolution
    Dynamic domain name resolution
    DNS proxy
  Recommended configuration procedure
    Configuring static name resolution table
    Configuring dynamic domain name resolution
    Configuring DNS proxy
  Configuring static name resolution table
··················································································································· 196 Configuring dynamic domain name resolution ········································································································ 197 Configuring DNS proxy ·············································································································································· 198 iv
Adding a DNS server address ··································································································································· 198 Adding a domain name suffix ···································································································································· 199 Clearing dynamic DNS cache ···································································································································· 199 DNS configuration example ······································································································································· 199 Service management ·············································································································································· 204 Overview······································································································································································· 204 Configuring service management ······························································································································ 205 Diagnostic tools ······················································································································································· 207 Ping ······································································································································································· 207 Trace route ··························································································································································· 207 Ping operation ······························································································································································ 208 IPv4 ping 
operation············································································································································· 208 IPv6 ping operation············································································································································· 209 Trace route operation ·················································································································································· 211 AP configuration······················································································································································ 213 AC-AP connection ························································································································································ 213 Auto AP ········································································································································································· 213 AP group ······································································································································································· 213 Configuring an AP ······················································································································································· 214 Creating an AP ···················································································································································· 214 Configuring an AP ·············································································································································· 214 Configuring advanced settings ·························································································································· 216 Configuring auto AP 
···················································································································································· 218 Enabling auto AP ················································································································································· 218 Renaming an AP ·················································································································································· 219 Batch switch ························································································································································· 219 Configuring an AP group ············································································································································ 220 Creating an AP group········································································································································· 220 Configuring an AP group ··································································································································· 220 Applying the AP group ······································································································································· 221 AP connection priority configuration example ·········································································································· 221 Configuring access services ··································································································································· 223 Access service overview ·············································································································································· 223 Terminology ························································································································································· 223 Client access 
························································································································································ 223 WLAN data security ··········································································································································· 226 Client access authentication ······························································································································· 227 802.11n ······························································································································································· 229 Configuring access service ········································································································································· 230 Recommended configuration procedure ··········································································································· 230 Creating a WLAN service ·································································································································· 230 Configuring clear type wireless service ············································································································ 231 Configuring crypto type wireless service ·········································································································· 240 Security parameter dependencies ····················································································································· 247 Enabling a wireless service ································································································································ 247 Binding an AP radio to a wireless service ········································································································ 248 Enabling a radio 
················································································································································· 249 Displaying the detailed information of a wireless service ·············································································· 250 Wireless service configuration example ···················································································································· 253 Auto AP configuration example·································································································································· 256 802.11n configuration example ································································································································ 261 WPA-PSK authentication configuration example ······································································································ 263 v
Local MAC authentication configuration example ··································································································· 268 Remote MAC authentication configuration example································································································ 273 Remote 802.1X authentication configuration example ··························································································· 284 Dynamic WEP encryption-802.1X authentication configuration example ····························································· 297 Configuring mesh services······································································································································ 304 Mesh overview ····························································································································································· 304 Basic concepts in WLAN mesh ·························································································································· 304 Advantages of WLAN mesh ······························································································································ 305 Deployment scenarios ········································································································································· 305 WLAN mesh security··········································································································································· 308 Mobile link switch protocol ································································································································ 308 Mesh network topologies ··································································································································· 310 Configuring mesh service 
············································································································································ 311 Configuring mesh service ··································································································································· 311 Configuring a mesh policy ································································································································· 316 Mesh global setup ··············································································································································· 320 Configuring a working channel ························································································································· 321 Enabling radio ····················································································································································· 322 Configuring a peer MAC address ····················································································································· 322 Mesh DFS ····························································································································································· 323 Displaying the mesh link status ·························································································································· 325 Normal WLAN mesh configuration example ··········································································································· 326 Subway WLAN mesh configuration example ··········································································································· 330 Mesh point-to-multipoint configuration example ······································································································· 331 Tri-radio mesh configuration example 
······················································································································· 332 Mesh DFS configuration example ······························································································································ 333 WLAN roaming configuration ······························································································································· 336 Configuring WLAN roaming ······································································································································ 336 Configuring a roaming group ···························································································································· 336 Adding a group member ···································································································································· 337 Displaying client information······························································································································ 338 WLAN roaming configuration examples··················································································································· 338 Intra-AC roaming configuration example ·················································································································· 338 Inter-AC roaming configuration example ·················································································································· 342 Radio configuration ················································································································································ 347 Radio overview····························································································································································· 347 WLAN RRM 
overview·················································································································································· 347 Dynamic frequency selection ····························································································································· 347 Transmit power control ······································································································································· 348 Radio setup ··································································································································································· 350 Configuring radio parameters ··························································································································· 350 Enabling a radio ················································································································································· 354 Locking the channel ············································································································································· 355 Locking the power ··············································································································································· 356 Configuring data transmit rates ·································································································································· 356 Configuring 802.11a/802.11b/802.11g rates ···························································································· 356 Configuring 802.11n MCS································································································································ 358 Configuring channel scanning···································································································································· 360 Configuring calibration 
··············································································································································· 361 Parameter setting ················································································································································· 361 Configuring a radio group ································································································································· 365 Calibration operations ········································································································································ 367 Antenna ········································································································································································· 369 vi
Manual channel adjustment configuration example ································································································ 370 Automatic power adjustment configuration example ······························································································· 372 Radio group configuration example ·························································································································· 373 Configuring 802.1X ··············································································································································· 377 802.1X architecture ····················································································································································· 377 Access control methods ··············································································································································· 377 Configuring 802.1X ···················································································································································· 378 Configuration prerequisites ································································································································ 378 Recommended configuration procedure ··········································································································· 378 Configuring 802.1X globally ····························································································································· 378 Configuring 802.1X on a port··························································································································· 381 Configuring portal authentication ·························································································································· 385 Introduction to portal authentication 
·························································································································· 385 Configuring portal authentication ······························································································································ 386 Configuration prerequisites ································································································································ 386 Recommended configuration procedure ··········································································································· 386 Configuring the portal service···························································································································· 387 Configuring advanced parameters for portal authentication ········································································· 391 Configuring a portal-free rule····························································································································· 392 Customizing authentication pages ···················································································································· 394 Portal authentication configuration example ············································································································· 397 Configuring AAA ···················································································································································· 406 AAA overview ······························································································································································ 406 Configuring AAA ························································································································································· 406 Configuration prerequisites 
································································································································ 406 Recommended configuration procedure ··········································································································· 407 Configuring an ISP domain ································································································································ 407 Configuring authentication methods for the ISP domain ················································································· 408 Configuring authorization methods for the ISP domain ·················································································· 410 Configuring accounting methods for the ISP domain ······················································································ 412 AAA configuration example ······································································································································· 414 Network requirements ········································································································································· 414 Configuration procedure ···································································································································· 415 Configuring RADIUS ··············································································································································· 419 RADIUS overview ························································································································································· 419 Configuring a RADIUS scheme ··································································································································· 419 RADIUS configuration example 
·································································································································· 425 Network requirements ········································································································································· 425 Configuration procedure ···································································································································· 425 Verifying the configuration ································································································································· 430 Configuration guidelines ············································································································································· 430 Configuring the local EAP service·························································································································· 432 Configuration procedure ············································································································································· 432 Local EAP service configuration example ·················································································································· 433 Network requirements ········································································································································· 433 Configuration procedure ···································································································································· 434 Verifying the configuration ································································································································· 439 Configuring users ···················································································································································· 440 
Overview······································································································································································· 440 Configuring a local user ·············································································································································· 441 Configuring a user group ············································································································································ 443 vii
  Configuring a guest ···· 444
  Configuring a user profile ···· 447
Managing certificates ···· 450
  PKI overview ···· 450
  Configuring PKI ···· 450
    Recommended configuration procedure for manual request ···· 451
    Recommended configuration procedure for automatic request ···· 452
    Creating a PKI entity ···· 453
    Creating a PKI domain ···· 454
    Generating an RSA key pair ···· 457
    Destroying the RSA key pair ···· 458
    Retrieving and displaying a certificate ···· 458
    Requesting a local certificate ···· 459
    Retrieving and displaying a CRL ···· 460
  Certificate management configuration example ···· 461
  Configuration guidelines ···· 466
WLAN security configuration ···· 467
  WLAN security overview ···· 467
    Terminology ···· 467
    WIDS attack detection ···· 469
    Blacklist and white list ···· 470
  Configuring rogue device detection ···· 471
    Recommended configuration procedure ···· 471
    Configuring AP operating mode ···· 471
    Configuring detection rules ···· 472
    Configuring detection rule lists ···· 475
    Enabling countermeasures and configuring aging time for detected rogue devices ···· 476
    Displaying monitor record ···· 477
    Displaying history record ···· 478
  Configuring WIDS ···· 479
    Configuring WIDS ···· 479
    Displaying history record ···· 479
    Displaying statistics information ···· 480
  Configuring the blacklist and white list functions ···· 480
    Configuring dynamic blacklist ···· 481
    Configuring static blacklist ···· 481
    Configuring white list ···· 483
  Rogue detection configuration example ···· 484
User isolation ···· 487
  User isolation overview ···· 487
    Before user isolation is enabled ···· 487
    After user isolation is enabled ···· 488
  Configuring user isolation ···· 488
    Configuring user isolation ···· 488
    Displaying user isolation information ···· 489
  User isolation configuration example ···· 489
Authorized IP ···· 491
  Overview ···· 491
  Configuring authorized IP ···· 491
Configuring ACL and QoS ···· 493
  ACL overview ···· 493
  QoS overview ···· 493
  Configuring an ACL ···· 494
    Recommended configuration procedures ···· 494
    Adding a time range ···· 495
    Adding an IPv4 ACL ···· 496
    Configuring a rule for a basic IPv4 ACL ···· 497
    Configuring a rule for an advanced IPv4 ACL ···· 498
    Configuring a rule for an Ethernet frame header ACL ···· 501
    Adding an IPv6 ACL ···· 503
    Configuring a rule for a basic IPv6 ACL ···· 504
    Configuring a rule for an advanced IPv6 ACL ···· 506
  Configuring line rate ···· 508
  Configuring the priority trust mode of a port ···· 509
    Priority mapping overview ···· 509
    Configuring priority mapping ···· 509
  Configuring a QoS policy ···· 512
    Recommended QoS policy configuration procedure ···· 512
    Adding a class ···· 513
    Configuring classification rules ···· 514
    Adding a traffic behavior ···· 517
    Configuring actions for a traffic behavior ···· 518
    Adding a policy ···· 521
    Configuring classifier-behavior associations for the policy ···· 521
    Applying a policy to a port ···· 522
    Applying a QoS policy to a WLAN service ···· 523
  ACL and QoS configuration example ···· 525
    Network requirements ···· 525
    Configuration procedure ···· 525
    Verifying the configuration ···· 534
  Configuration guidelines ···· 534
Configuring wireless QoS ···· 536
  Overview ···· 536
    Terminology ···· 536
    WMM protocol overview ···· 536
  Enabling wireless QoS ···· 538
  Setting the SVP service ···· 539
  Setting CAC admission policy ···· 540
  Setting radio EDCA parameters for APs ···· 540
  Setting client EDCA parameters for wireless clients ···· 542
  Displaying the radio statistics ···· 543
  Displaying the client statistics ···· 544
  Setting rate limiting ···· 546
    Setting wireless service-based client rate limiting ···· 546
    Setting radio-based client rate limiting ···· 547
  Configuring the bandwidth guarantee function ···· 548
    Setting the reference radio bandwidth ···· 548
    Setting guaranteed bandwidth percents ···· 549
    Enabling bandwidth guaranteeing ···· 550
    Displaying guaranteed bandwidth settings ···· 551
  CAC service configuration example ···· 551
    Network requirements ···· 551
    Configuring the wireless service ···· 551
    Configuring wireless QoS ···· 551
    Verifying the configuration ···· 553
  Wireless service-based static rate limiting configuration example ···· 553
    Network requirements ···· 553
    Configuring the wireless service ···· 553
    Configuring static rate limiting ···· 553
    Verifying the configuration ···· 554
  Wireless service-based dynamic rate limiting configuration example ···· 554
    Network requirements ···· 554
    Configuring the wireless service ···· 555
    Configuring dynamic rate limiting ···· 555
    Verifying the configuration ···· 555
  Bandwidth guarantee configuration example ···· 555
    Network requirements ···· 555
    Configuring the wireless services ···· 556
    Configuring bandwidth guaranteeing ···· 556
    Verifying the configuration ···· 559
Advanced settings ···· 560
  Advanced settings overview ···· 560
    Country/Region code ···· 560
    1+1 AC backup ···· 560
    1+N AC backup ···· 561
    Continuous transmitting mode ···· 562
    Channel busy test ···· 562
    WLAN load balancing ···· 562
    AP version setting ···· 564
    Switching to fat AP ···· 564
    Wireless location ···· 564
    Wireless sniffer ···· 566
    Band navigation ···· 566
  Configuring WLAN advanced settings ···· 567
    Setting a country/region code ···· 567
    Configuring 1+1 AC backup ···· 568
    Configuring 1+N AC backup ···· 571
    Configuring continuous transmitting mode ···· 573
    Configuring a channel busy test ···· 574
    Configuring load balancing ···· 576
    Configuring AP ···· 579
    Configuring wireless location ···· 580
    Configuring wireless sniffer ···· 582
    Configuring band navigation ···· 583
  Advanced settings configuration examples ···· 585
    1+1 fast backup configuration example ···· 585
    1+N backup configuration example ···· 590
    AP-based session-mode load balancing configuration example ···· 593
    AP-based traffic-mode load balancing configuration example ···· 595
    Group-based session-mode load balancing configuration example ···· 596
    Group-based traffic-mode load balancing configuration example ···· 598
    Wireless location configuration example ···· 601
    Wireless sniffer configuration example ···· 603
    Band navigation configuration example ···· 606
Configuring stateful failover ···· 609
  Overview ···· 609
    Introduction to stateful failover ···· 609
    Introduction to stateful failover states ···· 610
  Configuring stateful failover ···· 610
  Stateful failover configuration example ···· 611
  Configuration guidelines ···· 619
Index ···· 621
Models of WX series access controllers
H3C WX series access controllers include the WX3000E series wireless switches, and the WX5000 and
WX6000 series access controllers. Table 1 shows the models of the WX series.
Table 1 Models of WX series access controllers

Product                            Model
WX3000E series wireless switches   WX3024E wireless switch
WX5000 series access controllers   • WX5002V2 access controller
                                   • WX5004 access controller
                                   • LSWM1WCM10 access controller module
                                   • LSWM1WCM20 access controller module
WX6000 series access controllers   • WX6103 access controller
                                   • LSQM1WCMB0 access controller module
                                   • LSQM1WCMD0 access controller module
                                   • LSBM1WCM2A0 access controller module
                                   • LSRM1WCM2A1 access controller module
                                   • LSRM1WCM3A1 access controller module

NOTE:
The WX6103 access controller supports EWPX1WCMB0 and EWPX1WCMD0 main control boards.
Typical network scenarios
Access controller network scenario
As shown in Figure 1, the AC connects to a Layer 2 or Layer 3 switch through GE1/0/1, the switch is
connected to APs directly or over an IP network, and clients access the network through the APs.
Figure 1 AC networking
Access controller module network scenario
As shown in Figure 2, the access controller module is installed in a Layer 2 or Layer 3 switch, the switch
is connected to APs directly or over an IP network, and clients access the network through the APs.
Figure 2 Access controller module networking (figure elements: access controller module, server,
switch, IP network, AP 1, AP 2, Client A, Client B)
Wireless switch network scenario
As shown in Figure 3, the wireless switch, which has both AC and switch functions, is connected to APs
directly or over an IP network, and clients access the network through the APs.
Figure 3 Unified switch networking diagram (figure elements: server, wireless switch, IP network, AP 1,
AP 2, Client A, Client B)
Feature matrixes
In this document, Yes means a feature is supported, and No means not supported.
Feature matrix for the WX5000 series
NOTE:
The LSWM1WCM10 and LSWM1WCM20 access controller modules of the WX5000 series adopt the OAP architecture. They work as OAP cards to
exchange data and status and control information with the switch through their internal interfaces. Do not configure services such as QoS rate limiting and
802.1X authentication on XGE 1/0/1 of the LSWM1WCM10, and the logical aggregate interface BAGG1 formed by GE 1/0/1 and GE 1/0/2 of the
LSWM1WCM20.
Table 2 Feature matrix for the WX5000 series
(Models compared: WX5002V2, WX5004, LSWM1WCM10, LSWM1WCM20)

Module: Device
• License management
  WX5002V2: Supports 32 concurrent APs by default, and can be extended to support 64 concurrent APs.
  WX5004: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
  LSWM1WCM10: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
  LSWM1WCM20: Supports 32 concurrent APs by default, and can be extended to support 128 concurrent APs.
• File management
  WX5002V2: CF Yes. WX5004: CF Yes. LSWM1WCM10: CF Yes. LSWM1WCM20: Flash Yes.
• Port mirroring
  WX5002V2: Yes. WX5004: Yes. LSWM1WCM10: No. LSWM1WCM20: No.
• Loopback test
  WX5002V2: Yes on GE interfaces. WX5004: Yes on GE interfaces.
  LSWM1WCM10: Yes, internal loopback testing on XGE interfaces only.
  LSWM1WCM20: Yes, internal loopback testing on GE interfaces only.

Module: Network
• IGMP Snooping
  All four models: The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

Module: AP
• AP group (Licenses must be fully configured to reach the maximum number of group IDs)
  WX5002V2: The number of group IDs ranges from 1 to 64.
  WX5004: The number of group IDs ranges from 1 to 256.
  LSWM1WCM10: The number of group IDs ranges from 1 to 256.
  LSWM1WCM20: The number of group IDs ranges from 1 to 128.

Module: Wireless Service
• Access service
  All four models: The maximum number of associated users per SSID is 124 and defaults to 64.

Module: Advanced settings
• AC hot backup
  WX5002V2: Yes. WX5004: Yes. LSWM1WCM10: Yes. LSWM1WCM20: No.
• Fast backup (Hello interval)
  WX5002V2, WX5004, LSWM1WCM10: Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.)
  LSWM1WCM20: No.
• 1+1 AC backup
  WX5002V2: Yes. WX5004: Yes. LSWM1WCM10: Yes. LSWM1WCM20: No.
• 1+1 fast backup
  WX5002V2: Yes. WX5004: Yes. LSWM1WCM10: Yes. LSWM1WCM20: No.

Module: High availability
• Stateful failover
  WX5002V2: Yes. WX5004: Yes. LSWM1WCM10: Yes. LSWM1WCM20: No.
Feature matrix for the WX6000 series
NOTE:
• The switch interface board of the WX6103 adopts OAP architecture and is installed on the slot with purple paint at slot sides. The WX6103 supports
EWPX1WCMB0 and EWPX1WCMD0 main control boards. The switch interface board exchanges data, and state and control information with the main
control board through internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.
• For configuration information about the switch interface board of the WX6103, see the H3C WX6103 Access Controller Switch Interface Board
Configuration Guide and H3C WX6103 Access Controller Switch Interface Board Command Reference.
• The LSQM1WCMB0/LSQM1WCMD0/LSBM1WCM2A0/LSRM1WCM2A1/LSRM1WCM3A1 of the WX6000 series are OAP cards. Each OAP card is
installed on the expansion slot of the switch and exchanges data and status and control information with the switch through internal interfaces. Do not
configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.
Table 3 Feature matrix for the WX6000 series
(Models compared: WX6103, LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1)

Module: Device
• License management
  WX6103: EWPX1WCMB0 supports 128 concurrent APs by default, and can be extended to support 640
  concurrent APs. EWPX1WCMD0 supports 128 concurrent APs by default, and can be extended to support
  1024 concurrent APs.
  LSQM1WCMB0: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
  LSQM1WCMD0: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
  LSBM1WCM2A0: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
  LSRM1WCM2A1: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
  LSRM1WCM3A1: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
• File management
  All six models: CF and USB supported.
• Port mirroring
  All six models: No.
• Loopback test
  All six models: Internal loopback testing supported on XGE interfaces only.

Module: Network
• IGMP Snooping
  All six models: The maximum number of multicast groups ranges from 1 to 256 and defaults to 256.

Module: AP
• AP group (Licenses must be fully configured to reach the maximum number of group IDs)
  WX6103: On EWPX1WCMB0, the number of group IDs ranges from 1 to 640. On EWPX1WCMD0, the number of
  group IDs ranges from 1 to 1024.
  LSQM1WCMB0: The number of group IDs ranges from 1 to 640.
  LSQM1WCMD0: The number of group IDs ranges from 1 to 1024.
  LSBM1WCM2A0: The number of group IDs ranges from 1 to 640.
  LSRM1WCM2A1: The number of group IDs ranges from 1 to 640.
  LSRM1WCM3A1: The number of group IDs ranges from 1 to 1024.

Module: Wireless Service
• Access service
  All six models: The maximum number of associated users per SSID is 124 and defaults to 64.

Module: Advanced settings
• AC backup
  All six models: Yes.
• Fast backup (Hello interval)
  All six models: Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.)
• 1+1 AC backup
  All six models: Yes.

Module: High availability
• Stateful failover
  All six models: Yes.
Feature matrix for the WX3024E
NOTE:
• The access controller engine and the switching engine of the WX3024E adopt the OAP architecture, with
the switching engine integrated on the access controller engine. By default, when you log in to the switch
you actually log in to the access controller engine. The GE 1/0/1 and GE 1/0/2 interfaces of the access
controller engine form a logical interface BAGG1, and the GE1/0/29 and GE1/0/30 interfaces of the
switching engine form a logical interface BAGG1. The two BAGG1 interfaces exchange data, status, and
control information. Do not configure services such as QoS rate limiting and 802.1X authentication on
these internal interfaces.
• For configuration information about the switching engine of the WX3024E, see the H3C WX3024E Wireless Switch Switching Engine Configuration Guide
and H3C WX3024E Wireless Switch Switching Engine Command Reference.
Table 4 Feature matrix for the WX3024E
Module
Feature
WX3024E
License management
Supports 24 concurrent APs by default, and can be extended to support 60
concurrent APs.
File management
Flash supported
Port mirroring
No
Loopback test
Internal loopback testing supported on GE interfaces only
Network
IGMP Snooping
The maximum number of multicast groups ranges from 1 to 64 and defaults to 64.
AP
AP group (Licenses must be fully configured to reach the
maximum number of group IDs)
The number of group IDs ranges from 1 to 60.
Wireless Service
Access service
The maximum number of associated users per SSID is 124, and defaults to 64.
AC backup
No
Fast backup (Hello interval)
No
1+1 AC backup
No
Stateful failover
No
Device
Advanced settings
High availability
8
Quick Start
Quick start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard, as shown in Figure 4.
Figure 4 Home page of the quick start wizard
Basic configuration
On the home page of the Quick Start wizard, click Start to enter the basic configuration page, as shown in Figure 5.
Figure 5 Basic configuration page
Table 5 Configuration items

| Item | Description |
| --- | --- |
| System Name | Specify the name of the current device. By default, the system name of the device is H3C. |
| Country/Region Code | Select the code of the country where you are. This field defines the radio frequency characteristics such as the power and the total number of channels for frame transmission. Before configuring the device, you need to configure the country code correctly. If the Country Code field is grayed out, it cannot be modified. |
| Time Zone | Select a time zone for the system. |
| Time | Specify the current time and date. |

Admin configuration
On the basic configuration page, click Next to enter the admin configuration page, as shown in Figure 6.
Figure 6 Admin configuration page
Table 6 Configuration items

| Item | Description |
| --- | --- |
| Password | Specify the password for user Admin to use to log in to the device, in cipher text. |
| Confirm Password | Enter the password again to confirm the password. |
IP configuration
On the Admin Configuration page, click Next to enter the IP configuration page, as shown in Figure 7.
Figure 7 IP configuration page
Table 7 Configuration items

| Item | Description |
| --- | --- |
| IP Address | Specify the IP address of VLAN-interface 1. This IP address is used for logging in to the device. The default is 192.168.0.100. |
| Mask | Specify the IP address mask of VLAN-interface 1. By default, the mask is 24-bit long. |
| Default Gateway | Specify the IP address of the default gateway that connects the device to the network. By default, the IP address of the default gateway is not specified. |
Wireless configuration
On the IP configuration page, click Next to enter the wireless configuration page, as shown in Figure 8.
Figure 8 Wireless configuration page
Table 8 Configuration items

| Item | Description |
| --- | --- |
| Primary Service Authentication type | Select the authentication type for the wireless service, which can be: • None: Performs no authentication. • User authentication (802.1X): Performs 802.1X authentication. • Portal: Performs Portal authentication. |
| Wireless Service | Specify the Service Set Identifier (SSID). |
| Encrypt | Select this box to go to the 7/13: Encryption Configuration step. By default, no encryption is performed. If this option is not selected, the 7/13: Encryption Configuration step is skipped. |
RADIUS configuration
On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page, as shown in Figure 9.
Figure 9 RADIUS configuration page
Table 9 Configuration items

| Item | Description |
| --- | --- |
| Service Type | Select the type of the RADIUS server. Two types are available, extended and standard: • extended—Specifies an extended RADIUS server, which is usually an IMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol. • standard—Specifies a standard RADIUS server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138, RFC 2139, and their updates). |
| Authentication IP | Enter the IP address of the RADIUS authentication server. |
| Authentication UDP Port | Enter the port number of the RADIUS authentication server. |
| Authentication Key | Enter the shared key of the RADIUS authentication server. |
| Accounting IP | Enter the IP address of the RADIUS accounting server. |
| Accounting UDP Port | Enter the port number of the RADIUS accounting server. |
| Accounting Key | Enter the shared key of the RADIUS accounting server. |
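The Authentication Key and Accounting Key fields hold the RADIUS shared secret. The following Python code is an added example, not part of the H3C guide, showing what that secret does in the standard RADIUS protocol the table cites (RFC 2138, since superseded by RFC 2865): the AC, acting as RADIUS client, hides the User-Password attribute with it, and it is the only thing that lets the AC check that an Access-Accept really came from the configured server. The secret, user name, password and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11

# Attribute types used here (RFC 2865 section 5)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed sample value; a real deployment uses a long random secret
SAMPLE_SECRET = b"constructed-shared-key-for-demo"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 prescribes.

    The password is null-padded to a multiple of 16 bytes. Block 1 is XORed
    with MD5(secret + Request Authenticator); each later block is XORed with
    MD5(secret + previous ciphertext block). Anyone holding the secret can
    reverse this, which is why the shared key must be long and random.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decrypt_user_password(secret: bytes, request_auth: bytes, cipher: bytes) -> bytes:
    """Inverse of encrypt_user_password, as the RADIUS server performs it."""
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-zero multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, header included), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: bytes,
                         password: bytes, request_auth: bytes = None) -> bytes:
    """Build the Access-Request an AC sends to the configured authentication server."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable (RFC 2865 section 3)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_user_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(secret: bytes, code: int, identifier: int, request_auth: bytes,
                   attrs: bytes = b"") -> bytes:
    """Build a server reply. Its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client-side check that a reply answers this request and was produced
    with the same secret. A reply failing this check must be discarded;
    otherwise a spoofed Access-Accept would admit the user."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```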
Portal configuration
On the wireless configuration page, select Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page. After you complete RADIUS configuration, click Next to enter the portal configuration page, as shown in Figure 10.
Figure 10 Portal configuration page
Table 10 Configuration items

| Item | Description |
| --- | --- |
| Server-name | Specify the system name of the portal server. |
| Server-IP | Enter the IP address of the portal server. |
| Port | Enter the port number of the portal server. |
| Redirect-URL | Enter the URL of the portal authentication server. |
| Method | Specify the portal authentication method to be used, which can be: • Direct—Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The direct authentication process is simpler than that of re-DHCP authentication. • Layer3—Layer 3 authentication is similar to direct authentication but allows Layer 3 forwarding devices to be present between the authentication client and the access device. • Redhcp—Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources. |
Encryption configuration
On the wireless configuration page, select User authentication (802.1X) for Primary Service Authentication Type and click Next to enter the encryption configuration page, as shown in Figure 11.
Figure 11 Encryption configuration page
Table 11 Configuration items

| Item | Description |
| --- | --- |
| Provide Key Automatically | Specify whether to use WEP keys provided automatically or static WEP keys. • Enable: Use WEP keys provided automatically. • Disable: Use static WEP keys. By default, static WEP keys are used. After you select Enable, WEP104 is displayed for WEP. IMPORTANT: Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X) for Primary Service Authentication type on the wireless configuration page. |
| WEP | Select the key type of the WEP encryption mechanism, which can be WEP40, WEP104, or WEP128. |
| Key ID | Select the WEP key index, which can be 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption. IMPORTANT: If you enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option. |
| Key Length | Select the key length. • When the key type is WEP40, the key length can be five alphanumeric characters or ten hexadecimal characters. • When the key type is WEP104, the key length can be 13 alphanumeric characters or 26 hexadecimal characters. • When the key type is WEP128, the key length can be 16 alphanumeric characters or 32 hexadecimal characters. |
| WEP Key | Enter the WEP key. |
AP configuration
On the guest service configuration page, click Next to enter the AP configuration page, as shown in Figure 12. You can configure an AP and click Add. You can configure multiple APs on the page. The section at the bottom of the page displays all existing APs.
Figure 12 AP configuration page
Table 12 Configuration items

| Item | Description |
| --- | --- |
| AP Name | Enter the name of the AP. |
| Model | Select the model of the AP. |
| Serial ID | Specify the serial ID of the AP. • If the Auto box is not selected, you need to manually enter a serial ID. • If the Auto box is selected, the AC automatically searches for the serial ID of the AP. This option needs to cooperate with the auto AP function to implement automatic AP discovery so that the AP can connect with the AC automatically. If there are a large number of APs, the automatic AP discovery function can avoid repeated configuration of AP serial numbers. For how to configure auto AP, see "AP configuration." |
| Country/Region Code | Select a country/region code for the AP. By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Advanced settings." |
| Radio | Radio unit of the AP. |
| Mode | Select the radio mode. The radio mode depends on the AP model. |
| Channel | Select the working channel. The channel list for the radio depends on the country/region code and radio mode, and varies with device models. Auto: Specifies the automatic channel mode. With Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel. After the channel is changed, the power list is refreshed. |
| Power | Select the transmission power. The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode. |

Configuration summary
On the AP configuration page, click Next to enter the configuration summary page, as shown in Figure 13. The configuration summary page displays all configurations you have made. Click Finish to save your configurations.
Figure 13 Configuration summary page
Web overview
The device provides Web-based configuration interfaces for visual device management and maintenance.
Figure 14 Web-based network management operating environment
Logging in to the Web interface
You can use the following default settings to log in to the Web interface through HTTP:
• Username—admin
• Password—admin
• IP address of VLAN-interface 1 of the device—192.168.0.100
To log in to the Web interface of the device from a PC:
1. Connect the Ethernet port of the device to the PC by using a crossover Ethernet cable. By default, all ports belong to VLAN 1.
2. Configure an IP address for the PC and make sure that the PC and the device can reach each other. For example, assign the PC an IP address (for example, 192.168.0.2) within the network segment 192.168.0.0/24 (except for 192.168.0.100).
3. Open the browser and enter the login information:
a. Type http://192.168.0.100 in the address bar and press Enter. The login page of the Web interface (see Figure 15) appears.
b. Enter the username and password admin, and the verification code, select the language (English and Chinese are supported at present), and click Login.
Figure 15 Login page of the Web interface
c. After you click Login, you will enter the following page. Select a country/region code from the Country/Region list, and click Apply.
Figure 16 Selecting a country/region code
The PC where you configure the device is not necessarily the Web-based network management terminal. A Web-based network management terminal is a PC (or another terminal) used to log in to the Web interface and must be able to reach the device.
After logging in to the Web interface, you can create a new user and configure the IP address of the interface connecting the user and the device.
If you click the verification code displayed on the Web login page, you can get a new verification code.
Up to 24 users can concurrently log in to the device through the Web interface.
Logging out of the Web interface
As shown in Figure 17, click Logout in the upper-right corner of the Web interface to quit Web-based network management.
The system does not save the current configuration before you log out of the Web interface. H3C recommends that you save the current configuration before logout.
CAUTION:
A logged-in user cannot automatically log out by directly closing the browser.
Introduction to the Web interface
The Web interface comprises three parts: navigation tree, title area, and body area.
Figure 17 Web-based configuration interface
(1) Navigation area (2) Body area (3) Title area
• Navigation area—Organizes the Web-based NM function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area. The Web network management functions not supported by the device are not displayed in the navigation area.
• Body area—The area where you can configure and display a function.
• Title area—On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web related help information, and the Logout button to log out of the Web interface.
Web user level
Web user levels, ranging from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.
• Visitor—Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the device.
• Configure—Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform any operations for the device.
Introduction to the Web-based NM functions
NOTE:
• Support for the configuration items depends on the device model. For more information, see "Feature
matrixes."
• A user level in Table 13 indicates that users of this level or users of a higher level can perform the
corresponding operations.
Table 13 Description for Web-based NM functions
Function menu
Description
User level
Quick Start
Perform quick configuration of the
device.
Configure
Device Info
Display and refresh system resource
state, device information, device
interface information, and recent
system operation logs.
Monitor
Wireless Service
Display the information of the queried
WLAN service, including the detailed
information, statistics, and connection
history.
Monitor
Display the information of the queried
AP, including wireless service,
connection history, radio, and detailed
information.
Monitor
Reboot an AP.
Configure
Display the detailed information,
statistics, and roaming information of
the client.
Monitor
Clear statistics of the client, disconnect
the connection, and add the client into
the blacklist.
Configure
Display license information.
Monitor
Add licenses.
Configure
Display enhanced license information.
Monitor
Register enhanced licenses.
Configure
System Name
Display and configure the system
name.
Configure
Web Idle Timeout
Display and configure the idle timeout
period for a logged-in user.
Configure
Software Upgrade
Upload the file to be upgraded from the
local host to upgrade the system
software.
Management
Reboot
Reboot the device.
Management
Summary
AP
Client
License
License
Enhanced License
Device
Basic
Device
Maintenance
23
Function menu
Description
User level
Generate a diagnostic information file,
view the file, or save the file to the local
host.
Management
Display the system date and time.
Monitor
Manually set the system time.
Configure
Set local and external clock sources
and system time zone.
Monitor
Set the network time.
Configure
Display and refresh system logs.
Monitor
Clear system logs.
Configure
Loghost
Display and configure the loghost.
Configure
Log Setup
Display and configure the buffer
capacity, and refresh interval for
displaying system logs.
Configure
Backup
Back up the configuration file for the
next startup to the host of the current
user.
Management
Restore
Upgrade the configuration file on the
host of the current user to the device for
the next startup.
Management
Save
Save the current configuration to the
configuration file for the next startup.
Configure
Initialize
Restore the system to factory defaults.
Configure
Manage files on the device, including
displaying file list, downloading a file,
uploading a file, removing a file, and
setting the main boot file.
Management
Display interface information and
statistics.
Monitor
Create, modify, and delete an
interface, and clear interface statistics.
Configure
Summary
Display the configuration information
of a port mirroring group.
Monitor
Add
Create a port mirroring group.
Configure
Remove
Remove a port mirroring group.
Configure
Modify Port
Configure ports for a mirroring group.
Configure
Summary
Display brief information of FTP and
Telnet users.
Monitor
Super Password
Configure the password for a
lower-level user to switch from the
current access level to the management
level.
Management
Create
Create an FTP or Telnet user.
Management
Diagnostic
Information
System Time
System Time
Net Time
Loglist
Syslog
Configuration
File management
Interface
Port
Mirroring
Users
24
Function menu
Description
User level
Modify
Modify FTP or Telnet user information.
Management
Remove
Remove an FTP or a Telnet user.
Management
Switch To
Management
Switch the current user level to the
management level.
Monitor
Setup
Display and refresh SNMP
configuration and statistics
information.
Monitor
Configure SNMP.
Configure
Display SNMP community information.
Monitor
Create, modify, and delete an SNMP
community.
Configure
Display SNMP group information.
Monitor
Create, modify, and delete an SNMP
group.
Configure
Display SNMP user information.
Monitor
Create, modify, and delete an SNMP
user.
Configure
Display the status of the SNMP trap
function and information about target
hosts.
Monitor
Enable or disable the SNMP trap
function, or create, modify, and delete
a target host.
Configure
Display SNMP view information.
Monitor
Create, modify, and delete an SNMP
view.
Configure
Perform the loopback test on Ethernet
interfaces.
Configure
Display MAC address information.
Monitor
Create or remove MAC addresses.
Configure
Display and configure MAC address
aging time.
Configure
Display all VLANs on the device and
information about their member ports.
Monitor
Create, modify, and delete VLANs.
Configure
Display VLANs to which a port on the
device belongs.
Monitor
Modify the VLANs to which a port
belongs.
Configure
Display ARP table information.
Monitor
Add, modify, or delete an ARP entry.
Configure
Community
Group
SNMP
User
Trap
View
Loopback
MAC
MAC
Setup
VLAN
Network
VLAN
Port
ARP
Management
ARP Table
25
Function menu
Description
User level
Display configuration information of
gratuitous ARP.
Monitor
Configure gratuitous ARP.
Configure
Display the configuration information
of ARP detection.
Monitor
Configure ARP detection.
Configure
Display the configuration information
of source MAC address based ARP
attack detection, ARP active
acknowledgement, and ARP packet
source MAC address consistency
check.
Monitor
Configure source MAC address based
ARP attack detection, ARP active
acknowledgement, and ARP packet
source MAC address consistency
check.
Configure
Display global IGMP Snooping
configuration information and the
IGMP Snooping configuration
information in a VLAN, and view the
IGMP Snooping multicast entry
information.
Monitor
Configure IGMP Snooping globally
and in a VLAN.
Configure
Display the IGMP Snooping
configuration information on a port.
Monitor
Configure IGMP Snooping on a port.
Configure
Summary
Display the IPv4 active route table.
Monitor
Create
Create an IPv4 static route.
Configure
Remove
Delete the selected IPv4 static routes.
Configure
Summary
Display the IPv6 active route table.
Monitor
Create
Create an IPv6 static route.
Configure
Remove
Delete the selected IPv6 static routes.
Configure
Display the DHCP service status, the
DHCP address pool information, the
DHCP server status on an interface,
and addresses in use.
Monitor
Set the DHCP service status, add,
modify, or delete a DHCP address
pool, and modify the DHCP server
status on an interface.
Configure
Gratuitous ARP
ARP Detection
ARP
Anti-Attack
Advanced
Configuration
Basic
IGMP
Snooping
Advance
IPv4 Routing
IPv6 Routing
DHCP
DHCP Server
26
Function menu
Description
User level
Display the status of a DHCP service
and advanced configuration
information of DHCP relay, display
information of a DHCP group, and
status of the DHCP relay agent on an
interface, and view the DHCP relay
user information.
Monitor
Configure the status of a DHCP service
and advanced configuration
information of DHCP relay, add or
delete a DHCP group, and modify the
status of the DHCP relay agent on an
interface.
Configure
Display the status of the DHCP
Snooping function, and the trusted and
untrusted attributes of a port, and view
the DHCP Snooping user information.
Monitor
Configure the status of the DHCP
Snooping function, and modify the
trusted and untrusted attributes of a
port.
Configure
Static
Display, create, modify, or delete a
static host name-to-IP address
mapping.
Configure
Dynamic
Display and configure related
parameters for dynamic domain name
resolution. Display, create, or delete an
IP address and the domain name suffix.
Configure
Display the states of the services:
enabled or disabled.
Configure
Specify whether to enable various
services, and set related parameters.
Management
IPv4 Ping
Ping an IPv4 address or host and
display the result.
Visitor
IPv6 Ping
Ping an IPv6 address or host and
display the result.
Visitor
Trace Route
Perform trace route operations and
display the result.
Visitor
Display AP-related information,
including AP name, AP IP address,
serial ID, model and status.
Monitor
Add an AP and modify the AP
configuration.
Configure
Display auto AP information after auto
AP is enabled, including AP name,
model, serial ID and IP address.
Monitor
Enable auto AP.
Configure
DHCP Relay
DHCP Snooping
DNS
Service
Diagnostic
Tools
AP Setup
AP
Auto AP
27
Function menu
AP Group
Access Service
Mesh Service
Mesh Policy
WLAN
Service
Mesh
Service
Global Setup
Mesh Channel
Optimize
Mesh Link Info
Mesh Link Test
Roam Group
Roam
Roam Client
Radio
Radio
Rate
28
Description
User level
Display AP group information.
Monitor
Create and configure an AP group.
Configure
Display an access service, including
security type, detailed information,
service status and binding status.
Monitor
Create and configure an access
service, map an access service to an
AP radio, and add a MAC
authentication list.
Configure
Display a mesh service, including its
detailed information, status, and
binding information.
Monitor
Create and configure a mesh service,
including security settings.
Configure
Display mesh policies.
Monitor
Create and configure a mesh policy.
Configure
Display mesh global setting, including
basic setting, mesh DFS, and mesh
portal service.
Monitor
Configure mesh global setting,
including basic setting, mesh DFS, and
mesh portal service.
Configure
Display radio information and channel
switch information in a mesh network.
Monitor
Configure mesh channel optimization.
Configure
Display mesh link status information.
Monitor
Monitor mesh link status and refresh
mesh link status information.
Configure
Display mesh link test results.
Monitor
Test mesh links and refresh mesh link
test results.
Configure
Display a roaming group and its
members.
Monitor
Configure a roaming group and add a
group member.
Configure
Display client information, including
MAC address, BSSID, VLAN ID, home
AC and roaming direction.
Monitor
Display radio status, including radio
mode and radio status.
Monitor
Configure radio parameters, including
802.11n settings.
Configure
Display rate settings.
Monitor
Function menu
Channel Scan
Operation
Calibration
Parameters
Radio Group
Antenna Switch
802.1X
Portal Server
Portal
Authenticat
ion
Free Rule
Domain Setup
AAA
Authentication
Authorization
29
Description
User level
Configure 802.11n rates, including
MCS index.
Configure
Display channel scanning, including
scanning mode, scanning type and
scanning interval.
Monitor
Configure channel scanning, including
scanning mode and scanning type.
Configure
Display or refresh AP status, including
channel status, neighbor information,
and history information.
Monitor
Manual calibration
Configure
Display basic setup, channel setup and
power setup.
Monitor
Configure channel calibration
parameters.
Configure
Display radio group configuration.
Monitor
Configure a radio group.
Configure
Configure the antenna of an AP.
Configure
Display the global 802.1X information
and 802.1X information of a port.
Monitor
Display the global 802.1X features
and 802.1x features of a port.
Configure
Display configuration information
about the portal server and advanced
parameters for portal authentication.
Monitor
Add and delete a portal server, and
modify advanced parameters for portal
authentication.
Configure
Display the portal-free rule
configuration information.
Monitor
Add and delete a portal-free rule.
Configure
Display ISP domain configuration
information.
Monitor
Add and remove ISP domains.
Management
Display the authentication method
configuration information of an ISP
domain.
Monitor
Specify authentication methods for an
ISP domain.
Management
Display the authorization method
configuration information of an ISP
domain.
Monitor
Function menu
Accounting
RADIUS
Local EAP Server
Local User
User Group
Users
Guest
User Profile
Entity
Domain
Certificate
Management
Certificate
CRL
30
Description
User level
Specify authorization methods for an
ISP domain.
Management
Display the accounting method
configuration information of an ISP
domain.
Monitor
Specify accounting methods for an ISP
domain.
Management
Display and add, modify, and delete a
RADIUS scheme.
Management
Display the configuration information
of the local EAP service.
Monitor
Configure the local EAP service.
Configure
Display local users' configuration
information.
Monitor
Add, modify, and remove local users.
Management
Display user groups' configuration
information.
Monitor
Add, modify, and remove user groups.
Management
Display guest users' configuration
information.
Monitor
Add, modify, and remove guest users.
Management
Display user profile configuration
information.
Monitor
Add, modify, remove, enable, and
disable user profiles.
Configure
Display information about PKI entities.
Monitor
Add, modify, and delete a PKI entity.
Configure
Display information about PKI
domains.
Monitor
Add, modify, and delete a PKI domain.
Configure
Display the certificate information of
PKI domains and view the contents of a
certificate.
Monitor
Generate a key pair, destroy a key
pair, retrieve a certificate, request a
certificate, and delete a certificate.
Configure
Display the contents of the CRL.
Monitor
Receive the CRL of a domain.
Configure
Function menu
Description
User level
Display AP operating mode.
Monitor
Configure AP operating mode.
Configure
Display list types for the rogue device
detection and the detection rules.
Monitor
Configure list types for rogue device
detection and the rules.
Configure
Display monitor record of rogue device
detection.
Monitor
Clear monitor record of rogue device
detection, and add rogue devices to
blacklist.
Configure
Display rogue device detection history.
Monitor
Clear history of rogue device detection
and add rogue devices to blacklist.
Configure
Display IDS configuration.
Monitor
Configure IDS detection, including
flood attack detection, spoofing attack
detection, and weak IV detection.
Configure
Display IDS attack detection history.
Monitor
Clear history record of IDS attack
detection and add the detected devices
that initiate attacks to blacklist.
Configure
Display statistics of IDS attack
detection.
Monitor
Clear the statistics.
Configure
Display dynamic and static blacklists.
Monitor
Clear dynamic blacklist and static
blacklist; enable dynamic blacklist;
add entries to the static blacklist.
Configure
Display white list.
Monitor
Clear white list and add entries to the
white list.
Configure
Summary
Display the configurations of the
authorized IP, the associated IPv4 ACL
rule list, and the associated IPv6 ACL
rule list.
Management
Setup
Configure the authorized IP.
Configure
Display, add, modify, and remove user
isolation configuration.
Management
AP Monitor
Rule List
Rogue
detection
Monitor Record
History Record
WIDS Setup
Security
WIDS
History Record
Statistics
Blacklist
Filter
White List
Authorized IP
User Isolation
31
Function menu
Time Range
ACL IPv4
ACL IPv6
QoS
Description
User level
Summary
Display time range configuration
information.
Monitor
Add
Create a time range.
Configure
Remove
Delete a time range.
Configure
Summary
Display IPv4 ACL configuration
information.
Monitor
Add
Create an IPv4 ACL.
Configure
Basic Setup
Configure a rule for a basic IPv4 ACL.
Configure
Advanced Setup
Configure a rule for an advanced IPv4
ACL.
Configure
Link Setup
Create a rule for an Ethernet frame
header ACL.
Configure
Remove
Delete an IPv4 ACL or its rules.
Configure
Summary
Display IPv6 ACL configuration
information.
Monitor
Add
Create an IPv6 ACL.
Configure
Basic Setup
Configure a rule for a basic IPv6 ACL.
Configure
Advanced Setup
Configure a rule for an advanced IPv6
ACL.
Configure
Remove
Delete an IPv6 ACL or its rules.
Configure
Display wireless QoS, including SVP
mapping, CAC admission policy,
radio EDCA and client EDCA.
Monitor
Configure wireless QoS, including SVP
mapping, CAC admission policy,
radio EDCA and client EDCA.
Configure
Display radio statistics, including
WMM status and detailed radio
information.
Monitor
Display radio statistics, including
WMM status and detailed radio
information, and clear the radio
statistics.
Configure
Display client statistics, including
WMM status and detailed client
information.
Monitor
Display client statistics, including
WMM status and detailed client
information, and clear the client
statistics.
Configure
Display the configured client rate limit
information.
Monitor
Wireless QoS
Radio Statistics
Wireless
QoS
Client Statistics
Client Rate Limit
32
Function menu
Description
User level
Wireless QoS > Client Rate Limit: Configure and modify client rate limiting mode, direction and rate. (User level: Configure)
Bandwidth Guarantee: Display bandwidth settings for different radio types. (User level: Monitor)
Bandwidth Guarantee: Configure bandwidth guarantee settings. (User level: Configure)
Line Rate > Summary: Display line rate configuration information. (User level: Monitor)
Line Rate > Setup: Configure the line rate. (User level: Configure)
Port Priority: Display the priority and trust mode of a port. (User level: Monitor)
Port Priority: Modify the priority and trust mode of a port. (User level: Configure)
Trust Mode: Display priority trust mode configuration information. (User level: Management)
Trust Mode: Configure the priority trust mode. (User level: Management)
Classifier > Summary: Display classifier configuration information. (User level: Monitor)
Classifier > Add: Create a class. (User level: Configure)
Classifier > Setup: Configure the classification rules for a class. (User level: Configure)
Classifier > Remove: Delete a class or its classification rules. (User level: Configure)
Behavior > Summary: Display traffic behavior configuration information. (User level: Monitor)
Behavior > Add: Create a traffic behavior. (User level: Configure)
Behavior > Setup: Configure actions for a traffic behavior. (User level: Configure)
Behavior > Remove: Delete a traffic behavior. (User level: Configure)
QoS Policy > Summary: Display QoS policy configuration information. (User level: Monitor)
QoS Policy > Add: Create a QoS policy. (User level: Configure)
QoS Policy > Setup: Configure the classifier-behavior associations for a QoS policy. (User level: Configure)
QoS Policy > Remove: Delete a QoS policy or its classifier-behavior associations. (User level: Configure)
Port Policy > Summary: Display the QoS policy applied to a port. (User level: Monitor)
Port Policy > Setup: Apply a QoS policy to a port. (User level: Configure)
Port Policy > Remove: Remove the QoS policy from the port. (User level: Configure)
Service Policy: Display the QoS policy applied to a WLAN-ESS port. (User level: Monitor)
Service Policy: Configure the QoS policy applied to a WLAN-ESS port. (User level: Configure)
Advanced > Country/Region Code: Display the country/region code. (User level: Monitor)
Advanced > Country/Region Code: Modify the country/region code. (User level: Configure)
Advanced > AC Backup > Setup: Display the address of the backup AC. (User level: Monitor)
Advanced > AC Backup > Setup: Configure the address of the backup AC. (User level: Configure)
Advanced > AC Backup > Status: Display the status of the AC. (User level: Monitor)
Advanced > Continuous Transmit: Display the continuous transmitting mode of an AP. (User level: Monitor)
Advanced > Continuous Transmit: Switch the continuous transmitting mode of an AP. (User level: Configure)
Advanced > Channel Busy Test: Display channel busy rate test results. (User level: Monitor)
Advanced > Channel Busy Test: Test busy rate of channels, and output test results. (User level: Configure)
Advanced > Load Balancing > Load Balance: Display the load balancing mode and the current connection status. (User level: Monitor)
Advanced > Load Balancing > Load Balance: Configure the load balancing mode and refresh the current connection status. (User level: Configure)
Advanced > Load Balancing > Load Balance Group: Display load balancing group configuration. (User level: Monitor)
Advanced > Load Balancing > Load Balance Group: Configure a load balancing group. (User level: Configure)
Advanced > AP > AP Module: Display the AP version, including the AP model and software version. (User level: Monitor)
Advanced > AP > AP Module: Upgrade the software. (User level: Configure)
Advanced > AP > Switch to fat AP: Display the model and IP address of the AP. (User level: Monitor)
Advanced > AP > Switch to fat AP: Switch to fat AP. (User level: Configure)
Advanced > Wireless Location: Display wireless location settings. (User level: Monitor)
Advanced > Wireless Location: Configure, enable, and disable wireless location. (User level: Configure)
Advanced > Wireless Sniffer: Display wireless sniffer configuration. (User level: Monitor)
Advanced > Wireless Sniffer: Configure, enable, and disable wireless sniffer parameters. (User level: Configure)
High Reliability > Stateful Failover: Display stateful failover information. (User level: Monitor)
High Reliability > Stateful Failover: Modify stateful failover configuration. (User level: Configure)
Common Web interface elements
Common buttons and icons
Table 14 Common buttons and icons
• Bring the configuration on the current page into effect.
• Cancel the configuration on the current page, and go to the corresponding display page or device information page.
• Refresh the information on the current page.
• Clear all statistics or items in a list.
• Enter the page for adding an entry.
• Delete entries on a list.
• Select all the entries on a list or all ports on a device panel.
• Clear all the entries on a list or all ports on a device panel.
• Restore the values of all the entries on the current page to the default.
• Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and go to the page of the next configuration procedure.
• Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and return to the page of the previous configuration procedure.
• Typically located on a configuration procedure page of the configuration wizard, it allows you to bring all configurations into effect.
• Typically located in the Operation column of a display page, it allows you to enter the modify page of the corresponding entry so as to display or modify the configurations of the entry.
• Typically located in the Operation column of a display page, it allows you to remove an entry.
Content display by pages
The Web interface can display contents by pages, as shown in Figure 18. You can set the number of
entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any
page that you want to check.
Figure 18 Content display by pages
Searching function
The Web interface provides you with basic and advanced searching functions to display only the entries that match specific searching criteria.
• Basic search—As shown in Figure 18, input the keyword in the text box above the list, select a search item from the list, and click Search to display the entries that match the criteria. Figure 19 shows an example of searching for entries with 00e0 included in the MAC address.
Figure 19 Basic search function example
• Advanced search—As shown in Figure 18, you can click the Advanced Search link to open the advanced search page, as shown in Figure 20. Specify the search criteria, and click Apply to display the entries that match the criteria.
Figure 20 Advanced search
Take the ARP table shown in Figure 18 as an example. To search for the ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 21, and click Apply. The ARP entries with 000f at the beginning of the MAC address are displayed.
Figure 21 Advanced search function example (I)
2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 22, and click Apply. The ARP entries with 000f at the beginning of the MAC address and an IP address in the range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 23.
Figure 22 Advanced search function example (II)
Figure 23 Advanced search function example (III)
Sorting function
The Web interface provides you with basic functions to display entries in a certain order.
On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click, the heading item is displayed with an arrow beside it, as shown in Figure 24. The upward arrow indicates ascending order, and the downward arrow indicates descending order.
Figure 24 Basic sorting function example (based on IP address in the descending order)
Configuration guidelines
• The Web-based configuration interface supports the following operating systems: Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Linux, and MAC OS.
• The Web-based configuration interface supports the following browsers: Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.
• The Web-based configuration interface does not support the Back, Next, and Refresh buttons. Using these buttons may result in abnormal display of Web pages.
• The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, sometimes you may be unable to open the Web interface. To avoid this problem, turn off the Windows firewall before login.
• If the software version of the device changes, clear the cache data on the browser before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
• You can display at most 20,000 entries that support content display by pages.
Troubleshooting Web browser
Failure to access the device through the Web interface
Symptom
You can ping the device successfully and log in to the device through telnet. HTTP is enabled, and the operating system and browser version meet the Web interface requirements. However, you cannot access the Web interface of the device.
Analysis
• If you use Microsoft Internet Explorer, you can access the Web interface only when these functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
• If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.
Configuring the Internet Explorer settings
1. Open Internet Explorer, and then select Tools > Internet Options.
2. Click the Security tab, and then select a Web content zone to specify its security settings.
Figure 25 Internet Explorer setting (I)
3. Click Custom Level, and the Security Settings dialog box appears.
4. As shown in Figure 26, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
Figure 26 Internet Explorer setting (II)
5. Click OK in the Security Settings dialog box.
Configuring Firefox Web browser settings
1. Open the Firefox Web browser, and then select Tools > Options.
2. Click the Content tab, select Enable JavaScript, and click OK.
Figure 27 Firefox Web browser setting
Summary
Device information
You can view the following information on the Device Info menu:
• Device information
• System resource state
• Device interface information
• Recent system logs (at most five)
After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 28 Device info page
Select the refresh mode from the Refresh Period list.
• If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the Device Info page according to the selected refresh period.
• If you select Manual, you need to click Refresh to refresh the page.
Device info
Table 15 Field description
Device Name: Display the device model.
Product Information: Display the product information.
Device Location: Display the location of the device. To configure the device location information, select Device > SNMP > Setup; for more information, see "SNMP configuration."
Contact Information: Display the contact information for device maintenance. To configure the contact information, select Device > SNMP > Setup; for more information, see "SNMP configuration."
SerialNum: Display the serial number of the device.
Software Version: Display the software version of the device.
Hardware Version: Display the hardware version of the device.
Bootrom Version: Display the Boot ROM version of the device.
Running Time: Display the running time after the latest boot of the device.
System resource state
Table 16 Field description
CPU Usage: Display the real-time CPU usage.
Memory Usage: Display the real-time memory usage and the total memory size.
Temperature: Display the temperature of the device.
Device interface information
Table 17 Field description
Interface: Display interface name and interface number.
IP Address/Mask: Display the IP address and mask of an interface.
Status: Display interface status:
• The interface is up and is connected.
• The interface is up, but not connected.
• The interface is down.
NOTE:
For more information about device interfaces, click the More hyperlink under the Device Interface
Information area to enter the Device > Interface page to view and operate the interfaces. For more
information, see "Interface management."
Recent system logs
Table 18 Field description
Time: Display the time when the system logs are generated.
Level: Display the level of the system logs.
Description: Display the contents of the system logs.
NOTE:
For more information about system logs, click the More hyperlink under the Recent System Operation
Logs area to enter the Device > Syslog > Loglist page to view the logs. For more information, see "Log
management."
Displaying WLAN service
1. Select Summary > Wireless Service from the navigation tree.
2. Click the specified WLAN service to view the detailed information, statistics, or connection history.
Displaying detailed information of WLAN service
The detailed information of WLAN service (clear type) is as shown in Figure 29. For the description of the
fields, see Table 19.
Figure 29 Display detailed information of WLAN service (clear type)
Table 19 Field description
Service Template Number: Service template number.
SSID: Service set identifier (SSID) for the ESS.
Binding Interface: Name of the interface bound with the service template.
Service Template Type: Service template type.
Authentication Method: Type of authentication used. WLAN service of the clear type only uses open system authentication.
SSID-hide:
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.
Bridge Mode: Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.
Service Template Status: Status of service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.
Maximum clients per BSS: Maximum number of associated clients per BSS.
The detailed information of WLAN service (crypto type) is as shown in Figure 30. For the description of
the fields in the detailed information, see Table 20.
Figure 30 Display detailed information of WLAN service (crypto type)
Table 20 Field description
Service Template Number: Service template number.
SSID: SSID for the ESS.
Binding Interface: Name of the interface bound with the service template.
Service Template Type: Service template type.
Security IE: WPA or WPA2 (RSN).
Authentication Method: Open system or shared key.
SSID-hide:
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.
Cipher Suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.
TKIP Countermeasure Time(s): TKIP countermeasure time in seconds.
PTK Life Time(s): PTK lifetime in seconds.
GTK Rekey: Whether GTK rekey is configured.
GTK Rekey Method: GTK rekey method configured: packet based or time based.
GTK Rekey Time(s): Time for GTK rekey in seconds.
• If Time is selected, the GTK will be refreshed after a specified period of time.
• If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.
Bridge Mode: Forwarding mode:
• Local forwarding—Uses local forwarding in the service template.
• Remote forwarding—Uses AC remote forwarding in the service template.
Service Template Status: Status of service template:
• Enable—Enables WLAN service.
• Disable—Disables WLAN service.
Maximum clients per BSS: Maximum number of associated clients per BSS.
Displaying statistics of WLAN service
The statistics of WLAN service are as shown in Figure 31.
Figure 31 Displaying WLAN service statistics
Displaying connection history information of WLAN service
The connection history information of WLAN service is as shown in Figure 32.
Figure 32 Displaying the connection history information of WLAN service
Displaying AP
Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 33. You can
display the WLAN service information, connection history, radio and detailed information of an AP by
clicking the tabs on the page.
Displaying WLAN service information of an AP
The WLAN service information of an AP is as shown in Figure 33.
Figure 33 Displaying WLAN service information
Displaying AP connection history information
The connection history information of an AP is as shown in Figure 34.
Figure 34 Displaying AP connection history information
Displaying AP radio information
Select Summary > AP from the navigation tree to enter the AP page, click the Radio tab on the page, and
click the name of the specified AP to view the radio statistics of an AP.
The radio statistics of an AP are as shown in Figure 35. For the description of the fields in the AP radio
statistics, see Table 21.
Figure 35 Displaying AP radio information
NOTE:
• The Noise Floor item in the table indicates various random electromagnetic waves during the wireless
communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio
(SNR) by increasing the transmit power or reducing the noise floor.
• The Service Type item in the table has two options: Access and Mesh.
• Res Using Ratio represents the resource utilization of a radio within a certain period. For example, in a
period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the
radio is 5 seconds divided by 10 seconds: 50%.
Table 21 Field description
AP name: Access point name.
Radio Id: Radio ID.
Transmitted Frames Statistics: Statistics of transmitted frames.
Total Frames: Total number of frames (including probe response frames and beacon frames) transmitted. Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.
Unicast Frames: Number of unicast frames (excluding probe response frames) transmitted.
Broadcast/Multicast Frames: Number of broadcast or multicast frames (excluding beacon frames) transmitted.
Others: Total number of other types of frames transmitted.
Discard Frames: Number of frames discarded.
Retry Count: Number of transmission retries.
Multiple Retry Count: Number of frames that have been retransmitted.
Authentication Frames: Number of authentication responses transmitted.
Failed RTS: Number of RTS frames that failed during transmission.
Successful RTS: Number of RTS frames transmitted successfully.
Failed ACK: Number of transmitted frames for which no acknowledgement is received.
Association Frames: Number of association responses transmitted.
Received Frames Statistics: Statistics of received frames.
Total Frames: Number of frames received.
Unicast Frames: Number of unicast frames received.
Broadcast/Multicast Frames: Number of broadcast or multicast frames received.
Fragmented Frames: Number of fragmented frames received.
FCS Failures: Number of frames dropped due to FCS failure.
Authentication Frames: Number of authentication requests received.
Duplicate Frames: Number of duplicate frames received.
Decryption Errors: Number of frames dropped due to decryption error.
Association Frames: Number of association requests received.
Displaying AP detailed information
Select Summary > AP from the navigation tree to enter the AP page, click the Detail tab on the page, and
click the name of the specified AP to view the detailed information of an AP.
The detailed information of an AP is as shown in Figure 36. For the description of the fields in the AP
detailed information, see Table 22.
Figure 36 Displaying AP detailed information
Table 22 Field description
APID: Access point identifier.
AP System Name: Access point name.
Map Configuration: Configuration file mapped to the AP.
State: Current state of the AP:
• ImageDownload—The AP is downloading the version. If the ImageDownload state persists, check the following: 1) The version of the fit AP saved on the AC matches the version that the AC requires; 2) The flash has enough space.
• Idle—The AP is idle. If the Idle state persists, check the following: 1) If the fields of Latest IP Address and Tunnel Down Reason are displayed as -NA-, the AP has never connected to the AC successfully. Check the network cable, the power supply of the fit AP, and the AP serial number if the serial number was manually input. 2) If the fields of Latest IP Address and Tunnel Down Reason display other contents, the AP has connected to the AC successfully before. See the output of the Tunnel Down Reason field for the detailed reason.
• Run—The AP is operating, that is, the AP has connected to the AC successfully.
• Config—The AC is delivering the configuration file to the fit AP, and the fit AP is collecting radio information through the radio interface and reporting it to the AC. This state is instantaneous.
Up Time(hh:mm:ss): Time duration for which the AP has been connected to the AC. NA indicates that the AP is not connected to the AC.
Model: AP model name.
Serial-ID: Serial ID of the AP.
IP Address: IP address of the AP.
H/W Version: Hardware version of the AP.
S/W Version: Software version of the AP.
Boot-Rom version: Boot ROM version of the AP.
Description: Description of the AP.
Connection Type: AP connection type: "Master" or "Backup".
Peer AC MAC Address: Peer AC MAC address in case of AC backup.
Priority Level: AP connection priority.
Echo Interval(s): Interval for sending echo requests, in seconds.
Statistics report Interval(s): Interval for sending statistics information messages, in seconds.
Cir (Kbps): Committed information rate in kbps.
Cbs (Bytes): Committed burst size in bytes.
Jumboframe Threshold: Threshold value of jumbo frames.
Transmitted control packets: Number of transmitted control packets.
Received control packets: Number of received control packets.
Transmitted data packets: Number of transmitted data packets.
Received data packets: Number of received data packets.
Configuration Failure Count: Count of configuration request message failures.
Last Failure Reason: Last configuration request failure reason.
Last Reboot Reason: Last reboot reason of the AP:
• Normal—The AP was powered off.
• Crash—The AP crashed, and the information is needed for analysis.
• Tunnel Initiated—The reset wlan ap command is executed on the AC (in this case, the Tunnel Down Reason is displayed as Reset AP).
• Tunnel Link Failure—The fit AP rebooted abnormally because an error occurred when the AP was establishing a connection with the AC.
Latest IP Address: The latest IP address of the AP.
Tunnel Down Reason: The tunnel between the AC and the AP is down when one of the following occurs:
• Neighbor Dead Timer Expire—The AC does not receive an Echo request from the AP within three times the handshake interval.
• Response Timer Expire—The AC sends a control packet to the AP but does not receive any response within the specified waiting time.
• Reset AP—The AP is rebooted by the execution of a command on the AC.
• AP Config Change—The corresponding configurations are modified on the AC.
• No Reason—Other reasons.
Connection Count: Connection count between the AP and AC. This field is reset in one of the following situations:
• AC is rebooted.
• You re-configure an AP template after deleting the old one.
If you click Reboot on this page to reboot the AP, the connection count will not be reset.
AP Mode: Mode supported by the AP. Currently only the split MAC mode is supported.
AP operation mode: Operation mode of the AP. Currently Normal and Monitor modes are supported.
Portal Service: Whether the portal service is enabled or not.
Device Detection: Whether device detection is enabled or not.
Maximum Number of Radios: Maximum number of radios supported by the AP.
Current Number of Radios: Number of radios in use on the AP.
Client Keep-alive Interval: Interval to detect clients segregated from the system due to various reasons such as power failure or crash, and disconnect them from the AP.
Client Idle Interval(s): If the client is idle for more than the specified interval, that is, if the AP does not receive any data from the client within the specified interval, the client will be removed from the network.
Broadcast-probe Reply Status: Whether the AP is enabled to respond to broadcast probe requests or not.
Basic BSSID: MAC address of the AP.
Current BSS Count: Number of BSSs connected with the AP.
Running Clients Count: Number of clients currently running.
Wireless Mode: Wireless mode: 802.11a, 802.11b, or 802.11g.
Client Dot11n-only:
• Enabled—Only 802.11n clients can be associated with the AP.
• Disabled—802.11a/b/g/n clients can be associated with the AP.
Channel Band-width: Channel bandwidth, 20 MHz or 40 MHz.
Secondary channel offset: Secondary channel information for 802.11n radio mode:
• SCA (Second Channel Above)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is above the primary channel.
• SCB (Second Channel Below)—The AP operates in 40 MHz bandwidth mode, and the secondary channel is below the primary channel.
• SCN—The AP operates in 20 MHz bandwidth mode.
HT protection mode: 802.11n protection modes:
• no protection mode(0)—The clients associated with the AP, and the wireless devices within the coverage of the AP operate in 802.11n mode, and all the clients associated with the AP operate in either 40 MHz or 20 MHz mode.
• Non-member mode(1)—The clients associated with the AP operate in 802.11n mode, but non-802.11n wireless devices exist within the coverage of the AP.
• 20 MHz mode(2)—The radio mode of the AP is 40 MHz. The clients associated with the AP and the wireless devices within the coverage of the AP operate in 802.11n mode, and at least one 802.11n client operating in 20 MHz mode is associated with the radio of the AP.
• Non-HT mix mode(3)—All situations except the above three.
Short GI for 20MHz: Whether the AP supports short GI when it operates in 20 MHz mode.
Short GI for 40MHz: Whether the AP supports short GI when it operates in 40 MHz mode.
Mandatory MCS Set: Mandatory MCS for the AP.
Supported MCS Set: Supported MCS for the AP.
A-MSDU: Status of the A-MSDU function: enable or disable.
A-MPDU: Status of the A-MPDU function: enable or disable.
Configured Channel: Operating channel:
• If the channel is manually configured, the configured channel number is displayed.
• If the channel is automatically selected, auto(channel) is displayed, where channel is the optimal channel automatically selected by the AC. If the AP operates in 802.11n radio mode and 40 MHz bandwidth mode, this field displays the primary channel.
Configured Power(dBm): Transmission power on the radio.
• If one-time transmit power control (TPC) is adopted, the configured transmit power is displayed.
• If auto TPC is adopted, two values are displayed, with the first being the maximum power, and the second auto (number), where number in the brackets represents the actual power.
Interference (%): Interference observed on the operating channel, in percentage.
Channel Load (%): Load observed on the operating channel, in percentage.
Utilization (%): Utilization rate of the operating channel, in percentage.
Co-channel Neighbor Count: Number of neighbors found on the operating channel.
Channel Health: Status of the channel.
Preamble Type: Type of preamble that the AP can support: short or long.
Radio Policy: Radio policy used.
Service Template: Service template number.
SSID: SSID for the ESS.
Port: WLAN-DBSS interface associated with the service template.
Mesh Policy: Mesh policy adopted.
ANI Support: ANI (Adaptive Noise Immunity) status: enabled or disabled.
11g Protection: 11g protection status: enable or disable.
Admin State: Administrative state of the radio.
Physical State: Physical state of the radio.
Operational Rates (Mbps): Operational rates in Mbps.
Radar detected Channels: Channels on which radar signals are detected.
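The two timer-driven Tunnel Down Reason values in Table 22 (Neighbor Dead Timer Expire and Response Timer Expire) can be modeled as an AC-side liveness check, which is useful when deciding whether an AP that shows Idle was lost or simply never answered. The following is an added example written for this guide, not H3C code; the echo interval, the response waiting time (which the guide does not quantify) and all timestamps are constructed values.

```python
"""Model of the two timer-driven Tunnel Down Reason values from Table 22.

Added example, not H3C code. Assumptions:
  * the AP sends an Echo request every echo_interval seconds (the Echo
    Interval(s) field), and the AC declares Neighbor Dead Timer Expire when
    no Echo request arrives within three times that interval;
  * the AC waits response_wait seconds for a reply to each control packet
    it sends (the guide says "the specified waiting time" without a value).
All timestamps are constructed sample values in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEIGHBOR_DEAD_MULTIPLIER = 3  # three missed handshake intervals


@dataclass
class ApTunnelMonitor:
    echo_interval: float   # expected spacing of Echo requests from the AP
    response_wait: float   # how long the AC waits for a control response
    last_echo: Optional[float] = None
    pending: Dict[int, float] = field(default_factory=dict)  # seq -> time sent
    state: str = "Run"          # mirrors the State field: Run or Idle
    down_reason: str = "-NA-"   # mirrors the Tunnel Down Reason field

    def echo_received(self, now: float) -> None:
        """An Echo request from the AP restarts the neighbor dead timer."""
        if self.state == "Run":
            self.last_echo = now

    def control_sent(self, seq: int, now: float) -> None:
        """The AC sent a control packet; start its response timer."""
        if self.state == "Run":
            self.pending[seq] = now

    def response_received(self, seq: int) -> None:
        """A response for control packet `seq` arrived; stop its timer."""
        self.pending.pop(seq, None)

    def check(self, now: float) -> Optional[str]:
        """Evaluate both timers at time `now`.

        Returns the Tunnel Down Reason if the tunnel goes down at this
        instant, otherwise None. A tunnel that is already down stays down.
        """
        if self.state != "Run":
            return None
        dead_after = NEIGHBOR_DEAD_MULTIPLIER * self.echo_interval
        if self.last_echo is not None and now - self.last_echo >= dead_after:
            return self._go_down("Neighbor Dead Timer Expire")
        if any(now - sent >= self.response_wait for sent in self.pending.values()):
            return self._go_down("Response Timer Expire")
        return None

    def _go_down(self, reason: str) -> str:
        self.state = "Idle"          # the AP shows as Idle once the tunnel is down
        self.down_reason = reason
        self.pending.clear()
        return reason


Event = Tuple[float, str, Optional[int]]   # (time, kind, control sequence number)


def simulate(events: List[Event], echo_interval: float = 10.0,
             response_wait: float = 5.0) -> Tuple[str, str, Optional[float]]:
    """Replay a constructed event list; return (state, down_reason, time_down).

    kind is "echo", "ctl_sent", "ctl_resp" or "check" (a bare timer evaluation).
    """
    mon = ApTunnelMonitor(echo_interval, response_wait)
    time_down: Optional[float] = None
    for t, kind, seq in sorted(events, key=lambda e: e[0]):
        if kind == "echo":
            mon.echo_received(t)
        elif kind == "ctl_sent":
            mon.control_sent(seq, t)
        elif kind == "ctl_resp":
            mon.response_received(seq)
        if mon.check(t) is not None and time_down is None:
            time_down = t
    return mon.state, mon.down_reason, time_down


# Constructed sample 1: the AP goes silent after its Echo request at t=20.
LOST_AP: List[Event] = [(0, "echo", None), (10, "echo", None), (20, "echo", None),
                        (30, "check", None), (40, "check", None), (50, "check", None)]

# Constructed sample 2: Echo requests keep arriving, but control packet 7 is never answered.
SILENT_CONTROL: List[Event] = [(0, "echo", None), (5, "ctl_sent", 7), (10, "echo", None),
                               (12, "check", None), (20, "echo", None)]

# Constructed sample 3: control packet 8 is answered in time, so the tunnel stays up.
HEALTHY: List[Event] = [(0, "echo", None), (2, "ctl_sent", 8), (4, "ctl_resp", 8),
                        (10, "echo", None), (20, "echo", None)]

if __name__ == "__main__":
    print(simulate(LOST_AP))         # ('Idle', 'Neighbor Dead Timer Expire', 50)
    print(simulate(SILENT_CONTROL))  # ('Idle', 'Response Timer Expire', 10)
    print(simulate(HEALTHY))         # ('Run', '-NA-', None)
```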
Displaying clients
Select Summary > Client from the navigation tree to enter the page as shown in Figure 37. For the
description of the fields in the client information, see Table 23.
Figure 37 Displaying clients
Table 23 Field description
Refresh: Refresh the current page.
Add to Blacklist: Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.
Reset Statistic: Clear statistics of the specified client.
Disconnect: Log off the selected client.
Displaying client detailed information
Select Summary > Client from the navigation tree to enter the Client page, click the Detail Information tab
on the page, and click the name of the specified client to view the detailed information of the client.
The detailed information of a client is as shown in Figure 38. For the description of the fields in the client
detailed information, see Table 24.
Figure 38 Displaying client detailed information
Table 24 Field description
MAC address: MAC address of the client.
AID: Association ID of the client.
User Name: Username of the client.
• The field is displayed as –NA– if the client adopts plain-text authentication or an authentication method that does not require a username.
• The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.
AP Name: Name of the AP.
Radio Id: Radio ID of the client.
SSID: SSID of the AP.
BSSID: BSSID of the AP.
Port: WLAN-DBSS interface associated with the client.
VLAN: VLAN to which the client belongs.
State: State of the client. Backup indicates a backup client.
Power Save Mode: Client's power save mode: active or sleep.
Wireless Mode: Wireless mode such as 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.
Channel Band-width: Channel bandwidth, 20 MHz or 40 MHz.
SM Power Save Enable: SM Power Save enables a client to have one antenna in active state, and others in sleep state to save power.
• Enabled: SM Power Save is supported.
• Disabled: SM Power Save is not supported.
Short GI for 20MHz: Whether the client supports short GI when its channel bandwidth is 20 MHz.
• Not Supported.
• Supported.
Short GI for 40MHz: Whether the client supports short GI when its channel bandwidth is 40 MHz.
• Not Supported.
• Supported.
Support MCS Set: MCS supported by the client.
BLOCK ACK-TID 0: BLOCK ACK is negotiated based on QoS priority ID 0:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.
BLOCK ACK-TID 1: BLOCK ACK is negotiated based on QoS priority ID 1:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.
BLOCK ACK-TID 2: BLOCK ACK is negotiated based on QoS priority ID 2:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.
BLOCK ACK-TID 3: BLOCK ACK is negotiated based on QoS priority ID 3:
• OUT—Outbound direction.
• IN—Inbound direction.
• BOTH—Both directions.
QoS Mode: Whether the AP supports the WMM function.
Listen Interval (Beacon Interval): Specifies how often the client wakes up to receive frames saved in the AP, expressed in units of beacon interval.
RSSI: Received signal strength indication. This value indicates the client signal strength detected by the AP.
Rx/Tx Rate: Represents the frame reception/transmission rate of the client, including data, management, and control frames. For the AC + fit AP mode, there is a delay because the Rx Rate is transmitted from the AP to the AC periodically, depending on the statistics interval.
Client Type: Client type such as RSN, WPA, or Pre-RSN.
Authentication Method: Authentication method such as open system or shared key.
AKM Method: AKM suite used, such as Dot1X or PSK.
4-Way Handshake State: Displays one of the 4-way handshake states:
• IDLE—Displayed in initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.
Group Key State: Displays the group key state:
• IDLE—Displayed in initial state.
• REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
• REKEYESTABLISHED—Displayed when re-keying is successful.
Encryption Cipher: Encryption cipher: clear or crypto.
Roam Status: Displays the roaming status: Normal or Fast Roaming.
Roam Count: Roaming count of the client, including intra-AC roaming and inter-AC roaming.
• For intra-AC roaming, this field is reset after the client is de-associated with the AP connected to the AC.
• For inter-AC roaming, this field is reset after the client leaves the mobility group to which the AC belongs.
Up Time: Time for which the client has been associated with the AP.
Displaying client statistics
Select Summary > Client from the navigation tree to enter the Client page, click the Statistic Information
tab on the page, and click the name of the specified client to view the statistics of the client.
The statistics of a client is as shown in Figure 39. For the description of the fields in the client statistic
information, see Table 25.
Figure 39 Displaying client statistics
Table 25 Field description
AP Name: Name of the associated access point.
Radio Id: Radio ID.
SSID: SSID of the AP.
BSSID: BSSID of the AP.
MAC Address: MAC address of the client.
RSSI: Received signal strength indication. This value indicates the client signal strength detected by the AP.
Transmitted Frames: Number of transmitted frames.
Back Ground(Frames/Bytes): Statistics of background traffic, in frames or in bytes.
Best Effort(Frames/Bytes): Statistics of best effort traffic, in frames or in bytes.
Video(Frames/Bytes): Statistics of video traffic, in frames or in bytes.
Voice(Frames/Bytes): Statistics of voice traffic, in frames or in bytes.
Received Frames: Number of received frames.
Discarded Frames: Number of discarded frames.
NOTE:
You can collect statistics of priority queues such as Back Ground, Best Effort, Video and Voice on a QoS
client only. Traffic including SVP packets sent and received on a client where QoS is not enabled falls into
Best Effort priority queue. Therefore, the queues collected may be different from the queues actually sent.
You can collect statistics of priority queues carried in Dot11E or WMM packets; otherwise, statistics
collection of priority queues on the receive end may fail.
Displaying client roaming information
Select Summary > Client from the navigation tree to enter the Client page, click the Roam Information tab
on the page, and click the name of the specified client to view the roaming information of the client.
Client roaming information is as shown in Figure 40. For the detailed description of the fields in the client
roaming information, see Table 26.
Figure 40 Displaying client roaming information
Table 26 Field description
Field
Description
BSSID
BSSID of the AP associated with the client.
Online-time
Online time of the client.
AC-IP-address
The IP address of the AC connected with the client. When the configured roaming
channel type is IPv6, the IPv6 address of the AC is displayed.
Displaying RF ping information
Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you
to get the connection information between the AP and its associated clients, such as signal strength,
packet re-transmission attempts, and round trip time (RTT).
Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client,
as shown in Figure 41. For the description of the fields in the client link test information, see Table 27.
Figure 41 View link test information
Table 27 Field description
Field
Description
No./MCS
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.
Rate(Mbps)
Rate at which the radio interface sends wireless ping frames.
TxCnt
Number of wireless ping frames that the radio interface sent.
RxCnt
Number of wireless ping frames that the radio interface received from the client.
RSSI
Received signal strength indication. This value indicates the client signal strength
detected by the AP.
Retries
Total number of retransmitted ping frames.
RTT(ms)
Round trip time.
License management
Configuring licenses
A license controls the maximum number of online APs. You can add a license on a device to increase the
maximum number of online APs that the device supports. However, the upper limit of online APs that a
device supports is restricted by its specification and varies by device model. For more information, see
"Feature matrixes."
Adding a license
CAUTION:
• After adding a license, you must reboot the device to validate the license.
• You can also increase the maximum number of online APs by adding an enhanced license. For more
information about enhanced license, see "Enhanced license management."
1.
Select Device > License from the navigation tree.
The License page appears.
Figure 42 License
2.
In the Add License area, configure the license information as described in Table 28.
3.
Click Add.
Table 28 Configuration items
Item
Description
License Key
Enter the license key.
Activation Key
Enter the activation key for the license.
Displaying license information
1.
Select Device > License from the navigation tree.
The page in Figure 42 appears.
2.
View the license information in the License area.
Table 29 Field description
Field
Description
default AP number
Maximum number of APs that the device supports by default.
max AP number
Upper limit of APs that the device supports.
current AP number
Maximum number of APs that the device currently supports.
License Key
License key of the license.
Activation Key
Activation key of the license.
AP Number
Number of APs that the license supports.
Configuring enhanced licenses
Some features of the device can be used only after you register them by using an enhanced license. The
enhanced license required for registration can be a beta version or an official version. A beta version has
a lifetime, and the features registered by using the version cannot be used any more after the version
expires. An official version, obtained by purchasing the features, provides the serial number for
registering the features and presents a description of the features.
Registering an enhanced license
CAUTION:
After registering an enhanced license, you must reboot the device to validate the newly added features.
You can also increase the number of allowed APs by adding a license. For more information about
license, see "License management."
1.
Select Device > License from the navigation tree.
2.
Click the Enhanced License tab.
The Enhanced License tab page appears.
Figure 43 Enhanced license
3.
Configure enhanced license information as described in Table 30.
4.
Click Add.
Table 30 Configuration items
Item
Description
Feature Name
Select the name of the feature to be registered.
For example, AP allows you to increase the number of APs.
Serial Number
Type the serial number of the license.
Displaying registered enhanced licenses
1.
Select Device > License from the navigation tree.
2.
Click the Enhanced License tab.
The page in Figure 43 appears.
3.
View the registered enhanced licenses at the lower part of the page.
Table 31 Field description
Field
Description
Feature Name
Name of the feature registered.
Serial Number
Serial number of the license.
Available Time Left
Remaining time of the license. After the time elapses, the license expires.
The value Forever means that the license is an official version.
AP Number
Number of APs that the license supports.
Device basic information configuration
The device basic information feature provides you the following functions:
• Set the system name of the device. The configured system name will be displayed on the top of the
navigation bar.
• Set the idle timeout period for a logged-in user. That is, the system logs an idle user off the Web for
security purposes after the configured period.
Configuring system name
1.
Select Device > Basic from the navigation tree.
The page for configuring the system name appears.
Figure 44 System name
2.
Set the system name for the device.
3.
Click Apply.
Configuring Web idle timeout period
1.
Select Device > Basic from the navigation tree.
2.
Click the Web Idle Timeout tab.
The page for configuring Web idle timeout period appears.
Figure 45 Configuring Web idle timeout period
3.
Set the Web idle timeout period for a logged-in user.
4.
Click Apply.
Device maintenance
Software upgrade
A boot file, also known as the system software or device software, is an application file used to boot the
device. Software upgrade allows you to obtain a target application file from the local host and set the file
as the boot file to be used at the next reboot. In addition, you can select whether to reboot the device to
bring the upgraded software into effect.
CAUTION:
• A software upgrade takes some time. Avoid performing any operation on the Web interface during the
upgrading procedure. Otherwise, the upgrade operation may be interrupted.
• You can keep the original file name or change it to another one (extension name not changed) after you
get the target application file from the local host.
1.
Select Device > Device Maintenance from the navigation tree.
The software upgrade configuration page appears.
Figure 46 Software upgrade configuration page
2.
Configure the software upgrade parameters as described in Table 32.
3.
Click Apply.
Table 32 Configuration items
Item
Description
File
Specify the path of the local application file, which must have the extension .app or .bin.
File Type
Specify the type of the boot file for the next boot:
• Main—Boots the device.
• Backup—Boots the device when the main boot file is unavailable.
If a file with the same name already exists, overwrite it without any prompt
Specify whether to overwrite the file with the same name.
If you do not select the option, when a file with the same name exists, the system prompts
"The file has existed.", and you cannot upgrade the software.
Reboot after the upgrade is finished.
Specify whether to reboot the device to make the upgraded software take effect after the
application file is uploaded.
Rebooting the device
CAUTION:
• Before rebooting the device, save the configuration. Otherwise, all unsaved configurations are lost after
device reboot.
• Re-log in to the Web interface after the device reboots.
1.
Select Device > Device Maintenance from the navigation tree.
2.
Click the Reboot tab.
The reboot tab page appears.
Figure 47 Device reboot page
3.
Clear the box before "Check whether the current configuration is saved in the next startup
configuration file" or keep it selected.
4.
Click Apply.
A confirmation dialog box appears.
5.
Click OK.
If you select the box before "Check whether the current configuration is saved in the next startup
configuration file", the system checks the configuration before rebooting the device. If the check
succeeds, the system reboots the device; if the check fails, the system displays a dialog box to
inform you that the current configuration and the saved configuration are inconsistent, and
does not reboot the device. In this case, you must save the current configuration manually
before you can reboot the device.
If you do not select the box, the system reboots the device directly.
Generating the diagnostic information file
Each functional module has its own running information, and generally, you need to view the output
information for each module one by one. To receive as much information as possible in one operation
during daily maintenance or when system failure occurs, the device supports generating diagnostic
information. When you perform the diagnostic information generation operation, the system saves the
running statistics of multiple functional modules to a file named default.diag, and then you can locate
problems faster by checking this file.
To generate the diagnostic information file:
1.
Select Device > Device Maintenance from the navigation tree.
2.
Click the Diagnostic Information tab.
The diagnostic information tab page appears.
Figure 48 Diagnostic information
3.
Click Create Diagnostic Information File.
The system begins to generate the diagnostic information file, and after the file is generated, the page
in Figure 49 appears.
Figure 49 The diagnostic information file is created
4.
Click Click to Download.
The File Download dialog box appears. You can select to open this file or save this file to the local
host.
NOTE:
• The generation of the diagnostic file will take a period of time. During this process, do not perform any
operation on the Web page.
• To view this file after the diagnostic file is generated successfully, select Device > File Management, or
download this file to the local host. For more information, see "File management configuration."
System time
You need to configure a correct system time so that the device can work with other devices properly.
System time allows you to display and set the device system time on the Web interface.
The device supports setting system time through manual configuration and automatic synchronization of
NTP server time.
An administrator cannot keep time synchronized among all the devices within a network by changing the
system clock on each device, because this is a time-consuming task and cannot guarantee clock precision.
Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed
time servers and clients.
NTP can keep consistent timekeeping among all clock-dependent devices within the network and ensure
a high clock precision so that the devices can provide diverse applications based on consistent time.
Displaying the system time
1.
Select Device > System Time from the navigation tree.
The page for configuring system time appears.
Figure 50 System time page
2.
View the current system time on the top of the page.
Configuring the system time
1.
Select Device > System Time from the navigation tree.
The page in Figure 50 appears.
2.
Click the System Time Configuration field.
The calendar page appears.
Figure 51 Calendar page
3.
Modify the system time either in the System Time Configuration field, or through the calendar
page.
You can perform the following operations on the calendar page:
a. Click Today to set the current date on the calendar to the current system date of the local host,
and the time keeps unchanged.
b. Set the year, month, date and time, and then click OK.
4.
Click Apply in the system time configuration page to save your configuration.
Configuring the network time
1.
Select Device > System Time from the navigation tree.
2.
Click Net Time.
The network time page appears.
Figure 52 Network time
3.
Configure system time parameters as described in Table 33.
4.
Click Apply.
Table 33 Configuration items
Item
Description
Clock status
Displays the synchronization status of the system clock.
Local Reference Source
Set the IP address of the local clock source to 127.127.1.u, where u ranges from 0 to 3,
representing the NTP process ID.
• If the IP address of the local clock source is specified, the local clock is used as the
reference clock, and thus can provide time for other devices.
• If the IP address of the local clock source is not specified, the local clock is not used as
the reference clock.
Stratum
Set the stratum level of the local clock.
The stratum level of the local clock decides the precision of the local clock. A higher value
indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16
clock is not synchronized and cannot be used as a reference clock.
Source Interface
Set the source interface for NTP messages.
If you do not want the IP address of a certain interface on the local device to become the
destination address of response messages, you can specify the source interface for NTP
messages, so that the source IP address in the NTP messages is the primary IP address of
this interface. If the specified source interface is down, the source IP address of the NTP
messages sent is the primary IP address of the outbound interface.
Key 1
Key 2
Set the NTP authentication keys.
The NTP authentication feature should be enabled for a system running NTP in a network
where there is a high security demand. This feature enhances network security by means of
client-server key authentication, which prohibits a client from synchronizing with a device
that has failed authentication.
You can set two authentication keys, each of which is composed of a key ID and a key string.
• ID is the ID of a key.
• Key string is the character string used as the MD5 authentication key.
External Reference Source
NTP Server 1/Reference Key ID
NTP Server 2/Reference Key ID
You can configure two NTP servers. The clients will choose the optimal reference source.
Specify the IP address of an NTP server, and configure the authentication key ID used for the
association with the NTP server. The device synchronizes its time to the NTP server only if
the key provided by the server is the same as the specified key.
IMPORTANT:
The IP address of an NTP server is a unicast address, and cannot be a broadcast or a
multicast address, or the IP address of the local clock source.
TimeZone
Set the time zone for the system.
System time configuration example
Network requirements
• As shown in Figure 53, the local clock of Switch is set as the reference clock.
• AC operates in client mode, and uses Switch as the NTP server.
• NTP authentication is configured on both AC and Switch.
Figure 53 Network diagram
Configuring the switch
Configure the local clock as the reference clock with a stratum of 2, and configure authentication with
key ID 24 and trusted key aNiceKey. (Details not shown.)
Configuring the AC
To configure Switch as the NTP server of AC:
1.
Select Device > System Time from the navigation tree.
2.
Click the Net Time tab.
The Net Time tab page appears.
Figure 54 Configuring Switch as the NTP server of AC
3.
Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1
box and 24 in the Reference Key ID box.
4.
Click Apply.
Verifying the configuration
After the above configuration, the current system time displayed on the System Time page is the same for
AC and Switch.
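To show what the key ID and MD5 key string configured above actually do on the wire, here is an added Python example (not part of the H3C guide or its software): it builds an NTP client-mode request, appends the key ID 24 / aNiceKey authenticator, and verifies it the way a receiver checks a peer, rejecting packets with an unknown key ID, a wrong key, or a modified header. The transmit time, function names and key table are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed values mirroring the configuration example above: key ID 24, key string aNiceKey.
KEY_ID = 24
KEY_STRING = b"aNiceKey"

NTP_HEADER_LEN = 48            # fixed NTP header defined in RFC 1305
AUTHENTICATOR_LEN = 4 + 16     # 32-bit key ID followed by a 128-bit MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    ntp_time = unix_time + NTP_EPOCH_OFFSET
    seconds = int(ntp_time)
    fraction = int((ntp_time - seconds) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)


def build_client_packet(transmit_unix_time: float, version: int = 3) -> bytes:
    """Build an unauthenticated 48-byte NTP client-mode (mode 3) request."""
    li_vn_mode = (0 << 6) | (version << 3) | 3          # LI=0, VN=3 (RFC 1305), mode=3 (client)
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)  # stratum, poll, precision are 0 in a request
    header += struct.pack("!II", 0, 0)                  # root delay, root dispersion
    header += b"\x00" * 4                               # reference ID
    header += b"\x00" * 24                              # reference, originate and receive timestamps
    header += ntp_timestamp(transmit_unix_time)         # transmit timestamp
    return header


def ntp_md5_digest(key_string: bytes, packet: bytes) -> bytes:
    """NTP symmetric-key authenticator: MD5 over the key string followed by the 48-byte header."""
    return hashlib.md5(key_string + packet[:NTP_HEADER_LEN]).digest()


def authenticate(packet: bytes, key_id: int, key_string: bytes) -> bytes:
    """Append the key ID and digest; the key ID is what 'Reference Key ID' selects on the AC."""
    return packet[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + ntp_md5_digest(key_string, packet)


def verify(packet: bytes, trusted_keys: dict) -> tuple:
    """Check a received packet against the local key table.

    Returns (ok, reason). A packet whose key ID is unknown or whose digest does not
    match is rejected, so the receiver never synchronizes to it.
    """
    if len(packet) < NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False, "no authenticator present"
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received_digest = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + AUTHENTICATOR_LEN]
    key_string = trusted_keys.get(key_id)
    if key_string is None:
        return False, f"key ID {key_id} is not a trusted key"
    expected = ntp_md5_digest(key_string, packet)
    if not hmac.compare_digest(expected, received_digest):  # constant-time comparison
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed transmit time; any Unix time before 2036 fits in the 32-bit seconds field.
    request = authenticate(build_client_packet(1345800000.0), KEY_ID, KEY_STRING)
    print(len(request), "bytes;", verify(request, {KEY_ID: KEY_STRING}))
    print(verify(request, {KEY_ID: b"wrongKey"}))
```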
Configuration guidelines
• A device can act as a server to synchronize the clock of other devices only after its clock has been
synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's
clock, the client will not synchronize its clock to the server's.
• The synchronization process takes a period of time. The clock status may be displayed as
unsynchronized after your configuration. In this case, you can refresh the page to view the clock
status later on.
• If the system time of the NTP server is ahead of the system time of the device, and the difference
between them exceeds the Web idle time specified on the device, all online Web users are logged
out because of timeout.
Log management
System logs contain a large amount of network and device information, including running status and
configuration changes. System logs are an important way for administrators to know network and device
status. With system logs, administrators can take corresponding actions against network problems and
security problems.
The system sends system logs to the following destinations:
• Console
• Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY
user interface.
• Log buffer
• Loghost
• Web interface
Displaying syslog
The Web interface provides abundant search and sorting functions. You can view syslogs through the
Web interface conveniently.
To display syslog:
1.
Select Device > Syslog from the navigation tree.
The page for displaying syslog appears.
Figure 55 Displaying syslog
TIP:
• You can click Reset to clear all system logs saved in the log buffer on the Web interface.
• You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup
page to enable the system to automatically refresh the page periodically. For more information, see
"Setting buffer capacity and refresh interval."
2.
View system logs.
Table 34 Field description
Field
Description
Time/Date
Display the time/date when system logs are generated.
Source
Display the module that generates system logs.
Level
Display the system information levels. The information is classified into eight levels
by severity:
• Emergency—The system is unusable.
• Alert—Action must be taken immediately.
• Critical—Critical conditions.
• Error—Error conditions.
• Warning—Warning conditions.
• Notification—Normal but significant condition.
• Informational—Informational messages.
• Debug—Debug-level messages.
Digest
Display the brief description of system logs.
Description
Display the contents of system logs.
Setting the log host
You can set the loghost on the Web interface to enable the system to output syslogs to the log host. You
can specify at most four different log hosts.
To set the log host:
1.
Select Device > Syslog from the navigation tree.
2.
Click the Loghost tab.
The loghost configuration page appears.
Figure 56 Setting loghost
3.
Configure the log host as described in Table 35.
4.
Click Apply.
Table 35 Configuration items
Item
Description
IPv4/Domain
IPv6
Loghost IP/Domain
Set the IPv4 address, domain, or IPv6 address of the loghost.
Setting buffer capacity and refresh interval
1.
Select Device > Syslog from the navigation tree.
2.
Click the Log Setup tab.
The syslog configuration page appears.
Figure 57 Syslog configuration page
3.
Configure buffer capacity and refresh interval as described in Table 36.
4.
Click Apply.
Table 36 Configuration items
Item
Description
Buffer Capacity
Set the number of logs that can be stored in the log buffer of the Web interface.
Refresh Interval
Set the refresh period on the log information displayed on the Web interface.
You can select manual refresh or automatic refresh:
• Manual—Click Refresh to refresh the Web interface when displaying log
information.
• Automatic—You can select to refresh the Web interface every 1 minute, 5
minutes, or 10 minutes.
Configuration management
NOTE:
When backing up a configuration file, back up the configuration file with the extension .xml. Otherwise
some configuration information may not be restored in some cases (for example, when the configuration
is removed).
Backing up the configuration
Configuration backup provides the following functions:
• Open and view the configuration file (.cfg file or .xml file) for the next startup
• Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user
To back up the configuration:
1.
Select Device > Configuration from the navigation tree.
The page for backing up configuration appears.
Figure 58 Backup configuration page
2.
Click the upper Backup button.
A file download dialog box appears. You can select to view the .cfg file or to save the file locally.
3.
Click the lower Backup button.
A file download dialog box appears. You can select to view the .xml file or to save the file locally.
Restoring the configuration
CAUTION:
The restored configuration file takes effect at the next device reboot.
Configuration restore provides the following functions:
• Upload the .cfg file on the host of the current user to the device for the next startup
• Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup
To restore the configuration:
1.
Select Device > Configuration from the navigation tree.
2.
Click the Restore tab.
The page for restoring configuration appears.
Figure 59 Configuration restore page
3.
Click the upper Browse button.
The file upload dialog box appears. You can select the .cfg file to be uploaded.
4.
Click the lower Browse button in this figure.
The file upload dialog box appears. You can select the .xml file to be uploaded.
5.
Click Apply.
Saving the configuration
CAUTION:
• Saving the configuration takes some time.
• The system does not support two or more users saving the configuration at the same time. If
such a case occurs, the system prompts the latter users to try later.
The save configuration module provides the function to save the current configuration to the configuration
file (.cfg file or .xml file) to be used at the next startup. You can save the configuration in one of the
following ways:
Fast
Click the Save button at the upper right of the auxiliary area, and you can save the configuration to the
configuration file.
Figure 60 Saving configuration confirmation
Common
1.
Select Device > Configuration from the navigation tree.
2.
Click the Save tab.
The page in Figure 60 appears.
3.
Click Save Current Settings to save the current configuration to the configuration file.
Initializing the configuration
This operation restores the system to factory defaults, deletes the current configuration file, and reboots the
device.
To initialize the configuration:
1.
Select Device > Configuration from the navigation tree.
2.
Click the Initialize tab.
The initialize confirmation page appears.
Figure 61 Initializing the configuration
3.
Click Restore Factory-Default Settings to restore the system to factory defaults.
File management
NOTE:
There are many types of storage media such as flash, compact flash (CF), and so on. Different devices
support different types of storage device. For more information, see "Feature matrixes."
The device saves useful files (such as host software, configuration file) into the storage device, and the
system provides the file management function for the users to manage those files conveniently and
effectively.
Displaying file list
1.
Select Device > File Management from the navigation tree.
The file management page appears.
Figure 62 File management
2.
Select a disk from the Please select disk list on the top of the page.
3.
View the used space, free space and capacity of the disk at the right of the list.
4.
View all files saved in this disk (in the format of path + filename), file sizes, and the boot file types
(Main or Backup is displayed if the file is an application file, that is, with the extension of .bin
or .app).
Downloading a file
1.
Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2.
Select a file from the list.
You can select one file at a time.
3.
Click Download File.
The File Download dialog box appears. You can select to open the file or to save the file to a
specified path.
Uploading a file
NOTE:
Uploading a file takes some time. H3C recommends that you not perform any operation on the Web
interface while the file is being uploaded.
1.
Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2.
Select the disk to save the file in the Upload File box.
3.
Click Browse to set the path and name of the file.
4.
Click Apply.
Removing a file
1.
Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2.
Select one or multiple files from the file list.
3.
Click Remove File.
NOTE:
You can also remove a file by clicking the icon.
Specifying the main boot file
1.
Select Device > File Management from the navigation tree.
The page in Figure 62 appears.
2.
Select the box to the left of an application file (with the extension of .bin or .app).
You can set one file at a time.
3.
Click Set as Main Boot File to set the main boot file to be used at the next startup.
Interface management
Interface management overview
An interface is the point of interaction or communication used for exchanging data between entities.
There are two types of interfaces: physical and logical. A physical interface refers to an interface that
physically exists as a hardware component. An example is Ethernet interfaces. A logical interface refers
to an interface that can implement data switching but does not exist physically. A logical interface must
be created manually. An example is VLAN interfaces.
You can use the interface management feature on the Web-based configuration interface to manage the
following types of interfaces.
• Layer 2 Ethernet interface—Physical interface operating on the data link layer for forwarding Layer
2 protocol packets.
• Management Ethernet interface—Physical interface operating on the network layer. You can
configure IP addresses for a management Ethernet interface. You can log in to the device through
a management Ethernet interface to manage the device.
• Loopback interface—A loopback interface is a software-only virtual interface. The physical layer
state and link layer protocols of a loopback interface are always up unless the loopback interface
is manually shut down. You can enable routing protocols on a loopback interface, and a loopback
interface can send and receive routing protocol packets. When you assign an IPv4 address whose
mask is not 32-bit, the system automatically changes the mask into a 32-bit mask.
• Null interface—A null interface is a completely software-based logical interface, and is always up.
However, you cannot use it to forward data packets or configure an IP address or link layer protocol
on it. With a null interface specified as the next hop of a static route to a specific network segment,
any packets routed to the network segment are dropped. The null interface provides a simpler way
to filter packets than ACL. You can filter uninteresting traffic by transmitting it to a null interface
instead of applying an ACL.
• VLAN interface—Virtual Layer 3 interface used for Layer 3 communications between VLANs. A
VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and
specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network
segment different from that of the VLAN.
• Virtual template (VT) interface—Template used for configuring virtual access (VA) interfaces.
• Bridge-Aggregation interface (BAGG)—Multiple Layer 2 Ethernet interfaces can be combined to
form a Layer 2 aggregation group. The logical interface created for the group is called an
aggregate interface.
With the interface management feature, you can view interface information, create/remove logical
interfaces, change interface status, and reset interface parameters.
Displaying interface information and statistics
1.
Select Device > Interface from the navigation tree.
The interface management page appears. The page displays the interfaces' names, IP addresses,
masks, and status.
Figure 63 Interface management page
2.
Click an interface name in the Name column to display the statistics of that interface.
The page for displaying interface statistics appears.
Figure 64 Statistics on an interface
Creating an interface
1.
Select Device > Interface from the navigation tree.
The page in Figure 63 appears.
2.
Click Add.
The page for creating an interface appears.
Figure 65 Creating an interface
3.
Configure the interface as described in Table 37.
4.
Click Apply.
Table 37 Configuration items
Item
Description
Interface Name
Set the type and number of a logical interface.
If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with
the subinterface.
VID
This parameter is available only for Layer 3 Ethernet subinterfaces.
IMPORTANT:
Currently, this configuration item is not configurable because the device does not
support Layer 3 Ethernet subinterfaces.
Set the maximum transmit unit (MTU) of the interface.
The MTU value affects fragmentation and reassembly of IP packets.
MTU
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces
support MTU.
90
Item
Description
Set the maximum segment size (MSS) for IP packets on the interface.
The TCP MSS value affects fragmentation and reassembly of IP packets.
TCP MSS
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces
support MTU.
Set the way for the interface to obtain an IP address, include:
• None—Select this option if you do not want to assign an IP address for the
interface.
• Static Address—Select the option to manually assign an IP address and mask for
the interface. If this option is selected, you must set the IP Address and Mask
fields.
• DHCP—Select the option for the interface to obtain an IP address through DHCP
automatically.
IP Config
• BOOTP—Select the option for the interface to obtain an IP address through
BOOTP automatically.
• PPP Negotiate—Select the option for the interface to obtain an IP address
through PPP negotiation.
• Unnumbered—Select this option to borrow the IP address of another interface on
the same device for the interface. If this option is selected, you must select the
interface whose IP address you want to borrow in the Unnumbered Interfaces list.
IMPORTANT:
Support for the way of obtaining an IP address depends on the interface type.
IP Address/Mask
Secondary IP Address/Mask
After selecting the Static Address option for the IP Config configuration item, you need to set the primary IP address and mask, and secondary IP addresses and masks for the interface.
IMPORTANT:
• The primary and secondary IP addresses cannot be 0.0.0.0.
• For a loopback interface, the mask is fixed to 32 bits and is not configurable.
• The number of secondary IP addresses supported by the device depends on the device model.
Unnumbered Interface
If the Unnumbered option is selected as the way for the interface to obtain an IP
address, you must set the interface whose IP address is to be borrowed.
IPv6 Config
Set the way for the interface to obtain an IPv6 link-local address, including:
• None—Select this option if you do not want to assign an IPv6 link-local address to the interface.
• Auto—Select this option for the system to automatically assign an IPv6 link-local address to the interface.
• Manual—Select this option to manually assign an IPv6 link-local address to the interface. If this option is selected, you must set the IPv6 Link Local Address field.
IPv6 Link Local Address
If the Manual option is selected as the way for the interface to obtain an IPv6
link-local address, you must set an IPv6 link-local address for the interface.
Modifying a Layer 2 interface
1. Select Device > Interface from the navigation tree.
The page in Figure 63 appears.
2. Click the icon corresponding to a Layer 2 interface.
The page for modifying a Layer 2 interface appears.
Figure 66 Modifying a Layer 2 physical interface
3. Modify the information about the Layer 2 physical interface as described in Table 38.
4. Click Apply.
Table 38 Configuration items
Item
Description
Port State
Enable or disable the interface.
In some cases, modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification work.
Speed
Set the transmission rate of the interface. Available options include:
• 10—10 Mbps.
• 100—100 Mbps.
• 1000—1000 Mbps.
• Auto—Auto-negotiation.
• Auto 10—The auto-negotiation rate of the interface is 10 Mbps.
• Auto 100—The auto-negotiation rate of the interface is 100 Mbps.
• Auto 1000—The auto-negotiation rate of the interface is 1000 Mbps.
• Auto 10 100—The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
• Auto 10 1000—The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.
• Auto 100 1000—The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.
• Auto 10 100 1000—The auto-negotiation rate of the interface is 10 Mbps, 100 Mbps or 1000 Mbps.
Duplex
Set the duplex mode of the interface.
• Auto—Auto-negotiation.
• Full—Full duplex.
• Half—Half duplex.
Link Type
Set the link type of the current interface, which can be access, hybrid, or trunk. For more information, see Table 39.
IMPORTANT:
To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.
PVID
Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT:
The trunk ports at the two ends of a link must have the same PVID.
MDI
Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following three MDI modes:
• Across mode.
• Normal mode.
• Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals; pin 3 and pin 6 are used for receiving signals. You can change the pin roles by setting the MDI mode.
• In across mode, the default pin roles are kept, that is, pin 1 and pin 2 for transmitting signals, and pin 3 and pin 6 for receiving signals.
• In auto mode, the pin roles are determined through auto negotiation.
• In normal mode, pin 1 and pin 2 are used for receiving signals while pin 3 and pin 6 are used for transmitting signals.
To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the MDI mode depending on the cable type.
• Generally, the auto mode is recommended. The other two modes are useful only when the device cannot determine the cable type.
• When straight-through cables are used, the local MDI mode must be different from the remote MDI mode.
• When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.
Flow Control
Enable or disable flow control on the interface.
After flow control is enabled on both ends, if there is traffic congestion on the device on the local end, it sends information to notify the peer end to stop sending packets temporarily; upon receiving the information, the peer end stops sending packets; and vice versa. This is used to avoid packet loss.
IMPORTANT:
Flow control can be realized only when it is enabled on both ends.
Jumbo Frame
Enable or disable the forwarding of jumbo frames.
Max MAC Count
Set the maximum number of MAC addresses the interface can learn. Available options include:
• User Defined—Select this option to set the limit manually.
• No Limited—Select this option to set no limit.
Broadcast Suppression
Set broadcast suppression. You can suppress broadcast traffic by percentage or by PPS as follows:
• ratio—Sets the maximum percentage of broadcast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
• pps—Sets the maximum number of broadcast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.
Multicast Suppression
Set multicast suppression. You can suppress multicast traffic by percentage or by PPS as follows:
• ratio—Sets the maximum percentage of multicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
• pps—Sets the maximum number of multicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.
Unicast Suppression
Set unicast suppression. You can suppress unicast traffic by percentage or by PPS as follows:
• ratio—Sets the maximum percentage of unicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
• pps—Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.
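The MDI bullets in Table 38 follow from the pin roles the table describes. The following Python is an added example, not code from the H3C guide: it models the pin roles of across and normal mode and the two cable wirings as the table states them (the function names and the link check are constructed) and derives which mode pairs bring a link up.

```python
"""Derive the MDI mode rules of Table 38 from the pin roles it describes.
Added example, not part of the H3C guide. Pin roles per mode and the two
cable wirings are modelled as the table states them; the link check and the
function names are constructed for this example."""
from itertools import product

# Pin roles per MDI mode: (transmit pins, receive pins), as described in Table 38.
PIN_ROLES = {
    "across": ({1, 2}, {3, 6}),
    "normal": ({3, 6}, {1, 2}),
}

# Cable wiring as local pin -> remote pin (constructed from the cable definitions:
# straight-through keeps pin numbers, crossover swaps the 1/2 and 3/6 pairs).
CABLES = {
    "straight-through": {1: 1, 2: 2, 3: 3, 6: 6},
    "crossover": {1: 3, 2: 6, 3: 1, 6: 2},
}


def fixed_modes_link(local: str, remote: str, cable: str) -> bool:
    """True when the local transmit pins land on the remote receive pins and
    the remote transmit pins land on the local receive pins."""
    local_tx, local_rx = PIN_ROLES[local]
    remote_tx, remote_rx = PIN_ROLES[remote]
    forward = CABLES[cable]
    backward = {r: l for l, r in forward.items()}
    return ({forward[p] for p in local_tx} == remote_rx
            and {backward[p] for p in remote_tx} == local_rx)


def link_up(local: str, remote: str, cable: str) -> bool:
    """An end in auto mode negotiates its pin roles, so it may settle on either
    assignment; the link comes up if any combination of concrete modes works."""
    local_options = list(PIN_ROLES) if local == "auto" else [local]
    remote_options = list(PIN_ROLES) if remote == "auto" else [remote]
    return any(fixed_modes_link(l, r, cable)
               for l, r in product(local_options, remote_options))


def guideline_rules_hold() -> bool:
    """Check the three rules stated in Table 38 against the pin model:
    straight-through needs different fixed modes, crossover needs the same
    fixed modes, and an auto end always finds a working assignment."""
    modes = ("across", "normal")
    straight = all(link_up(a, b, "straight-through") == (a != b)
                   for a, b in product(modes, modes))
    cross = all(link_up(a, b, "crossover") == (a == b)
                for a, b in product(modes, modes))
    auto = all(link_up("auto", m, c) and link_up(m, "auto", c)
               for m in modes for c in CABLES)
    return straight and cross and auto


if __name__ == "__main__":
    for cable in CABLES:
        for local, remote in product(("across", "normal", "auto"), repeat=2):
            state = "up" if link_up(local, remote, cable) else "down"
            print(f"{cable:16} local={local:6} remote={remote:6} -> {state}")
    print("Table 38 rules hold:", guideline_rules_hold())
```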
Table 39 Link type description
Link type
Description
Access
An access port can belong to only one VLAN and is usually used to connect a user
device.
Hybrid
A hybrid port can be assigned to multiple VLANs to receive and send packets for
them and allows packets of multiple VLANs to pass through untagged.
Hybrid ports can be used to connect network devices, as well as user devices.
Trunk
A trunk port can be assigned to multiple VLANs to receive and send packets for them
but allows only packets of the default VLAN to pass through untagged.
Trunk ports are usually used to connect network devices.
Modifying a Layer 3 interface
1. Select Device > Interface from the navigation tree.
The page in Figure 63 appears.
2. Click the icon corresponding to a Layer 3 interface.
The page for modifying a Layer 3 interface appears.
Figure 67 Modifying a Layer 3 physical interface
3. Modify the information about the Layer 3 interface.
The configuration items for modifying a Layer 3 interface are similar to those for creating an interface. Table 40 describes the configuration items specific to modifying a Layer 3 interface.
4. Click Apply.
Table 40 Configuration items
Item
Description
Interface Type
Set the interface type, which can be Electrical port, Optical port, or None.
Interface Status
Display and set the interface status.
• The display of Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface.
• The display of Not connected indicates that the current status of the interface is up but not connected. You can click Disable to shut down the interface.
• The display of Administratively Down indicates that the interface is shut down by the administrator. You can click Enable to bring up the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT:
For an interface whose status cannot be changed, the Enable or Disable button is not available.
Working Mode
Set the interface to work in bridge mode or router mode.
Interface management configuration example
Network requirements
Create VLAN-interface 100 and specify its IP address as 10.1.1.2.
Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree.
The VLAN tab page appears.
b. Click Add.
The page for creating VLANs appears.
Figure 68 Creating VLAN 100
c. Enter VLAN ID 100.
d. Click Apply.
2. Create VLAN-interface 100 and assign an IP address to it:
a. Select Device > Interface from the navigation tree.
b. Click Add.
The page for creating an interface appears.
Figure 69 Creating VLAN-interface 100
c. Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24 (255.255.255.0) from the Mask list.
d. Click Apply.
Port mirroring
NOTE:
• There are two kinds of port mirroring: local port mirroring and remote port mirroring. Unless otherwise
specified, port mirroring described in this chapter all refers to local port mirroring.
• Support for the port mirroring feature depends on the device model. For more information, see "Feature
matrixes."
Introduction to port mirroring
Port mirroring is to copy the packets passing through one or multiple ports (called mirroring ports) to a
port (called the monitor port) on the local device. The monitor port is connected with a monitoring device.
By analyzing on the monitoring device the packets mirrored to the monitor port, you can monitor the
network and troubleshoot possible network problems.
Figure 70 A port mirroring implementation
Port mirroring is implemented through mirroring groups. The mirroring ports and the monitor port are in
the same mirroring group. With port mirroring enabled, the device copies packets passing through the
mirroring ports to the monitor port.
Port mirroring configuration task list
Table 41 Port mirroring configuration task list
Task
Remarks
Add a mirroring group
Required.
For more information, see "Adding a mirroring group."
You need to select the mirroring group type local in the Type list.
Configure the mirroring ports
Required.
For more information, see "Configuring ports for a mirroring group."
During configuration, you need to select the port type Mirror Port.
Configure the monitor port
Required.
For more information, see "Configuring ports for a mirroring group."
During configuration, you need to select the port type Monitor Port.
Adding a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click the Add tab.
The page for adding a mirroring group appears.
Figure 71 The page for adding a mirroring group
3. Configure the mirroring group as described in Table 42.
4. Click Apply.
Table 42 Configuration items
Item
Description
Mirroring Group ID
ID of the mirroring group to be added.
Type
Specify the type of the mirroring group to be added:
Local: Adds a local mirroring group.
Configuring ports for a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click the Modify Port tab.
The page for configuring ports for a mirroring group appears.
Figure 72 The page for configuring ports for a mirroring group
3. Configure the port information for the mirroring group as described in Table 43.
4. Click Apply.
The progress bar appears.
5. Click Close after the progress bar prompts that the configuration is complete.
Table 43 Configuration items
Item
Description
Mirroring Group ID
ID of the mirroring group to be configured.
Port Type
Set the types of the ports to be configured:
• Monitor Port—Configures the monitor port for the mirroring group.
• Mirror Port—Configures mirroring ports for the mirroring group.
Stream Orientation
Set the direction of the traffic monitored by the monitor port of the mirroring group. This configuration item is available when Mirror Port is selected in the Port Type list.
• both—Mirrors both received and sent packets on mirroring ports.
• inbound—Mirrors only packets received by mirroring ports.
• outbound—Mirrors only packets sent by mirroring ports.
interface name
Select the ports to be configured from the interface name list.
Configuration examples
Network requirements
As shown in Figure 73, the customer network is as described below:
• Packets from AP access AC through GigabitEthernet 1/0/1.
• Server is connected to GigabitEthernet 1/0/2 of AC.
Configure port mirroring to monitor the bidirectional traffic on GigabitEthernet 1/0/1 of AC on the server.
To satisfy the above requirement through port mirroring, perform the following configuration on AC:
• Configure GigabitEthernet 1/0/1 of AC as a mirroring port.
• Configure GigabitEthernet 1/0/2 of AC as the monitor port.
Figure 73 Network diagram
Adding a mirroring group
1. Select Device > Port Mirroring from the navigation tree.
2. Click Add.
The page for adding a mirroring group appears.
Figure 74 Adding a mirroring group
3. Enter 1 for Mirroring Group ID and select Local in the Type list.
4. Click Apply.
Configuring the mirroring ports
1. Click Modify Port.
The page for configuring a mirroring port appears.
Figure 75 Configuring a mirroring port
2. Select 1 – Local for Mirroring Group ID, select Mirror Port for Port Type, select both for Stream Orientation, and select GigabitEthernet 1/0/1 from the interface name list.
3. Click Apply.
The progress bar appears.
4. Click Close after the progress bar prompts that the configuration is complete.
Configuring the monitor port
1. Click the Modify Port tab.
The page for configuring the mirroring port appears.
Figure 76 Configuring the monitor port
2. Select 1 – Local for Mirroring Group ID, select Monitor Port for Port Type, and select GigabitEthernet 1/0/2 from the interface name list.
3. Click Apply.
A progress bar appears.
4. Click Close after the progress bar prompts that the configuration is complete.
Configuration guidelines
When you configure port mirroring, follow these guidelines:
• Depending on the device model, you can assign these types of ports to a mirroring group as mirroring ports: Layer 2 Ethernet, Layer 3 Ethernet, POS, CPOS, serial, and MP-group.
• Depending on the device model, you can configure these types of ports as the monitor port: Layer 2 Ethernet, Layer 3 Ethernet, and tunnel.
• To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
• On some types of devices, you can configure a member port in link aggregation as the monitor port.
• Other restrictions on the monitor port depend on your device model.
• You can configure multiple mirroring ports but only one monitor port for a mirroring group.
• A port can be assigned to only one mirroring group.
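The guidelines above, together with the group and port settings of Tables 42 and 43, can be checked mechanically before a change is applied. The following Python is an added example, not H3C code: it models local mirroring groups on one device and rejects changes that break the guidelines, using the port types listed above; the interface names and the two checks that a port is not mirror and monitor port at once are assumptions of the example.

```python
"""Local port mirroring as configured through Tables 42 and 43, with the
configuration guidelines above enforced. Added example, not H3C code: the
port-type sets come from the guidelines; the interface names and the two
checks that a port is not mirror and monitor port at once are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Port types the guidelines allow as mirroring ports and as the monitor port.
MIRROR_PORT_TYPES = {"Layer 2 Ethernet", "Layer 3 Ethernet", "POS", "CPOS",
                     "serial", "MP-group"}
MONITOR_PORT_TYPES = {"Layer 2 Ethernet", "Layer 3 Ethernet", "tunnel"}
STREAM_ORIENTATIONS = {"both", "inbound", "outbound"}   # Table 43


@dataclass
class MirroringGroup:
    group_id: int
    mirror_ports: Dict[str, str] = field(default_factory=dict)  # port -> orientation
    monitor_port: Optional[str] = None


class MirroringConfig:
    """Mirroring groups of one device; every change is validated before it is kept."""

    def __init__(self, port_types: Dict[str, str], stp_ports: Set[str] = frozenset()):
        self.port_types = port_types          # interface name -> port type
        self.stp_ports = set(stp_ports)       # ports running STP, MSTP or RSTP
        self.groups: Dict[int, MirroringGroup] = {}
        self.port_group: Dict[str, int] = {}  # a port belongs to at most one group

    def add_group(self, group_id: int, group_type: str = "Local") -> None:
        if group_type != "Local":
            raise ValueError("only local mirroring groups are covered here")
        if group_id in self.groups:
            raise ValueError(f"mirroring group {group_id} already exists")
        self.groups[group_id] = MirroringGroup(group_id)

    def _port_type(self, port: str) -> str:
        if port not in self.port_types:
            raise ValueError(f"unknown interface {port}")
        return self.port_types[port]

    def _claim(self, port: str, group_id: int) -> None:
        owner = self.port_group.get(port)
        if owner is not None and owner != group_id:
            raise ValueError(f"{port} is already assigned to mirroring group {owner}")
        self.port_group[port] = group_id

    def set_mirror_port(self, group_id: int, port: str, orientation: str = "both") -> None:
        group = self.groups[group_id]
        if orientation not in STREAM_ORIENTATIONS:
            raise ValueError(f"unknown stream orientation {orientation}")
        if self._port_type(port) not in MIRROR_PORT_TYPES:
            raise ValueError(f"{port} cannot be a mirroring port")
        if port == group.monitor_port:  # assumption, not a stated guideline
            raise ValueError(f"{port} is already the monitor port of group {group_id}")
        self._claim(port, group_id)
        group.mirror_ports[port] = orientation

    def set_monitor_port(self, group_id: int, port: str) -> None:
        group = self.groups[group_id]
        if group.monitor_port not in (None, port):
            raise ValueError(f"group {group_id} already has monitor port {group.monitor_port}")
        if self._port_type(port) not in MONITOR_PORT_TYPES:
            raise ValueError(f"{port} cannot be the monitor port")
        if port in self.stp_ports:
            raise ValueError(f"disable STP/MSTP/RSTP on {port} before using it as monitor port")
        if port in group.mirror_ports:  # assumption, not a stated guideline
            raise ValueError(f"{port} is already a mirroring port of group {group_id}")
        self._claim(port, group_id)
        group.monitor_port = port

    def is_complete(self, group_id: int) -> bool:
        """A working group has at least one mirroring port and its one monitor port."""
        group = self.groups[group_id]
        return bool(group.mirror_ports) and group.monitor_port is not None


def violates(action, *args) -> bool:
    """True if the configuration change is rejected with a ValueError."""
    try:
        action(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The configuration example above: GE1/0/1 mirrored both ways to GE1/0/2.
    ac = MirroringConfig({"GigabitEthernet1/0/1": "Layer 2 Ethernet",
                          "GigabitEthernet1/0/2": "Layer 2 Ethernet"})
    ac.add_group(1)
    ac.set_mirror_port(1, "GigabitEthernet1/0/1", "both")
    ac.set_monitor_port(1, "GigabitEthernet1/0/2")
    print("group 1 complete:", ac.is_complete(1))
```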
User management
In the user management part, you can perform the following configuration:
• Create a local user, and set the password, access level, and service type for the user.
• Set the super password for switching the current Web user level to the management level.
• Switch the current Web user access level to the management level.
Creating a user
1. Select Device > Users from the navigation tree.
2. Click the Create tab.
The page for creating local users appears.
Figure 77 Creating a user
3. Configure the user information as described in Table 44.
4. Click Apply.
Table 44 Configuration items
Item
Description
Username
Set the username for a user.
Access Level
Set the access level for a user. Users of different levels can perform different operations. Web user levels, from low to high, are visitor, monitor, configure, and management.
• Visitor—Users of visitor level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the device.
• Configure—Users of this level can access data on the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform any operations on the device.
Password
Set the password for a user.
Confirm Password
Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
Service Type
Set the service type, including Web, FTP, and Telnet services. You must select one of
them.
Setting the super password
In this part, users of the management level can specify the password for a lower-level user to switch from the current access level to the management level. If no such password is configured, the switchover fails.
To set the super password:
1. Select Device > Users from the navigation tree.
2. Click the Super Password tab.
The super password configuration page appears.
Figure 78 Super password
3. Set the super password as described in Table 45.
4. Click Apply.
Table 45 Configuration items
Item
Description
Create/Remove
Set the operation type:
• Create—Configure or modify the super password.
• Remove—Remove the current super password.
Password
Set the password for a user to switch to the management level.
Confirm Password
Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
Switching the user access level to the management level
This function is provided for a user to switch the current user level to the management level. Note the following:
• Before switching, make sure that the super password is already configured. A user cannot switch to the management level without a super password.
• The access level switchover of a user is valid for the current login only. The access level configured for the user is not changed. When the user logs in to the Web interface again, the access level of the user is still the original level.
To switch the user access level to the management level:
1. Select Device > Users from the navigation tree.
2. Click the Switch To Management tab.
The access level switching page appears.
Figure 79 Switching to the management level
3. Enter the super password.
4. Click Login.
SNMP configuration
SNMP overview
Simple Network Management Protocol (SNMP) offers the communication rules between a management
device and the managed devices on the network; it defines a series of messages, methods and syntaxes
to implement the access and management from the management device to the managed devices. SNMP
shields the physical differences between various devices and realizes automatic management of
products from different manufacturers.
An SNMP enabled network comprises the network management system (NMS) and agents.
The NMS manages agents by exchanging management information through SNMP. The NMS and
managed agents must use the same SNMP version.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1 uses a community name for authentication. The community name defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets with community names that do not pass the authentication on the device are simply discarded. A community name plays a role similar to a key word and can be used to control access from the NMS to the agent.
• SNMPv2c uses a community name for authentication. Compatible with SNMPv1, it extends the functions of SNMPv1. SNMPv2c provides more operation modes such as GetBulk and InformRequest; it supports more data types such as Counter64; and it provides various error codes, thus being able to distinguish errors in more detail.
• SNMPv3 offers authentication that is implemented with a User-Based Security Model (USM). You can set the authentication and privacy functions. The former is used to authenticate the validity of the sending end of the authentication packets, preventing access by illegal users; the latter is used to encrypt packets between the NMS and agents, preventing the packets from being intercepted. USM ensures more secure communication between the SNMP NMS and SNMP agent by authentication with privacy.
For more information about SNMP, see H3C WX Series Access Controllers Network Management and
Monitoring Configuration Guide.
SNMP configuration task list
SNMPv1 or SNMPv2c configuration task list
Perform the tasks in Table 46 to configure SNMPv1 or SNMPv2c.
Table 46 SNMPv1 or SNMPv2c configuration task list
Task
Remarks
Enabling SNMP
Required.
The SNMP agent function is disabled by default.
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view
Optional.
After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP community
Required.
Configuring SNMP trap function
Optional.
Allows you to configure the agent to send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics
Optional.
SNMPv3 configuration task list
Perform the tasks in Table 47 to configure SNMPv3.
Table 47 SNMPv3 configuration task list
Task
Remarks
Enabling SNMP
Required.
The SNMP agent function is disabled by default.
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view
Optional.
After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP group
Required.
After creating an SNMP group, you can add SNMP users to the group when creating the users. Therefore, you can realize centralized management of users in the group through the management of the group.
Configuring an SNMP user
Required.
Before creating an SNMP user, you need to create the SNMP group to which the user belongs.
Configuring SNMP trap function
Optional.
Allows you to configure the agent to send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics
Optional.
Enabling SNMP
1. Select Device > SNMP from the navigation tree.
The SNMP configuration page appears.
Figure 80 Set up
2. Configure SNMP settings on the upper part of the page as described in Table 48.
3. Click Apply.
Table 48 Configuration items
Item
Description
SNMP
Specify to enable or disable SNMP.
Local Engine ID
Configure the local engine ID.
The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size
Configure the maximum size of an SNMP packet that the agent can receive/send.
Contact
Set a character string to describe the contact information for system maintenance.
If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device.
Location
Set a character string to describe the physical location of the device.
SNMP Version
Set the SNMP version run by the system.
Configuring an SNMP view
Creating an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
The view page appears.
Figure 81 View page
3. Click Add.
The Add View window appears.
Figure 82 Creating an SNMP view (1)
4. Enter the view name.
5. Click Apply.
The page in Figure 83 appears.
Figure 83 Creating an SNMP view (2)
6. Configure the parameters as described in Table 49.
7. Click Add.
8. Repeat steps 6 and 7 to add more rules for the SNMP view.
9. Click Apply.
To cancel the view, click Cancel.
Table 49 Configuration items
Item
Description
View Name
Set the SNMP view name.
Rule
Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
MIB Subtree OID
Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).
MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.
Subtree Mask
Set the subtree mask.
If no subtree mask is specified, the default subtree mask (all Fs) will be used for mask-OID matching.
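How the Table 49 rules combine is easiest to see on real object identifiers. The following Python is an added example, not code from the H3C guide: it implements view matching with include/exclude rules, subtree OIDs and subtree masks, and resolves overlapping rules the way RFC 3415 VACM does (the longest matching subtree wins), which the guide does not spell out; the name table and the sample rules are constructed for the example.

```python
"""How the rules of Table 49 (include/exclude, MIB subtree OID, subtree mask)
decide whether an object is visible in an SNMP view. Added example, not H3C
code: rule precedence (longest matching subtree wins) follows RFC 3415 VACM,
which the guide does not state. The name table and sample rules are constructed."""
from typing import List, Optional, Sequence, Tuple

# A few standard MIB-2 names the guide lets you type instead of an OID.
NAMES = {"system": "1.3.6.1.2.1.1", "interfaces": "1.3.6.1.2.1.2"}

# One view rule: (included?, subtree OID or name, subtree mask as hex; "" = all Fs).
Rule = Tuple[bool, str, str]


def parse_oid(text: str) -> Tuple[int, ...]:
    text = NAMES.get(text, text).lstrip(".")
    return tuple(int(part) for part in text.split("."))


def mask_bits(mask_hex: str, length: int) -> List[bool]:
    """Expand the hex mask to one bit per sub-identifier. The most significant
    bit of the first octet covers the first sub-identifier, and a mask shorter
    than the subtree is padded with 1s (the guide's default of all Fs)."""
    bits: List[bool] = []
    for char in mask_hex:
        nibble = int(char, 16)
        bits.extend(bool(nibble & (8 >> i)) for i in range(4))
    bits = bits[:length]
    bits.extend([True] * (length - len(bits)))
    return bits


def in_family(oid: Sequence[int], subtree: Sequence[int], mask_hex: str) -> bool:
    """RFC 3415 view family test: the OID is at least as long as the subtree and
    agrees with it on every position whose mask bit is 1 (0 bits are wildcards)."""
    if len(oid) < len(subtree):
        return False
    return all(not bit or o == s
               for bit, o, s in zip(mask_bits(mask_hex, len(subtree)), oid, subtree))


def view_allows(rules: List[Rule], oid_text: str) -> bool:
    """Apply the rules to one object identifier. When several rules match, the
    one with the longest subtree wins (ties: the lexicographically greater
    subtree), so a narrower exclude can carve a hole out of a wider include."""
    oid = parse_oid(oid_text)
    best: Optional[Tuple[Tuple[int, Tuple[int, ...]], bool]] = None
    for included, subtree_text, mask_hex in rules:
        subtree = parse_oid(subtree_text)
        if not in_family(oid, subtree, mask_hex):
            continue
        key = (len(subtree), subtree)
        if best is None or key > best[0]:
            best = (key, included)
    return best is not None and best[1]


# Constructed view in the spirit of the guide's example: expose the interfaces
# group, but keep ifPhysAddress (1.3.6.1.2.1.2.2.1.6) out of it.
SAMPLE_RULES: List[Rule] = [
    (True, "interfaces", ""),
    (False, "1.3.6.1.2.1.2.2.1.6", ""),
]

# Wildcard example: ifInOctets (1.3.6.1.2.1.2.2.1.10) for any ifIndex. The mask
# FFC0 keeps the first ten sub-identifiers fixed and clears the eleventh.
WILDCARD_RULES: List[Rule] = [(True, "1.3.6.1.2.1.2.2.1.10.3", "FFC0")]


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.1.0", "1.3.6.1.2.1.2.2.1.6.1", "1.3.6.1.2.1.1.1.0"):
        print(oid, "visible" if view_allows(SAMPLE_RULES, oid) else "hidden")
    for oid in ("1.3.6.1.2.1.2.2.1.10.7", "1.3.6.1.2.1.2.2.1.16.7"):
        print(oid, "visible" if view_allows(WILDCARD_RULES, oid) else "hidden")
```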
Adding rules to an SNMP view
1. Select Device > SNMP from the navigation tree.
2. Click the View tab.
The page in Figure 84 appears.
3. Click the icon of the target view.
The Add rule for the view ViewDefault window appears.
Figure 84 Adding rules to an SNMP view
4. Configure the parameters as described in Table 49.
5. Click Apply.
NOTE:
You can modify the rules of a view on the page you enter by clicking the icon of that view.
Configuring an SNMP community
1. Select Device > SNMP from the navigation tree.
2. Click the Community tab.
The community tab page appears.
Figure 85 Configuring an SNMP community
3. Click Add.
The Add SNMP Community page appears.
Figure 86 Creating an SNMP Community
4. Configure SNMP community settings as described in Table 50.
5. Click Apply.
Table 50 Configuration items
Item
Description
Community Name
Set the SNMP community name.
Access Right
Configure SNMP NMS access right.
• Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
• Read and write—The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent.
View
Specify the view associated with the community to limit the MIB objects that
can be accessed by the NMS.
ACL
Associate the community with a basic ACL to allow or prohibit the access to the
agent from the NMS with the specified source IP address.
Configuring an SNMP group
1. Select Device > SNMP from the navigation tree.
2. Click the Group tab.
The group tab page appears.
Figure 87 SNMP group
3. Click Add.
The Add SNMP Group page appears.
Figure 88 Creating an SNMP group
4. Configure SNMP group settings as described in Table 51.
5. Click Apply.
Table 51 Configuration items
Item
Description
Group Name
Set the SNMP group name.
Security Level
Select the security level for the SNMP group. The available security levels are:
• NoAuth/NoPriv—No authentication no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Read View
Select the read view of the SNMP group.
Write View
Select the write view of the SNMP group.
If no write view is configured, the NMS cannot perform write operations to any MIB objects on the device.
Notify View
Select the notify view of the SNMP group, that is, the view that can send trap messages.
If no notify view is configured, the agent does not send traps to the NMS.
ACL
Associate a basic ACL with the group to restrict the source IP address of SNMP packets, that is, you can configure to allow or prohibit SNMP packets with a specific source IP address, so as to restrict the intercommunication between the NMS and the agent.
Configuring an SNMP user
1. Select Device > SNMP from the navigation tree.
2. Click the User tab.
The user tab page appears.
Figure 89 SNMP user
3. Click Add.
The Add SNMP User page appears.
Figure 90 Creating an SNMP user
4. Configure SNMP user settings as described in Table 52.
5. Click Apply.
Table 52 Configuration items
Item
Description
User Name
Set the SNMP user name.
Security Level
Select the security level for the SNMP group. The available security levels are:
• NoAuth/NoPriv—No authentication no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Group Name
Select an SNMP group to which the user belongs.
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
• When the security level is Auth/Priv, you can select an SNMP group of any security level.
Authentication Mode
Select an authentication mode (MD5 or SHA) when the security level is Auth/NoPriv or Auth/Priv.
Authentication Password
Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.
Confirm Authentication Password
The confirm authentication password must be the same as the authentication password.
Privacy Mode
Select a privacy mode (DES56, AES128, or 3DES) when the security level is Auth/Priv.
Privacy Password
Set the privacy password when the security level is Auth/Priv.
Confirm Privacy Password
The confirm privacy password must be the same as the privacy password.
ACL
Associate a basic ACL with the user to restrict the source IP address of SNMP packets, that is, you can configure to allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified NMS to access the agent by using this user name.
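The engine ID note in Table 48 and the MD5/SHA authentication and privacy settings of Table 52 meet in RFC 3414 key localization. The following Python is an added example, not H3C code: it derives a user's localized keys from the passwords and the engine ID (function names are constructed; the test vector is the one in RFC 3414 Appendix A.3) and shows why a user created under a different engine ID stops matching.

```python
"""Why an SNMPv3 user is bound to the engine ID it was created under (Table 48)
and what the MD5/SHA authentication modes of Table 52 do with the password.
Added example, not H3C code: it implements the RFC 3414 password-to-key and
key localization steps; the test vector is from RFC 3414 Appendix A.3."""
import hashlib
from typing import Tuple

# The two authentication modes offered in Table 52 and their hash functions.
AUTH_HASHES = {"MD5": "md5", "SHA": "sha1"}

# RFC 3414 A.3 test values (published by the RFC, not taken from the guide).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, auth_mode: str) -> bytes:
    """Ku (RFC 3414 A.2): hash 1 MiB of the password repeated over and over.
    The expansion makes password guessing more expensive."""
    if not password:
        raise ValueError("password must not be empty")
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(AUTH_HASHES[auth_mode], expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores.
    Because snmpEngineID is mixed in, the same password yields a different key
    on every engine, which is why a user created under an old engine ID no
    longer matches after the local engine ID changes."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets (RFC 3411)")
    return hashlib.new(AUTH_HASHES[auth_mode], ku + engine_id + ku).digest()


def usm_user_keys(auth_mode: str, auth_password: bytes, priv_password: bytes,
                  engine_id: bytes) -> Tuple[bytes, bytes]:
    """Localized (authentication key, privacy key) for one user on one engine.
    The privacy password goes through the same hash as the authentication
    password; DES56 and AES128 use the first 16 octets of the result (3DES
    needs a longer, extended key that is not shown here)."""
    auth_key = localize_key(password_to_key(auth_password, auth_mode),
                            engine_id, auth_mode)
    priv_key = localize_key(password_to_key(priv_password, auth_mode),
                            engine_id, auth_mode)[:16]
    return auth_key, priv_key


def user_survives_engine_change(auth_mode: str, password: bytes,
                                old_engine_id: bytes, new_engine_id: bytes) -> bool:
    """True only if the stored localized key still matches under the new ID."""
    ku = password_to_key(password, auth_mode)
    return (localize_key(ku, old_engine_id, auth_mode)
            == localize_key(ku, new_engine_id, auth_mode))


if __name__ == "__main__":
    ku = password_to_key(RFC_PASSWORD, "MD5")
    print("Ku  (MD5):", ku.hex())
    print("Kul (MD5):", localize_key(ku, RFC_ENGINE_ID, "MD5").hex())
    other = bytes.fromhex("000000000000000000000003")  # constructed second engine ID
    print("user still valid after engine ID change:",
          user_survives_engine_change("MD5", RFC_PASSWORD, RFC_ENGINE_ID, other))
```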
Configuring SNMP trap function
1. Select Device > SNMP from the navigation tree.
2. Click the Trap tab.
The trap configuration page appears.
Figure 91 Traps configuration
3. Select the Enable SNMP Trap box.
4. Click Apply.
5. Click Add.
The page for adding a target host of SNMP traps appears.
Figure 92 Adding a target host of SNMP traps
6. Configure the settings for the target host as described in Table 53.
7. Click Apply.
Table 53 Configuration items
Item
Description
Destination IP Address
Set the destination IP address or domain.
Select the IP address type: IPv4/Domain or IPv6, and then type the corresponding IP address or domain in the field according to the IP address type.
Security Name
Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.
UDP Port
Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (such as using iMC or MIB Browser as the NMS), you can use the default port number. To change this parameter to another value, you need to make sure that the configuration is the same as that on the NMS.
Security Model
Select the security model, that is, the SNMP version, which must be the same as that running on the NMS; otherwise, the NMS cannot receive any trap.
Security Level
Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy.
Displaying SNMP packet statistics
1. Select Device > SNMP from the navigation tree.
The page for displaying SNMP packet statistics appears.
Figure 93 SNMP packet statistics
SNMP configuration example
Network requirements
The NMS connects to the agent, an AC, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the AC is 1.1.1.1/24. Configure SNMP to achieve the following purposes:
• The NMS monitors the agent by using SNMPv3.
• The agent reports errors or faults to the NMS.
Figure 94 Network diagram
Configuring the agent
1. Enable SNMP agent:
a. Select Device > SNMP from the navigation tree.
The page in Figure 95 appears.
b. Select the Enable option.
c. Select the v3 box.
d. Click Apply.
Figure 95 Enabling SNMP
2.
Configure an SNMP view:
a. Click the View tab.
b. Click Add.
The page in Figure 96 appears.
c. Enter view1 in the field.
d. Click Apply.
The page in Figure 97 appears.
e.
Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.
f. Click Apply.
A configuration progress dialog box appears.
g. Click Close after the configuration process is complete.
Figure 96 Creating an SNMP view (1)
Figure 97 Creating an SNMP view (2)
3. Configure an SNMP group:
a. Click the Group tab.
b. Click Add.
The page in Figure 98 appears.
c. Enter group1 in the Group Name field, select view1 from the Read View box, and select view1 from the Write View box.
d. Click Apply.
Figure 98 Creating an SNMP group
4. Configure an SNMP user:
a. Click the User tab.
b. Click Add.
The page in Figure 99 appears.
c. Enter user1 in the User Name field and select group1 from the Group Name box.
d. Click Apply.
Figure 99 Creating an SNMP user
5. Enable the agent to send SNMP traps:
a. Click the Trap tab.
The page in Figure 100 appears.
b. Select the Enable SNMP Trap box.
c. Click Apply.
Figure 100 Enabling the agent to send SNMP traps
6. Add target hosts of SNMP traps:
a. Click Add on the Trap tab.
The page in Figure 101 appears.
b. Select IPv4/Domain as the destination IP address type, enter the destination address 1.1.1.2, enter the user name user1, and select v3 from the Security Model list.
c. Click Apply.
Figure 101 Adding target hosts of SNMP traps
Configuring the NMS
CAUTION:
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform the corresponding operations.
SNMPv3 adopts a security mechanism of authentication and privacy. You must configure the username and security level. According to the configured security level, you must configure the related authentication mode, authentication password, privacy mode, privacy password, and so on.
You must also configure the aging time and retry times. After these configurations, you can configure the device as needed through the NMS. For more information about NMS configuration, see the manual provided for the NMS.
Verifying the configuration
• After the above configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
• If an idle interface on the agent is shut down or brought up, the NMS receives the trap sent by the agent.
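The view1/group1/user1 configuration built in the steps above is an access control chain: the user maps to a group, the group maps to a read view and a write view, and each view admits or excludes MIB subtrees. The following added example (not H3C code) models that decision for GET and SET requests; the subtree numbers are standard MIB-II values, the longest-matching-rule semantics are a simplification of SNMP view families, and the excluded ifAdminStatus rule and sample requests are constructed here.

```python
"""Model of the SNMPv3 view/group/user access control configured above.

Added example, not H3C code: view1 includes the MIB subtree "interfaces",
group1 uses view1 as both read view and write view, and user1 belongs to
group1. Subtree numbers are standard MIB-II values; the ifAdminStatus
exclusion and the sample requests are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

# Standard MIB-II object identifiers used by the samples.
INTERFACES = (1, 3, 6, 1, 2, 1, 2)                 # interfaces subtree (view1)
SYSTEM = (1, 3, 6, 1, 2, 1, 1)                     # system subtree (not in view1)
IF_ADMIN_STATUS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7)   # ifAdminStatus column


def parse_oid(text: str) -> OID:
    """Turn dotted OID text such as '1.3.6.1.2.1.2.2.1.8.1' into a tuple."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class View:
    """A MIB view: each rule includes or excludes one subtree (the Included /
    Excluded radio box on the View tab). The longest matching rule decides;
    this is a simplification of real SNMP view families, which also use masks."""
    name: str
    rules: List[Tuple[OID, bool]] = field(default_factory=list)

    def add_subtree(self, subtree: OID, included: bool = True) -> None:
        self.rules.append((subtree, included))

    def permits(self, oid: OID) -> bool:
        best: Optional[Tuple[OID, bool]] = None
        for subtree, included in self.rules:
            if oid[:len(subtree)] == subtree and (
                    best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


@dataclass
class Group:
    """An SNMP group maps to a read view and a write view (Group tab)."""
    name: str
    read_view: Optional[View]
    write_view: Optional[View]


@dataclass
class Agent:
    """Users (User tab) map to groups; groups map to views."""
    groups: Dict[str, Group] = field(default_factory=dict)
    users: Dict[str, str] = field(default_factory=dict)   # user name -> group name

    def check(self, user: str, op: str, oid_text: str) -> Tuple[bool, str]:
        """Decide whether `user` may perform `op` ('get' or 'set') on an OID.

        Returns (allowed, reason). A request with a user name the agent does
        not know, or for an OID outside the group's view, is refused.
        """
        group_name = self.users.get(user)
        if group_name is None:
            return False, "unknown user"
        group = self.groups[group_name]
        view = group.read_view if op == "get" else group.write_view
        if view is None:
            return False, f"group {group.name} has no {op} view"
        if not view.permits(parse_oid(oid_text)):
            return False, f"OID not in view {view.name}"
        return True, f"{op} permitted by view {view.name}"


def build_example_agent(restrict_admin_status: bool = False) -> Agent:
    """Reproduce the example configuration: view1 -> group1 -> user1.

    With restrict_admin_status=True (an added refinement, not from the guide)
    ifAdminStatus is excluded from view1, so user1 can still read the rest of
    the interfaces subtree but cannot change interface admin state over SNMP.
    """
    view1 = View("view1")
    view1.add_subtree(INTERFACES, included=True)
    if restrict_admin_status:
        view1.add_subtree(IF_ADMIN_STATUS, included=False)
    group1 = Group("group1", read_view=view1, write_view=view1)
    return Agent(groups={"group1": group1}, users={"user1": "group1"})


if __name__ == "__main__":
    agent = build_example_agent(restrict_admin_status=True)
    for user, op, oid in [("user1", "get", "1.3.6.1.2.1.2.2.1.8.1"),   # ifOperStatus.1
                          ("user1", "set", "1.3.6.1.2.1.2.2.1.7.1"),   # ifAdminStatus.1
                          ("user1", "get", "1.3.6.1.2.1.1.5.0"),       # sysName.0
                          ("user2", "get", "1.3.6.1.2.1.2.1.0")]:      # ifNumber.0
        print(user, op, oid, agent.check(user, op, oid))
```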
Loopback
You can check whether an Ethernet port works normally by performing the Ethernet port loopback test,
during which the port cannot forward data packets normally.
Ethernet port loopback test can be an internal loopback test or an external loopback test.
• In an internal loopback test, a self loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.
• In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port will be received by itself through the self-loop header. The external loopback test can be used to check whether there is a hardware failure on the port.
Loopback operation
1. Select Device > Loopback from the navigation tree.
The loopback test configuration page appears.
Figure 102 Loopback test configuration page
2. Configure the loopback test parameters as described in Table 54.
Table 54 Configuration items
Testing type: Set the loopback test type, which can be External or Internal. Support for the test type depends on the device model.
3. Click Test to start the loopback test.
The Result box displays the test results.
Figure 103 Loopback test result
Configuration guidelines
When you perform a loopback test, follow these guidelines:
• You can perform an internal loopback test but not an external loopback test on a port that is physically down, while you can perform neither test on a port that is manually shut down.
• The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under a loopback test.
• An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its original duplex mode after the loopback test.
MAC address configuration
NOTE:
• MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces.
• This chapter covers only the management of static and dynamic MAC address entries, not multicast
MAC address entries.
Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the
MAC address of a connected device, to which interface this device is connected and to which VLAN the
interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static
entries are manually configured and never age out. Dynamic entries can be manually configured or
dynamically learned and will age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1. Checks the frame for the source MAC address (MAC-SOURCE for example).
2. Looks up the MAC address in the MAC address table.
If an entry is found, updates the entry.
If no entry is found, adds an entry for the MAC address and the receiving port (Port A) to the MAC address table.
When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address table and
forwards it from port A.
NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but the latter can
overwrite the former.
When forwarding a frame, the device adopts the following forwarding modes based on the MAC
address table:
• Unicast mode—If an entry matching the destination MAC address exists, the device forwards the frame directly from the sending port recorded in the entry.
• Broadcast mode—If the device receives a frame with the destination address being all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all the ports except the receiving port.
Figure 104 MAC address table of the device (MAC A and MAC B are on Port 1; MAC C and MAC D are on Port 2)
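The learning and forwarding rules above, together with the entry types of Table 55 and the aging time of Table 56, can be exercised in a small simulation. This is an added example, not H3C code; the port names, MAC addresses and aging time are constructed, and the filtering of a frame whose destination sits on the receiving port is standard bridge behaviour assumed here rather than stated in the guide.

```python
"""Simulation of the MAC address table behaviour described above.

Added example, not H3C code. It implements the rules in the text: learn the
source MAC on the receiving port, forward unicast to the recorded port, and
broadcast to all other ports when the destination is all Fs or unknown. It
also applies the entry types from Table 55 and the aging time from Table 56:
static and blackhole entries never age out and are never overwritten by
learning, dynamic entries age out. Port names, MAC addresses and the aging
time below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"   # destination address of all Fs


@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries, which have no egress port
    kind: str             # "static", "dynamic" or "blackhole"
    updated_at: float     # time the entry was created or last refreshed


class MacTable:
    def __init__(self, ports: List[str], aging_time: float = 300.0):
        self.ports = ports
        self.aging_time = aging_time                      # Table 56 "Aging time"
        self.entries: Dict[Tuple[int, str], Entry] = {}   # (VLAN, MAC) -> entry

    def add_static(self, mac: str, vlan: int, port: str, now: float = 0.0) -> None:
        """Manually configured static entry (Table 55 "static"): never ages out."""
        self.entries[(vlan, mac)] = Entry(port, "static", now)

    def add_blackhole(self, mac: str, vlan: int, now: float = 0.0) -> None:
        """Blackhole entry (Table 55 "blackhole"): frames to this MAC are dropped."""
        self.entries[(vlan, mac)] = Entry(None, "blackhole", now)

    def _age_out(self, now: float) -> None:
        """Remove dynamic entries older than the aging time; the others stay."""
        expired = [key for key, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.updated_at >= self.aging_time]
        for key in expired:
            del self.entries[key]

    def _flood(self, in_port: str) -> List[str]:
        """Broadcast mode: every port except the receiving one."""
        return [p for p in self.ports if p != in_port]

    def receive(self, in_port: str, vlan: int, src: str, dst: str, now: float) -> List[str]:
        """Process one frame and return the ports it is sent out of."""
        self._age_out(now)
        # Steps 1-2 of the text: look up the source MAC; add or refresh an entry.
        # Dynamic learning must not overwrite a static or blackhole entry, so a
        # frame that spoofs a statically bound MAC on another port changes nothing.
        current = self.entries.get((vlan, src))
        if current is None or current.kind == "dynamic":
            self.entries[(vlan, src)] = Entry(in_port, "dynamic", now)
        # Forwarding: broadcast when the destination is all Fs or unknown.
        if dst == BROADCAST:
            return self._flood(in_port)
        target = self.entries.get((vlan, dst))
        if target is None:
            return self._flood(in_port)
        if target.kind == "blackhole":
            return []            # silently discarded
        if target.port == in_port:
            return []            # standard bridge filtering; assumed, not stated in the guide
        return [target.port]     # unicast mode


def spoof_scenario() -> Tuple[List[str], str]:
    """Bind a MAC statically to port2, then receive a frame claiming that MAC
    on port3. Returns the ports a later frame to that MAC is sent to, and the
    port still recorded for the MAC (the static entry is not overwritten)."""
    table = MacTable(["port1", "port2", "port3"])
    table.add_static("mac-d", 1, "port2")
    table.receive("port3", 1, "mac-d", BROADCAST, now=1.0)   # spoofed source MAC
    out = table.receive("port1", 1, "mac-a", "mac-d", now=2.0)
    return out, table.entries[(1, "mac-d")].port


if __name__ == "__main__":
    print(spoof_scenario())   # (['port2'], 'port2')
```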
Configuring a MAC address entry
1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device, as shown in Figure 105.
Figure 105 The MAC tab
2. Click Add at the bottom to enter the page for creating MAC address entries, as shown in Figure 106.
Figure 106 Creating a MAC address entry
3. Configure the MAC address entry as described in Table 55.
4. Click Apply.
Table 55 Configuration items
MAC: Set the MAC address to be added.
Type: Set the type of the MAC address entry:
• static—Static MAC address entries that never age out.
• dynamic—Dynamic MAC address entries that will age out.
• blackhole—Blackhole MAC address entries that never age out.
IMPORTANT:
The tab displays the following types of MAC address entries:
• Config static—Static MAC address entries manually configured by the users.
• Config dynamic—Dynamic MAC address entries manually configured by the users.
• Blackhole—Blackhole MAC address entries.
• Learned—Dynamic MAC address entries learned by the device.
• Other—Other types of MAC address entries.
VLAN: Set the ID of the VLAN to which the MAC address belongs.
Port: Set the port to which the MAC address belongs.
Setting the aging time of MAC address entries
1. Select Network > MAC from the navigation tree.
2. Click the Setup tab to enter the page for setting the MAC address entry aging time, as shown in Figure 107.
Figure 107 Setting the aging time for MAC address entries
3. Set the aging time as described in Table 56.
4. Click Apply.
Table 56 Configuration items
No-aging: Specify that the MAC address entry never ages out.
Aging time: Set the aging time for the MAC address entry.
MAC address configuration example
Network requirements
Use the MAC address table management function of the Web-based NMS. Create a static MAC address
00e0-fc35-dc71 for GigabitEthernet 1/0/1 in VLAN 1.
Configuration procedure
1. Create a static MAC address entry:
a. Select Network > MAC from the navigation tree to enter the MAC tab.
b. Click Add.
The page shown in Figure 108 appears.
c. Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list, and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.
Figure 108 Creating a static MAC address entry
VLAN configuration
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on
an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate
VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast
traffic is contained within it, as shown in Figure 109.
Figure 109 A VLAN diagram (labels: VLAN 2, Switch A, Router, Switch B, VLAN 5)
You can implement VLANs based on a variety of criteria. The web interface, however, is available only
for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after
it is assigned to the VLAN.
For more information about VLAN, see H3C WX Series Access Controllers Layer 2 Configuration Guide.
Recommended configuration procedure
1. Creating a VLAN: Required.
2. Modifying a VLAN / 3. Modifying a port: Required. Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.
Creating a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page as shown in Figure 110.
Figure 110 VLAN configuration page
TIP:
To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the VLAN Range field and click Select, and all undesired VLANs will be filtered out. If you click Remove, all VLANs within this range will be deleted.
2. Click Add to enter the page for creating a VLAN, as shown in Figure 111.
3. Enter the ID of the VLAN you want to create.
4. Click Apply.
Figure 111 Creating a VLAN
Modifying a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page as shown in Figure 110.
2. Click the icon of the VLAN you want to modify to enter the page as shown in Figure 112.
Figure 112 Modifying a VLAN
3. Configure the description and port members for the VLAN as described in Table 57.
4. Click Apply.
Table 57 Configuration items
ID: Displays the ID of the VLAN to be modified.
Description: Set the description string of the VLAN. By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.
Port (Untagged Member, Tagged Member, Not a Member): Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
IMPORTANT:
When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed to hybrid.
Modifying a port
1. Select Network > VLAN from the navigation tree.
2. Click the Port tab to enter the page as shown in Figure 113.
Figure 113 Port configuration page
3. Click the icon for the port to be modified to enter the page as shown in Figure 114.
Figure 114 Modifying a port
4. Configure the port as described in Table 58.
5. Click Apply.
Table 58 Configuration items
Port: Displays the port to be modified.
Untagged Member: Displays the VLAN(s) to which the port belongs as an untagged member.
Tagged Member: Displays the VLAN(s) to which the port belongs as a tagged member.
Member Type (Untagged, Tagged, Not a Member): Select the Untagged, Tagged, or Not a Member option:
• Untagged—Indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
• Tagged—Indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
• Not a Member—Removes the port from the VLAN.
IMPORTANT:
• You cannot configure an access port as an untagged member of a nonexistent VLAN.
• When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed to hybrid.
• You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.
VLAN ID: Specify the VLAN to which the port belongs.
VLAN configuration examples
Network requirements
As shown in Figure 115:
• GigabitEthernet 1/0/1 of AC is connected to GigabitEthernet 1/0/1 of Switch.
• GigabitEthernet 1/0/1 on both devices are hybrid ports with VLAN 100 as their default VLAN.
• Configure GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Figure 115 Network diagram
Configuring AC
1. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN tab.
b. Click Add.
c. Enter VLAN IDs 2,6-50,100, as shown in Figure 116.
d. Click Apply.
Figure 116 Creating a VLAN
2. Configure GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
a. Enter 100 in the VLAN Range field, as shown in Figure 117.
b. Click Select to display only the information of VLAN 100.
Figure 117 Selecting a VLAN
c. Click the icon of VLAN 100.
d. Select the Untagged Member option for port GigabitEthernet 1/0/1, as shown in Figure 118.
e. Click Apply.
Figure 118 Modifying a VLAN
3. Configure GigabitEthernet 1/0/1 as a tagged member of VLAN 2, and VLAN 6 through VLAN 50:
a. Select Network > VLAN from the navigation tree and then select the Port tab.
b. Click the icon of port GigabitEthernet 1/0/1.
c. Select the Tagged option, and enter VLAN IDs 2, 6-50, as shown in Figure 119.
Figure 119 Modifying a port
d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click OK in the dialog box.
Configuring Switch
The configuration on Switch is similar to that on AC.
Configuration guidelines
When you configure VLANs, follow these guidelines:
• VLAN 1 is the default VLAN, which cannot be manually created or removed.
• Some VLANs are reserved for special purposes. You cannot manually create or remove them.
• Dynamic VLANs cannot be manually removed.
ARP configuration
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or
physical address).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Introduction to gratuitous ARP
Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device, the sender MAC address is the MAC address of the sending device, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device will be informed of the conflict by an ARP reply.
• Inform other devices of the change of its MAC address.
Learning of gratuitous ARP packets
With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP
entries, but not to create new ARP entries.
Displaying ARP entries
Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown
in Figure 120. All ARP entries are displayed on the page.
Figure 120 ARP Table configuration page
Creating a static ARP entry
1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120.
2. Click Add to enter the New Static ARP Entry page, as shown in Figure 121.
Figure 121 Adding a static ARP entry
3. Configure the static ARP entry as described in Table 59.
4. Click Apply.
Table 59 Configuration items
IP Address: Enter an IP address for the static ARP entry.
MAC Address: Enter a MAC address for the static ARP entry.
Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry.
IMPORTANT:
The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to the VLAN. The corresponding VLAN interface must have been created.
Removing ARP entries
1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120.
2. Remove ARP entries:
To remove specific ARP entries, select the target ARP entries, and click Del Selected.
To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
To remove all static ARP entries, click Delete Static.
To remove all dynamic ARP entries, click Delete Dynamic.
Configuring gratuitous ARP
1. Select Network > ARP Management from the navigation tree.
2. Click the Gratuitous ARP tab to enter the page shown in Figure 122.
Figure 122 Gratuitous ARP configuration page
3. Configure gratuitous ARP as described in Table 60.
Table 60 Configuration items
Disable gratuitous ARP packets learning function: Disable learning of ARP entries according to gratuitous ARP packets. Enabled by default.
Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment. Disabled by default.
Static ARP configuration example
Network requirements
To enhance communication security between the AC and the router, configure a static ARP entry on the
AC.
Figure 123 Network diagram
Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the default VLAN page.
b. Click Add.
c. Enter 100 for VLAN ID, as shown in Figure 124.
d. Click Apply.
Figure 124 Creating VLAN 100
2. Add GigabitEthernet 1/0/1 to VLAN 100:
a. On the VLAN page, click the icon of VLAN 100.
b. Select the Untagged Member option for GigabitEthernet1/0/1.
c. Click Apply.
Figure 125 Adding GigabitEthernet 1/0/1 to VLAN 100
3. Configure VLAN-interface 100:
a. Select Device > Interface from the navigation tree.
b. Click Add.
c. On the page that appears, select Vlan-interface from the Interface Name list and enter 100, select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24 (255.255.255.0) for Mask.
d. Click Apply.
Figure 126 Configuring VLAN-interface 100
4. Create a static ARP entry:
a. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.
b. Click Add.
c. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options option, enter 100 for VLAN ID, and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.
Figure 127 Creating a static ARP entry
ARP attack protection configuration
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple
features to detect and prevent such attacks. This chapter mainly introduces these features.
ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
• User validity check—The device compares the sender IP and MAC addresses of a received ARP packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
• ARP packet validity check—The device does not check ARP packets received from an ARP trusted port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet based on source MAC address, destination MAC address, or source and destination IP addresses. ARP packets that fail the check are discarded.
For more information about ARP detection, see H3C WX Series Access Controllers Security
Configuration Guide.
Source MAC address based ARP attack detection
This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address within five seconds exceeds the specified threshold, the
device considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the device generates a log message upon receiving an ARP packet sourced
from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),
or only generates a log message upon receiving an ARP packet sourced from that MAC address (in
monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from
being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
ARP active acknowledgement
The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry.
ARP packet source MAC address consistency check
This feature enables a gateway device to filter out ARP packets with the source MAC address in the
Ethernet header different from the sender MAC address in the ARP message, so that the gateway device
can learn correct ARP entries.
Configuring ARP detection
NOTE:
If both the ARP detection based on specified objects and the ARP detection based on static IP Source
Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are
enabled, the former one applies first, and then the latter applies.
1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page shown in Figure 128.
Figure 128 ARP Detection configuration page
2. Configure ARP detection as described in Table 61.
3. Click Apply.
Table 61 Configuration items
VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the Disabled VLANs list box and click the << button. To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the list box and click the >> button.
Trusted Ports: Select trusted ports and untrusted ports. To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the << button. To remove ports from the Trusted Ports list box, select one or multiple ports from the list box and click the >> button.
ARP Packet Validity Check: Select ARP packet validity check modes, including:
• Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
• Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header.
• Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address, and discard the ARP reply whose source and destination IP addresses are all 0s, all 1s, or multicast addresses.
ARP packet validity check takes precedence over user validity check. If none of the above is selected, the system does not check the validity of ARP packets.
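The three validity checks in Table 61 (the first is the source MAC address consistency check described earlier in this chapter) and the gratuitous ARP pattern from the ARP chapter can be demonstrated on raw frames. The following is an added example, not H3C code: it parses an Ethernet + ARP frame and reports which checks it fails. The target MAC check is applied to replies only, an assumption made here because a normal request carries an all-zero target MAC; the sample frames are constructed from the addresses used in the static ARP and MAC address configuration examples.

```python
"""Parser and validity checks for ARP frames, following Table 61.

Added example, not H3C code. Applies the three ARP packet validity checks
(the first is the source MAC address consistency check) and flags gratuitous
ARP, where sender IP equals target IP. The target MAC check is applied to
replies only (assumption: a normal request carries an all-zero target MAC).
Sample frames reuse addresses from the guide's ARP and MAC examples.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen oper sha spa tha tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAC_ZERO, MAC_BCAST = b"\x00" * 6, b"\xff" * 6


def mac(text: str) -> bytes:
    """Convert H3C-style '00e0-fc01-0000' (or colon notation) to 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    oper: int
    sha: bytes            # sender MAC inside the ARP message
    spa: IPv4Address      # sender IP
    tha: bytes            # target MAC inside the ARP message
    tpa: IPv4Address      # target IP

    @property
    def gratuitous(self) -> bool:
        """Gratuitous ARP: sender IP and target IP are both the sender's address."""
        return self.spa == self.tpa


def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return ArpFrame(eth_dst, eth_src, oper, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def _invalid_ip(ip: IPv4Address) -> bool:
    """All 0s, all 1s, or multicast, as listed in the third check of Table 61."""
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def validate(arp: ArpFrame, src_mac: bool = True, dst_mac: bool = True,
             ip: bool = True) -> List[str]:
    """Return the failed checks; an empty list means the packet passes.
    The three flags correspond to the three selectable checks in Table 61."""
    failures = []
    if src_mac and arp.sha != arp.eth_src:
        failures.append("sender MAC differs from Ethernet source MAC")
    if dst_mac and arp.oper == ARP_REPLY and (
            arp.tha in (MAC_ZERO, MAC_BCAST) or arp.tha != arp.eth_dst):
        failures.append("target MAC all 0s, all 1s or differs from Ethernet destination MAC")
    if ip and arp.oper == ARP_REQUEST and _invalid_ip(arp.spa):
        failures.append("request sender IP is all 0s, all 1s or multicast")
    if ip and arp.oper == ARP_REPLY and (_invalid_ip(arp.spa) or _invalid_ip(arp.tpa)):
        failures.append("reply sender or target IP is all 0s, all 1s or multicast")
    return failures


def build_arp(eth_dst: bytes, eth_src: bytes, oper: int, sha: bytes, spa: str,
              tha: bytes, tpa: str) -> bytes:
    """Assemble a frame; used only to construct the sample frames."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


# Constructed samples: router 192.168.1.1 / 00e0-fc01-0000 and AC 192.168.1.2
# from the static ARP example; 00e0-fc35-dc71 from the MAC address example.
ROUTER_MAC, AC_MAC = mac("00e0-fc01-0000"), mac("00e0-fc35-dc71")
SAMPLES = {
    "normal request": build_arp(MAC_BCAST, ROUTER_MAC, ARP_REQUEST, ROUTER_MAC,
                                "192.168.1.1", MAC_ZERO, "192.168.1.2"),
    # Ethernet source and ARP sender MAC disagree: fails the first check.
    "spoofed reply": build_arp(AC_MAC, ROUTER_MAC, ARP_REPLY, AC_MAC,
                               "192.168.1.1", AC_MAC, "192.168.1.2"),
    "gratuitous request": build_arp(MAC_BCAST, AC_MAC, ARP_REQUEST, AC_MAC,
                                    "192.168.1.2", MAC_BCAST, "192.168.1.2"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        parsed = parse_arp(frame)
        print(f"{name}: gratuitous={parsed.gratuitous} failures={validate(parsed)}")
```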
Configuring other ARP attack protection functions
Other ARP attack protection functions include source MAC address based ARP attack detection, ARP
active acknowledgement, and ARP packet source address consistency check.
1. Select Network > ARP Anti-Attack from the navigation tree.
2. Click the Advanced Configuration tab to enter the page shown in Figure 129.
Figure 129 Advanced Configuration page
3. Configure ARP attack protection parameters as described in Table 62.
4. Click Apply.
Table 62 Configuration items
Source MAC Address Attack Detection:
Detection Mode: Select the detection mode for source MAC address based ARP attack detection. The detection mode can be:
• Disable—The source MAC address attack detection is disabled.
• Filter Mode—The device generates an alarm and filters out ARP packets sourced from a MAC address if the number of ARP packets received from the MAC address within five seconds exceeds the specified value.
• Monitor Mode—The device only generates an alarm if the number of ARP packets sent from a MAC address within five seconds exceeds the specified value.
Aging Time: Enter the aging time of the source MAC address based ARP attack detection entries.
Threshold: Enter the threshold of source MAC address based ARP attack detection.
Protected MAC Configuration: Add a protected MAC address in the following way:
1. Expand Protected MAC Configuration; the contents are displayed as shown in Figure 130.
2. Enter a MAC address.
3. Click Add.
A protected MAC address is excluded from ARP attack detection even if it is an attacker. You can specify certain MAC addresses, such as that of a gateway or an important server, as protected MAC addresses.
Enable ARP Packet Active Acknowledgement: Enable or disable ARP packet active acknowledgement.
Enable Source MAC Address Consistency Check: Enable or disable source MAC address consistency check.
Figure 130 Protected MAC configuration
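Source MAC address based ARP attack detection, as described at the start of this chapter and configured through Table 62, is a per-MAC rate check with a five-second window, a detection table that ages out, two modes and a protected list. The following is an added example, not H3C code, replaying constructed traffic through that logic; the threshold, aging time and sample MAC addresses (the gateway MAC is the one from the static ARP example) are constructed values.

```python
"""Source MAC address based ARP attack detection (Table 62 semantics).

Added example, not H3C code. Counts ARP packets per source MAC within a
five-second window; exceeding the threshold creates an attack detection
entry that, until it ages out, drops further ARP packets from that MAC in
filter mode or only logs them in monitor mode. Protected MACs are exempt.
Threshold, aging time and the replayed traffic are constructed values.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

WINDOW = 5.0   # the guide counts ARP packets per MAC within five seconds


class SourceMacArpDetector:
    def __init__(self, mode: str, threshold: int, aging_time: float,
                 protected: Optional[Set[str]] = None):
        if mode not in ("disable", "filter", "monitor"):
            raise ValueError("mode must be disable, filter or monitor")
        self.mode = mode                                  # Detection Mode
        self.threshold = threshold                        # Threshold
        self.aging_time = aging_time                      # Aging Time
        self.protected = set(protected or ())             # Protected MAC Configuration
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.attackers: Dict[str, float] = {}             # MAC -> time entry was created
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        """Drop attack detection entries older than the aging time."""
        for mac in [m for m, t in self.attackers.items() if now - t >= self.aging_time]:
            del self.attackers[mac]

    def arp_packet(self, src_mac: str, now: float) -> str:
        """Handle one ARP packet delivered to the CPU; return 'forward' or 'drop'."""
        if self.mode == "disable" or src_mac in self.protected:
            return "forward"
        self._expire(now)
        if src_mac in self.attackers:
            # Entry still present: log every packet, drop it only in filter mode.
            self.log.append(f"{now:.1f} ARP attack from {src_mac}")
            return "drop" if self.mode == "filter" else "forward"
        window = self.recent[src_mac]
        window.append(now)
        while window and now - window[0] >= WINDOW:
            window.popleft()
        if len(window) > self.threshold:
            self.attackers[src_mac] = now
            window.clear()
            self.log.append(f"{now:.1f} ARP attack detected from {src_mac}")
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def run_sample(mode: str) -> Tuple[Dict[str, int], SourceMacArpDetector]:
    """Replay constructed traffic; return dropped-packet counts per MAC and the detector."""
    gateway = "00e0-fc01-0000"   # router MAC from the static ARP example, protected here
    host = "00e0-fc00-0001"      # constructed: a normal host, 3 ARP/s for 10 s
    flooder = "00e0-fc00-00aa"   # constructed: 50 ARP packets within one second
    det = SourceMacArpDetector(mode, threshold=30, aging_time=60.0, protected={gateway})
    traffic = [(host, t / 3) for t in range(30)]
    traffic += [(gateway, 0.01 * i) for i in range(100)]   # busy gateway, never filtered
    traffic += [(flooder, 0.02 * i) for i in range(50)]
    traffic += [(flooder, 70.0)]                            # after the entry has aged out
    traffic.sort(key=lambda p: p[1])
    drops: Dict[str, int] = defaultdict(int)
    for mac, t in traffic:
        if det.arp_packet(mac, t) == "drop":
            drops[mac] += 1
    return dict(drops), det


if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        drops, det = run_sample(mode)
        print(mode, drops, f"{len(det.log)} log lines, entries left: {list(det.attackers)}")
```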
IGMP snooping configuration
Overview
Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs
on Layer 2 devices to manage and control multicast groups.
By analyzing received IGMP messages, a Layer 2 device that is running IGMP snooping establishes
mappings between ports and multicast MAC addresses and forwards multicast data based on these
mappings.
As shown in Figure 131, when IGMP snooping is not running on the switch, multicast packets are flooded
to all devices at Layer 2. However, when IGMP snooping is running on the switch, multicast packets for
known multicast groups are multicast to the receivers, rather than broadcast to all hosts, at Layer 2.
Figure 131 Multicast forwarding before and after IGMP snooping runs
IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides
the following advantages:
• Reducing Layer 2 broadcast packets and saving network bandwidth
• Enhancing the security of multicast packets
• Facilitating the implementation of accounting for each host
For more information about IGMP snooping, see H3C WX Series Access Controllers IP Multicast Configuration Guide.
Recommended configuration procedure
1. Enabling IGMP snooping globally: Required. By default, IGMP snooping is disabled.
2. Configuring IGMP snooping on a VLAN: Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN.
IMPORTANT:
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.
3. Configuring IGMP snooping on a port: Optional. Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.
IMPORTANT:
• Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.
• IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled on the VLAN interface.
4. Displaying IGMP snooping multicast entry information: Optional.
Enabling IGMP snooping globally
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.
2. Select Enable, and click Apply.
Figure 132 Basic IGMP snooping configurations
Configuring IGMP snooping on a VLAN
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.
2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 133.
Figure 133 Configuring IGMP snooping in the VLAN
3. Configure IGMP snooping as described in Table 63.
4. Click Apply.
Table 63 Configuration items
VLAN ID: This field displays the ID of the VLAN to be configured.
IGMP snooping: Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here.
Version: By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process.
• IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages, which will be flooded in the VLAN.
• IGMP snooping version 3 can process IGMPv1, IGMPv2, and IGMPv3 messages.
Drop Unknown: Enable or disable the function of dropping unknown multicast packets. Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
• With the function of dropping unknown multicast data enabled, the device drops all the unknown multicast data received.
• With the function of dropping unknown multicast data disabled, the device floods unknown multicast data in the VLAN to which the unknown multicast data belong.
Querier: Enable or disable the IGMP snooping querier function. On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To address this issue, you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer, thereby implementing IGMP querier-related functions.
Query interval: Configure the IGMP query interval.
General Query Source IP: Source IP address of IGMP general queries.
Special Query Source IP: Source IP address of IGMP group-specific queries.
Configuring IGMP snooping on a port
1.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2.
Click the Advanced tab to enter the page shown in Figure 134.
155
Figure 134 Advanced configuration
3.
Configure IGMP snooping on a port as described in Table 64.
4.
Click Apply.
Table 64 Configuration items
Item
Description
Port
Select the port on which advanced IGMP snooping features are to be configured.
After a port is selected, advanced features configured on this port are displayed at the lower part of
this page.
VLAN ID
Specify a VLAN in which you can configure the fast leave function for the port or the maximum number
of multicast groups allowed on the port.
Group Limit
Configure the maximum number of multicast groups that the port can join.
With this feature, you can regulate multicast traffic on the port.
IMPORTANT:
• When the number of multicast groups a port has joined reaches the configured threshold, the system
deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table,
and the hosts on this port must join the multicast groups again.
• Support for the maximum number of multicast groups that a port can join may vary depending on
your device model. For more information, see "Feature matrixes."
Fast Leave
Enable or disable the fast leave function for the port.
With the fast leave function enabled on a port, the device, when receiving an IGMP leave message on
the port, immediately deletes that port from the outgoing port list of the corresponding forwarding table
entry. Then, when receiving IGMP group-specific queries for that multicast group, the device will not
forward them to that port. In VLANs where only one host is attached to each port, the fast leave function
helps improve bandwidth and resource usage.
IMPORTANT:
If fast leave is enabled for a port to which more than one host is attached, when one host leaves a
multicast group, the other hosts listening to the same multicast group will fail to receive multicast data.
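The following Python model, added here as an example and not taken from the H3C guide or its software, plays out the two behaviours Table 64 describes: Fast Leave pruning a port at once, and a Group Limit flushing the port's entries. Port names, VLAN 100 and the host names are constructed; reading "reaches the configured threshold" as "a join that would exceed the limit" is this example's assumption; and the per-port list of interested hosts exists only in the simulation, since a real switch does not know how many hosts sit behind a port (which is exactly why fast leave on a shared port loses traffic).

```python
"""Model of the IGMP snooping forwarding table with the Fast Leave and Group Limit
behaviour described in Table 64.  Added example; not code from the H3C guide."""
from collections import defaultdict


class IgmpSnoopingTable:
    def __init__(self):
        self.entries = defaultdict(set)    # (vlan, group) -> member ports
        self.port_cfg = {}                 # (vlan, port) -> {"fast_leave", "group_limit"}
        # Hosts still interested per (vlan, group, port).  A real switch does not
        # know this; it is tracked here only to show who loses traffic.
        self.listeners = defaultdict(set)

    def configure_port(self, vlan, port, fast_leave=False, group_limit=None):
        self.port_cfg[(vlan, port)] = {"fast_leave": fast_leave, "group_limit": group_limit}

    def _cfg(self, vlan, port):
        return self.port_cfg.get((vlan, port), {"fast_leave": False, "group_limit": None})

    def groups_on_port(self, vlan, port):
        return {g for (v, g), ports in self.entries.items() if v == vlan and port in ports}

    def _prune(self, vlan, group, port):
        ports = self.entries.get((vlan, group))
        if ports is not None:
            ports.discard(port)
            if not ports:
                del self.entries[(vlan, group)]

    def flush_port(self, vlan, port):
        """Delete every forwarding entry the port appears in (the Group Limit penalty)."""
        for group in list(self.groups_on_port(vlan, port)):
            self._prune(vlan, group, port)
            self.listeners.pop((vlan, group, port), None)

    def report(self, vlan, port, group, host):
        """IGMP membership report from `host` on `port`.  Returns True if the join stuck."""
        limit = self._cfg(vlan, port)["group_limit"]
        joined = self.groups_on_port(vlan, port)
        if limit is not None and group not in joined and len(joined) + 1 > limit:
            # Reading of Table 64 taken here (assumption): a join that would take the
            # port past the limit wipes all entries on the port; every host must re-join.
            self.flush_port(vlan, port)
            return False
        self.entries[(vlan, group)].add(port)
        self.listeners[(vlan, group, port)].add(host)
        return True

    def leave(self, vlan, port, group, host):
        """IGMP leave from `host`.  Returns True if the port was removed from the entry."""
        self.listeners[(vlan, group, port)].discard(host)
        if self._cfg(vlan, port)["fast_leave"]:
            # Fast leave: prune at once; no group-specific query goes to the port,
            # so other hosts on the same port get no chance to answer.
            self._prune(vlan, group, port)
            return True
        # Normal leave: the device sends group-specific queries; any host still
        # interested answers with a report and the port stays in the entry.
        if self.listeners[(vlan, group, port)]:
            return False
        self._prune(vlan, group, port)
        return True

    def forwards_to(self, vlan, group):
        return set(self.entries.get((vlan, group), ()))

    def starved_hosts(self, vlan, group):
        """Hosts that still want `group` but whose port is no longer in the entry."""
        ports = self.forwards_to(vlan, group)
        return {h for (v, g, p), hosts in self.listeners.items()
                if v == vlan and g == group and p not in ports for h in hosts}


def demo(fast_leave_on_shared_port=True):
    """Two hosts behind GE1/0/3; hostB leaves.  Returns (starved hosts,
    over-limit join accepted?, groups left on the limited port)."""
    t = IgmpSnoopingTable()
    t.configure_port(100, "GE1/0/2", fast_leave=True)   # one host: safe to fast-leave
    t.configure_port(100, "GE1/0/3", fast_leave=fast_leave_on_shared_port)
    t.configure_port(100, "GE1/0/4", group_limit=2)
    t.report(100, "GE1/0/2", "224.1.1.1", "hostA")
    t.report(100, "GE1/0/3", "224.1.1.1", "hostB")
    t.report(100, "GE1/0/3", "224.1.1.1", "hostC")
    t.leave(100, "GE1/0/3", "224.1.1.1", "hostB")        # hostC still wants the stream
    t.report(100, "GE1/0/4", "224.1.1.1", "hostD")
    t.report(100, "GE1/0/4", "224.1.1.2", "hostD")
    accepted = t.report(100, "GE1/0/4", "224.1.1.3", "hostD")
    return t.starved_hosts(100, "224.1.1.1"), accepted, t.groups_on_port(100, "GE1/0/4")
```

With fast leave on the shared port, demo() reports hostC as starved: the port was pruned the moment hostB left. Run with fast_leave_on_shared_port=False and the starved set is empty, because the device then sends a group-specific query that hostC answers. The third join on GE1/0/4 is rejected and leaves the port with no groups at all, which is the re-join cost the IMPORTANT note warns about.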
Displaying IGMP snooping multicast entry information
1.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 132.
2.
Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown
in Figure 135.
Figure 135 Displaying entry information
3.
Click the icon corresponding to an entry to display the detailed information of the entry, as shown in
Figure 136.
Figure 136 Detailed information of an entry
Table 65 Field description
Field
Description
VLAN ID
ID of the VLAN to which the entry belongs.
Source
Multicast source address, where 0.0.0.0 indicates all multicast sources.
Group
Multicast group address.
Router port
All router ports.
Member port
All member ports.
IGMP snooping configuration examples
Network requirements
•
As shown in Figure 137, Router A connects to a multicast source (Source) through Ethernet 1/2, and
to AC through Ethernet 1/1.
•
The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast
group.
•
IGMPv2 runs on Router A and IGMP snooping version 2 runs on AC.
•
The function of dropping unknown multicast packets is enabled on AC to prevent AC from flooding
multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.
•
The fast leave function is enabled for GigabitEthernet 1/0/2 on AC to improve bandwidth and
resource usage.
Figure 137 Network diagram
Configuring IP addresses
Configure the IP address for each interface, as shown in Figure 137. (Details not shown.)
Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
(Details not shown.)
Configuring the AC
1.
Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.
b. Click Add.
c.
Enter the VLAN ID 100, as shown in Figure 138.
d. Click Apply.
Figure 138 Creating VLAN 100
2.
Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as untagged members of VLAN
100:
a. Click the icon of VLAN 100 to enter its configuration page.
b. Select the Untagged Member option for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2,
as shown in Figure 139.
c.
Click Apply.
Figure 139 Adding a port to the VLAN
3.
Enable IGMP snooping globally:
a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration
page.
b. Select the Enable option for IGMP Snooping.
c.
Click Apply.
Figure 140 Enabling IGMP snooping globally
4.
Enable IGMP snooping and the function of dropping unknown multicast data on VLAN 100:
a. Click the icon corresponding to VLAN 100.
b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for
Version, and select the Enable option for Drop Unknown.
c.
Click Apply.
Figure 141 Configuring the VLAN
5.
Enable the fast leave function for GigabitEthernet 1/0/2:
a. Click the Advanced tab.
b. Select GigabitEthernet 1/0/2 from the Port list, enter the VLAN ID 100, and select the Enable
option for Fast Leave.
c.
Click Apply.
Figure 142 Advanced configuration
Verifying the configuration
Display the IGMP snooping multicast entry information on AC.
1.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2.
Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown
in Figure 143.
Figure 143 IGMP snooping multicast entry information displaying page
3.
Click the icon corresponding to the multicast entry to view information about this entry, as shown in
Figure 144. The page shows that GigabitEthernet 1/0/2 of AC is added to multicast group 224.1.1.1.
Figure 144 Information about an IGMP snooping multicast entry
IPv4 and IPv6 routing configuration
NOTE:
The term router in this document refers to routers, access controllers, unified switches, and access
controller modules.
Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host. Routing provides the path information that guides the
forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static
routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault
or a topological change occurs in the network, the network administrator must modify the static routes
manually.
For more information about routing table and static routing, see H3C WX Series Access Controllers Layer
3 Configuration Guide.
Displaying the IPv4 active route table
Select Network > IPv4 Routing from the navigation tree to enter the page shown in Figure 145.
Figure 145 IPv4 active route table
Table 66 Field description
Field
Description
Destination IP Address
Mask
Destination IP address and subnet mask of the IPv4 route.
Protocol
Protocol that discovered the IPv4 route.
Preference
Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop
Next hop IP address of the IPv4 route.
Interface
Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent
out the interface.
Creating an IPv4 static route
1.
Select Network > IPv4 Routing from the navigation tree.
2.
Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 146.
Figure 146 Creating an IPv4 static route
3.
Specify relevant information as described in Table 67.
4.
Click Apply.
Table 67 Configuration items
Item
Description
Destination IP Address
Enter the destination host or network IP address, in dotted decimal notation.
Mask
Enter the mask of the destination IP address.
You can enter a mask length or a mask in dotted decimal notation.
Preference
Set a preference value for the static route. The smaller the number, the higher the preference.
For example, specifying the same preference for multiple static routes to the same destination enables
load sharing on the routes, while specifying different preferences enables route backup.
Next Hop
Enter the next hop IP address, in dotted decimal notation.
Interface
Select the outgoing interface.
You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you
select NULL 0, packets to the destination are discarded and the destination IP address is unreachable.
Displaying the IPv6 active route table
Select Network > IPv6 Routing from the navigation tree to enter the page shown in Figure 147.
Figure 147 IPv6 active route table
Table 68 Field description
Field
Description
Destination IP Address
Prefix Length
Destination IP address and prefix length of the IPv6 route.
Protocol
Protocol that discovered the IPv6 route.
Preference
Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop
Next hop IP address of the IPv6 route.
Interface
Outgoing interface of the IPv6 route. Packets destined for the specified network segment will be sent
out the interface.
Creating an IPv6 static route
1.
Select Network > IPv6 Routing from the navigation tree.
2.
Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 148.
Figure 148 Creating an IPv6 static route
3.
Specify relevant information as described in Table 69.
4.
Click Apply.
Table 69 Configuration items
Item
Description
Destination IP Address
Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6
address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by
a 4-digit hexadecimal integer.
Prefix Length
Enter the prefix length of the destination IPv6 address.
Preference
Set a preference value for the static route. The smaller the number, the higher the preference.
For example, specifying the same preference for multiple static routes to the same destination enables
load sharing on the routes, while specifying different preferences for them enables route backup.
Next Hop
Enter the next hop address, in the same format as the destination IP address.
Interface
Select the outgoing interface.
You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you
select NULL 0, packets to the destination are discarded and the destination IPv6 address is unreachable.
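Route selection as Tables 67 and 69 describe it, written out as a Python model (an added example, not code from the guide or the device): the most specific prefix wins, then the lowest preference value; routes with equal preference share load, a higher preference value serves as backup, and a route out NULL 0 discards. The table is Switch B's from the two static route examples that follow; the interface names, the backup route via 1.1.6.6, the two equal-cost routes for 1.1.7.0/24 and the 10.0.0.0/8 blackhole are hypothetical additions, and the default static-route preference of 60 is assumed.

```python
"""Route selection for the static routes of Tables 67 and 69: longest prefix match,
then lowest preference; equal preference shares load, a NULL0 route discards.
Added example; not code from the H3C guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    destination: str            # "1.1.3.0/24" or "3::/64"
    next_hop: Optional[str]     # None when the interface alone identifies the path (NULL0)
    interface: str              # Layer 3 interface name, or "NULL0"
    preference: int = 60        # default static-route preference assumed here; lower wins

    @property
    def network(self):
        return ipaddress.ip_network(self.destination, strict=False)


class RoutingTable:
    def __init__(self):
        self.routes: List[StaticRoute] = []

    def add(self, route: StaticRoute) -> None:
        self.routes.append(route)

    def withdraw(self, route: StaticRoute) -> None:
        self.routes.remove(route)

    def active(self, dst: str) -> List[StaticRoute]:
        """Routes that would forward `dst`: most specific prefix, then best preference."""
        addr = ipaddress.ip_address(dst)
        matching = [r for r in self.routes
                    if r.network.version == addr.version and addr in r.network]
        if not matching:
            return []
        longest = max(r.network.prefixlen for r in matching)
        specific = [r for r in matching if r.network.prefixlen == longest]
        best = min(r.preference for r in specific)
        return [r for r in specific if r.preference == best]

    def next_hops(self, dst: str) -> List[Tuple[Optional[str], str]]:
        """(next hop, interface) pairs that share traffic to `dst`.
        Empty list means unreachable: no route, or the winning route points at NULL0."""
        return [(r.next_hop, r.interface) for r in self.active(dst) if r.interface != "NULL0"]


def switch_b_table() -> RoutingTable:
    """Switch B from the IPv4 and IPv6 examples, plus hypothetical backup, load-sharing
    and blackhole routes.  Interface names are assumed; the guide does not show them."""
    rt = RoutingTable()
    rt.add(StaticRoute("1.1.2.0/24", "1.1.4.1", "Vlan-interface200"))      # towards Switch A
    rt.add(StaticRoute("1.1.3.0/24", "1.1.5.6", "Vlan-interface300"))      # towards AC
    rt.add(StaticRoute("1.1.3.0/24", "1.1.6.6", "Vlan-interface400", 70))  # hypothetical backup
    rt.add(StaticRoute("1.1.7.0/24", "1.1.4.1", "Vlan-interface200"))      # hypothetical: two
    rt.add(StaticRoute("1.1.7.0/24", "1.1.5.6", "Vlan-interface300"))      # equal-cost paths
    rt.add(StaticRoute("10.0.0.0/8", None, "NULL0"))                       # hypothetical blackhole
    rt.add(StaticRoute("10.1.0.0/16", "1.1.4.1", "Vlan-interface200"))     # more specific wins
    rt.add(StaticRoute("1::/64", "4::1", "Vlan-interface200"))
    rt.add(StaticRoute("3::/64", "5::1", "Vlan-interface300"))
    return rt


def failover_demo() -> Tuple[List, List]:
    """Show the backup route taking over once the primary to 1.1.3.0/24 is withdrawn."""
    rt = switch_b_table()
    before = rt.next_hops("1.1.3.2")
    rt.withdraw(StaticRoute("1.1.3.0/24", "1.1.5.6", "Vlan-interface300"))
    return before, rt.next_hops("1.1.3.2")
```

failover_demo() returns the primary path first and the preference-70 path once the primary is withdrawn; 10.5.5.5 resolves to no next hop because the only match is the NULL0 route, while 10.1.2.3 follows the more specific /16.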
IPv4 static route configuration example
Network requirements
The IP addresses of devices are shown in Figure 149. IPv4 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.
Figure 149 Network diagram
Configuration outlines
1.
On Switch A, configure a default route with Switch B as the next hop.
2.
On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3.
On AC, configure a default route with Switch B as the next hop.
Configuration procedure
1.
Configure a default route with the next hop address 1.1.4.2 on Switch A.
2.
Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop
address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address
1.1.5.6.
3.
Configure a default route on AC:
a. Select Network > IPv4 Routing from the navigation tree.
b. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 150.
c.
Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
d. Click Apply.
Figure 150 Configuring a default route
Verifying the configuration
1.
Display the route table:
Enter the IPv4 route page of Switch A, Switch B, and AC, respectively, to verify that the newly
configured static routes are displayed as active routes on the page.
2.
Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2
Pinging 1.1.3.2 with 32 bytes of data:
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Ping statistics for 1.1.3.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
IPv6 static route configuration example
Network requirements
The IP addresses of devices are shown in Figure 151. IPv6 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.
Figure 151 Network diagram
(Addresses shown in the diagram: Switch A has Vlan-int100 1::1/64 and Vlan-int200 4::1/64; Switch B
has Vlan-int200 4::2/64 and Vlan-int300 5::2/64; AC has Vlan-int300 5::1/64 and Vlan-int500 3::1/64;
Host A is 1::2/64 on Switch A; Host B is 3::2/64, reached through the AP.)
Configuration outlines
1.
On Switch A, configure a default route with Switch B as the next hop.
2.
On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3.
On AC, configure a default route with Switch B as the next hop.
Configuration procedure
1.
Configure a default route with the next hop address 4::2 on Switch A.
2.
Configure two static routes on Switch B: one with destination address 1::/64 and next hop
address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3.
Configure a default route on AC:
a. Select Network > IPv6 Routing from the navigation tree.
b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 152.
c.
Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
d. Click Apply.
Figure 152 Configuring a default route
Verifying the configuration
1.
Display the route table:
Enter the IPv6 route page of Switch A, Switch B, and AC, respectively, to verify that the newly
configured static routes are displayed as active routes on the page.
2.
Ping Host B from Switch A:
<SwitchA> system-view
[SwitchA] ping ipv6 3::2
PING 3::2 : 56 data bytes, press CTRL_C to break
Reply from 3::2
bytes=56 Sequence=1 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=2 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=3 hop limit=254 time = 62 ms
Reply from 3::2
bytes=56 Sequence=4 hop limit=254 time = 63 ms
Reply from 3::2
bytes=56 Sequence=5 hop limit=254 time = 63 ms
--- 3::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms
Configuration guidelines
When you configure a static route, follow these guidelines:
1.
If you do not specify the preference when you configure a static route, the default preference is
used. Reconfiguration of the default preference applies only to newly created static routes.
Currently, the Web interface does not support configuration of the default preference.
2.
When you configure a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet
interface and VLAN interface.
3.
When specifying the output interface, note that:
• If NULL 0 or a loopback interface is specified as the output interface, there is no need to
configure the next hop address.
• If a point-to-point interface is specified as the output interface, you do not need to specify the
next hop or change the configuration after the peer address has changed. For example, a PPP
interface obtains the peer's IP address through PPP negotiation, and therefore, you only need
to specify it as the output interface.
• If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint
networks, the IP address-to-link layer address mapping must be established. Therefore, H3C
recommends that you specify the next hop IP address when you configure it as the output
interface.
• If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
VLAN interface) as the output interface, which may have multiple next hops, you must specify
the next hop at the same time.
DHCP overview
NOTE:
• After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and
other configuration parameters from the DHCP server. This facilitates configuration and centralized
management. For more information about the DHCP client configuration, see "Interface management."
• For more information about DHCP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 153 shows a typical DHCP application.
Figure 153 A typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent.
Figure 154 DHCP relay agent application (DHCP clients reach the DHCP server across an IP network
through the DHCP relay agent)
Introduction to DHCP snooping
NOTE:
The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
As a DHCP security feature, DHCP snooping can implement the following:
1.
Recording IP-to-MAC mappings of DHCP clients
2.
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports
that connect to DHCP clients, and VLANs to which the ports belong.
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and
network configuration parameters, and cannot communicate normally with other network devices. With
DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients
obtain IP addresses from authorized DHCP servers only.
•
Trusted—A trusted port forwards DHCP messages normally.
•
Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from
any DHCP server.
Recommended configuration procedure (for DHCP server)
Step
Remarks
1. Enabling DHCP
Required.
Enable DHCP globally.
By default, global DHCP is disabled.
2. Creating an address pool for the DHCP server:
Creating a static address pool for the DHCP server
Creating a dynamic address pool for the DHCP server
Required.
Use at least one approach.
IMPORTANT:
• If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the
same network segment as the interface with the DHCP server enabled; otherwise, the clients will fail
to obtain IP addresses.
• If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same
network segment as the DHCP relay agent interface must be configured; otherwise, the client will
fail to obtain an IP address.
3. Enabling the DHCP server on an interface
Optional.
With DHCP enabled, interfaces work in the DHCP server mode.
With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server will
assign an IP address from its address pool to the DHCP client.
IMPORTANT:
• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest
configuration takes effect.
• The DHCP server works on interfaces with IP addresses manually configured only.
4. Displaying information about assigned IP addresses
Optional.
Enabling DHCP
1.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Select the Enable option on the upper part of the page to enable DHCP globally.
Figure 155 DHCP configuration page
Creating a static address pool for the DHCP server
1.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Select the Static option in the Address Pool field to view all static address pools.
3.
Click Add to enter the page shown in Figure 156.
Figure 156 Creating a static address pool
4.
Configure the static address pool as described in Table 70.
5.
Click Apply.
Table 70 Configuration items
Item
Description
IP Pool Name
Enter the name of a static address pool.
IP Address
Mask
Enter an IP address and select a subnet mask for the static address pool.
The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address
conflict may occur and the bound client cannot obtain an IP address correctly.
You can enter a mask length or a mask in dotted decimal notation.
Client MAC Address
Client ID
Configure the client MAC address or the client ID for the static address pool.
IMPORTANT:
The client ID must be identical to the ID of the client to be bound. Otherwise, the client cannot obtain
an IP address.
Client Domain Name
Enter the domain name suffix for the client.
With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the
domain name suffix for name resolution.
Gateway Address
Enter the gateway addresses for the client.
A DHCP client that wants to access an external host needs to send requests to a gateway. You can
specify gateways in each address pool and the DHCP server will assign gateway addresses while
assigning an IP address to the client.
Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
Enter the DNS server addresses for the client.
To allow the client to access a host on the Internet through DNS, you need to specify a DNS server
address.
Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
Enter the WINS server addresses for the client.
If b-node is specified for the client, you do not need to specify any WINS server address.
Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
Select the NetBIOS node type for the client.
Creating a dynamic address pool for the DHCP server
1.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3.
Click Add to enter the page shown in Figure 157.
Figure 157 Creating a dynamic address pool
4.
Configure the dynamic address pool as described in Table 71.
5.
Click Apply.
Table 71 Configuration items
Item
Description
IP Pool Name
Enter the name of a dynamic address pool.
IP Address
Mask
Enter an IP address segment for dynamic allocation.
To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers
from dynamic allocation.
You can enter a mask length or a mask in dotted decimal notation.
Lease Duration
Configure the address lease duration for the address pool, either as days/hours/minutes/seconds or as
Unlimited.
Unlimited indicates an infinite duration.
Client Domain Name
Enter the domain name suffix for the client.
With the suffix assigned, the client only needs to enter part of a domain name, and the system will add
the domain name suffix for name resolution.
Gateway Address
Enter the gateway addresses for the client.
DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You
can specify gateways in each address pool for clients and the DHCP server will assign gateway
addresses while assigning an IP address to the client.
Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address
Enter the DNS server addresses for the client.
To allow the client to access a host on the Internet via the host name, you need to specify DNS server
addresses.
Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.
WINS Server Address
Enter the WINS server addresses for the client.
If b-node is specified for the client, you do not need to specify any WINS server address.
Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type
Select the NetBIOS node type for the client.
Enabling the DHCP server on an interface
1.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Click the icon next to a specific interface to enter the page shown in Figure 158.
3.
Select the Enable option for DHCP Server.
4.
Click Apply.
Figure 158 Configuring a DHCP server interface
Displaying information about assigned IP addresses
1.
Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown
in Figure 155.
2.
Click Addresses in Use in the Address In Use field on the lowest part of the page to view
information about the IP address assigned from the address pool.
Figure 159 Displaying addresses in use
Table 72 Field description
Field
Description
IP Address
Assigned IP address.
Client MAC Address/Client
ID
Client MAC address or client ID bound to the IP address.
Pool Name
Name of the DHCP address pool where the IP address belongs.
Lease Expiration
Lease time of the IP address.
Recommended configuration procedure (for DHCP relay agent)
Step
Remarks
1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent
Required.
Enable DHCP globally and configure advanced DHCP parameters.
By default, global DHCP is disabled.
2. Creating a DHCP server group
Required.
To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and
correlate a relay agent interface with the server group. When the interface receives requesting
messages from clients, the relay agent will forward them to all the DHCP servers of the group.
3. Enabling the DHCP relay agent on an interface
Required.
Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server group.
With DHCP enabled, interfaces work in the DHCP server mode by default.
IMPORTANT:
• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest
configuration takes effect.
• If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on
this interface must contain a VLAN tag and the VLAN tag must be the same as the VLAN ID of the
subinterface; otherwise, the packet is discarded.
• The DHCP relay agent works on interfaces with IP addresses manually configured only.
• If an Ethernet subinterface serves as a DHCP relay agent, it conveys IP addresses only to
subinterfaces of DHCP clients. In this case, a PC cannot obtain an IP address as a DHCP client.
4. Configuring and displaying clients' IP-to-MAC bindings
Optional.
Create a static IP-to-MAC binding, and view static and dynamic bindings.
The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP
addresses. It also supports static bindings. In other words, you can manually configure IP-to-MAC
bindings on the DHCP relay agent, so that users can access external networks using fixed IP addresses.
By default, no static binding is created.
Enabling DHCP and configuring advanced parameters for the DHCP relay agent
1.
Select Network > DHCP from the navigation tree.
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
Figure 160 DHCP relay agent configuration page
3.
Select the Enable option for DHCP Service.
4.
Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration
field, as shown in Figure 161.
Figure 161 Advanced DHCP relay agent configuration field
5.
Configure the advanced DHCP relay agent parameters as described in Table 73.
6.
Click Apply. You must also click Apply for enabling the DHCP service.
Table 73 Configuration items
Item
Description
Unauthorized Server Detect
Enable or disable unauthorized DHCP server detection.
Unauthorized DHCP servers on a network reply to DHCP clients with wrong IP addresses.
With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the IP address
of any DHCP server that assigned an IP address to the DHCP client, together with the receiving
interface. The administrator can use this information to identify unauthorized DHCP servers. The device
records each DHCP server once; the administrator must pick out the unauthorized servers from the log
information. After the recorded DHCP server information is cleared, the relay agent starts recording
server information again following the same mechanism.
Dynamic Bindings Refresh
Enable or disable periodic refresh of dynamic client entries.
Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server
to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP
server and does not remove the IP address from the dynamic client entries. To solve this problem, the
periodic refresh of dynamic client entries feature is introduced.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the
DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specified
interval, which means that the IP address is assignable now, the DHCP relay agent ages out the
client entry.
• If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent
does not age it out.
Track Timer Interval
Set the refresh interval for dynamic client entries.
If the Auto option is selected, the refresh interval is calculated by the relay agent according to the
number of client entries.
Creating a DHCP server group
1.
Select Network > DHCP from the navigation tree.
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
In the Server Group field, click Add to enter the page as shown in Figure 162.
Figure 162 Creating a server group
4.
Specify the DHCP server group information as described in Table 74.
5.
Click Apply.
Table 74 Configuration items
Item
Description
Server Group ID
Enter the ID of a DHCP server group.
You can create up to 20 DHCP server groups.
IP Address
Enter the IP address of a server in the DHCP server group.
The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent.
Otherwise, the client cannot obtain an IP address.
Enabling the DHCP relay agent on an interface
1.
Select Network > DHCP from the navigation tree.
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
In the Interface Config field, click the icon of a specific interface to enter the page as shown in
Figure 163.
Figure 163 Configuring a DHCP relay agent interface
4.
Configure the parameters as described in Table 75.
5.
Click Apply.
Table 75 Configuration items
Item
Description
Interface Name
This field displays the name of a specific interface.
DHCP Relay
Enable or disable the DHCP relay agent on the interface.
If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.
Address Match Check
Enable or disable IP address check.
With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC
addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access
outside networks via the DHCP relay agent. This prevents invalid IP address configuration.
Server Group ID
Correlate the interface with a DHCP server group.
A DHCP server group can be correlated with multiple interfaces.
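The three relay agent mechanisms of Tables 73 and 75, unauthorized server detection, periodic refresh of dynamic bindings and Address Match Check, modelled in Python as an added example that is not code from the guide or the device. The interface name, server and client addresses and MACs are constructed; the probe callback stands in for the DHCP-REQUEST the relay sends and for the track timer; and flagging a recorded server because it belongs to no configured server group is this example's own heuristic, since the guide leaves identifying the unauthorized server to the administrator reading the log.

```python
"""DHCP relay agent features from Tables 73 and 75: unauthorized server detection,
periodic refresh of dynamic bindings, and Address Match Check.
Added example; not code from the H3C guide."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class RelayBinding:
    ip: str
    mac: str
    interface: str
    static: bool = False


class DhcpRelay:
    def __init__(self, interface_macs: Dict[str, bytes]):
        self.interface_macs = interface_macs            # relay interface -> its MAC (constructed)
        self.server_groups: Dict[int, List[str]] = {}   # group ID -> server IPs (Table 74)
        self.interface_group: Dict[str, int] = {}       # relay interface -> group ID
        self.address_check: Set[str] = set()            # interfaces with Address Match Check on
        self.bindings: Dict[str, RelayBinding] = {}     # client IP -> binding
        self.unauthorized_detect = False
        self.seen_servers: Dict[str, str] = {}          # server IP -> interface it replied on

    def add_server_group(self, group_id: int, servers: List[str]) -> None:
        self.server_groups[group_id] = list(servers)

    def enable_interface(self, interface: str, group_id: int, address_match_check=False) -> None:
        self.interface_group[interface] = group_id
        if address_match_check:
            self.address_check.add(interface)

    def relay_request(self, interface: str) -> List[str]:
        """A client request on `interface` is copied to every server of its group."""
        return list(self.server_groups[self.interface_group[interface]])

    def relay_reply(self, interface: str, server_ip: str, client_mac: str, client_ip: str) -> None:
        """Server reply assigning `client_ip`: record the dynamic binding and, with
        detection on, log the replying server once (Table 73)."""
        if self.unauthorized_detect and server_ip not in self.seen_servers:
            self.seen_servers[server_ip] = interface
        self.bindings[client_ip] = RelayBinding(client_ip, client_mac, interface)

    def clear_server_records(self) -> None:
        """After a clear, servers are logged afresh on their next reply."""
        self.seen_servers.clear()

    def suspicious_servers(self) -> Dict[str, str]:
        """Recorded servers that belong to no configured server group (example heuristic)."""
        known = {ip for servers in self.server_groups.values() for ip in servers}
        return {ip: ifc for ip, ifc in self.seen_servers.items() if ip not in known}

    def add_static_binding(self, ip: str, mac: str, interface: str) -> None:
        self.bindings[ip] = RelayBinding(ip, mac, interface, static=True)

    def permit(self, interface: str, client_ip: str, client_mac: str) -> bool:
        """Address Match Check (Table 75): with the check on, traffic crosses the relay
        only if the client's IP and MAC match a static or dynamic binding on that interface."""
        if interface not in self.address_check:
            return True
        b = self.bindings.get(client_ip)
        return b is not None and b.mac == client_mac and b.interface == interface

    def refresh_dynamic_bindings(self, probe: Callable[[str, bytes], Optional[str]]) -> List[str]:
        """Dynamic Bindings Refresh (Table 73).  `probe(ip, relay_mac)` stands in for the
        DHCP-REQUEST the relay sends with the client's IP and its own interface MAC, and
        returns "ACK", "NAK" or None for no answer within the track timer.
        ACK or no answer: the address is free again, age the entry out.  NAK: keep it."""
        aged = []
        for ip, b in list(self.bindings.items()):
            if b.static:
                continue
            if probe(ip, self.interface_macs[b.interface]) != "NAK":
                del self.bindings[ip]
                aged.append(ip)
        return aged


def demo():
    relay = DhcpRelay({"Vlan-interface100": bytes.fromhex("000fe2aabbcc")})
    relay.add_server_group(1, ["10.1.1.1"])                   # authorized server (constructed)
    relay.enable_interface("Vlan-interface100", 1, address_match_check=True)
    relay.unauthorized_detect = True
    client = "00:11:22:33:44:55"
    relay.relay_reply("Vlan-interface100", "10.1.1.1", client, "192.0.2.10")
    relay.relay_reply("Vlan-interface100", "10.1.1.250", "66:77:88:99:aa:bb", "192.0.2.77")
    suspects = relay.suspicious_servers()                      # {"10.1.1.250": "Vlan-interface100"}
    ok = relay.permit("Vlan-interface100", "192.0.2.10", client)
    spoof = relay.permit("Vlan-interface100", "192.0.2.10", "de:ad:be:ef:00:01")
    # Server confirms .10 is still leased (NAK); nobody answers for .77 (timeout).
    aged = relay.refresh_dynamic_bindings(lambda ip, mac: "NAK" if ip == "192.0.2.10" else None)
    return suspects, ok, spoof, aged
```

In demo() the reply from 10.1.1.250 is logged once and stands out because no server group contains it; the legitimate client passes the match check while a host reusing its address with another MAC does not; and the refresh ages out only the entry the server no longer defends with a NAK.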
Configuring and displaying clients' IP-to-MAC bindings
1.
Select Network > DHCP from the navigation tree
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
In the User Information field, click User Information to view static and dynamic bindings, as shown
in Figure 164.
Figure 164 Displaying clients' IP-to-MAC bindings
4.
Click Add to enter the page shown in Figure 165.
Figure 165 Creating a static IP-to-MAC binding
5.
Configure static IP-to-MAC binding as described in Table 76.
6.
Click Apply.
Table 76 Configuration items
Item
Description
IP Address
Enter the IP address of a DHCP client.
MAC Address
Enter the MAC address of the DHCP client.
Interface Name
Select the Layer 3 interface connected with the DHCP client.
IMPORTANT:
The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address
entry conflicts may occur.
Recommended configuration procedure (for DHCP snooping)
Step
Remarks
1. Enabling DHCP snooping
Required.
By default, DHCP snooping is disabled.
2. Configuring DHCP snooping functions on an interface
Required.
Specify an interface as trusted and configure DHCP snooping to support Option 82.
By default, an interface is untrusted and DHCP snooping does not support Option 82.
IMPORTANT:
You need to specify the ports connected to the authorized DHCP servers as trusted to make sure that
DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client
must be in the same VLAN.
3. Displaying clients' IP-to-MAC bindings
Optional.
Display clients' IP-to-MAC bindings recorded by DHCP snooping.
Enabling DHCP snooping
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3. Select the Enable option for DHCP Snooping.
Figure 166 DHCP snooping configuration page
Configuring DHCP snooping functions on an interface
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3. In the Interface Config field, click the icon of a specific interface to enter the page as shown in Figure 167.
Figure 167 DHCP snooping interface configuration page
4. Configure the parameters as described in Table 77.
5. Click Apply.
Table 77 Configuration items
Item
Description
Interface Name
This field displays the name of a specific interface.
Interface State
Configure the interface as trusted or untrusted. Only a trusted interface forwards DHCP server replies; replies received on an untrusted interface are not forwarded, which blocks rogue DHCP servers on client-facing ports.
Option 82 Support
Configure DHCP snooping to support Option 82 or not.
Option 82 Strategy
Select the handling strategy for DHCP requests containing Option 82. The strategies include:
• Drop—The message is discarded if it contains Option 82.
• Keep—The message is forwarded without its Option 82 being changed.
• Replace—The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format.
Displaying clients' IP-to-MAC bindings
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3. Click User Information to enter the DHCP snooping user information page, as shown in Figure 168.
Figure 168 DHCP snooping user information
4. View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 78.
Table 78 Configuration items
Item
Description
IP Address
This field displays the IP address assigned by the DHCP server to the client.
MAC Address
This field displays the MAC address of the client.
Type
This field displays the client type, which can be:
• Dynamic—The IP-to-MAC binding is generated dynamically.
• Static—The IP-to-MAC binding is configured manually. Currently, static bindings are not supported.
Interface Name
This field displays the device interface to which the client is connected.
VLAN
This field displays the VLAN to which the client belongs.
Remaining Lease Time
This field displays the remaining lease time of the IP address.
DHCP server configuration example
Network requirements
As shown in Figure 169, the DHCP client on subnet 10.1.1.0/24 obtains an IP address dynamically from the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24.
In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address is 10.1.1.1.
Figure 169 Network diagram (AC as DHCP server with Vlan-int2 10.1.1.1/24; Host and AP as DHCP clients)
Configuration procedure
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
b. Select the Enable option for DHCP Service.
Figure 170 Enabling DHCP
2. Enable the DHCP server on VLAN-interface 2. (This operation can be omitted because the DHCP server is enabled on the interface by default.)
a. In the Interface Config field, click the icon of VLAN-interface 2.
b. Select the Enable option for DHCP Server.
c. Click Apply.
Figure 171 Enabling the DHCP server on VLAN-interface 2
3. Configure a dynamic address pool for the DHCP server:
a. Select the Dynamic option in the Address Pool field (default setting), and click Add.
b. On the page that appears, enter test for IP Pool Name, enter 10.1.1.0 for IP Address, enter 255.255.255.0 for Mask, enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and enter 10.1.1.1 for Gateway Address.
c. Click Apply.
Figure 172 Configuring a dynamic address pool for the DHCP server
DHCP relay agent configuration example
Network requirements
As shown in Figure 173, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24.
The AC forwards messages between DHCP clients and the DHCP server.
Figure 173 Network diagram
Configuration procedure
NOTE:
Because the DHCP relay agent and server are on different subnets, you must configure a static route or dynamic routing protocol so they can communicate.
1. Enable DHCP:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Relay tab.
c. Select the Enable option for DHCP Service.
d. Click Apply.
Figure 174 Enabling DHCP
2. Configure a DHCP server group:
a. In the Server Group field, click Add.
b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.
c. Click Apply.
Figure 175 Adding a DHCP server group
3. Enable the DHCP relay agent on VLAN-interface 1:
a. In the Interface Config field, click the icon of VLAN-interface 1.
b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 176 Enabling the DHCP relay agent on an interface and correlating it with a server group
DHCP snooping configuration example
Network requirements
As shown in Figure 177, a DHCP snooping device (AC) is connected to a DHCP server through GigabitEthernet 1/0/2, and to an AP through GigabitEthernet 1/0/1.
• Enable DHCP snooping on the AC and configure DHCP snooping to support Option 82. Configure the handling strategy for DHCP requests containing Option 82 as replace.
• Enable GigabitEthernet 1/0/2 to forward DHCP server responses; disable GigabitEthernet 1/0/1 from forwarding DHCP server responses.
• Configure the AC to record clients' IP-to-MAC address bindings from DHCP-REQUEST messages and from DHCP-ACK messages received on a trusted port.
Figure 177 Network diagram
Configuration procedure
1. Enable DHCP snooping:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Snooping tab.
c. Select the Enable option for DHCP Snooping.
Figure 178 Enabling DHCP snooping
2. Configure DHCP snooping functions on GigabitEthernet 1/0/2:
a. Click the icon of GigabitEthernet 1/0/2 in the interface list.
b. Select the Trust option for Interface State.
c. Click Apply.
Figure 179 Configuring DHCP snooping functions on GigabitEthernet 1/0/2
3. Configure DHCP snooping functions on GigabitEthernet 1/0/1:
a. Click the icon of GigabitEthernet 1/0/1 in the interface list.
b. Select the Untrust option for Interface State, select the Enable option for Option 82 Support, and select Replace from the Option 82 Strategy list.
c. Click Apply.
Figure 180 Configuring DHCP snooping functions on GigabitEthernet 1/0/1
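The following is an added example, not code from H3C or from this guide. It models what the snooping example above configures on the AC, and also the relay agent's Address Match Check described earlier: server replies are only accepted on the trusted port, Option 82 in client requests is dropped, kept or replaced according to the port's strategy, the IP-to-MAC binding is recorded from the DHCP-ACK seen on the trusted port, and a client is then allowed through the relay only if its IP/MAC pair matches a binding. The "normal" Option 82 format (circuit ID = VLAN:port, remote ID = device MAC), the insertion of Option 82 into requests that do not carry it, the stripping of Option 82 from replies, the AC MAC address and the client messages are all constructed assumptions for the demonstration.

```python
"""Model of DHCP snooping on the AC: trusted/untrusted ports, Option 82
strategies, the IP-to-MAC binding table, and the relay agent's Address
Match Check against that table. Added example, not H3C code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2                 # DHCP 'op' field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5    # DHCP message type (option 53)

@dataclass
class Dhcp:
    op: int                                   # 1 = client request, 2 = server reply
    chaddr: str                               # client hardware (MAC) address
    options: dict = field(default_factory=dict)   # option code -> value
    yiaddr: str = "0.0.0.0"                   # address the server offers/assigns

@dataclass
class Port:
    trusted: bool = False                     # only trusted ports may carry server replies
    option82: bool = False                    # Option 82 support on this port
    strategy: str = "replace"                 # drop | keep | replace, for requests that carry 82

@dataclass
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    lease: int                                # seconds, from option 51

class Snooper:
    def __init__(self, device_mac: str):
        self.device_mac = device_mac
        self.ports: Dict[str, Port] = {}
        self.bindings: Dict[str, Binding] = {}            # keyed by client MAC
        self._pending: Dict[str, Tuple[str, int]] = {}    # MAC -> (port, vlan) of last request
        self.dropped = []

    def normal_option82(self, port: str, vlan: int) -> bytes:
        # Assumed "normal" padded format: sub-option 1 = circuit ID (VLAN:port),
        # sub-option 2 = remote ID (the snooping device's MAC).
        circuit = f"{vlan}:{port}".encode()
        remote = bytes.fromhex(self.device_mac.replace(":", ""))
        return bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote

    def process(self, msg: Dhcp, ingress: str, vlan: int) -> Optional[Dhcp]:
        """Return the message to forward, or None if snooping drops it."""
        port = self.ports[ingress]
        if msg.op == BOOTREPLY:
            if not port.trusted:              # a rogue server on a client-facing port
                self.dropped.append(f"{ingress}: server reply on untrusted port")
                return None
            if msg.options.get(53) == ACK and msg.chaddr in self._pending:
                cport, cvlan = self._pending.pop(msg.chaddr)
                self.bindings[msg.chaddr] = Binding(
                    msg.yiaddr, msg.chaddr, cport, cvlan, msg.options.get(51, 0))
            msg.options.pop(82, None)         # assumption: relay info is stripped before the client sees it
            return msg
        self._pending[msg.chaddr] = (ingress, vlan)       # remember where the client is
        if port.option82:
            if 82 in msg.options:
                if port.strategy == "drop":
                    self.dropped.append(f"{ingress}: request already carried Option 82")
                    return None
                if port.strategy == "replace":
                    msg.options[82] = self.normal_option82(ingress, vlan)
                # keep: forward unchanged
            else:
                msg.options[82] = self.normal_option82(ingress, vlan)   # assumption: insert when absent
        return msg

    def address_match(self, ip: str, mac: str) -> bool:
        """The relay agent's Address Match Check: pass only if IP and MAC
        match a recorded binding."""
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip

def demo() -> Snooper:
    """Walk the Figure 177 topology with constructed messages."""
    s = Snooper("00:e0:fc:00:00:01")                        # assumed AC MAC
    s.ports["GigabitEthernet1/0/2"] = Port(trusted=True)    # towards the DHCP server
    s.ports["GigabitEthernet1/0/1"] = Port(option82=True, strategy="replace")  # towards the AP
    client = "00:11:22:33:44:55"
    req = Dhcp(BOOTREQUEST, client, {53: REQUEST, 82: b"\x01\x03bad"})   # spoofed Option 82
    fwd = s.process(req, "GigabitEthernet1/0/1", 1)         # Option 82 replaced
    ack = Dhcp(BOOTREPLY, client, {53: ACK, 51: 907200, 82: fwd.options[82]}, yiaddr="10.1.1.10")
    s.process(ack, "GigabitEthernet1/0/2", 1)               # binding recorded from the trusted port
    rogue = Dhcp(BOOTREPLY, client, {53: OFFER}, yiaddr="192.168.0.99")
    s.process(rogue, "GigabitEthernet1/0/1", 1)             # dropped: reply on untrusted port
    return s
```

The lease of 907200 seconds in the constructed ACK is the ten days and twelve hours used by the DHCP server example; the rogue OFFER on GigabitEthernet 1/0/1 is what the untrusted setting exists to stop.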
DNS configuration
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
There are two types of DNS services, static and dynamic. After a user specifies a name, the device checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, some
frequently queried name-to-IP address mappings are stored in the local static name resolution table to
improve efficiency.
Static domain name resolution
Configuring static domain name resolution is to set up mappings between domain names and IP
addresses manually. IP addresses of the corresponding domain names can be found in the static domain
resolution table when you use applications such as telnet.
Dynamic domain name resolution
Dynamic domain name resolution is implemented by querying the DNS server.
DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy,
which forwards the request to the designated DNS server, and conveys the reply from the DNS server to
the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy instead of on each DNS client.
For more information about DNS, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Recommended configuration procedure
Configuring static name resolution table
Step
Remarks
Configuring static name resolution table
Required.
By default, no host name-to-IP address mappings are configured in the static domain name resolution table.
Configuring dynamic domain name resolution
Step
Remarks
1. Configuring dynamic domain name resolution
Required.
This function is disabled by default.
2. Adding a DNS server address
Required.
Not configured by default.
3. Adding a domain name suffix
Optional.
Not configured by default.
4. Clearing dynamic DNS cache
Optional.
Configuring DNS proxy
Step
Remarks
1. Configuring DNS proxy
Required.
By default, the device is not a DNS proxy.
2. Adding a DNS server address
Required.
Not configured by default.
Configuring static name resolution table
1. Select Network > DNS from the navigation tree to enter the default static domain name resolution configuration page shown in Figure 181.
Figure 181 Static domain name resolution configuration page
2. Click Add to enter the page shown in Figure 182.
Figure 182 Creating a static domain name resolution entry
3. Configure the parameters as described in Table 79.
4. Click Apply.
Table 79 Configuration items
Item
Description
Host Name
Host IP Address
Configure the mapping between a host name and an IP address in the static domain name table.
Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the last configured one takes effect.
Configuring dynamic domain name resolution
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Enable option for Dynamic DNS.
4. Click Apply.
Figure 183 Dynamic domain name resolution configuration page
Configuring DNS proxy
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Enable option for DNS Proxy.
4. Click Apply.
Adding a DNS server address
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Click Add IP to enter the page shown in Figure 184.
4. Enter an IP address in the DNS Server IP Address field.
5. Click Apply.
Figure 184 Adding a DNS server address
Adding a domain name suffix
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Click Add Suffix to enter the page shown in Figure 185.
4. Enter a DNS suffix in the DNS Domain Name Suffix field.
5. Click Apply.
Figure 185 Adding a domain name suffix
Clearing dynamic DNS cache
1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Clear Dynamic DNS cache box.
4. Click Apply.
DNS configuration example
Network requirements
As shown in Figure 186, the AC wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16.
The AC serves as a DNS client, and uses dynamic domain name resolution and the suffix to access the host with the domain name host.com and the IP address 3.1.1.1/16.
Figure 186 Network diagram
NOTE:
• Before performing the following configuration, make sure that the AC and the host are reachable to each other, and the IP addresses of the interfaces are configured as shown in Figure 186.
• This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
Configuring the DNS server
1. Create zone com:
a. Select Start > Programs > Administrative Tools > DNS.
b. As shown in Figure 187, right-click Forward Lookup Zones and select New Zone.
c. Follow the instructions to create a new zone named com.
Figure 187 Creating a zone
2. Create a mapping between host name and IP address:
a. In Figure 188, right-click zone com, and then select New Host.
Figure 188 Adding a host
b. In the dialog box shown in Figure 189, enter host name host and IP address 3.1.1.1.
c. Click Add Host.
Figure 189 Adding a mapping between domain name and IP address
Configuring the AC
1. Enable dynamic domain name resolution:
a. Select Network > DNS from the navigation tree.
b. Click the Dynamic tab.
c. Select the Enable option for Dynamic DNS, as shown in Figure 190.
d. Click Apply.
Figure 190 Enabling dynamic domain name resolution
2. Configure the DNS server address:
a. Click Add IP in Figure 190 to enter the page for adding a DNS server IP address.
b. Enter 2.1.1.2 for DNS Server IP Address, as shown in Figure 191.
c. Click Apply.
Figure 191 Adding a DNS server address
3. Configure the domain name suffix:
a. Click Add Suffix in Figure 190.
b. Enter com for DNS Domain Name Suffix, as shown in Figure 192.
c. Click Apply.
Figure 192 Adding a DNS domain name suffix
Verifying the configuration
Use the ping host command on the AC to verify that the AC can communicate with the host and that the resolved destination IP address is 3.1.1.1.
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Enter host in the Destination IP address or host name field.
3. Click Start to execute the ping command.
4. View the result in the Summary field.
Figure 193 Ping operation
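The following added example (not code from H3C or this guide) shows what the resolution order described in the DNS overview produces on the wire when the AC pings host with suffix com configured: the static table is consulted first, and only then is a DNS query built and sent. It builds a real A query, parses the response including name compression, and checks that the transaction ID matches before trusting an answer. The DNS server is a constructed stand-in for the Windows server at 2.1.1.2 holding zone com; the search order (name as typed, then name plus each suffix) and the transaction ID are assumptions.

```python
"""Dynamic name resolution as the AC performs it: static table first, then a
DNS query to the configured server with the domain suffix appended.
Added example, not H3C code."""
import struct

A, IN = 1, 1                                            # QTYPE A, QCLASS IN

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    # header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A, IN)

def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_a_records(resp: bytes, txid: int):
    """Return [(name, ipv4, ttl)] from a response; reject IDs we did not send."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("response does not match our query")
    if flags & 0x000F:                                  # RCODE != 0, e.g. NXDOMAIN
        return []
    off = 12
    for _ in range(qd):
        _, off = read_name(resp, off)
        off += 4                                        # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == A and rclass == IN and rdlen == 4:
            records.append((name, ".".join(map(str, rdata)), ttl))
    return records

# Constructed stand-in for the DNS server at 2.1.1.2 holding zone com.
ZONE = {"host.com": "3.1.1.1"}

def fake_server(query: bytes) -> bytes:
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = read_name(query, 12)
    question = query[12:qend + 4]
    if qname not in ZONE:                               # NXDOMAIN (RCODE 3)
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in ZONE[qname].split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", A, IN, 3600, 4) + rdata   # name = pointer to offset 12
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def resolve(host: str, static: dict, suffixes: list, send=fake_server, txid: int = 0x1234):
    """Static table first; then query the name as typed, then with each suffix (assumed order)."""
    if host in static:
        return static[host]
    for name in [host] + [f"{host}.{s}" for s in suffixes]:
        records = parse_a_records(send(build_query(name, txid)), txid)
        if records:
            return records[0][1]
    return None

if __name__ == "__main__":
    print(resolve("host", {}, ["com"]))                 # resolved via host.com
    print(resolve("host", {"host": "10.0.0.5"}, ["com"]))   # static entry wins
```

A static entry for a name takes precedence over whatever the network returns, which is useful for pinning a management host but also means a stale static entry silently overrides a changed record.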
Service management
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed, which reduces the attack surface of the device and allows it to be managed securely.
The service management module also lets you modify the HTTP and HTTPS port numbers and associate the FTP, HTTP, or HTTPS service with an ACL, so that only permitted source addresses can reach these services.
FTP service
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. FTP sends user names, passwords, and file contents in clear text.
Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal functions on the network. Like FTP, Telnet is unencrypted, so login credentials can be read by anyone on the path.
SSH service
Secure Shell (SSH) offers an approach to securely logging in to a remote device. By encryption and
strong authentication, it protects devices against attacks such as IP spoofing and plain text password
interception.
SFTP service
The secure file transfer protocol (SFTP) is a feature of SSH 2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
It is an application-layer protocol in the TCP/IP protocol suite.
You can log in to the device using the HTTP protocol with HTTP service enabled, accessing and
controlling the device with Web-based network management.
HTTPS service
Secure HTTP (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
• Uses the SSL protocol to ensure that legitimate clients can access the device securely, and denies illegitimate clients.
• Encrypts the data exchanged between the HTTPS client and the device to ensure data confidentiality and integrity, providing secure management of the device.
• Defines a certificate attribute-based access control policy for the device to control the access rights of clients, further protecting against attacks from illegitimate clients.
Configuring service management
1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 194.
Figure 194 Service management
2. Enable or disable services on the page as described in Table 80.
3. Click Apply.
Table 80 Configuration items
Item
Description
FTP: Enable FTP service
Specify whether to enable the FTP service.
The FTP service is disabled by default.
FTP: ACL
Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service.
You can view this configuration item by clicking the expanding button in front of FTP.
Telnet: Enable Telnet service
Specify whether to enable the Telnet service.
The Telnet service is enabled by default. Because Telnet carries credentials in clear text, disable it once SSH is enabled and working.
SSH: Enable SSH service
Specify whether to enable the SSH service.
The SSH service is disabled by default.
SFTP: Enable SFTP service
Specify whether to enable the SFTP service.
The SFTP service is disabled by default.
IMPORTANT:
When you enable the SFTP service, the SSH service must be enabled.
HTTP: Enable HTTP service
Specify whether to enable the HTTP service.
The HTTP service is disabled by default.
HTTP: Port Number
Set the port number for the HTTP service.
You can view this configuration item by clicking the expanding button in front of HTTP.
IMPORTANT:
When you modify a port, make sure that the port is not used by another service.
HTTP: ACL
Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service.
You can view this configuration item by clicking the expanding button in front of HTTP.
HTTPS: Enable HTTPS service
Specify whether to enable the HTTPS service.
The HTTPS service is disabled by default.
HTTPS: Port Number
Set the port number for the HTTPS service.
You can view this configuration item by clicking the expanding button in front of HTTPS.
IMPORTANT:
When you modify a port, make sure that the port is not used by another service.
HTTPS: ACL
Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service.
You can view this configuration item by clicking the expanding button in front of HTTPS.
HTTPS: Certificate
Set the local certificate for the HTTPS service. The list displays certificate subjects.
You can configure the available PKI domains by selecting Authentication > Certificate Management from the navigation tree at the left side of the interface. For more information, see "Certificate management."
IMPORTANT:
The service management, portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the one referenced in the other two modules.
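The following is an added example, not code from H3C or this guide. It checks a proposed service configuration against the rules Table 80 states (SFTP needs SSH; an HTTP or HTTPS port must not collide with another service) and flags the weak but accepted choices a practitioner would want to catch before clicking Apply: clear-text management protocols left enabled, ACL-capable services exposed without an ACL, and HTTPS without a PKI certificate. The factory defaults are taken from the table; the "hardened" profile and the ACL number 2000 are assumptions.

```python
"""Validator for the AC's service-management settings: the dependency and port
rules the Service page states, plus clear-text and ACL hygiene checks.
Added example, not H3C code."""
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Svc:
    enabled: bool
    port: int                    # HTTP/HTTPS ports are editable; the others are fixed
    acl: Optional[int] = None    # ACL number that filters clients (FTP, HTTP, HTTPS only)

def factory_defaults() -> dict:
    """Defaults as Table 80 documents them: only Telnet is enabled."""
    return {
        "ftp": Svc(False, 21),
        "telnet": Svc(True, 23),
        "ssh": Svc(False, 22),
        "sftp": Svc(False, 22),  # runs inside the SSH service
        "http": Svc(False, 80),
        "https": Svc(False, 443),
    }

CLEAR_TEXT = {"ftp": "sftp", "telnet": "ssh", "http": "https"}   # protocol -> secure replacement
ACL_CAPABLE = ("ftp", "http", "https")

def validate(cfg: dict, https_cert_selected: bool) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs: 'error' = the page will refuse it or the
    service cannot work; 'warn' = accepted but weak."""
    issues = []
    if cfg["sftp"].enabled and not cfg["ssh"].enabled:
        issues.append(("error", "SFTP requires the SSH service to be enabled"))
    in_use = {}
    for name, svc in cfg.items():
        if not svc.enabled or name == "sftp":           # SFTP shares SSH's port by design
            continue
        if svc.port in in_use:
            issues.append(("error", f"{name}: port {svc.port} is already used by {in_use[svc.port]}"))
        in_use[svc.port] = name
    for name, better in CLEAR_TEXT.items():
        if cfg[name].enabled:
            issues.append(("warn", f"{name} carries credentials in clear text; use {better} instead"))
    for name in ACL_CAPABLE:
        if cfg[name].enabled and cfg[name].acl is None:
            issues.append(("warn", f"{name} accepts any source address; associate an ACL"))
    if cfg["https"].enabled and not https_cert_selected:
        issues.append(("warn", "HTTPS has no PKI-domain certificate selected; clients cannot verify the device"))
    return issues

def hardened() -> dict:
    """Assumed target state: Telnet off, SSH/SFTP on, HTTPS only, behind ACL 2000."""
    cfg = factory_defaults()
    cfg["telnet"].enabled = False
    cfg["ssh"].enabled = True
    cfg["sftp"].enabled = True
    cfg["https"] = Svc(True, 443, acl=2000)
    return cfg

if __name__ == "__main__":
    for sev, msg in validate(factory_defaults(), https_cert_selected=False):
        print(f"defaults: {sev}: {msg}")
    print("hardened:", validate(hardened(), https_cert_selected=True) or "clean")
```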
Diagnostic tools
Ping
You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity.
A successful execution of the ping command involves the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
The output of the ping command depends on the result:
• The ping command accepts the destination's host name or IP address. If the destination's host name cannot be resolved, a prompt is displayed.
• If the source device does not receive an ICMP echo reply within the timeout time, it displays a prompt and the statistics for the ping operation. If the source device receives an ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the message sequence number, the Time to Live (TTL), the response time, and the statistics for the ping operation. The statistics include the number of packets sent, the number of echo reply messages received, the percentage of messages not received, and the minimum, average, and maximum response time.
Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet from source to destination. This function is useful for identifying the failed node or nodes in the event of a network failure.
The trace route command involves the following steps in its execution:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired ICMP message to the source, with its IP address encapsulated. In this way, the source device learns the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the address of the second Layer 3 device.
5. This process continues until the ultimate destination device is reached. In this way, the source device can trace the addresses of all the Layer 3 devices on the path to the destination device.
The trace route command accepts the destination's host name or IP address. If the destination's host name cannot be resolved, a prompt is displayed.
Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the advanced parameters of the IPv4 ping operation, as shown in Figure 195.
Figure 195 IPv4 ping configuration page
3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field.
4. Set the advanced parameters for the IPv4 ping operation.
5. Click Start to execute the ping command.
6. View the result in the Summary field.
Figure 196 IPv4 ping operation results
IPv6 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree.
2. Enter the IPv6 ping configuration page (default setting).
3. Expand Advanced Setup to display the advanced parameters of the IPv6 ping operation, as shown in Figure 197.
Figure 197 IPv6 ping
4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field.
5. Set the advanced parameters for the IPv6 ping operation.
6. Click Start to execute the ping command.
7. View the result in the Summary field, as shown in Figure 198.
Figure 198 IPv6 ping operation results
Trace route operation
NOTE:
• The web interface does not support trace route on IPv6 addresses.
• Before performing the trace route operations, execute the ip ttl-expires enable command on the intermediate devices to enable the sending of ICMP timeout packets, and the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets.
1. Select Diagnostic Tools > Trace Route from the navigation tree.
2. Click the Trace Route tab to enter the Trace Route configuration page, as shown in Figure 199.
Figure 199 Trace Route configuration page
3. Enter the destination IP address or host name.
4. Click Start to execute the trace route command.
5. View the result in the Summary field, as shown in Figure 200.
Figure 200 Trace route operation results
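The following added example (not code from H3C or this guide) simulates the trace route procedure described above, including the two conditions the note warns about: an intermediate device that does not send ICMP TTL-expired messages shows up as an asterisk, and a destination that does not send ICMP destination unreachable messages never terminates the trace, so it runs to the hop limit. The topology and router addresses are constructed; no packets are sent.

```python
"""Model of the trace route procedure: probes with TTL 1, 2, 3, ... and the
ICMP replies that identify each hop. Simulation only; added example, not
H3C code."""
from dataclasses import dataclass

@dataclass
class Node:
    ip: str
    ttl_expires: bool = True     # "ip ttl-expires enable" on an intermediate device
    unreachables: bool = True    # "ip unreachables enable" on the destination

def probe(path, ttl):
    """Send one UDP probe with the given TTL along `path` (routers first,
    destination last). Returns (responder_ip, kind) or None on timeout."""
    for hop, node in enumerate(path):
        if hop == len(path) - 1:                          # delivered to the destination
            return (node.ip, "port-unreachable") if node.unreachables else None
        ttl -= 1                                          # each router decrements TTL
        if ttl == 0:                                      # expired here: router answers (if allowed)
            return (node.ip, "ttl-expired") if node.ttl_expires else None
    return None

def traceroute(path, max_hops=30):
    """Probe with increasing TTL until the destination answers or max_hops."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = probe(path, ttl)
        hops.append((ttl, reply[0] if reply else "*"))
        if reply and reply[1] == "port-unreachable":
            break
    return hops

# Constructed topology: AC -> R1 -> R2 -> host 3.1.1.1 (router addresses assumed).
GOOD_PATH = [Node("10.1.1.254"), Node("2.1.1.254"), Node("3.1.1.1")]
SILENT_R1 = [Node("10.1.1.254", ttl_expires=False), Node("2.1.1.254"), Node("3.1.1.1")]
QUIET_DEST = [Node("10.1.1.254"), Node("2.1.1.254"), Node("3.1.1.1", unreachables=False)]

if __name__ == "__main__":
    for label, path in [("good", GOOD_PATH), ("silent R1", SILENT_R1), ("quiet dest", QUIET_DEST)]:
        print(label, traceroute(path, max_hops=5))
```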
AP configuration
The AP configuration module allows you to perform the following configurations:
•
Establish a connection between AC and AP
•
Configure auto AP
•
Configure an AP group
AC-AP connection
An AP and an AC establish a tunnel connection based on UDP.
An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw
802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote
AP configuration and management, and WLAN and mobile management.
The AC can dynamically configure an AP based on the information provided by the administrator.
Auto AP
The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless
network with many APs, the auto AP function avoids configuration of many AP serial IDs, thus simplifying
configuration.
AP group
Some wireless service providers need to control the access positions of clients. For example, as shown in
the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to
the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group
that the clients can be associated with and then apply the AP group in a user profile.
Figure 201 Client access control
Configuring an AP
Creating an AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add to enter the page for adding an AP.
Figure 202 Adding an AP
3. Create the AP as described in Table 81.
4. Click Apply.
Table 81 Configuration items
Item
Description
AP Name
AP name.
Model
AP model.
Serial ID
• Auto—If selected, the AC automatically searches for the AP serial ID. This function is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
• Manual—If this mode is selected, you need to type an AP serial ID.
Configuring an AP
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the page for configuring an AP.
Figure 203 AP setup
3. Configure the AP as described in Table 82.
4. Click Apply.
Table 82 Configuration items
Item
Description
AP Name
Display the name of the AP selected.
Radio Number
Select the number of the radios on the AP. The value depends on the AP model.
Radio Type
Select the radio type, which can be one of the following values:
• 802.11a
• 802.11b
• 802.11g
• 802.11n (2.4 GHz)
• 802.11n (5 GHz)
The value depends on the AP model and radio type.
Serial ID
Set a serial ID for the AP.
• Auto—If selected, the AP serial ID is automatically found. This option is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
• Manual—You need to enter an AP serial ID.
IMPORTANT:
The serial ID is the unique identity of the AP. If the AP has connected to the AC, changing or deleting its serial ID tears down the tunnel, and the AP must discover the AC and connect again.
Description
Description of the AP.
District Code
By default, no district code is configured for an AP, which uses the global district code. An AP configured with a district code uses its own district code rather than the global one. For how to configure the global district code, see "Advanced settings".
IMPORTANT:
Some ACs and fit APs use locked district codes. Which one is used is determined as follows:
• An AC's locked district code cannot be changed, and all managed fit APs whose district codes are not locked must use the AC's locked district code.
• A fit AP's locked district code cannot be changed, and the fit AP can only use that district code.
• If an AC and a managed fit AP use different locked district codes, the fit AP uses its own locked district code.
Configuring advanced settings
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP.
3. On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.
Figure 204 Advanced setup
4. Configure advanced settings for the AP as described in Table 83.
5. Click Apply.
Table 83 Configuration items
Item
Description
AP Connection Priority
Specify the AP connection priority on the AC. For more information, see "AP connection priority configuration example." It can also be used together with the backup function. For more information, see "Advanced settings."
Broadcast Probe
• Enable—Enable the AP to respond to broadcast probe requests. The AP will respond to broadcast probe requests with the SSID null.
• Disable—Disable the AP from responding to broadcast probe requests. The AP will respond to broadcast probe requests with the specified SSID.
By default, this option is enabled.
Configuration File
Specify a name for the configuration file in the storage media and map the specified configuration file to the AP.
When local forwarding is enabled, you can use the configuration file to configure the AP. For example, when you configure a user profile with local forwarding enabled, you must write the user profile, QoS policy, and ACL commands to the configuration file, and download the configuration file to the AP.
IMPORTANT:
The commands in the configuration file must be in their complete form.
Jumbo Frame Size
Set the maximum size of jumbo frames. When this function is enabled, the AC can send frames whose size does not exceed the maximum size to the AP.
By default, the AC cannot send jumbo frames to the AP.
AP Echo Interval
Set the interval for sending echo requests.
There is a keep-alive mechanism between AP and AC to confirm whether the tunnel is working. An AP periodically sends echo requests to the AC. The AC responds with echo responses, which indicate that the tunnel is up.
Client Alive Time
Set the client keep-alive interval.
The keep-alive mechanism detects clients that have left the system for reasons such as power failure or crash, and disconnects them from the AP.
By default, the client keep-alive functionality is disabled.
Client Free Time
Maximum interval for which the link between the AP and a client can be idle.
Backup AC IPv4 Address
Set the IPv4 address of the backup AC for the AP.
Backup AC IPv6 Address
Set the IPv6 address of the backup AC for the AP.
If you configure the global backup AC information both in Advanced Setup > AC Backup and AP > AP Setup, the configuration in AP > AP Setup takes precedence. For more information about AC backup, see "Advanced settings."
Remote AP
• Enable—Enable the remote AP function.
• Disable—Disable the remote AP function.
By default, the remote AP function is disabled.
With this function enabled, when the tunnel between the AP and AC is terminated, the AP automatically enables local forwarding (whether or not local forwarding is configured on the AC) to provide wireless access for logged-in clients, but does not allow new clients. When a tunnel is established between the AP and AC again, the AP automatically switches to the centralized forwarding mode and logs off all clients on the remote AP.
IMPORTANT:
If a backup tunnel has been established between the remote AP and a backup AC, when the tunnel between the AP and the primary AC is terminated, the remote AP uses the backup tunnel to provide wireless access for logged-in clients. For more information about AC backup, see "Advanced settings."
AP CAR
Select this box to configure CAR for the AP.
By default, no CAR is set for an AP.
CIR
Committed information rate, in kbps.
CBS
Committed burst size, in bits.
By default, CBS is the amount of traffic that can be sent in 500 ms at the CIR. For example, if CIR is 100 kbps, CBS is 50000 bits (6250 bytes) by default.
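The following is an added example, not code from H3C or this guide. It implements the single-rate token bucket that CIR and CBS describe, using the table's default of CBS = 500 ms of traffic at CIR, and shows why CBS matters: a burst up to CBS passes even though it momentarily exceeds the rate, the next frame is rejected until tokens refill, and after 500 ms the bucket is full again. How the AC treats a nonconforming frame (drop or remark) is not stated on the page, so the code only reports the verdict; the frame trace is constructed.

```python
"""Single-rate CAR as a token bucket: tokens (bits) accrue at CIR up to a
depth of CBS; a frame conforms if the bucket holds at least its size.
Added example, not H3C code."""

def default_cbs_bits(cir_kbps: int) -> int:
    """CBS default from Table 83: what CIR delivers in 500 ms, in bits."""
    return cir_kbps * 1000 // 2

class TokenBucket:
    def __init__(self, cir_kbps: int, cbs_bits: int = None):
        self.rate = cir_kbps * 1000                      # tokens (bits) per second
        self.depth = cbs_bits if cbs_bits is not None else default_cbs_bits(cir_kbps)
        self.tokens = float(self.depth)                  # bucket starts full
        self.last = 0.0                                  # time of the last update, seconds

    def conform(self, now: float, frame_bytes: int) -> bool:
        """True if the frame fits the committed rate; False if it exceeds it
        (the caller decides whether to drop or remark)."""
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate)
        self.last = now
        need = frame_bytes * 8
        if need > self.tokens:
            return False
        self.tokens -= need
        return True

def run_profile(cir_kbps: int, frames):
    """frames: iterable of (time_seconds, size_bytes); returns one verdict per frame."""
    bucket = TokenBucket(cir_kbps)
    return [bucket.conform(t, size) for t, size in frames]

if __name__ == "__main__":
    # Constructed trace at CIR 100 kbps: a 6250-byte burst exactly drains the
    # default 50000-bit bucket, a 1-byte frame right behind it is rejected,
    # and 500 ms later the same burst conforms again.
    print(run_profile(100, [(0.0, 6250), (0.0, 1), (0.5, 6250)]))
```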
Configuring auto AP
Enabling auto AP
1. Select Advance > Auto AP from the navigation tree.
Figure 205 Configuring auto AP
2. Enable auto AP as described in Table 84.
Table 84 Configuration items
Item
Description
Auto AP
• enable—Enable the auto AP function. You must also select Auto from the Serial ID list on the AP setup page to use the auto AP function.
• disable—Disable the auto AP function.
By default, the auto AP function is disabled.
IMPORTANT:
After using the auto AP function, H3C recommends that you disable it.
Renaming an AP
1. After enabling auto AP, click Refresh.
2. To modify the automatically found AP name, click the icon in the Operation column.
Figure 206 Renaming an AP
3. On the page that appears, rename the AP as described in Table 85.
4. Click Apply.
Table 85 Configuration items
Item
Description
Old AP Name
Display the name of the automatically discovered AP.
AP Rename
Select the AP Rename check box, and type the new AP name.
For the example of configuring auto AP, see "Access service configuration."
Batch switch
If you do not need to modify the automatically found AP names, you can select the AP Name box, and then click Transmit All AP to complete auto AP setup.
Configuring an AP group
Creating an AP group
1. Select AP > AP Group from the navigation tree.
2. Click Add.
Figure 207 Creating an AP group
3. Create the AP group as described in Table 86.
Table 86 Configuration items
Item
Description
AP Group ID
AP group ID.
The value range varies with devices. For more information, see "Feature matrixes."
Configuring an AP group
1. Select AP > AP Group from the navigation tree.
2. Click the icon corresponding to the target AP group to enter the page for configuring an AP group.
Figure 208 Configuring an AP group
3. Configure the AP group as described in Table 87.
4. Click Apply.
Table 87 Configuration items
Item
Description
AP Group ID
Display the ID of the selected AP group.
Description
Select this option to configure a description for the AP group.
Exist AP List
Set the APs in the configured AP group.
• To add APs to the Selected AP List, click the APs to be added to the AP group, and click the > button in the AP List area.
• To delete APs from the AP group, select the APs to be deleted in the Selected AP List, and click the < button.
The APs to be added to the AP group must first be created by selecting AP > AP Setup.
Applying the AP group
Select Authentication > Users from the navigation tree to apply the AP group. For the related configuration, see "Users."
AP connection priority configuration example
Network requirements
Configure a higher AP connection priority on AC 1 to enable the AP to establish a connection with AC 1.
Figure 209 Network diagram (elements: AC 1, AC 2, switch, AP, client)
Configuring AC 1
1. Configure AP-related information:
For the detailed configuration, see "Access service configuration."
2. Configure an AP connection priority:
a. Select AP > AP Setup from the navigation tree.
b. Click the icon corresponding to the target AP to enter the AP setup page.
c. Expand Advanced Setup to enter the page shown in Figure 210 and set the AP connection priority to 6.
d. Click Apply.
Figure 210 Configuring AP connection priority
Configuring AC 2
1. Configure AP-related information:
For the detailed configuration, see "Access service configuration."
2. Configure AP connection priority:
Use the default AP connection priority on AC 2.
Verifying the configuration
A higher AP connection priority is configured on AC 1, so the AP establishes a connection with AC 1.
Configuring access services
Wireless Local Area Networks (WLAN) provide the following services:
• Connectivity to the Internet
• Secured WLAN access with different authentication and encryption methods
• Seamless roaming of WLAN clients in a mobility domain
Access service overview
Terminology
Wireless client
A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting
WiFi can be a WLAN client.
Access point (AP)
An AP bridges frames between wireless and wired networks.
Access controller (AC)
An AC can control and manage APs associated with it in a WLAN. The AC communicates with an
authentication server for WLAN client authentication.
SSID
The service set identifier. A client scans all networks at first, and then selects a specific SSID to connect
to a specific wireless network.
Client access
A client access process involves three steps: active or passive scanning for surrounding wireless services, authentication, and association, as shown in Figure 211.
Figure 211 Establishing a client access
Scanning
Wireless clients can get the surrounding wireless network information in two ways, active scanning and
passive scanning. With active scanning, a wireless client actively sends probe requests during scanning,
and receives probe responses. With passive scanning, a wireless client listens to Beacon frames sent by
surrounding APs.
A wireless client usually uses both passive scanning and active scanning to get information about
surrounding wireless networks.
1. Active scanning
When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in a probe request.
• Mode 1—A client sends a probe request without any SSID on supported channels to scan wireless networks. APs that receive the probe request frame send a probe response frame. The client associates with the AP with the strongest signal.
Figure 212 Active scanning (no SSID in the probe request) (elements: client, AP 1, AC 1, AP 2, AC 2; messages: probe request (with no SSID) from the client, probe response from each AP)
• Mode 2—When a wireless client is configured to access a specific wireless network or has already been connected to a wireless network, the client periodically sends a probe request carrying the specified SSID. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is shown in Figure 213.
Figure 213 Active scanning (the probe request carries the specified SSID AP 1)
2. Passive scanning
Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon frames periodically sent by APs. All APs providing wireless services periodically send beacon frames, so wireless clients can listen for beacon frames on the supported channels to get information about surrounding wireless networks. Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is shown in Figure 214.
Figure 214 Passive scanning
Authentication
To secure wireless links, wireless clients must be authenticated before accessing an AP. 802.11 defines two authentication mechanisms: open system authentication and shared key authentication.
• Open system authentication
Open system authentication is the default authentication algorithm. It is the simplest of the available authentication algorithms and is essentially a null authentication algorithm: any client that requests authentication with this algorithm can become authenticated. Open system authentication is not required to succeed, as an AP may decline to authenticate the client. Open system authentication is a two-step process. In the first step, the wireless client sends an authentication request. In the second step, the AP returns the result to the client.
Figure 215 Open system authentication process (elements: client, AP, AC; messages: authentication request, authentication response)
• Shared key authentication
Figure 216 shows a shared key authentication process. The two parties have the same shared key configured.
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends it to the AP.
d. The AP uses the shared key to encrypt the challenge and compares the result with that received from the client. If they are identical, the client passes the authentication. If not, the authentication fails.
Figure 216 Shared key authentication process
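The four-step exchange above, simulated with both sides' messages, as an added example that is not part of this guide and not H3C code. It assumes WEP-style mechanics because the guide describes WEP as RC4-based: the challenge is encrypted with RC4 keyed by a 3-byte IV prepended to the shared key, which is the WEP convention; the 128-byte challenge length follows 802.11. Frame formats are not modelled, and RC4 appears only because the protocol being illustrated uses it, not as a recommendation.

```python
"""Simulation of the 802.11 shared key authentication exchange (Figure 216).

Added example, not H3C code. Assumes WEP-style mechanics: both sides hold the
same shared key, the AP issues a random challenge, and the client returns the
challenge encrypted with RC4 under IV || shared key. Nothing here models the
real 802.11 frame formats.
"""
import hmac
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); obsolete cipher, shown only because WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP-style encryption: RC4 keyed with IV || shared key, XORed over data."""
    ks = rc4_keystream(iv + shared_key, len(data))
    return bytes(p ^ k for p, k in zip(data, ks))


class AccessPoint:
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.pending = {}               # client id -> outstanding challenge

    def handle_auth_request(self, client_id: str) -> bytes:
        """Step b: answer an authentication request with a random challenge."""
        challenge = os.urandom(128)     # 802.11 uses a 128-byte challenge text
        self.pending[client_id] = challenge
        return challenge

    def handle_response(self, client_id: str, iv: bytes, ciphertext: bytes) -> bool:
        """Step d: encrypt the stored challenge ourselves and compare."""
        challenge = self.pending.pop(client_id, None)
        if challenge is None:
            return False                # no outstanding challenge for this client
        expected = wep_encrypt(self.key, iv, challenge)
        return hmac.compare_digest(expected, ciphertext)


class Client:
    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def answer(self, challenge: bytes):
        """Step c: encrypt the challenge under the shared key with a fresh IV."""
        iv = os.urandom(3)
        return iv, wep_encrypt(self.key, iv, challenge)


def run_shared_key_auth(ap_key: bytes, client_key: bytes) -> bool:
    """Run steps a to d between an AP and a client; True if the client passes."""
    ap, client = AccessPoint(ap_key), Client(client_key)
    challenge = ap.handle_auth_request("sta-1")      # steps a and b
    iv, ct = client.answer(challenge)                 # step c
    return ap.handle_response("sta-1", iv, ct)        # step d


if __name__ == "__main__":
    key = bytes(range(13))                            # constructed 104-bit key
    print("same key:", run_shared_key_auth(key, key))
    print("wrong key:", run_shared_key_auth(key, bytes(13)))
```

Two details matter for a defender reading the exchange: the AP must bind the response to the exact challenge it issued (the `pending` table), and the comparison is constant-time. The exchange also transmits both the challenge and its encryption in the clear, which is one reason this mechanism is regarded as weaker than open system authentication combined with a stronger cipher, in line with the WEP limitations the guide notes below.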
Association
A client that wants to access a wireless network through an AP must be associated with that AP. Once the client chooses a compatible network with a specified SSID and authenticates to an AP, it sends an association request frame to the AP. The AP sends an association response to the client and adds the client's information to its database. A client can associate with only one AP at a time. The association process is always initiated by the client, never by the AP.
WLAN data security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN
devices share the same medium and thus every device can receive data from any other sending device.
If no security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices
without the right key cannot read encrypted data.
1. WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream cipher) for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.
• Static WEP encryption
With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can read all encrypted data. In addition, periodic manual key updates impose a heavy management workload.
• Dynamic WEP encryption
Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol, so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
2. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for a WLAN as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing service for a certain period to prevent attacks.
3.
CCMP encryption
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM
combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The
AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP
contains a dynamic key negotiation and management method, so that each wireless client can
dynamically negotiate a key suite, which can be updated periodically to further enhance the
security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit
packet number (PN) to ensure that each encrypted packet uses a different PN, thus improving the
security to a certain extent.
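The TKIP countermeasure rule (two MIC failures within a period suspend service) and the CCMP packet-number rule (every packet carries a different 48-bit PN) are both receiver-side checks. The following is an added example, not H3C code and not the AC's own logic; the cipher and MIC computations are not modelled, and the 60-second window and hold-down values are assumptions, since the guide gives no figures here.

```python
"""Receiver-side checks from the TKIP and CCMP descriptions above.

Added example, not H3C code; the cipher operations themselves are not
modelled. Two independent pieces of logic:
  * TkipCountermeasures: count MIC failures; a second failure inside the
    detection window starts a hold-down during which no service is provided.
    The 60 s defaults for window and hold-down are assumptions.
  * PnReplayCheck: the 48-bit CCMP packet number must strictly increase per
    transmitter; a repeated or older PN is treated as a replay and rejected.
"""


class TkipCountermeasures:
    """Tracks MIC failures and the resulting service hold-down."""

    def __init__(self, window_s: float = 60.0, holddown_s: float = 60.0):
        self.window_s = window_s
        self.holddown_s = holddown_s
        self.first_failure_t = None      # time of the first failure in the window
        self.blocked_until = 0.0         # service suspended while now < this

    def in_countermeasures(self, now: float) -> bool:
        return now < self.blocked_until

    def record_mic_failure(self, now: float) -> bool:
        """Register a MIC failure at time `now`; True if countermeasures are active."""
        if self.in_countermeasures(now):
            return True
        if (self.first_failure_t is not None
                and now - self.first_failure_t <= self.window_s):
            self.blocked_until = now + self.holddown_s   # second failure: suspend
            self.first_failure_t = None
            return True
        self.first_failure_t = now       # first failure, or the window had expired
        return False


PN_MAX = (1 << 48) - 1


class PnReplayCheck:
    """Per-transmitter monotonic packet-number check (CCMP replay detection)."""

    def __init__(self):
        self.last_pn = {}                # transmitter address -> last accepted PN

    def accept(self, tx_addr: str, pn: int) -> bool:
        if not 0 <= pn <= PN_MAX:
            return False                 # outside the 48-bit range: malformed
        if pn <= self.last_pn.get(tx_addr, -1):
            return False                 # repeated or older PN: replay
        self.last_pn[tx_addr] = pn
        return True


if __name__ == "__main__":
    cm = TkipCountermeasures()
    print([cm.record_mic_failure(t) for t in (0.0, 30.0)])   # second failure triggers
    rc = PnReplayCheck()
    print([rc.accept("ap-1", pn) for pn in (5, 5, 4, 6)])    # replayed PNs rejected
```

The replay check keeps one counter per transmitter, which is what makes a replayed frame detectable even though it carries a valid MIC; the countermeasure object makes the trade-off in the guide explicit, because a forged MIC failure pair costs every client the hold-down period.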
Client access authentication
1. PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
The administrators of access devices can use either RADIUS or local authentication together with 802.1X to authenticate users. For more information about remote/local 802.1X authentication, see "802.1X configuration."
3. MAC authentication
MAC authentication provides a way to authenticate users based on ports and MAC addresses. You can configure permitted MAC address lists to filter the MAC addresses of clients. However, efficiency decreases as the number of clients increases. Therefore, MAC authentication is applicable to environments without high security requirements, for example, SOHO and small offices.
MAC authentication falls into two modes:
Local MAC authentication—When this authentication mode is adopted, you need to configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.
Figure 217 Local MAC authentication (permitted MAC address list: 0009-5bcf-cce3, 0011-9548-4007, 000f-e200-00a2; clients 0009-5bcf-cce3, 0011-9548-4007, and 001a-9228-2d3e; elements: AC, L2 switch, AP)
Remote MAC authentication—Remote Authentication Dial-In User Service (RADIUS) based MAC authentication. If the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes the authentication, the client can access the WLAN network and the corresponding authorized information.
Figure 218 Remote MAC authentication
When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless service, and thus send MAC authentication information of different SSIDs to different remote RADIUS servers.
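The local MAC authentication decision in Figure 217, as an added example that is not H3C code or the AC's own logic. It takes the permitted list and client addresses from the figure, assumes the xxxx-xxxx-xxxx notation the web interface uses, and also accepts the colon, hyphen and dot forms that client operating systems print, so that an address pasted from a client compares correctly.

```python
"""Local MAC authentication decision modelled on Figure 217.

Added example, not H3C code or the AC's own logic. It assumes the H3C dotted
notation shown in the figure (0009-5bcf-cce3) and also accepts the colon,
hyphen and dot forms that client operating systems print, so that addresses
pasted from a client compare correctly against the permitted list.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex-digit lowercase form; ValueError if malformed."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def h3c_format(mac: str) -> str:
    """Render an address in the xxxx-xxxx-xxxx form used by the web interface."""
    d = normalize_mac(mac)
    return f"{d[0:4]}-{d[4:8]}-{d[8:12]}"


class LocalMacAuthenticator:
    """Permit-list check: only listed addresses may associate."""

    def __init__(self, permitted):
        self.permitted = {normalize_mac(m) for m in permitted}

    def is_permitted(self, client_mac: str) -> bool:
        try:
            return normalize_mac(client_mac) in self.permitted
        except ValueError:
            return False            # malformed input is denied, never accepted


# Values taken from Figure 217.
PERMITTED_MAC_LIST = ["0009-5bcf-cce3", "0011-9548-4007", "000f-e200-00a2"]


def decide(permitted, clients):
    """Map each requesting client to its access decision."""
    auth = LocalMacAuthenticator(permitted)
    return {c: auth.is_permitted(c) for c in clients}


if __name__ == "__main__":
    results = decide(PERMITTED_MAC_LIST, ["0009-5bcf-cce3", "001a-9228-2d3e"])
    for mac, ok in results.items():
        print(h3c_format(mac), "permitted" if ok else "denied")
```

Normalising before comparison closes the most common operational gap with permit lists: an address entered in uppercase or with a different separator must still match, while anything that is not a well-formed address is denied rather than silently accepted.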
802.11n
As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
2. Improving channel utilization through the following ways:
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) that have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
Similar to MPDU aggregation, multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
To improve physical layer performance, 802.11n introduces the short GI function, which shortens the guard interval (GI) of 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.
Configuring access service
Recommended configuration procedure
Step
Remarks
1. Creating a WLAN service
Required.
2. Configuring wireless service: configuring clear type wireless service, or configuring crypto type wireless service
Required. Use either approach. Complete the security settings as needed.
3. Enabling a wireless service
Required.
4. Binding an AP radio to a wireless service
Required.
5. Enabling a radio
Optional.
6. Displaying the detailed information of a wireless service
Optional.
Creating a WLAN service
1. Select Wireless Service > Access Service from the navigation tree.
Figure 219 Configuring access service
2. Click Add.
Figure 220 Creating a wireless service
3. Configure the wireless service as described in Table 88.
4. Click Apply.
Table 88 Configuration items
Item
Description
Wireless Service Name
Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32 characters, which can include letters, digits, underscores, and spaces.
An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. At the same time, using a long random string as the SSID is not recommended, because a long random string only adds payload to the header field without any improvement to wireless security.
Wireless Service Type
Select the wireless service type:
• clear—Indicates the SSID will not be encrypted.
• crypto—Indicates the SSID will be encrypted.
Configuring clear type wireless service
Configuring basic settings for a clear type wireless service
NOTE:
Before configuring a clear-type wireless service, disable it first and then click the corresponding icon.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring the wireless service.
Figure 221 Configuring clear type wireless service
3. Configure basic settings for the clear type wireless service as described in Table 89.
4. Click Apply.
Table 89 Configuration items
Item
Description
Wireless Service
Display the selected Service Set Identifier (SSID).
VLAN (Untagged)
Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN
Set the default VLAN of a port.
By default, the default VLAN of all ports is VLAN 1. After you set a new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Delete VLAN
Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
SSID HIDE
• Enable—Disable the advertisement of the SSID in beacon frames.
• Disable—Enable the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
• If the advertising of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the AP.
• Disabling the advertising of the SSID in beacon frames does little for wireless security. Allowing the advertising of the SSID in beacon frames enables a client to discover an AP more easily.
Configuring advanced settings for the clear type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring advanced settings for a clear type wireless service.
Figure 222 Advanced settings for the clear type wireless service
3. Configure advanced settings for the clear type wireless service as described in Table 90.
4. Click Apply.
Table 90 Configuration items
Item
Description
Local Forwarding
Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, the forwarding load of the AC increases as well. With local forwarding enabled, the AP, rather than the AC, forwards client data, greatly reducing the load on the AC.
• Enable—If local forwarding is enabled, data frames from an associated station are forwarded by the AP itself.
• Disable—If local forwarding is disabled, data frames from an associated station are handled by the AC.
Local Forwarding VLAN
Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Client Max Users
Maximum number of clients of an SSID that can be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Management Right
Web interface management right of online clients.
• Disable—Disable the web interface management right of online clients.
• Enable—Enable the web interface management right of online clients.
MAC VLAN
• Enable—Enable the MAC VLAN feature for the wireless service.
• Disable—Disable the MAC VLAN feature for the wireless service.
IMPORTANT:
Before binding an AP radio to a VLAN (a step in enabling AP-based access VLAN recognition), enable the MAC VLAN feature first.
Fast Association
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled.
When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.
Configuring security settings for a clear type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring security settings for the clear type wireless service.
Figure 223 Security settings for the clear-type wireless service
3. Configure security settings for the clear type wireless service as described in Table 91.
4. Click Apply.
Table 91 Configuration items
Item
Description
Authentication Type
For the clear type wireless service, you can select Open-System only.
Port Mode
• mac-authentication—Perform MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—In this mode, MAC-based 802.1X authentication is performed for users; multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.
TIP:
There are multiple security modes. To remember them easily, follow these rules to understand the parts of the port security mode names:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If that authentication fails, the authentication mode after Else may be used, depending on the protocol type of the packets to be authenticated.
• The authentication mode before Or and that after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.
Max User
Maximum number of users that can be connected to the network through a specific port.
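The naming rules in the TIP can be applied mechanically. The decoder below is an added example, not H3C code or the AC's own logic; it uses only the rules and the seven mode names from Table 91 and returns a structured reading of each name, plus a check that flags modes able to admit a client on its MAC address alone, which the guide reserves for environments without high security requirements.

```python
"""Decoder and policy check for the port security mode names in Table 91.

Added example, not H3C code or the AC's own logic. It applies only the naming
rules the TIP gives (userlogin = 802.1X, mac = MAC authentication, Else =
ordered fallback, Or = equal priority with 802.1X tried first for wireless
users, Secure = MAC-based 802.1X, Ext = multiple 802.1X users) to the seven
mode names on the page, so a reviewer can check a configured mode against
the intended policy without memorising the names.
"""
MODE_NAMES = [
    "mac-authentication",
    "mac-else-userlogin-secure",
    "mac-else-userlogin-secure-ext",
    "userlogin-secure",
    "userlogin-secure-or-mac",
    "userlogin-secure-or-mac-ext",
    "userlogin-secure-ext",
]

DOT1X = "802.1X (MAC-based)"
DOT1X_PORT = "802.1X (port-based)"
MAC_AUTH = "MAC authentication"


def _method(token: str) -> str:
    """Map one name fragment to the authentication method it stands for."""
    if token.startswith("userlogin"):
        return DOT1X if "secure" in token else DOT1X_PORT
    if token.startswith("mac"):
        return MAC_AUTH
    raise ValueError(f"unknown method token {token!r}")


def describe_port_mode(name: str) -> dict:
    """Return primary/fallback methods, the combination rule and the user limit."""
    multi_user = name.endswith("-ext")
    base = name[: -len("-ext")] if multi_user else name
    if "-else-" in base:
        first, second = base.split("-else-", 1)
        primary, fallback, rule = _method(first), _method(second), "else"
    elif "-or-" in base:
        methods = {_method(t) for t in base.split("-or-", 1)}
        # Equal priority, but wireless users are tried with 802.1X first.
        primary = next(m for m in methods if m.startswith("802.1X"))
        fallback = next(m for m in methods if not m.startswith("802.1X"))
        rule = "or"
    else:
        primary, fallback, rule = _method(base), None, None
    return {"primary": primary, "fallback": fallback,
            "rule": rule, "multi_user": multi_user}


def allows_mac_only(name: str) -> bool:
    """True if a client can be admitted on its MAC address alone (no 802.1X)."""
    d = describe_port_mode(name)
    return MAC_AUTH in (d["primary"], d["fallback"])


def audit_modes(names):
    """Flag modes that admit MAC-only clients, which the guide limits to
    environments without high security requirements."""
    return {n: allows_mac_only(n) for n in names}


if __name__ == "__main__":
    for n in MODE_NAMES:
        print(f"{n:32s} {describe_port_mode(n)}")
```

The audit highlights a point that is easy to miss in the table: every Or and Else mode, not just mac-authentication, ends up admitting some clients by MAC address, so the 802.1X requirement is only strict in the userlogin-secure and userlogin-secure-ext modes.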
a. Configure mac-authentication
Figure 224 mac-authentication port security configuration page
Table 92 Configuration items
Item
Description
Port Mode
mac-authentication—MAC-based authentication is performed on access users.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User
Control the maximum number of users allowed to access the network through the port.
MAC Authentication
Select MAC Authentication.
Domain
Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
b. Configure userlogin-secure/userlogin-secure-ext
Figure 225 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is taken as an example)
Table 93 Configuration items
Item
Description
Port Mode
• userlogin-secure—Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.
Max User
Control the maximum number of users allowed to access the network through the port.
Mandatory Domain
Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Authentication Method
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore, this method is safer than PAP.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.
Multicast Trigger
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
c. Configure the other four port security modes
Figure 226 Port security configuration page for the other four security modes (mac-else-userlogin-secure is taken as an example)
Table 94 Configuration items
Item
Description
Port Mode
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User
Control the maximum number of users allowed to access the network through the port.
Mandatory Domain
Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
Authentication Method
• EAP—Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore, this method is safer than PAP.
• PAP—Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.
Multicast Trigger
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
MAC Authentication
Select MAC Authentication.
Domain
Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.
Configuring crypto type wireless service
Configuring basic settings for a crypto type wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click the icon corresponding to the target crypto type wireless service to enter the page for
configuring the wireless service.
Figure 227 Crypto type wireless service
3.
Configure basic settings for the crypto type wireless service as described in Table 89.
4.
Click Apply.
Configuring advanced settings for a crypto type wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click the icon corresponding to the target crypto type wireless service to enter the page for
configuring the wireless service.
Figure 228 Advanced settings for the crypto type wireless service
3.
Configure advanced settings for the crypto type wireless service as described in Table 95.
4.
Click Apply.
Table 95 Configuration items
Item
Description
Local Forwarding
Local forwarding enables an AP to forward data frames between
clients itself. In a centralized WLAN architecture, an AP transparently
tunnels client data frames to the AC for processing, so the
forwarding load on the AC grows with the number of clients. With
local forwarding enabled, the AP, rather than the AC, forwards client
data, greatly reducing the load on the AC. Note that locally
forwarded traffic never reaches the AC, so any filtering or monitoring
performed on the AC does not apply to it.
• Enable—Data frames from an associated station are forwarded by
the AP itself.
• Disable—Data frames from an associated station are handled by
the AC.
Local Forwarding VLAN
Clients using the same SSID may belong to different VLANs. You can
configure a local forwarding VLAN when configuring a local
forwarding policy.
Client Max Users
Maximum number of clients of an SSID that can be associated with the
same radio of the AP.
IMPORTANT:
When the number of clients of an SSID associated with the same radio
of the AP reaches the maximum, the SSID is automatically hidden.
PTK Life Time
Set the pairwise transient key (PTK) lifetime. A PTK is generated
through a four-way handshake.
TKIP CM Time
Set the TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds, that is, the
TKIP countermeasure policy is disabled.
The message integrity check (MIC) is designed to detect tampering
with frames. TKIP computes it with the Michael algorithm, which is
deliberately lightweight and offers only limited protection on its
own; TKIP therefore relies on countermeasures to stop an attacker
from probing it. When a MIC failure occurs, the data may have been
tampered with, and the system may be under attack. With the
countermeasure policy enabled, if more than two MIC failures occur
within the specified time, all TKIP associations are disassociated and
no new associations are allowed within the TKIP countermeasure
time.
Management Right
Web interface management right of online clients.
• Disable—Disable the web interface management right of online
clients.
• Enable—Enable the web interface management right of online
clients.
MAC VLAN
• Enable—Enable the MAC VLAN feature for the wireless service.
• Disable—Disable the MAC VLAN feature for the wireless service.
IMPORTANT:
Binding an AP radio to a VLAN (a step in enabling AP-based access
VLAN recognition) requires the MAC VLAN feature, so enable MAC
VLAN first.
Fast Association
• Enable—Enable fast association.
• Disable—Disable fast association.
By default, fast association is disabled.
When fast association is enabled, the device does not perform band
navigation and load balancing calculations for associated clients.
GTK Rekey Method
The AC generates a group temporal key (GTK) and delivers it to the
client through the 4-way handshake or the group key handshake
during the authentication process between the AP and the client. The
client uses the GTK to decrypt broadcast and multicast frames.
• If Time is selected, the GTK is refreshed after a specified period
of time.
• If Packet is selected, the GTK is refreshed after a specified
number of packets have been transmitted.
By default, the GTK rekeying method is time-based, and the interval is
86400 seconds.
GTK User Down Status
Enable refreshing the GTK when a client goes offline.
By default, the GTK is not refreshed when a client goes offline.
Because every client of the service shares the same GTK, a client that
has left can still decrypt the broadcast and multicast traffic until the
GTK is refreshed; enable this option if that exposure matters.
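The TKIP countermeasure policy described for the TKIP CM Time item in Table 95, modelled as an added example (this is not H3C code; the class, its method names and the exact counting rule are this example's own reading of the page). It keeps a sliding window of MIC failures, and when more than two fall inside the countermeasure time it drops all TKIP associations and refuses new ones until the time has elapsed; a countermeasure time of 0 disables the policy, as the page states. For comparison, IEEE 802.11 itself triggers countermeasures on the second MIC failure within 60 seconds.

```python
# Added illustration of the TKIP countermeasure policy (TKIP CM Time).
# Not H3C code: the class and its thresholds are this example's own model
# of the behaviour the page describes.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TkipCountermeasures:
    cm_time: int                                   # seconds; 0 disables the policy
    failure_times: List[float] = field(default_factory=list)
    blocked_until: Optional[float] = None
    purges: int = 0                                # how often associations were dropped

    def is_blocking(self, now: float) -> bool:
        """True while new TKIP associations are refused."""
        return self.blocked_until is not None and now < self.blocked_until

    def record_mic_failure(self, now: float) -> bool:
        """Register one MIC failure seen at time `now` (seconds).
        Returns True when this failure triggers the countermeasures."""
        if self.cm_time == 0:                      # policy disabled: count nothing
            return False
        # Keep only failures still inside the window (now - cm_time, now].
        self.failure_times = [t for t in self.failure_times if now - t < self.cm_time]
        self.failure_times.append(now)
        if len(self.failure_times) > 2 and not self.is_blocking(now):
            # Disassociate every TKIP client and block re-association.
            self.blocked_until = now + self.cm_time
            self.failure_times.clear()
            self.purges += 1
            return True
        return False

    def allow_association(self, now: float) -> bool:
        """Would a new TKIP association be accepted at time `now`?"""
        return not self.is_blocking(now)


if __name__ == "__main__":
    # Constructed event stream: three forged-frame MIC failures within 20 s.
    cm = TkipCountermeasures(cm_time=60)
    for t in (0, 10, 20):
        print(t, "triggered" if cm.record_mic_failure(t) else "counted")
    print("association allowed at 50 s:", cm.allow_association(50))
    print("association allowed at 80 s:", cm.allow_association(80))
```

The window is evaluated on every failure rather than reset on a timer, so two failures far apart never add up to a trigger, while a burst inside the window does; that is the behaviour an attacker injecting forged TKIP frames would run into.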
Configuring security settings for a crypto type wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click the icon corresponding to the target crypto type wireless service to enter the page for
configuring the crypto type wireless service.
Figure 229 Security settings for the crypto type wireless service
3.
Configure security settings for the crypto type wireless service as described in Table 96.
4.
Click Apply.
Table 96 Configuration items
Item
Description
Authentication Type
• Open-System—No authentication. With this authentication mode, all clients
pass authentication.
• Shared-Key—The two parties must have the same shared key configured. You
can select this option only when WEP encryption is used.
• Open-System and Shared-Key—Both open-system and shared-key
authentication are accepted.
IMPORTANT:
WEP encryption can be used together with open system and shared-key
authentication.
• Open system authentication—The WEP key is used for encryption only. If the
two parties do not use the same key, a wireless link can still be established, but
all data is discarded.
• Shared-key authentication—The WEP key is used for both authentication and
encryption. If the two parties do not use the same key, the client cannot pass
authentication and cannot access the wireless network. Shared-key
authentication also sends a challenge and its WEP-encrypted response over the
air, which exposes WEP keystream, so it gives no real protection beyond open
system authentication with WEP.
Cipher Suite
Encryption mechanisms supported by the wireless service, which can be:
• AES-CCMP—Encryption mechanism based on the AES encryption algorithm.
• TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key
management. TKIP was designed as an interim replacement for WEP on
existing hardware; prefer AES-CCMP wherever the clients support it.
• AES-CCMP and TKIP—Both CCMP and TKIP encryption can be selected.
Security IE
Wireless service type (IE information carried in the beacon or probe response
frame):
• WPA—Wi-Fi Protected Access.
• RSN—An RSN is a security network that allows only the creation of robust
security network associations (RSNAs). It provides greater protection than WEP
and WPA.
• WPA and RSN—Both WPA and RSN can be selected.
Encryption
Provide Key Automatically
• Enable—A WEP key is dynamically assigned.
• Disable—A static WEP key is used.
By default, a static WEP key is used.
When you enable this function, the WEP option is automatically set to wep104.
IMPORTANT:
• This function must be used together with 802.1X authentication.
• With dynamic WEP encryption configured, the WEP key used to encrypt unicast
frames is negotiated between client and server. If a WEP default key is
configured, it is used to encrypt multicast frames. If not, the device randomly
generates a multicast WEP key.
WEP
• wep40—Indicates the WEP40 key option.
• wep104—Indicates the WEP104 key option.
• wep128—Indicates the WEP128 key option.
Key ID
• 1—Key index 1.
• 2—Key index 2.
• 3—Key index 3.
• 4—Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key
corresponding to the specified key index is used for encrypting and
decrypting broadcast and multicast frames.
Key Length
Key length:
• For wep40, the key is a string of 5 alphanumeric characters or a 10-digit
hexadecimal number.
• For wep104, the key is a string of 13 alphanumeric characters or a 26-digit
hexadecimal number.
• For wep128, the key is a string of 16 alphanumeric characters or a 32-digit
hexadecimal number.
WEP Key
Configure the WEP key.
Port Security
See Table 91.
Parameters such as authentication type and encryption type determine the port
mode. For more information, see Table 99.
After you select the Cipher Suite option, the following three port security modes are
added:
• mac and psk—MAC-based authentication must be performed on access users
first. If MAC-based authentication succeeds, an access user has to use the
pre-configured PSK to negotiate with the device. Access to the port is allowed
only after the negotiation succeeds.
• psk—An access user must use the pre-shared key (PSK) that is pre-configured to
negotiate with the device. Access to the port is allowed only after the
negotiation succeeds.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access
users. In this mode, the port supports multiple 802.1X users.
a. Configure mac and psk
Figure 230 mac and psk port security configuration page
Table 97 Configuration items
Item
Description
Port Mode
mac and psk: MAC-based authentication must be performed on access
users first. If MAC-based authentication succeeds, an access user has
to use the pre-configured PSK to negotiate with the device. Access to
the port is allowed only after the negotiation succeeds.
To add the MAC addresses that may pass, select Wireless Service > Access
Service from the navigation tree, click MAC Authentication List, and enter
the MAC address of the client.
Max User
Control the maximum number of users allowed to access the network
through the port.
MAC Authentication
Select MAC Authentication.
Domain
Select an existing domain from the list.
The default domain is system. To create a domain, select
Authentication > AAA from the navigation tree, click the Domain Setup
tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies only to the current wireless
service, and all clients accessing the wireless service use this
domain for authentication, authorization, and accounting.
• Do not delete a domain name that is in use. Otherwise, the clients
that access the wireless service are logged out.
Pre-shared Key
• pass-phrase—Enter the PSK as a character string of 8 to 63 printable
characters.
• raw-key—Enter the PSK as a hexadecimal number of exactly 64
hexadecimal digits (256 bits).
b. Configure psk
Figure 231 psk port security configuration page
Table 98 Configuration items
Item
Description
Port Mode
psk—An access user must use the pre-shared key (PSK) that is
pre-configured to negotiate with the device. The access to the port is
allowed only after the negotiation succeeds.
Max User
Control the maximum number of users allowed to access the network
through the port.
Pre-shared Key
• pass-phrase—Enter the PSK as a character string of 8 to 63 printable
characters.
• raw-key—Enter the PSK as a hexadecimal number of exactly 64
hexadecimal digits (256 bits).
c. Configure userlogin-secure-ext
Perform the configurations as shown in Configure userlogin-secure/userlogin-secure-ext.
Security parameter dependencies
For a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are
as shown in Table 99.
Table 99 Security parameter dependencies
Clear-type service, Open-System authentication:
• Encryption type: Unavailable
• Security IE: Unavailable
• WEP encryption/key ID: Unavailable
• Port mode: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext,
userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext
Crypto-type service, Open-System authentication, Cipher Suite selected:
• Security IE: Required
• WEP encryption/key ID: WEP encryption is available. The key ID can be 2, 3, or 4.
• Port mode: mac and psk, psk, userlogin-secure-ext
Crypto-type service, Open-System authentication, Cipher Suite unselected:
• Security IE: Unavailable
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, or 3.
• Port mode: mac-authentication, userlogin-secure, userlogin-secure-ext
Crypto-type service, Shared-Key authentication:
• Encryption type: Unavailable
• Security IE: Unavailable
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• Port mode: mac-authentication
Crypto-type service, Open-System and Shared-Key authentication, Cipher Suite selected:
• Security IE: Required
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• Port mode: mac and psk, psk, userlogin-secure-ext
Crypto-type service, Open-System and Shared-Key authentication, Cipher Suite unselected:
• Security IE: Unavailable
• WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3, or 4.
• Port mode: mac-authentication, userlogin-secure, userlogin-secure-ext
Enabling a wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
Figure 232 Enabling a wireless service
2.
Select the wireless service to be bound.
3.
Click Enable.
Binding an AP radio to a wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click the icon corresponding to the target wireless service to enter the page for binding an AP
radio to a wireless service.
Figure 233 Binding an AP radio to a wireless service
3.
Select the AP radio to be bound.
4.
Click Bind.
A configuration progress dialog box appears.
5.
After the configuration process is complete, click Close.
Binding an AP radio to a VLAN
Traffic of different services is identified by SSIDs. Locations are identified by APs. Users at different
locations access different services. For a user roaming between different APs, you can provide services
for the user based on its access AP. The detailed requirements are as follows:
•
Users with the same SSID but accessing through different APs can be assigned to different VLANs
based on their configurations.
•
A roaming user always belongs to the same VLAN.
•
For a user roaming between ACs, if the local AC does not have a VLAN-interface, the user needs
to use an HA in the AC group for forwarding packets to avoid packet loss.
Figure 234 Schematic diagram for WLAN support for AP-based access VLAN recognition
(Diagram: a RADIUS server; AC 1 acting as HA and AC 2 acting as FA, connected by an IACTP tunnel;
AP 1 to AP 4; Client 1 in VLAN 3 roaming within an AC and between ACs; Client 2 in VLAN 2.)
As shown in Figure 234, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1
roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between
ACs, if FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets
from Client 1 are sent to HA (AC 1) through the data tunnel and then HA forwards these packets.
Client 2 goes online through AP 4 and belongs to VLAN 2. That is, a client going online through a
different AP is assigned to a different VLAN.
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click the icon corresponding to the target wireless service to enter the AP radio setup page, as
shown in Figure 233.
3.
Select the box corresponding to the AP radio mode to be bound.
4.
Enter the VLAN to be bound in the Binding VLAN field.
5.
Click Bind.
Enabling a radio
1.
Select Radio > Radio from the navigation tree.
Figure 235 Enabling 802.11n radio
2.
Select the box of the target radio.
3.
Click Enable.
A configuration progress dialog box appears.
4.
After the configuration process is complete, click Close.
Displaying the detailed information of a wireless service
Displaying the detailed information of a clear-type wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click the specified clear-type wireless service to see its detailed information.
Figure 236 Displaying the detailed information of a clear-type wireless service
Table 100 Field description
Field
Description
Service Template Number
Current service template number.
SSID
Service set identifier.
Binding Interface
Name of the WLAN-ESS interface bound with the service template.
Service Template Type
Service template type.
Authentication Method
Type of authentication used. A clear-type wireless service can use only Open
System authentication.
SSID-hide
• Disable—Indicates that SSID advertisement is enabled.
• Enable—Indicates that SSID advertisement is disabled, that is,
the AP does not advertise the SSID in the beacon frames. Hiding
the SSID only removes it from beacons; it still appears in probe
and association frames, so it is not an access control.
Bridge Mode
Forwarding mode, which can be:
• Local Forwarding—Use the local forwarding mode.
• Remote Forwarding—Use the remote forwarding mode, that is,
the AC forwards data.
Service Template Status
Service template status, which can be:
• Enable—Indicates that the wireless service is enabled.
• Disable—Indicates that the wireless service is disabled.
Maximum clients per BSS
Maximum number of associated clients per BSS.
Displaying the detailed information of a crypto-type wireless service
1.
Select Wireless Service > Access Service from the navigation tree.
2.
Click a crypto-type wireless service to see its detailed information.
Figure 237 Displaying the detailed information of a crypto-type wireless service
Table 101 Field description
Field
Description
Service Template Number
Current service template number.
SSID
Service set identifier.
Binding Interface
Name of the WLAN-ESS interface bound with the service template.
Service Template Type
Service template type.
Security IE
Security IE, which can be WPA or WPA2.
Authentication Method
Type of authentication used, which can be Open System or Shared
Key.
SSID-hide
• Disable—Indicates that SSID advertisement is enabled.
• Enable—Indicates that SSID advertisement is disabled, that is,
the AP does not advertise the SSID in the beacon frames.
Cipher Suite
Cipher suite, which can be CCMP, TKIP, or
WEP40/WEP104/WEP128.
WEP Key Index
WEP key index used for encrypting and decrypting frames.
WEP Key Mode
WEP key mode:
• HEX—WEP key in hexadecimal format.
• ASCII—WEP key as a character string.
WEP Key
WEP key.
TKIP Countermeasure Time(s)
TKIP MIC failure holdtime, in seconds.
PTK Life Time(s)
PTK lifetime in seconds.
GTK Rekey
Whether GTK rekeying is configured.
GTK Rekey Method
GTK rekey method configured, which can be:
• Time-based, which displays the GTK rekey time in seconds.
• Packet-based, which displays the number of packets.
GTK Rekey Time
Time for GTK rekey in seconds.
Bridge Mode
Forwarding mode, which can be:
• Local Forwarding—Use the local forwarding mode.
• Remote Forwarding—Use the remote forwarding mode, that is,
the AC forwards data.
Service Template Status
Service template status, which can be:
• Enable—Indicates that the wireless service is enabled.
• Disable—Indicates that the wireless service is disabled.
Maximum clients per BSS
Maximum number of associated clients per BSS.
Wireless service configuration example
Network requirements
As shown in Figure 238, an AP is required to enable employees to access the internal resources at any
time. More specifically:
•
An AC and the AP (serial ID 210235A29G007C000020) are connected through a Layer 2 switch.
•
The AP provides clear type wireless access service with SSID service1.
•
802.11n (2.4GHz) radio mode is adopted.
Figure 238 Network diagram
Configuring the AC
1.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c.
On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, and enter the serial ID of the AP.
d. Click Apply.
Figure 239 Creating an AP
2.
Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c.
On the page that appears, set the service name to service1 and select the wireless service type
clear.
d. Click Apply.
Figure 240 Creating a wireless service
3.
Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the service1 box and click Enable.
Figure 241 Enabling wireless service
4.
Bind an AP radio to a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service service1.
c.
On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 242 Binding an AP radio
5.
Enable 802.11n(2.4GHz) radio
a. Select Radio > Radio from the navigation tree.
b. Select the box before ap with the radio mode 802.11n(2.4GHz).
c.
Click Enable.
Figure 243 Enabling 802.11n(2.4GHz) radio
Verifying the configuration
•
The client can successfully associate with the AP and access the WLAN network.
•
You can view the online clients on the page that you enter by selecting Summary > Client from the
navigation tree.
Figure 244 Viewing the online clients
Configuration guidelines
Select a correct district code.
Auto AP configuration example
Network requirements
As shown in Figure 245, enable the auto-AP function to enable APs to automatically connect to the AC.
•
The AP provides a clear type wireless service with the SSID service1.
•
802.11n(2.4GHz) radio mode is adopted.
Figure 245 Network diagram
Configuring the AC
1.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c.
On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID auto, and click Apply.
Figure 246 Creating an AP
2.
Configure a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c.
On the page that appears, set the service name to service1, select the wireless service type
clear, and click Apply.
Figure 247 Creating a wireless service
3.
Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the service1 box.
c.
Click Enable.
Figure 248 Enabling the wireless service
4.
Bind an AP to a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service service1.
c.
On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and
click Bind.
Figure 249 Binding an AP
d. To view the AP status, select AP > AP Setup from the navigation tree. You can see that the AP
is in IDLE state.
Figure 250 AP status before auto AP is enabled
5.
Enable auto AP
a. Select AP > Auto AP from the navigation tree.
b. Select enable.
c.
Click Apply.
Figure 251 Configuring auto AP
d. To view the automatically found AP (ap_0001), click Refresh.
Figure 252 Viewing the automatically found AP
6.
Rename the automatically found AP
If you do not need to rename the automatically found AP, select the ap_0001 box, and then
click Transmit All AP.
To rename the automatically found AP:
a. Select AP > Auto AP from the navigation tree.
b. Click the icon of the target AP.
c. On the page that appears, select AP Rename and enter ap1.
d. Click Apply.
Figure 253 Modifying the AP name
e. To view the renamed AP, select AP > AP Setup from the navigation tree.
Figure 254 Displaying AP
7.
Enable 802.11n(2.4GHz) radio
a. Select Radio > Radio from the navigation tree.
b. Select the box of the target AP.
c.
Click Enable.
Verifying the configuration
•
You can see that the AP is in the Run state on the page you enter by selecting AP > AP Setup from
the navigation tree.
•
The client can successfully associate with the AP and access the WLAN network.
•
You can view the online clients on the page that you enter by selecting Summary > Client from the
navigation tree.
Figure 255 Viewing the online clients
Configuration guidelines
Follow these guidelines when you configure an auto AP:
•
Select a correct district code.
•
When enabling the radio, select the renamed AP (ap1 in the example) rather than the auto AP
template (ap in the example). If you enable the radio of the automatically found AP, the radios of all
the automatically found APs are enabled.
•
While auto AP is enabled, any AP of the selected model that reaches the AC is accepted without a
pre-registered serial ID. Keep the function enabled only while you are onboarding APs, and check
each discovered AP before you rename it and enable its radio.
802.11n configuration example
Network requirements
As shown in Figure 256, deploy an 802.11n network to provide high bandwidth access for multi-media
applications.
•
The AP provides a clear-type wireless service with SSID 11nservice.
•
802.11gn radio mode is adopted so that the 802.11n network inter-works with the existing 802.11g
network and protects the current investment.
Figure 256 Network diagram
Configuring the AC
1.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to 11nap, select the AP model WA22610E-AGN,
select the serial ID manual, enter the serial ID of the AP, and click Apply.
2.
Create a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to 11nservice, select the wireless service type
clear, and click Apply.
3.
Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the 11nservice box.
c. Click Enable.
4.
Bind an AP radio:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the target wireless service.
c. Select the 11nap box.
d. Click Bind.
5.
Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the 11nap box of the target AP.
c. Click Enable.
Verifying the configuration
•
The client can successfully associate with the AP and access the WLAN network.
•
You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.
Figure 257 Viewing the online clients
In this example, 0014-6c8a-43ff is an 802.11g user, and 001c-f0bf-9c92 is an 802.11n user. Both of the
two users can access the WLAN network because there is no limit on the user type. If you enable client
802.11n only, only 001c-f0bf-9c92 can access the WLAN network.
Configuration guidelines
Follow these guidelines when you configure 802.11n:
•
Select Radio > Radio from the navigation tree, select the AP to be configured, and click the icon to
enter the page for configuring a radio. There you can modify the 802.11n parameters, including
bandwidth mode, A-MPDU, A-MSDU, short GI, and whether only 802.11n clients are allowed.
•
Select Radio > Rate from the navigation tree to set 802.11n rates.
WPA-PSK authentication configuration example
Network requirements
As shown in Figure 258, connect the client to the wireless network through WPA-PSK authentication. The
PSK configured on the client is the same as that on the AC: 12345678. This value is for the example only:
a PSK this short and predictable can be recovered offline from a single captured 4-way handshake, so
use a long, random pass-phrase in production.
Figure 258 Network diagram
Configuring the AC
1.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c.
On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
Figure 259 Creating an AP
2.
Create a wireless service
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c.
On the page that appears, set the service name to psk, select the wireless service type crypto,
and click Apply.
Figure 260 Creating a wireless service
3.
Configure wireless service.
After you create a wireless service, you will enter the wireless service configuration page.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Cipher Suite box, select AES-CCMP and TKIP (select an encryption type as needed),
and then select WPA from the Security IE list.
c.
Select the Port Set box, and select psk from the Port Mode list.
d. Select pass-phrase from the Pre-shared Key list, and enter the key 12345678.
e. Click Apply.
Figure 261 Security setup
4.
Enable wireless service.
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the psk[Bind] box.
c.
Click Enable.
Figure 262 Enabling wireless service
5.
Bind an AP radio to a wireless service
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service psk.
c.
On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and
click Bind.
A configuration progress dialog box appears.
d. After the configuration progress is complete, click Close.
Figure 263 Binding an AP radio
6.
Enable 802.11n(2.4GHz) radio
a. Select Radio > Radio from the navigation tree.
b. Select the ap box before 802.11n(2.4GHz).
c.
Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 264 Enabling 802.11n(2.4GHz) radio
Configuring the client
1.
Launch the client, and refresh the network list.
2.
Select the configured service in Choose a wireless network (PSK in this example).
3.
Click Connect.
4.
In the popup dialog box, enter the key (12345678 in this example), and then click Connect.
Figure 265 Configuring the client
The client has the same pre-shared key as the AC, so the 4-way handshake succeeds and the client can associate with the AP.
Figure 266 The client is associated with the AP
Verifying the configuration
•
The client can successfully associate with the AP and access the WLAN network.
•
You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.
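The two PSK input forms described for the Pre-shared Key item (Tables 97 and 98) and the pass-phrase 12345678 used in the WPA-PSK example, worked through as an added example. This is not H3C code: the function names are this example's own, and it assumes the standard IEEE 802.11i mapping from pass-phrase to PSK (PBKDF2-HMAC-SHA1 over the pass-phrase with the SSID as salt, 4096 iterations, 256-bit output), which is what turns the 8 to 63 character pass-phrase into the 64-hex-digit raw-key the AC can also accept directly. The weakness heuristic at the end is only a heuristic.

```python
# Added illustration of pass-phrase and raw-key PSK handling. Not H3C code;
# function names are this example's own.
import hashlib
import re


def validate_passphrase(passphrase: str) -> str:
    """A pass-phrase PSK is 8 to 63 printable ASCII characters (0x20..0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("pass-phrase must contain only printable ASCII")
    return passphrase


def parse_raw_key(hex_key: str) -> bytes:
    """A raw-key PSK is the 256-bit key itself, written as 64 hexadecimal digits."""
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", hex_key):
        raise ValueError("raw-key must be exactly 64 hexadecimal digits (256 bits)")
    return bytes.fromhex(hex_key)


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i pass-phrase to PSK mapping:
    PSK = PBKDF2-HMAC-SHA1(pass-phrase, salt=SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so the same pass-phrase gives a different PSK per SSID."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keys_match(client_passphrase: str, ssid: str, ac_raw_key_hex: str) -> bool:
    """Would a client typing `client_passphrase` derive the PSK the AC holds as raw-key?
    This is the value both sides feed into the 4-way handshake; if it differs,
    the handshake fails and the client is not associated."""
    return psk_from_passphrase(client_passphrase, ssid) == parse_raw_key(ac_raw_key_hex)


def is_trivially_guessable(passphrase: str) -> bool:
    """Heuristic only: short or all-digit pass-phrases (like 12345678 in the example)
    sit at the front of the wordlists an offline attack on a captured handshake tries."""
    return len(passphrase) < 12 or passphrase.isdigit()


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: pass-phrase "password", SSID "IEEE".
    print(psk_from_passphrase("password", "IEEE").hex())
    print("12345678 trivially guessable:", is_trivially_guessable("12345678"))
```

Because the 4096 PBKDF2 rounds are the only cost an attacker pays per guess, the strength of WPA-PSK is entirely the entropy of the pass-phrase; the raw-key form lets you provision a full 256-bit random key when the clients support entering it.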
Local MAC authentication configuration example
Network requirements
The AC is connected to the AP through a Layer 2 switch, and they are in the same network. Perform local
MAC authentication on the client.
Figure 267 Network diagram
Configuring the AC
1.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c.
On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
Figure 268 Creating an AP
2.
Create a wireless service
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c.
On the page that appears, set the service name to mac-auth, select the wireless service type
clear, and click Apply.
Figure 269 Creating a wireless service
3.
Configure the wireless service:
After you have created a wireless service, you enter the wireless service configuration page.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c.
Select the MAC Authentication box, and select system from the Domain list.
To create a domain, select Authentication > AAA from the navigation tree, click the Domain
Setup tab, and enter a domain name in the Domain Name field.
d. Click Apply.
Figure 270 Security setup
4.
Enable wireless service.
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the mac-auth box.
c.
Click Enable.
Figure 271 Enabling wireless service
5.
Configure a MAC authentication list
a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List.
c.
On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used
in this example.
d. Click Add.
Figure 272 Adding a MAC authentication list
6.
Bind an AP radio to a wireless service
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service mac-auth.
c.
On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and
click Bind.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 273 Binding an AP radio
7.
Enable 802.11n(2.4GHz) radio
a. Select Radio > Radio from the navigation tree.
b. Select the ap 802.11n(2.4GHz) box of the target AP.
c.
Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 274 Enabling 802.11n(2.4GHz) radio
Configuring the client
1.
Launch the client, and refresh the network list.
2.
Select the configured service in Choose a wireless network (mac-auth in this example).
3.
Click Connect.
If the MAC address of the client is in the MAC authentication list, the client passes MAC
authentication and can access the wireless network. A MAC address is carried in the clear in
every 802.11 frame and can be set to any value on an ordinary client, so a MAC authentication list
only identifies a device; for access control that resists cloning, combine it with a PSK (the mac and
psk port mode) or with 802.1X.
Figure 275 Configuring the client
Verifying the configuration
•
The client can successfully associate with the AP and access the WLAN network.
•
You can view the online clients on the page you enter by selecting Summary > Client.
Remote MAC authentication configuration example
Network requirements
As shown in Figure 276, perform remote MAC authentication on the client.
• Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and accounting (AAA). On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
• The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with the RADIUS server as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server.
Figure 276 Network diagram
Configuring the AC
1. Assign an IP address to the AC:
a. Select Network > VLAN to create a VLAN on the AC.
b. Select Device > Interface Management to assign an IP address to the VLAN interface.
2. Configure a RADIUS scheme:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
d. Enter mac-auth in the Scheme Name field.
e. Select Extended as the server type.
f. Select Without domain name from the Username Format list.
g. Click Apply.
Figure 277 Configuring RADIUS
3. Configure AAA:
a. From the navigation tree, select Authentication > AAA.
b. Optional: On the Domain Setup tab, create a new ISP domain.
This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 278 Configuring the AAA authentication method for the ISP domain
e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.
Figure 279 Configuring the AAA authorization method for the ISP domain
g. On the Accounting tab, select the ISP domain system, select the Accounting Optional box, select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme mac-auth from the Name list, and click Apply.
A configuration progress dialog box appears.
h. After the configuration process is complete, click Close.
Figure 280 Configuring the AAA accounting method for the ISP domain
4. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 281 AP setup
5. Configure wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the wireless service name to mac-auth, select the wireless service type clear, and click Apply.
Figure 282 Creating a wireless service
6. Configure MAC authentication:
After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select the Port Set box, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication box, and select system from the Domain list.
d. Click Apply.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 283 Security setup
7. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the mac-auth box.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 284 Enabling the wireless service
8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service mac-auth.
c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 285 Binding an AP radio to a wireless service
9. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the ap 802.11n(2.4GHz) box of the target AP.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 286 Enabling 802.11n(2.4GHz) radio
Configuring the RADIUS server (IMCv3)
NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
a. Click the Service tab in the IMC Platform.
b. Select Access Service > Access Device from the navigation tree.
c. Click Add.
d. On the page that appears, add expert for Shared Key, add ports 1812 and 1813 for Authentication Port and Accounting Port respectively, select LAN Access Service for Service Type, select H3C for Access Device Type, select or manually add an access device with the IP address 10.18.1.1, and click Apply.
Figure 287 Adding access device
2. Add a service:
a. Click the Service tab.
b. Select Access Service > Access Device from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.
Figure 288 Adding service
3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter the username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.
Figure 289 Adding account
Configuring the RADIUS server (IMC v5)
NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
a. Click the Service tab in the IMC Platform.
b. Select User Access Manager > Access Device Management from the navigation tree.
c. Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.
Figure 290 Adding access device
2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.
Figure 291 Adding service
3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree to enter the user page.
c. Click Add.
d. On the page that appears, enter the username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.
Figure 292 Adding account
Verifying the configuration
• During authentication, the user does not need to enter the username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
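The following is an added example, not code from the H3C guide or from IMC: it shows what the remote MAC authentication example above looks like on the wire between the AC and the RADIUS server, built by hand from RFC 2865. It takes from the example the shared key expert, the AC (NAS) address 10.18.1.1, the client MAC 0014-6c8a-43ff, the ISP domain system, the username format Without domain name, and the IMC account 00146c8a43ff with password 00146c8a43ff. Function names, the accounts table and the random Request Authenticator are this example's own assumptions.

```python
"""Added example (not from the H3C guide): RFC 2865 Access-Request /
Access-Accept exchange for MAC authentication, AC side and server side.

Assumed from the guide's example: shared key "expert", NAS 10.18.1.1,
client MAC 0014-6c8a-43ff, domain "system", "Without domain name",
IMC account 00146c8a43ff / 00146c8a43ff.  Everything else is constructed.
"""
import hashlib
import os
import socket
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def mac_auth_username(h3c_mac: str, domain: str, strip_domain: bool) -> str:
    """User-Name the AC sends for a MAC-authenticated client: the AC shows the
    MAC as 0014-6c8a-43ff, IMC holds 00146c8a43ff.  With the scheme set to
    "Without domain name" the ISP domain is not appended."""
    plain = h3c_mac.replace("-", "").lower()
    return plain if strip_domain else f"{plain}@{domain}"


def _md5_stream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator.  The same loop hides and unhides."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, mask))
        out += xored
        prev = xored if hiding else block   # chain on the ciphertext block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _md5_stream_xor(padded, secret, authenticator, hiding=True)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _md5_stream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(packet: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 20                       # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2:
            break                             # malformed attribute, stop parsing
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         ident: int, authenticator: bytes) -> bytes:
    """Access-Request as the AC (NAS) sends it: Code 1, Identifier, Length,
    16-byte random Request Authenticator, then the attributes."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def _response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes,
                            secret: bytes) -> bytes:
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def server_reply(request: bytes, secret: bytes, accounts: Dict[str, str]) -> bytes:
    """Minimal server-side decision: unhide User-Password, compare with the
    account table (what IMC holds), answer Access-Accept or Access-Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if accounts.get(user, "").encode() == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + _response_authenticator(code, ident, b"", request_auth, secret)


def nas_accepts(response: bytes, ident: int, request_auth: bytes, secret: bytes) -> Optional[bool]:
    """What the AC does with the reply: check Identifier and Response
    Authenticator.  None means the reply fails validation and is dropped."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    expected = _response_authenticator(code, rid, response[20:length], request_auth, secret)
    if rid != ident or response[4:20] != expected:
        return None
    return code == ACCESS_ACCEPT


def demo(server_secret: bytes = b"expert") -> Optional[bool]:
    """Run the exchange with the example's values; pass a different
    server_secret to reproduce a shared-key mismatch between AC and IMC."""
    ac_secret, ident = b"expert", 7
    accounts = {"00146c8a43ff": "00146c8a43ff"}   # constructed: the IMC account above
    name = mac_auth_username("0014-6c8a-43ff", "system", strip_domain=True)
    request_auth = os.urandom(16)
    request = build_access_request(name, name, ac_secret, "10.18.1.1", ident, request_auth)
    response = server_reply(request, server_secret, accounts)
    return nas_accepts(response, ident, request_auth, ac_secret)
```

demo() returns True for the example's values. demo(b"other-key") returns None: with different shared keys the server unhides a garbage password and rejects, and the AC then discards the reply because the Response Authenticator no longer verifies, so the shared key on the AC and on IMC must be identical for either an accept or a reject to reach the client.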
Remote 802.1X authentication configuration example
Network requirements
Perform remote 802.1X authentication on the client.
• Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
• On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Figure 293 Network diagram
Configuring the AC
1. Assign an IP address to the AC:
a. Select Network > VLAN to create a VLAN on the AC.
b. Select Device > Interface Management to assign an IP address to the VLAN interface.
2. Configure a RADIUS scheme:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add.
c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
d. Enter 802.1x in the Scheme Name field.
e. Select the server type Extended, and select Without domain name from the Username Format list.
f. Click Apply.
Figure 294 Configuring RADIUS
3. Configure AAA:
a. Select Authentication > AAA from the navigation tree.
b. Optional: On the Domain Setup tab, create a new ISP domain.
This example uses the default domain system.
c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.1x from the Name list, and click Apply.
Figure 295 Configuring the AAA authentication method for the ISP domain
d. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name list, and click Apply.
Figure 296 Configuring the AAA authorization method for the ISP domain
e. On the Accounting tab, select the ISP domain system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme 802.1x from the Name list, and click Apply.
Figure 297 Configuring the AAA accounting method for the ISP domain
4. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.
Figure 298 AP setup
5. Configure wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.
Figure 299 Creating a wireless service
6. Configure 802.1X authentication:
After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
c. Select system from the Mandatory Domain list.
d. Select EAP from the Authentication Method list.
e. Disable Handshake and Multicast Trigger (recommended).
f. Click Apply.
g. A progress dialog box appears. During the process, another dialog box appears asking you whether to enable EAP authentication. Click OK.
h. After the configuration progress is complete, click Close.
Figure 300 Security setup
7. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the dot1x box and click Enable.
Figure 301 Enabling the wireless service
8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service dot1x.
c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
d. Click Bind.
A configuration progress dialog box appears.
e. After the configuration process is complete, click Close.
Figure 302 Binding an AP radio to a wireless service
9. Enable 802.11n(2.4GHz) radio:
a. Select Radio > Radio from the navigation tree.
b. Select the box of the target AP.
c. Click Enable.
A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
Figure 303 Enabling 802.11n(2.4GHz) radio
Configuring the RADIUS server (IMCv3)
NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
a. Click the Service tab in the IMC management platform.
b. Select Access Service > Access Device from the navigation tree.
c. Click Add.
d. On the page that appears, enter the shared key expert, enter the authentication and accounting ports 1812 and 1813, select LAN Access Service from the Service Type list, select H3C from the Access Device Type list, select or manually add an access device with the IP address 10.18.1.1, and click Apply.
Figure 304 Adding access device
2. Add a service:
a. Click the Service tab.
b. Select Access Service > Access Device from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
Figure 305 Adding service
3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.
Figure 306 Adding account
Configuring the RADIUS server (IMC v5)
NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.
1. Add an access device:
a. Click the Service tab in the IMC platform.
b. Select User Access Manager > Access Device Management from the navigation tree.
c. Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.
Figure 307 Adding access device
2. Add a service:
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
Figure 308 Adding a service
3. Add an account:
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.
Figure 309 Adding account
Configuring the wireless client
1. Double-click the icon at the bottom right corner of your desktop.
The Wireless Network Connection Status window appears.
2. Click Properties in the General tab.
The Wireless Network Connection Properties window appears.
3. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties.
The dot1x Properties window appears.
4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
Figure 310 Configuring the wireless client (I)
Figure 311 Configuring the wireless client (II)
Figure 312 Configuring the wireless client (III)
Verifying the configuration
• After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.
Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
Perform dynamic WEP encryption-802.1X authentication on the client. More specifically:
• Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
• On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Figure 313 Network diagram
Configuration procedure
1. Assign an IP address to the AC:
See "Assign an IP address to the AC."
2. Configure a RADIUS scheme:
See "Configure a RADIUS scheme."
3. Configure AAA:
See "Configure AAA."
4. Configure the AP:
See "Create an AP."
5. Create a wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.
Figure 314 Creating a wireless service
6. Configure 802.1X authentication:
After you create a wireless service, the wireless service configuration page appears.
a. In the Security Setup area, select Open-System from the Authentication Type list.
b. Select Encryption, and select Enable from the Provide Key Automatically list.
c. Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
e. Select system from the Mandatory Domain list.
f. Select EAP from the Authentication Method list.
g. Disable Handshake and Multicast Trigger (recommended).
h. Click Apply.
Figure 315 Security setup
7. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the dot1x box and click Enable.
Figure 316 Enabling the wireless service
8. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service dot1x.
c. On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz) and click Bind.
Figure 317 Binding an AP radio to a wireless service
9. Enable 802.11n(2.4GHz) radio:
See "Enable 802.11n(2.4GHz) radio."
10. Configure the RADIUS server (IMCv3):
See "Configuring the RADIUS server (IMCv3)."
11. Configure the RADIUS server (IMCv5):
See "Configuring the RADIUS server (IMC v5)."
Configuring the wireless client
1. Double-click the icon at the bottom right corner of your desktop.
2. The Wireless Network Connection Status window appears.
3. Click Properties.
The Wireless Network window appears.
4. Click Add.
5. Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure that you have selected The key is provided for me automatically.
Figure 318 Configuring the wireless client (I)
6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7. In the popup window, clear Validate server certificate, and click Configure.
8. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.
Figure 319 Configuring the wireless client (II)
Figure 320 Configuring the wireless client (III)
Verifying the configuration
• After the user enters username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
• You can view the online clients on the page you enter by selecting Summary > Client.
Configuring mesh services
Different from a traditional WLAN, a WLAN mesh network allows for wireless connections between APs, making the WLAN more mobile and flexible. Moreover, multi-hop wireless links can be established between APs. From the perspective of end users, a WLAN mesh network has no difference from a traditional WLAN.
Mesh overview
Basic concepts in WLAN mesh
Figure 321 Typical WLAN mesh network (labels: AC, MPP, MP, MAP, WLAN mesh network, Client)
As shown in Figure 321, the concepts involved in WLAN mesh are described below.
Concept | Description
Access controller (AC) | A device that controls and manages all the APs in the WLAN.
Mesh point (MP) | A wireless AP that connects to a mesh portal point (MPP) through a wireless connection but cannot have any client attached.
Mesh access point (MAP) | An AP providing the mesh service and the access service concurrently.
Mesh portal point (MPP) | A wireless AP that connects to an AC through a wired connection.
Mesh link | A wireless link between MPs.
Advantages of WLAN mesh
The WLAN mesh technology allows operators to easily deploy wireless networks anywhere and anytime. WLAN mesh has the following advantages:
• High performance/price ratio—In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to the minimum extent, and the investment in wired devices, cabling, and installation is greatly reduced.
• Excellent scalability—In a mesh network, the APs can automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you just need to install these new APs and perform the related configurations on them.
• Fast deployment—Since only the MPPs need to connect to a wired network, WLAN mesh greatly reduces the network deployment time.
• Various application scenarios—The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also applicable to large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.
• High reliability—In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP cannot access the WLAN. Comparatively, in a mesh network, all APs are fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the wired network, thus effectively avoiding single points of failure.
Deployment scenarios
This section covers deployment scenarios of WLAN mesh, which are in two categories: subway networking and normal networking.
Normal WLAN mesh deployment
1. Normal fit MP scenario
As shown in Figure 322, two mesh networks are controlled by the same AC. At least one MPP in a mesh has wired connectivity with the AC. When an MP comes up, it scans the network and forms temporary connections with all available MPs in its vicinity. Such temporary connections allow the MP to connect to the AC for downloading its configurations. After downloading its configurations from the AC, the MP establishes secure connections with neighbors sharing the same pre-shared key.
Figure 322 Normal fit MP scenario
2. One fit MP with two radios, each on a different mesh
As shown in Figure 323, to avoid cross-interference between Mesh 1 and Mesh 2, you can configure two radios for an MP, each of which is present in a different mesh network. The only constraint is that both meshes have to be managed by the same AC.
Figure 323 Two radios on different meshes
3. One fit MP with two radios on the same mesh
As shown in Figure 324, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio 1 can provide access for downstream MPs. Radio 2 cannot automatically access the mesh and provide the mesh service.
Figure 324 Two radios on different meshes
If an MP supports three radios, you can configure Radio 1 as the uplink interface, Radio 2 as the downlink interface, and Radio 3 as the multi-beam antenna. To utilize the dual-radio resources on MPs, you can establish the network as shown in Figure 325. In such a network, when Radio 1 of MP 1 accesses the mesh, Radio 2 on MP 1 also automatically joins the mesh. In this network, you should apply the same mesh service to both Radio 1 and Radio 2. For more information, see "Tri-radio mesh configuration example."
Figure 325 Two radios on the same mesh (labels: AC, MPP, MP 1, MP 2, Radio 1, Radio 2, Radio 3)
Subway WLAN mesh deployment
A subway is an important traffic means for a modern city. In a subway system, control information must be sent to trains to effectively manage trains and provide various services to customers.
As shown in Figure 326, a subway WLAN mesh solution has fit MPs deployed along the rail, which are managed by the same AC. A train MP (fat AP) continuously scans for new rail MPs (fit APs), and sets up active/dormant links with the rail MPs with the best signal quality. The active mesh link is used for data transmission, and the dormant mesh link acts as the backup link.
Figure 326 Subway deployment of mesh
The subway WLAN mesh deployment is based on the Mobile Link Switch Protocol (MLSP), which is used for high-speed link switch with zero packet loss during train movement. The new IEEE standard 802.11s is adopted as the underlying protocol for link formation and communication between the mobile radio (MR) and the wayside AP. Train MPs are not required to act as authenticators.
WLAN mesh security
A WLAN network uses air as the communication medium, so it is vulnerable to malicious attacks. In a mesh network, a wireless connection passes through multiple hops, and thus a mesh network is more vulnerable to malicious attacks. Therefore, WLAN mesh network security becomes an essential part of WLAN mesh networks. Security involves encryption algorithms and the distribution and management of keys. Currently, the PSK + CCMP combination is used for securing mesh networks.
Mobile link switch protocol
At any given time, an active link should be available between a rail MP and a train MP for data communication. MLSP was developed to create and break links during train movement.
As shown in Figure 327, when the train is moving, it must break the existing active link with rail MP 2 and create a new active link with another rail MP.
Figure 327 Diagram for MLSP
• Active Link: Logical link through which all data communication from/to a train MP happens.
• Dormant Link: Logical link over which no data transfer happens, but which satisfies all the criteria for becoming an active link.
MLSP advantages
• MLSP ensures that the link switch time is less than 30 ms.
• MLSP works well even if the devices get saturated at a high power level.
• MLSP achieves zero packet loss during link switch.
Operation of MLSP
MLSP establishes multiple links at any given time between a train MP and multiple rail MPs to provide link redundancy, thus ensuring high performance and good robustness for the network.
The following parameters are considered by MLSP for link switch. Based on the deployment, all these parameters are tunable to achieve the best results.
• Link formation RSSI/link hold RSSI—This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error rate can be very high.
• Link switch margin—If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch occurs. This mechanism is used to avoid frequent link switch.
• Link hold time—An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.
• Link saturation RSSI—This is the upper limit of RSSI on the active link. If the value is reached, link switch occurs.
Formation of dormant links
A train MP performs active scanning to find neighboring rail MPs by sending probe requests at a very high rate. Based on the probe responses received, the train MP forms a neighbor table.
After that, the train MP creates dormant links with rail MPs that have an RSSI value greater than the link formation RSSI.
Selection of active link
A train MP selects the active link from dormant links based on the following rules:
1. If no dormant link is available, the active link cannot be formed.
2. Active link switch will not happen within the link hold time, except under the following two conditions:
Condition 1—The active link RSSI exceeds the link saturation RSSI.
Condition 2—The active link RSSI is below the link hold RSSI.
3. When the link hold timer expires, if no dormant link has an RSSI greater than the active link RSSI by the link switch margin, link switch will not happen.
4. In normal scenarios, active link switch will happen when all of the following conditions are met:
The link hold timer expires.
The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.
The dormant link RSSI is not greater than the link saturation RSSI.
5. Once the RSSI of the active and dormant links has gone below the link hold RSSI, the links should be broken. However, to ensure service availability in worse cases, if the active link RSSI has gone below the link hold RSSI and no dormant links exist, the active link is not broken.
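The dormant link formation and the five active-link selection rules above, as an added example that is not part of the H3C guide and not H3C's MLSP implementation: a small simulation of one train MP making its decision each scan round. It assumes RSSI values in dBm as integers, a link hold time counted in scan rounds rather than milliseconds, that a dormant link forms above the link formation RSSI and is dropped below the link hold RSSI, that a rail MP that stops answering probes is treated as gone, and that a forced switch whose only candidates exceed the link saturation RSSI still takes the strongest one; the parameter values and the rail MP readings are constructed.

```python
"""Added example (not from the H3C guide): MLSP active-link selection for one
train MP, following the five rules in the guide.

Assumptions: integer RSSI in dBm; link hold time counted in scan rounds; a
dormant link forms above the formation RSSI and is dropped below the hold
RSSI; a rail MP that stops answering probes is gone; a forced switch falls
back to the strongest candidate if all candidates exceed the saturation RSSI.
Parameter values and rail MP readings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MlspParams:
    link_formation_rssi: int = -75
    link_hold_rssi: int = -80
    link_switch_margin: int = 6
    link_hold_time: int = 2            # scan rounds (assumption)
    link_saturation_rssi: int = -30


@dataclass
class TrainMp:
    params: MlspParams
    active: Optional[str] = None
    dormant: Dict[str, int] = field(default_factory=dict)   # rail MP -> RSSI
    hold_timer: int = 0

    def _switch_to(self, rail_mp: str) -> str:
        self.active = rail_mp
        self.dormant.pop(rail_mp, None)
        self.hold_timer = self.params.link_hold_time    # restart the link hold timer
        return rail_mp

    def scan(self, neighbor_table: Dict[str, int]) -> Optional[str]:
        """One scan round: neighbor_table maps rail MP -> RSSI of its probe
        response.  Returns the rail MP now carrying the active link, or None."""
        p = self.params
        # Formation of dormant links: new links need the formation RSSI,
        # existing ones are kept down to the hold RSSI (rule 5).
        self.dormant = {mp: r for mp, r in neighbor_table.items()
                        if mp != self.active
                        and (r > p.link_formation_rssi
                             or (mp in self.dormant and r >= p.link_hold_rssi))}
        active_rssi = neighbor_table.get(self.active) if self.active else None
        if self.active is not None and active_rssi is None:
            self.active = None          # assumption: rail MP no longer heard
        if self.active is None:
            if not self.dormant:        # rule 1: nothing to promote
                return None
            return self._switch_to(max(self.dormant, key=self.dormant.get))
        too_weak = active_rssi < p.link_hold_rssi
        if too_weak and not self.dormant:
            return self.active          # rule 5: keep a weak link rather than none
        forced = too_weak or active_rssi > p.link_saturation_rssi   # rule 2 conditions
        if self.hold_timer > 0 and not forced:
            self.hold_timer -= 1        # rule 2: hold time not yet expired
            return self.active
        usable = {mp: r for mp, r in self.dormant.items() if r <= p.link_saturation_rssi}
        if forced and self.dormant:
            pool = usable or self.dormant
            return self._switch_to(max(pool, key=pool.get))
        if not forced and usable:
            best = max(usable, key=usable.get)
            if usable[best] > active_rssi + p.link_switch_margin:
                return self._switch_to(best)    # rule 4: all conditions met
        return self.active              # rule 3: margin not reached, no switch


def demo() -> List[Optional[str]]:
    """Constructed run: the train passes rail1 and rail2, then leaves the tunnel."""
    train = TrainMp(MlspParams())
    rounds = [
        {"rail1": -60, "rail2": -70, "rail3": -85},   # rail3 below formation RSSI
        {"rail1": -62, "rail2": -50},                  # hold timer running, no switch
        {"rail1": -64, "rail2": -50},
        {"rail1": -66, "rail2": -50},                  # timer expired, margin met: rail2
        {"rail1": -66, "rail2": -52},
        {"rail1": -66, "rail2": -20},                  # rail2 saturated: forced switch
        {"rail1": -85},                                # below hold RSSI, no dormant link
        {},                                            # nothing heard
    ]
    return [train.scan(table) for table in rounds]
```

demo() returns the active rail MP per round: rail1 for the first three rounds, rail2 for two rounds, rail1 again after the saturation-forced switch and once more under rule 5, then None. The hold timer is what keeps round 2 on rail1 even though rail2 is already 12 dB stronger; without it the train would flap between rail MPs on every scan, which is the behaviour the link switch margin and link hold time are there to prevent.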
Mesh network topologies
The mesh feature supports the following three topologies. Mesh is implemented through configuration of a peer MAC address for each AP. For more information, see "Configuring a peer MAC address."
Point to point connection
In this topology, by configuring the peer MAC address for an AP, you determine the mesh link to be formed.
Figure 328 Mesh point to point topology
Point to multi-point connection
In this topology, a centralized bridging device forms wireless links with multiple MPs to bridge data among multiple LAN segments. As shown in Figure 329, data transferred between different LAN segments goes via AP 1.
Figure 329 Mesh point to multi-point topology (labels: AC, AP 1, AP 2, AP 3, AP 4, AP 5)
Self topology detection and bridging connection
In this topology, MPs automatically detect neighbors and form wireless links to provide wireless connectivity between LAN segments, as shown in Figure 330. Loops can easily occur in this topology. You can use mesh routes to selectively block redundant links to eliminate loops, and to back up the links when the mesh links fail.
Figure 330 Self topology detection and bridging (labels: AC, AP 1, AP 2, AP 3, AP 4)
Configuring mesh service
Configuring mesh service
Creating a mesh service
1.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Service tab.
311
Figure 331 Mesh service configuration page
3.
Click Add.
Figure 332 Creating a mesh service
4.
Configure the mesh service as described in Table 102.
5.
Click Apply.
Table 102 Configuration items
Item
Description
Mesh Service Name
Name of the created mesh service.
Configuring a mesh service
1.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Service tab.
3.
Click the
service.
icon corresponding to the target mesh service to enter the page for configuring mesh
312
Figure 333 Configuring mesh service
4.
Configure the mesh service as described in Table 103.
5.
Click Apply.
Table 103 Configuration items
Item
Description
Mesh Service
Display the selected mesh service name.
VLAN (Tagged)
Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged)
indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
VLAN (Untagged)
Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged)
indicates that the ports send the traffic of the VLAN with the VLAN tag removed.
Set the default VLAN.
Default VLAN
By default, the default VLAN of all ports is VLAN 1. After you set the new default
VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Exclude VLAN
Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
Enable or disable mesh route selection algorithm:
Mesh Route
• Disable—Disable the mesh route selection algorithm.
• Enable—Enable the mesh route selection algorithm.
By default, the mesh route selection algorithm is disabled.
Link Keep Alive Interval
Configure the mesh link keep-alive interval.
Link Backhaul Rate
Configure the backhaul radio rate.
Security Configuration
Pass Phrase
Enter a pre-shared key in the format of character string.
313
Item
Description
Raw Key
Enter a pre-shared key in the format of hexadecimal digits.
Pre-shared key.
Pre-shared Key
• A string of 8 to 63 characters, or.
• A valid hexadecimal number of 64 bits.
Binding an AP radio to a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon corresponding to the target mesh service to enter the page for binding an AP radio to a mesh service.
Figure 334 Binding an AP radio to a mesh service
3. Select the AP radio to be bound.
4. Click Bind.
Enabling a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
Figure 335 Enabling a mesh service
3. Select the mesh service to be enabled.
4. Click Enable.
Displaying the detailed information of a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
3. Click a mesh service to see its detailed information.
Figure 336 Mesh service detailed information
Table 104 Field description
Mesh Profile Number: Mesh service number.
Mesh ID: Mesh ID of the mesh service.
Binding Interface: Mesh interface bound to the mesh service.
MKD Service: MKD service status, which can be:
• Enable—Indicates that the MKD service is enabled.
• Disable—Indicates that the MKD service is disabled.
Link Keep Alive Interval: Interval at which keep-alive packets are sent.
Link Backhaul Rate: Link backhaul rate.
Mesh Profile Status: Mesh service status, which can be:
• Enable—Indicates that the mesh service is enabled.
• Disable—Indicates that the mesh service is disabled.
Configuring a mesh policy
Creating a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.
Figure 337 Mesh policy configuration page
3. Click Add.
Figure 338 Create a mesh policy
4. Configure the mesh policy as described in Table 105.
5. Click Apply.
Table 105 Configuration items
Mesh Policy Name: Name of the mesh policy to be created. A new mesh policy starts with the contents of the default mesh policy default_mp_plcy.
Configuring a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the icon corresponding to the target mesh policy to enter the mesh policy configuration page.
Figure 339 Configuring a mesh policy
4. Configure the mesh policy as described in Table 106.
5. Click Apply.
Table 106 Configuration items
Mesh Policy: Displays the name of the mesh policy.
Link establishment: Enable or disable link initiation. By default, link initiation is enabled.
IMPORTANT:
• Disable this feature when you configure an MP policy for a rail AP.
• This feature is used on train MPs in subway WLAN mesh deployments.
Minimum time to hold a link: Set the link hold time. An active link remains up for the link hold time even if the link switch margin is reached. This mechanism avoids frequent link switching.
Maximum number of links: Set the maximum number of links that an MP can form in a mesh network.
IMPORTANT:
If more than two mesh links are configured on an AP, set the maximum number of links that an MP can form accordingly.
Minimum rssi to hold a link: Set the link formation/link hold RSSI (received signal strength indicator). This is the minimum RSSI at which a link can be formed and held. In a tunnel deployment, this RSSI must be available at every point along the tunnel; otherwise, the error rate can be very high.
Minimum margin rssi: Set the link switch margin. If the RSSI of a new link exceeds that of the current active link by the link switch margin, the active link is switched. This mechanism avoids frequent link switching.
Maximum rssi to hold a link: Set the link saturation RSSI. This is the upper limit of the RSSI on the active link. If it is reached, the chipset is saturated and a link switch occurs.
Interval between probe requests: Set the probe request interval.
Role as authenticator: By default, whether a device plays the role of an authenticator is decided by negotiation.
ratemode: Select the rate mode of the mesh link:
• fixed—The rate is fixed at the maximum rate of the current radio.
• realtime—The rate changes with the link quality, that is, with the RSSI of the current radio.
The fixed mode is adopted by default.
Mlsp: Enable or disable the Mobile Link Switch Protocol (MLSP). MLSP implements high-speed link switching with zero packet loss during train movement. It is applicable to subway WLAN mesh deployments only.
Proxy MAC Address: Select the Proxy MAC Address option to specify the MAC address of the peer device.
Proxy VLAN: VLAN ID of the peer device.
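Added example, not the AC's own algorithm: a small Python model of how the Table 106 thresholds interact when a train MP decides whether to keep its active link or switch to a dormant one. The rule order (hold RSSI, saturation, hold time, switch margin, with the maximum number of links capping the dormant set) follows the table's descriptions; the RSSI values, the peer names, and the assumption that saturation overrides the hold time are constructed for the example.

```python
from dataclasses import dataclass

# Added example, not the AC's algorithm: a model of how the Table 106
# thresholds interact when a (train) MP decides whether to keep or switch
# its active link. Values are constructed.


@dataclass
class MeshPolicy:
    link_hold_rssi: int = 15         # "Minimum rssi to hold a link"
    link_switch_margin: int = 10     # "Minimum margin rssi"
    link_saturation_rssi: int = 70   # "Maximum rssi to hold a link"
    link_hold_time_ms: int = 3000    # "Minimum time to hold a link"
    max_links: int = 2               # "Maximum number of links" (guide default)


@dataclass
class Link:
    peer: str   # rail MP name (constructed)
    rssi: int   # current RSSI of the link


def pick_active_link(policy, active, active_age_ms, candidates):
    """Return (decision, peer) with decision 'form', 'hold', 'switch' or 'none'.

    Rules modelled from Table 106:
      * a link whose RSSI is below link_hold_rssi can be neither formed nor held;
      * besides the active link an MP keeps at most max_links - 1 dormant links,
        here the strongest ones;
      * an active link at or above the saturation RSSI is switched away from
        (assumption: this overrides the hold time);
      * otherwise the active link is held for link_hold_time_ms even if a
        candidate already beats it by the switch margin;
      * after that, a candidate whose RSSI beats the active link by at least
        link_switch_margin takes over.
    """
    usable = [c for c in candidates if c.rssi >= policy.link_hold_rssi]
    dormant = sorted(usable, key=lambda c: c.rssi, reverse=True)[: policy.max_links - 1]
    best = dormant[0] if dormant else None

    if active is None or active.rssi < policy.link_hold_rssi:
        # No usable active link: form one with the strongest dormant peer, if any.
        return ("form", best.peer) if best else ("none", None)
    if best is None:
        return ("hold", active.peer)
    if active.rssi >= policy.link_saturation_rssi:
        return ("switch", best.peer)
    if active_age_ms < policy.link_hold_time_ms:
        return ("hold", active.peer)
    if best.rssi - active.rssi >= policy.link_switch_margin:
        return ("switch", best.peer)
    return ("hold", active.peer)


if __name__ == "__main__":
    policy = MeshPolicy()
    rails = [Link("rail-2", 50), Link("rail-3", 35)]
    print(pick_active_link(policy, Link("rail-1", 30), 1000, rails))  # held: hold time not over
    print(pick_active_link(policy, Link("rail-1", 30), 5000, rails))  # switch to rail-2
```

Running the model with a low margin or a short hold time shows the flapping the table warns about: a candidate that is only marginally stronger keeps taking over and being replaced, which is why both thresholds exist.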
Binding an AP radio to a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the button corresponding to the target mesh policy.
4. Select the AP radio to be bound.
5. Click Bind.
Displaying the detailed information of a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.
3. Click a mesh policy to see its detailed information.
Figure 340 Mesh policy detailed information
Table 107 Field description
MP Policy Name: Name of the mesh policy.
Mesh Link Initiation: Whether link initiation is enabled.
Mlsp: Mobile Link Switch Protocol (MLSP) status, which can be:
• Enable—Indicates that MLSP is enabled.
• Disable—Indicates that MLSP is disabled.
Authenticator Role: Authenticator role status, which can be:
• Enable—Indicates that the authenticator role is enabled.
• Disable—Indicates that the authenticator role is disabled.
Max Links: Maximum number of links on a device using this mesh policy.
Probe Request Interval (ms): Interval between probe requests sent by a device using this mesh policy.
Link Hold RSSI: Link hold RSSI.
Link Hold Time (ms): Link hold time.
Link Switch Margin: Link switch margin.
Link saturation RSSI: Link saturation RSSI.
Link rate-mode: Method of calculating the link cost, which can be:
• Fixed—Indicates that the mesh interface rate is fixed.
• real-time—Indicates that the mesh interface rate changes with the RSSI in real time.
Mesh global setup
Mesh basic setup
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh global setup page.
Figure 341 Mesh basic setup
3. Configure the basic mesh settings as described in Table 108.
4. Click Apply.
Table 108 Configuration items
MKD-ID: Set the MKD-ID, which is a MAC address.
• Make sure the MAC address configured is unused and has the correct vendor-specific part.
• Do not configure the MAC address of an AC as the MKD-ID.
Dynamic Channel Select: Select the dynamic channel selection (DFS) mode:
• Manual—Select one-time DFS and click Apply to enable it. After manual mode is selected, if no mesh network has been specified when the next calibration interval is reached, the AC refreshes the radio information of all mesh networks that it manages and displays it on the Radio Info tab of the Mesh Channel Optimize page. There you can view the radio information and select the mesh networks for which one-time DFS is to be performed. Each time you want the AC to perform DFS for a mesh network again, you must repeat this configuration.
• Auto—Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks in which the working channels of the radios are selected automatically. With auto-DFS enabled, the AC makes DFS decisions at each calibration interval.
• Close—Disable DFS. At the next calibration interval, the radio information and channel switching information on the Mesh Channel Optimize page are cleared.
By default, DFS for a mesh network is disabled.
IMPORTANT:
Before enabling auto or one-time DFS for a mesh network, make sure that auto mode is selected for the working channel of the radios in the mesh network. For the related configuration, see "Radio configuration."
Enabling mesh portal service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh portal service configuration page.
Figure 342 Mesh portal service configuration page
3. Select the AP for which mesh portal service is to be enabled.
4. Click Enable.
Configuring a working channel
You can configure a working channel in one of the following ways:
Manual
1. Select Radio > Radio from the navigation tree.
Figure 343 Radio configuration page
2. On the page that appears, select a channel from the Channel list.
3. Click Apply.
NOTE:
Specify a working channel for the radios of the MAP and the MPP. The working channel of the MAP radio must be the same as that of the MPP radio.
Auto
Set the working channel mode on the MPP and the MAP to auto so that the working channel is negotiated automatically when a WDS link is established between the MPP and the MAP.
NOTE:
If you configure the working channel mode of the MPP and MAP radios as auto, the automatically selected working channel is a non-radar channel.
Enabling radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
Figure 344 Enabling radio
2. Select the radio mode to be enabled.
3. Click Enable.
Configuring a peer MAC address
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon corresponding to the target mesh service to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound, and click the icon to enter the page for configuring a peer MAC address.
Figure 345 Configuring a peer MAC address
4. Configure the peer MAC address as described in Table 109.
5. Click Apply.
Table 109 Configuration items
Peer MAC Address: MAC address of the peer radio at the other end of the mesh link. Mesh links are set up by configuring the peer MAC address on each AP. The mesh feature supports three topologies; for more information, see "Mesh network topologies."
Cost: Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is calculated automatically by STP. You can view the cost of the mesh link on the page shown in Figure 345.
Mesh DFS
Displaying radio information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh channel optimization page.
3. Click the target mesh network, and click the Radio Info tab to enter the page shown in Figure 346 to view radio information.
Figure 346 Displaying radio information
Displaying channel switch information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh channel optimization page.
3. Click the target mesh network, and then select the Channel Switch Info tab to enter the page shown in Figure 347 to view the channel switching information.
Figure 347 Mesh channel switching information
NOTE:
• If you select Auto or Close for dynamic channel selection on the Global Setup tab, the Channel Optimize button on the Mesh Channel Optimize page is grayed out, and you cannot perform the operation.
• If you select manual DFS on the Global Setup tab, select the mesh networks for which DFS is to be performed, and then click Channel Optimize to perform DFS. In auto mode, DFS is performed at each calibration interval; in manual mode, DFS is performed once.
Table 110 Field description
AP: AP name in the mesh network.
Radio: Radio of the AP.
Chl(After/Before): Channels after and before channel optimization.
Date(yyyy-mm-dd): Date, in the format yyyy-mm-dd.
Time(hh:mm:ss): Time, in the format hh:mm:ss.
Displaying the mesh link status
Mesh link monitoring
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Info tab to enter the mesh link monitoring page.
Figure 348 Displaying the mesh link monitoring information
You can monitor the mesh link status in real time on the mesh link monitoring page.
Mesh link test
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Test tab to enter the mesh link test page.
Figure 349 Displaying mesh link test information
3. Select the box of the target AP.
4. Click Begin.
Normal WLAN mesh configuration example
Network requirements
As shown in Figure 350, establish a mesh link between the MAP and the MPP, and configure 802.11g on the MAP so that the client can access the network.
1. Establish a mesh link between the MPP and the MAP by following these steps:
Configure MAP and MPP—Select AP > AP Setup from the navigation tree, and click Add to configure the MAP and MPP. For more information, see "Create an MAP and MPP."
Configure mesh service—After creating a mesh service and configuring a pre-shared key, bind the mesh service to the AP radios and enable the mesh service. For more information, see "Create a mesh service."
Configure a mesh policy—A mesh policy exists by default. You can create a mesh policy and bind it to an AP. For more information, see "(Optional) Configure a mesh policy."
Mesh global setup—Configure an MKD-ID (one exists by default), and enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."
Configure the same working channel, and enable the radios. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP."
2. Configure 802.11g service on the MAP so that the client can access the WLAN. For more information, see "Wireless service configuration example."
Figure 350 Network diagram (the AC is connected to the MPP; the MPP and the MAP are linked over 802.11a; the client accesses the MAP over 802.11g)
Configuring the AC
1. Create an MAP and MPP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to map, select the AP model WA2620-AGN, select manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
Figure 351 AP setup
d. Configure the MPP by following the same steps.
2. Create a mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Service tab.
c. Click Add.
d. On the page that appears, set the mesh service name to outdoor and click Apply.
After completing mesh service configuration, you enter the page shown in Figure 353.
Figure 352 Creating a mesh service
Figure 353 Configuring a pre-shared key
e. Select Pass Phrase, and set the pre-shared key to 12345678. (This value is for illustration only. In a production mesh, use a long, random pass phrase or a 64-hexadecimal-digit raw key, because every MP bound to the mesh service shares this secret.)
f. Click Apply.
3. Bind an AP radio to the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the icon corresponding to the mesh service outdoor to enter the page for binding an AP radio to a mesh service.
c. Select the AP radios to be bound.
d. Click Bind.
Figure 354 Binding an AP radio to a mesh service
4. Enable the mesh service:
a. Select Wireless Service > Mesh Service from the navigation tree.
Figure 355 Enabling the mesh service
b. Select the mesh service to be enabled.
c. Click Enable.
5. (Optional) Configure a mesh policy. By default, the default mesh policy default_mp_plcy already exists.
NOTE:
A mesh policy exists by default. You can create a mesh policy and bind it to an AP as needed. By default, the default_mp_plcy mesh policy is mapped to an AP.
6. Configure mesh service globally:
a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global Setup tab to enter the mesh global setup page to set the MKD-ID. (By default, an MKD-ID exists.)
b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
c. Click Enable.
Figure 356 Mesh portal service configuration page
7. Configure the same working channel and enable the radio on the MAP and MPP:
a. Select Radio > Radio from the navigation tree.
b. Click the icon corresponding to the target MAP to enter the radio setup page.
Figure 357 Configuring the working channel
c. Select the channel to be used from the Channel list.
d. Click Apply.
Follow the same steps to configure the working channel for the MPP. The working channel of the radio on the MPP must be the same as that on the MAP.
8. Enable the radios:
a. Select Radio > Radio from the navigation tree.
b. Select the radio modes to be enabled for the MAP and MPP.
c. Click Enable.
Figure 358 Enabling radio
Verifying the configuration
• The mesh link between the MAP and the MPP has been established, and they can ping each other.
• After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the mesh link.
Subway WLAN mesh configuration example
Network requirements
• As shown in Figure 359, all rail MPs are connected to an AC.
• Configure WLAN mesh so that the train MP forms links with rail MPs during movement; one of them is the active link and all others are dormant links.
Subway WLAN mesh configuration is basically the same as normal WLAN mesh configuration. Note the following guidelines when you configure subway WLAN mesh:
1. Create a rail AP mesh policy:
Disable the link initiation function. For more information, see "Configuring a mesh policy."
Enable mesh portal service. For more information, see "Enabling mesh portal service."
2. Create a train AP mesh policy:
Enable MLSP.
Configure the MLSP proxy MAC address and VLAN information.
Disable Role as authenticator. For more information, see "Configuring a mesh policy."
Set the maximum number of links that an MP can form in a mesh network (the default value is 2). For more information, see "Configuring a mesh policy."
Figure 359 Network diagram
Configuring the AC
Subway mesh configuration differs from normal WLAN mesh configuration only in the mesh policy configuration of rail APs and train APs. Other configurations are the same. For more information, see "Configuring the AC."
Mesh point-to-multipoint configuration example
Network requirements
AP 1 operates as an MPP and establishes a mesh link with each of AP 2, AP 3, AP 4, and AP 5.
The mesh configuration is the same as the normal WLAN mesh configuration.
Figure 360 Network diagram (the AC is connected to AP 1; AP 1 has a mesh link to each of AP 2, AP 3, AP 4, and AP 5)
Configuration considerations
• Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2 through AP 5 on AP 1, and configure the MAC address of AP 1 on each of AP 2 through AP 5.
• Set the maximum number of links that an MP can form in a mesh network. The default value is 2; it must be set to 4 in this example because AP 1 has four peers. For more information, see "Configuring a mesh policy."
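Added example, not part of the guide: a Python check of a planned point-to-multipoint mesh against the two considerations above. It verifies that every peer MAC address is configured on both ends of a link and that each AP's mesh policy allows at least as many links as the AP has peers. The AP names, the MAC addresses, and the dictionary layout are constructed for the example; the MAC format is the hhhh-hhhh-hhhh form the AC displays.

```python
import re

# Added example, not part of the guide: checks a planned point-to-multipoint
# mesh against the considerations above. Names and MAC addresses are constructed.

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")  # hhhh-hhhh-hhhh, as the AC shows MACs


def check_mesh_plan(radios, max_links, default_max_links=2):
    """radios: {ap_name: {"mac": str, "peers": [peer_mac, ...]}}, one entry per
    mesh radio; max_links: {ap_name: int} from each AP's mesh policy.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    owner = {}
    for name, r in radios.items():
        mac = r["mac"].lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: MAC {r['mac']} is not in hhhh-hhhh-hhhh form")
        if mac in owner:
            problems.append(f"{name}: MAC {mac} is also used by {owner[mac]}")
        owner[mac] = name

    for name, r in radios.items():
        mac = r["mac"].lower()
        peers = [p.lower() for p in r["peers"]]
        if len(peers) != len(set(peers)):
            problems.append(f"{name}: duplicate peer entries")
        if mac in peers:
            problems.append(f"{name}: lists its own MAC as a peer")
        for peer in peers:
            peer_name = owner.get(peer)
            if peer_name is None:
                problems.append(f"{name}: peer {peer} is not a known mesh radio")
                continue
            reverse = [q.lower() for q in radios[peer_name]["peers"]]
            if mac not in reverse:
                problems.append(f"{name} lists {peer_name} as a peer, but {peer_name} does not list {name}")
        allowed = max_links.get(name, default_max_links)
        if len(peers) > allowed:
            problems.append(f"{name}: {len(peers)} peers, but its mesh policy allows only {allowed} links")
    return problems


# Constructed plan matching Figure 360: AP 1 is the MPP with four peers.
PLAN = {
    "AP1": {"mac": "000f-e200-0001",
            "peers": ["000f-e200-0002", "000f-e200-0003", "000f-e200-0004", "000f-e200-0005"]},
    "AP2": {"mac": "000f-e200-0002", "peers": ["000f-e200-0001"]},
    "AP3": {"mac": "000f-e200-0003", "peers": ["000f-e200-0001"]},
    "AP4": {"mac": "000f-e200-0004", "peers": ["000f-e200-0001"]},
    "AP5": {"mac": "000f-e200-0005", "peers": ["000f-e200-0001"]},
}

if __name__ == "__main__":
    # With the default mesh policy (2 links) AP 1 is over its limit;
    # raising AP 1's policy to 4 links makes the plan consistent.
    for limits in ({}, {"AP1": 4}):
        print(limits, check_mesh_plan(PLAN, limits) or ["plan is consistent"])
```

A one-sided peer entry is the usual cause of a mesh link that never comes up, and an MPP left on the default limit of 2 links silently refuses the third and fourth peers; both are cheaper to catch in a plan than on the Mesh Link Info tab.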
Configuring the AC
Mesh configuration is the same as normal WLAN mesh configuration. For more information, see
"Configuring the AC."
Tri-radio mesh configuration example
Network requirements
As shown in Figure 361, set up mesh links between the MPs and the MPP. Radio 1 of the MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 join the same mesh, and Radio 3 is used with the multi-beam antenna to provide the wireless access service.
Figure 361 Network diagram
Configuration considerations
1. Configure the mesh service:
The mesh configuration here is similar to a common wireless mesh configuration. Pay attention to the following points:
Radios joining the same mesh must use the same mesh service. Bind Radio 1 of the MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 to the same mesh service.
Figure 362 Binding radios to the mesh service
On Radio 1 of the MPP, configure Radio 1 of MP 1 as the peer MAC address, and on Radio 1 of MP 1, configure Radio 1 of the MPP as the peer MAC address. Perform the same operation for Radio 2 of MP 1 and Radio 1 of MP 2.
2. Configure the access service:
Radio 3, with the multi-beam antenna, provides the wireless access service. For more information, see "Wireless service configuration example." You can strictly follow that configuration example to configure the access service.
Configuration procedure
The mesh configuration here is similar to a common wireless mesh configuration. For more information, see "Configuring the AC."
Mesh DFS configuration example
Network requirements
• As shown in Figure 363, establish an 802.11a mesh link between the MAP and the MPP. The working channel is selected automatically.
• Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions are met on the channel.
Figure 363 Network diagram
Configuration considerations
The mesh configuration in this example is similar to a common wireless mesh configuration. Note the following guidelines:
• Configure the working channel mode of the radios that provide mesh services as auto.
• Do not configure any wireless service on radios that provide mesh services.
Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For the configuration procedure, see "Normal WLAN mesh configuration example." Perform the following operations after completing the mesh configuration:
1. (Optional) Set a calibration interval:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. On the page that appears, set the calibration interval to 3 and click OK.
Figure 364 Mesh calibration interval
2. Configure mesh DFS:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Global Setup tab.
c. On the page that appears, select the Manual box for Dynamic Channel Select.
d. Click OK.
Figure 365 DFS
3. Enable one-time DFS for the mesh network:
a. Select Wireless Service > Mesh Service from the navigation tree.
b. Click the Mesh Channel Optimize tab.
c. Select the outdoor mesh network.
d. Click Channel Optimize.
Figure 366 One-time mesh DFS
Verifying the configuration
After the next calibration interval, you can view the channel switching information:
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the Mesh Channel Optimize page.
3. Click the Channel Switch Info tab.
4. Select the target mesh network to display its channel switching information.
Figure 367 Displaying mesh channel switching information
WLAN roaming configuration
The Inter AC Tunneling Protocol (IACTP) is a proprietary H3C protocol that defines how access controllers (ACs) communicate with each other. IACTP provides a generic packet encapsulation and transport mechanism between ACs for secure AC-AC communication based on the standard TCP client/server model.
A mobility group is a group of ACs that communicate with each other using IACTP. In the current version, a mobility group can contain a maximum of 8 ACs. A mobility group is formed and maintained using IACTP.
IACTP provides a control tunnel through which applications such as roaming share and exchange messages. It also provides a data tunnel that encapsulates data packets transported between ACs. It can be used with either IPv4 or IPv6.
When a station that supports key caching associates with any AC in a mobility group (its Home-AC, or HA) for the first time, it goes through 802.1X authentication followed by the 802.11 key exchange. The station information is then synchronized across the ACs in the mobility group before the station roams within an AC or across ACs. When the station roams to another AC in the mobility group (its Foreign-AC, or FA), that AC uses the synchronized station information to fast-authenticate the station: it skips 802.1X authentication and performs only the 802.11 key exchange, so the station roams seamlessly within the mobility group.
Because this synchronized station information is what lets the FA skip 802.1X, keep the ACs of a mobility group on a network segment that untrusted hosts cannot reach, and enable IACTP MD5 authentication (see Table 111) so that control messages from a host that does not hold the key are rejected.
Configuring WLAN roaming
Configuring a roaming group
NOTE:
Roaming group configuration is available only for inter-AC roaming. For the configuration example of inter-AC roaming, see "Inter-AC roaming configuration example."
1. Select Roam > Roam Group from the navigation tree.
Figure 368 Configuring a roaming group
2. Configure the roaming group as described in Table 111.
3. Click Apply.
Table 111 Configuration items
Service status: Enable or disable the IACTP service:
• enable—Enable the IACTP service.
• disable—Disable the IACTP service.
IP type: Select IPv4 or IPv6.
Source address: Source address used by IACTP on this AC.
Auth mode: Select MD5 to enable MD5 authentication. This item is optional.
With MD5 authentication selected, the integrity of control messages can be verified. The sender (an AC) calculates a digest over the content of a control message using the authentication key. On receiving the message, the receiver (another AC in the roaming group) calculates the digest again and compares it against the digest carried in the message. If the digests match, the message has not been tampered with and was sent by an AC that holds the same key.
MD5 authentication only detects altered or forged control messages; it does not encrypt IACTP traffic. Configure the same authentication key on every AC in the roaming group.
Auth key: MD5 authentication key. If you select the MD5 authentication mode, you must enter an authentication key.
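Added example, not H3C's implementation: a Python model of the digest check described in Table 111. The IACTP message format and the exact way the key enters the digest are not documented on this page, so the example uses HMAC-MD5 over the message with the shared authentication key; what it demonstrates is the behaviour the table describes (an altered message, or one signed with a different key, is rejected, and every AC needs the same key). The message text, key, and addresses are constructed.

```python
import hashlib
import hmac

# Added example, not H3C's implementation. Models the Table 111 digest check
# on IACTP control messages; message layout and key handling are assumptions.

DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes


def sign_control_message(payload, auth_key):
    """Sender AC: append a keyed MD5 digest (HMAC-MD5) of the payload."""
    return payload + hmac.new(auth_key, payload, hashlib.md5).digest()


def verify_control_message(message, auth_key):
    """Receiver AC: recompute the digest with its own copy of the key and
    compare in constant time. Returns the payload, or None if the message
    was altered in transit or signed with a different key."""
    if len(message) <= DIGEST_LEN:
        return None
    payload, digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    expected = hmac.new(auth_key, payload, hashlib.md5).digest()
    return payload if hmac.compare_digest(digest, expected) else None


# Constructed sample: a roam notification between the ACs of the inter-AC example.
AUTH_KEY = b"roam-group-shared-key"
NOTIFY = b"IACTP ROAM sta=000f-e2aa-bbcc ha=192.168.1.100 fa=192.168.1.101"

if __name__ == "__main__":
    wire = sign_control_message(NOTIFY, AUTH_KEY)
    print("genuine :", verify_control_message(wire, AUTH_KEY))
    altered = wire.replace(b"fa=192.168.1.101", b"fa=192.168.1.102")
    print("altered :", verify_control_message(altered, AUTH_KEY))   # None
    print("bad key :", verify_control_message(wire, b"other-key"))  # None
```

The payload travels in clear: the digest lets the receiving AC drop a forged or modified roam notification, but anyone on the path can still read it, which is why the ACs of a roaming group belong on a management segment rather than a client-reachable VLAN.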
Adding a group member
1. Select Roam > Roam Group from the navigation tree.
Figure 369 Adding a group member
2. Add a group member as described in Table 112.
3. Click Add.
4. Click Apply.
Table 112 Configuration items
IP address: Add the IP address of an AC to the roaming group.
IMPORTANT:
The roaming group name configured on all ACs in the same roaming group must be the same.
VLAN: Configure the VLAN to which the roaming group member belongs. This item is optional.
NOTE:
• The user profile configurations of the ACs in a roaming group must be the same. For more information, see "User configuration."
• The ACs in a roaming group cannot be configured as hot backup ACs.
Displaying client information
1. Select Roam > Roam Client from the navigation tree.
Figure 370 Displaying client information
By clicking a client, you can view its detailed information and roaming information.
The detailed information and roaming information that you can view by selecting Roam > Client Information are the same as those you can view by selecting Summary > Client. For more information, see "Summary."
WLAN roaming configuration examples
Intra-AC roaming configuration example
Network requirements
As shown in Figure 371, two APs are associated with an AC, and the AC and both APs are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client associates with AP 2 when it roams to AP 2.
Figure 371 Network diagram (RADIUS server and AC behind an L2 switch; AP 1 with BSSID 000f-e27b-3d90 and AP 2 with BSSID 000f-e233-5500, both in VLAN 1; the client roams from AP 1 to AP 2)
Configuring the AC
NOTE:
If the authentication mode you select requires remote authentication, configure the RADIUS server. For how to configure the RADIUS server, see "AAA configuration."
1. Create two APs:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap1, select the AP model WA2620-AGN, select manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
d. Follow the same steps to create the other AP.
2. Configure the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to Roam, and click Apply.
NOTE:
For how to configure the authentication mode, see "Access service configuration." Fast roaming can be implemented only when the RSN+802.1X authentication mode is adopted.
3. Enable the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the Roam box.
c. Click Enable.
4. Bind AP radios to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon corresponding to the wireless service Roam to enter the page for binding AP radios.
c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with radio type 802.11n(2.4GHz).
d. Click Bind.
Figure 372 Binding AP radios
5. Enable the radios:
a. Select Radio > Radio Setup from the navigation tree.
b. On the page that appears, select the box before ap1 with the radio mode 802.11n(2.4GHz), and select the box before ap2 with the radio mode 802.11n(2.4GHz).
c. Click Enable.
Figure 373 Enabling radio
Verifying the configuration
1. Display the roaming information of the client:
a. Select Summary > Client from the navigation tree.
b. Select the Roam Information tab.
c. Click the desired client to view its roaming information.
The roaming information shows that the client accesses the WLAN through AP 1, whose BSSID is 000f-e27b-3d90 (see Figure 374).
Figure 374 Client status before intra-AC roaming
d. Click Refresh.
On the page that appears, you can see that the client is now connected to the WLAN through AP 2, whose BSSID is 000f-e233-5500.
Figure 375 Client status after intra-AC roaming
2. View the Roam Status field:
a. Select Summary > Client from the navigation tree.
b. Click the Detail Information tab.
c. Click the desired client.
Intra-AC roam association is displayed in the Roam Status field.
Figure 376 Verifying intra-AC roaming
Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same: bind the same wireless service to the radios of both APs, as in "Bind AP radios to the wireless service."
Inter-AC roaming configuration example
Network requirements
As shown in Figure 377, two ACs that each are connected to an AP are connected through a Layer 2
switch. Both ACs are in the same network. The IP address of AC 1 is 192.168.1.100 and that of AC 2 is
192.168.1.101. A client associates with AP 1.
Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.
342
Figure 377 Network diagram
Configuring AC 1 and AC 2
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For how to configure the RADIUS server, see "AAA configuration."
1.
Establish AC-AP connections:
Configure AC 1 and AC 2 so that a connection can be established between AP 1 and AC 1, and
between AP 2 and AC 2. Only after the connections are established can you see that the two APs
are in the running status. To view the AP status, select Summary > AP or AP > AP Setup.
For the related configuration, see "Access service configuration."
NOTE:
For the configuration of authentication mode, see "Access service configuration." Fast roaming
supporting key caching can be implemented only when RSN+802.1X authentication is adopted.
2.
Configure a roaming group:
a. Select Roam > Roam Group from the navigation tree.
b. On the page that appears, select enable from the Service status list, select IPv4 from the IP Type
list, enter 192.168.1.100 for Source address, the IP address of AC 1, enter the IP address of
AC 2 in the member list, and click Add.
c.
Click Apply.
343
Figure 378 Configuring a roaming group on AC 1
d. Create a roaming group on AC 2. The source address is the IP address of AC 2, and the
member address is the IP address of AC 1. (Details not shown.)
Verifying the configuration
1.
Verify the status of the roaming group:
a. On AC 1, select Roam > Roam Group from the navigation tree, and you can see that the
group member 192.168.1.101 is in Run state.
Figure 379 Verifying the roaming group state
b. On AC 2, select Roam > Roam Group from the navigation tree, and you can see that the group
member 192.168.1.100 is in Run state.
Figure 380 Verifying the roaming group state:
2.
Display the client information:
a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1.
You can see that the client roams out of 192.168.1.100.
344
Figure 381 Viewing client information
b. Select Roam > Roam Client on AC 2.
You can see that the client roams in to 192.168.1.100.
3.
View connection information about the client that is associated with the AP, and the Roam Status
field in the client detailed information:
a. Before roaming, select Summary > Client from the navigation tree on AC 1.
You can see that the client is associated with AP 1.
b. After roaming: Select Summary > Client from the navigation tree on AC 1.
The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
c.
Select Summary > Client from the navigation tree on AC 2.
You can view the client information.
d. Select the Detail Information tab, and then click the desired client.
You will see that Inter-AC roam association is displayed in the Roam Status field, which
indicates that the client has roamed to AP 2.
Figure 382 Verifying inter-AC roaming
4.
View the BSSID field
a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail
Information tab, and click the desired client to view the roaming information of the client.
The roaming information in Figure 383 shows that the client connects to the WLAN through AP
1, and the BSSID of AP 1 is 000f-e27b-3d90.
Figure 383 Client status before inter-AC roaming
b. Select Summary > Client, from the navigation tree on AC 2, select the Detail Information tab,
and click the desired client to view the roaming information of the client.
The roaming information in Figure 384 shows that the client connects to the WLAN through AP
2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 384 Client status after inter-AC roaming
Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
• The SSIDs and the authentication and encryption modes of the two APs must be the same.
• A roaming group must be configured on both ACs.
• Do not configure the ACs in a roaming group as AC backup.
Radio configuration
Radio overview
Radio frequency (RF) refers to electromagnetic signals that propagate through space over long distances.
In the IEEE 802.11 standards, 802.11b/g operates in the 2.4 GHz band, 802.11a operates in the 5 GHz
band, and 802.11n operates in both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in
bands, each of which corresponds to a range of frequencies.
WLAN RRM overview
Radio signals are susceptible to surrounding interference. The causes of radio signal attenuation in
different directions are complex, so you need to plan carefully before deploying a WLAN. After
deployment, the running parameters must still be adjusted because the radio environment keeps
changing due to interference from mobile obstacles, microwave ovens and so on.
To adapt to environment changes, radio resources such as working channels and transmit power should
be dynamically adjusted. Such adjustments are complex and require experienced personnel to perform
them regularly, which brings high maintenance costs.
WLAN radio resource management (RRM) is a scalable radio resource management solution. Through
information collection (APs collect radio environment information in real time), information analysis (The
AC analyzes the collected information), decision-making (The AC makes radio resource adjustment
configuration according to analysis results), and implementation (APs implement the configuration made
by the AC for radio resource optimization), WLAN RRM delivers a real-time, intelligent, integrated radio
resource management solution, which enables a WLAN network to quickly adapt to radio environment
changes and ensures the optimal communication quality.
Dynamic frequency selection
A WLAN has limited working channels. Channel overlapping can easily occur. In addition, other radio
sources such as radar and micro-wave ovens may interfere with the operation of APs. Dynamic frequency
selection (DFS) can solve these problems.
With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference
and interference from other radio sources.
The following conditions determine DFS:
• Error code rate—physical layer error codes and CRC errors.
• Interference—influence of 802.11 and non-802.11 wireless signals on wireless services.
• Retransmission—APs retransmit frames for which they receive no 802.11 ACK from the receiving station.
• Radar signal detected on a working channel—the AC immediately notifies the AP to change its working channel.
If one of the first three conditions is met, the AC calculates the channel quality. The AP does not move to the new
channel until the channel quality difference between the new and old channels exceeds the tolerance level.
Figure 385 Dynamic channel adjustment
Transmit power control
Traditionally, an AP uses the maximum power to cover an area as large as possible. This method,
however, affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to
select a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the
maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor
AP that performs power detection, and the power adjustment threshold.
NOTE:
You cannot configure the neighbor AP that performs power detection and the power adjustment threshold
on the web interface.
As shown in Figure 386, APs 1, 2 and 3 cover an area. When AP 4 joins, the default maximum neighbor
count of 3 (configurable) is reached, and the APs perform power adjustment. As the figure shows, they all
reduce their transmit power.
Figure 386 Power reduction
As shown in Figure 387, when AP 3 fails or goes offline, the other APs increase their transmission power
to cover the signal blackhole.
Figure 387 Power increasing
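The following Python model is added here as an illustration of the TPC behavior described above; it is not H3C code and does not reflect the AC's actual implementation. It assumes a decision rule the guide does not spell out: for each AP, the neighbor whose RSSI ranks at position Max Neighbor Count (strongest first) is treated as the detection neighbor, and power is lowered when that neighbor is heard above a power adjustment threshold and raised otherwise. The threshold value, step size, power limits and the RSSI matrix are all constructed for the example; the power lock corresponds to Lock Power on the Radio page.

```python
"""Model of one AC-side TPC decision per calibration interval.

Added illustration, not H3C code. Assumed model: for each AP the neighbor
whose RSSI ranks at position Max Neighbor Count (strongest first) is the
detection neighbor; if the AP hears it above the power adjustment threshold,
cells overlap and power steps down, otherwise power steps up. Threshold,
step and limits are invented values.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class TpcPolicy:
    max_neighbor_count: int = 3     # Max Neighbor Count on the Parameters tab
    threshold_dbm: float = -70.0    # power adjustment threshold (assumed; CLI-only per the guide)
    step_dbm: int = 3               # assumed adjustment step
    min_dbm: int = 5                # assumed radio limits
    max_dbm: int = 20


@dataclass
class ApRadio:
    name: str
    power_dbm: int
    locked: bool = False            # Lock Power on the Radio page


def _step(ap: ApRadio, delta: int, policy: TpcPolicy) -> str:
    """Move power by delta within the radio limits; report what happened."""
    new = max(policy.min_dbm, min(policy.max_dbm, ap.power_dbm + delta))
    if new == ap.power_dbm:
        return "unchanged"
    ap.power_dbm = new
    return "decreased" if delta < 0 else "increased"


def tpc_decide(ap: ApRadio, heard: Dict[str, float], policy: TpcPolicy) -> str:
    """One decision for `ap`. `heard` maps a neighbor AP (managed by the same
    AC) to the RSSI in dBm at which this AP hears it."""
    if ap.locked:
        return "locked"
    loudest_first = sorted(heard.values(), reverse=True)
    if len(loudest_first) < policy.max_neighbor_count:
        # Fewer neighbors than the maximum (for example one went offline):
        # raise power to fill the coverage hole.
        return _step(ap, +policy.step_dbm, policy)
    detect_rssi = loudest_first[policy.max_neighbor_count - 1]
    if detect_rssi > policy.threshold_dbm:
        # The Nth neighbor is heard loudly: cells overlap, lower power.
        return _step(ap, -policy.step_dbm, policy)
    return _step(ap, +policy.step_dbm, policy)


def tpc_round(aps: Dict[str, ApRadio], rssi: Dict[str, Dict[str, float]],
              policy: TpcPolicy) -> Dict[str, str]:
    """Apply one calibration-interval decision to every AP.
    rssi[a][b] is the RSSI at which AP a hears AP b."""
    return {name: tpc_decide(ap, rssi.get(name, {}), policy) for name, ap in aps.items()}


def four_ap_scenario() -> Dict[str, int]:
    """Constructed scenario in the spirit of Figures 386 and 387: four APs hear
    each other above the threshold, then AP 3 goes offline. Returns final powers."""
    policy = TpcPolicy()
    aps = {n: ApRadio(n, 20) for n in ("AP1", "AP2", "AP3", "AP4")}
    rssi = {  # constructed, symmetric RSSI matrix (dBm)
        "AP1": {"AP2": -55, "AP3": -60, "AP4": -65},
        "AP2": {"AP1": -55, "AP3": -62, "AP4": -64},
        "AP3": {"AP1": -60, "AP2": -62, "AP4": -68},
        "AP4": {"AP1": -65, "AP2": -64, "AP3": -68},
    }
    tpc_round(aps, rssi, policy)          # every AP sees 3 loud neighbors and steps down
    del aps["AP3"]                        # AP 3 fails
    rssi = {a: {b: v for b, v in d.items() if b != "AP3"} for a, d in rssi.items() if a != "AP3"}
    tpc_round(aps, rssi, policy)          # the remaining APs see 2 neighbors and step back up
    return {n: ap.power_dbm for n, ap in aps.items()}
```

In the first round every AP hears three neighbors louder than the threshold, so all four lower their power, as in Figure 386; once AP 3 is removed from the matrix the others fall below Max Neighbor Count and raise their power again, as in Figure 387. A locked radio is skipped regardless of what it hears, which is the behavior the "Locking the power" section describes.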
Radio setup
Configuring radio parameters
1. Select Radio > Radio from the navigation tree.
2. Click the icon of the desired AP to enter the page for AP radio setup.
Figure 388 Radio setup
3. Configure the radio as described in Table 113.
Table 113 Configuration items
Item
Description
AP Name
Display the selected AP.
Radio Unit
Display the selected AP's radios.
Radio Mode
Display the selected AP's radio mode.
Transmit Power
Maximum radio transmit power, which varies with country codes, channels, AP models, radio modes and
antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends
on the bandwidth mode.
Channel
Specify the working channel of the radio, which varies with radio types and country codes. The working
channel list varies with device models.
auto—The working channel is automatically selected. If you select this mode, the AP checks the channel
quality in the WLAN network, and selects the channel of the best quality as its working channel.
If you modify the working channel configuration, the transmit power is automatically adjusted.
802.11n bandwidth mode
The option is available only when the AP supports 802.11n.
802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data
forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and
the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a simple
way of doubling the data rate.
By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n radio
(2.4 GHz) is 20 MHz.
IMPORTANT:
• If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working
channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see IEEE
P802.11n D2.00.
• If you modify the bandwidth mode configuration, the transmit power is automatically adjusted.
client dot11n-only
If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want
to provide access for 802.11a/b/g clients, you must disable this function.
A-MSDU
Select the A-MSDU option to enable A-MSDU.
Multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the
MAC header overhead and thus improves MAC layer forwarding efficiency.
At present, only A-MSDUs can be received.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the
same A-MSDU configuration.
A-MPDU
Select the A-MPDU option to enable A-MPDU.
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can
accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This
reduces the transmission overhead and the number of ACK frames needed, and thus improves network
throughput.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MPDU configuration.
short GI
Select short GI to enable short GI.
The 802.11a/g GI is 800 ns. You can configure a short GI of 400 ns for 802.11n. The short GI increases
the throughput by 10 percent.
4. Expand Advanced Setup.
Figure 389 Radio setup (advanced setup)
5. Configure the radio as described in Table 114.
6. Click Apply.
Table 114 Configuration items
Item
Description
Preamble
A preamble is a pattern of bits at the beginning of a frame that lets the receiver synchronize and be ready
for the real data.
• Short preamble—A short preamble improves network performance. Therefore, this option is always
selected.
• Long preamble—A long preamble ensures compatibility between the access point and some legacy
client devices. Select this option to support legacy client devices that cannot use the short preamble.
802.11a/802.11n (5 GHz) do not support this configuration.
Transmit Distance
Maximum coverage of a radio.
ANI
Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the
noise immunity level according to the surrounding signal environment to eliminate RF interference.
• Enable—Enable ANI.
• Disable—Disable ANI.
Client Max Count
Maximum number of clients that can be associated with one radio.
Fragment Threshold
Specify the maximum length of frames that can be transmitted without fragmentation. When the length
of a frame exceeds the specified fragment threshold, the frame is fragmented.
• In a wireless network where the error rate is high, you can decrease the fragment threshold to a
reasonable value. In this way, when a fragment of a frame is not received, only this fragment rather
than the whole frame needs to be retransmitted, and thus the throughput of the wireless network is
improved.
• In a wireless network where no collisions occur, you can increase the fragment threshold to a
reasonable value to decrease the number of acknowledgement packets and thus increase network
throughput.
Beacon Interval
Interval for sending beacon frames. Beacon frames are transmitted at a regular
interval to allow mobile clients to join the network. Beacon frames are used for
a client to identify nearby APs or network control devices.
RTS (CTS)
There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.
• RTS/CTS—In this mode, an AP sends an RTS packet before sending data to a client. After receiving the
RTS packet, all the devices within the coverage of the AP will not send data within the specified time.
Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all the devices within the
coverage of the client will not send data within the specified time. The RTS/CTS mechanism requires
two frames to implement data collision avoidance, and thus has a higher cost.
• CTS-to-Self—In this mode, an AP sends a CTS packet addressed to its own MAC address before
sending data to a client, ensuring that all the devices within the coverage of the AP will not send data
within the specified time. The CTS-to-Self mechanism uses only one frame to avoid data collision.
However, if another device is in the coverage of the client but not in the coverage of the AP, data
collision may still occur.
Compared with RTS/CTS, CTS-to-Self reduces the number of control frames. However, data collisions
still occur when some clients are hidden and thus cannot receive the CTS frames sent by the AP.
Therefore, the RTS/CTS mechanism solves the data collision problem over a larger coverage than
CTS-to-Self.
RTS (CTS) Threshold
If a frame is larger than the RTS (CTS) threshold, the data collision avoidance mechanism is used.
A smaller RTS/CTS threshold causes RTS/CTS packets to be sent more often, thus consuming more
bandwidth. However, the more often RTS/CTS packets are sent, the quicker the system can recover from
collisions.
In a high-density WLAN, you can decrease the RTS threshold to reduce collisions in the network.
IMPORTANT:
The data collision avoidance mechanism occupies bandwidth. Therefore, this mechanism applies only to
data frames larger than the RTS/CTS threshold.
DTIM Period
Number of beacon intervals between delivery traffic indication message
(DTIM) transmissions. The AP sends buffered broadcast/multicast frames when
the DTIM counter reaches 0.
Long Retry Threshold
Number of retransmission attempts for unicast frames larger than the RTS/CTS
threshold.
Short Retry Threshold
Number of retransmission attempts for unicast frames smaller than the
RTS/CTS threshold if no acknowledgment is received for it.
Max Receive Duration
Interval for which a frame received by an AP can stay in the buffer memory.
Enabling a radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
Figure 390 Enabling radio
2. Select the box of the target radio.
3. Click Enable.
Locking the channel
1. Select Radio > Radio from the navigation tree to enter the page as shown in Figure 391.
Figure 391 Locking a channel
2. Select the box of the target radio.
3. Click Lock Channel.
Channel locking takes effect only when the AC adopts the auto mode. For more information
about automatic channel adjustment, see "Configuring radio parameters."
If you enable channel locking and then enable the radio, the AC automatically selects an
optimal channel, and then locks the channel.
When the AC detects any radar signals, it immediately selects another channel even if the
current channel is locked, and then locks the new channel.
If you lock the current channel first, and then enable channel adjustment, channel adjustment
does not work because the current channel is locked. Therefore, before enabling channel
adjustment, make sure that the current channel is not locked. If you enable channel adjustment
and then lock the current channel, the last selected channel is locked. For information about
channel adjustment, see "Dynamic frequency selection." For more information about channel
adjustment configuration, see "Parameter setting."
Locking the power
1. Select Radio > Radio from the navigation tree to enter the page as shown in Figure 392.
Figure 392 Locking the current power
2. Select the box of the target radio.
3. Click Lock Power.
For transmission power configuration, see "Configuring radio parameters."
If you lock the current power first, and then enable power adjustment, power adjustment does
not work because the power is locked. Therefore, before enabling power adjustment, make
sure that the current power is not locked. If you enable power adjustment, and then lock the
current power, the last selected power is locked. For information about power adjustment, see
"Transmit power control." For how to configure power adjustment, see "Parameter setting."
Configuring data transmit rates
Configuring 802.11a/802.11b/802.11g rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
Figure 393 Setting 802.11a/802.11b/802.11g rates
2. Configure 802.11a/802.11b/802.11g rates as described in Table 115.
3. Click Apply.
Table 115 Configuration items
Item
Description
802.11a
Configure rates (in Mbps) for 802.11a.
By default:
• Mandatory rates are 6, 12, and 24.
• Supported rates are 9, 18, 36, 48, and 54.
• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of
multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11b
Configure rates (in Mbps) for 802.11b.
By default:
• Mandatory rates are 1 and 2.
• Supported rates are 5.5 and 11.
• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of
multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11g
Configure rates (in Mbps) for 802.11g.
By default:
• Mandatory rates are 1, 2, 5.5, and 11.
• Supported rates are 6, 9, 12, 18, 24, 36, 48, and 54.
• Multicast rate: Automatically selected from the mandatory rates. The transmission rate of
multicasts in a BSS is selected from the mandatory rates supported by all the clients.
Configuring 802.11n MCS
Introduction to MCS
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum
Modulation and Coding Scheme (MCS) index. The MCS data rate table shows relations between data
rates, MCS indexes, and parameters that affect data rates. Sample MCS data rate tables for 20 MHz
and 40 MHz are shown in Table 116 and Table 117 respectively. For the entire table, see IEEE P802.11n
D2.00.
Table 116 and Table 117 indicate that MCS 0 through 7 are for one single spatial stream, and when the
MCS is 7, the data rate is the highest. MCS 8 through 15 are for two spatial streams, and when the MCS
is 15, the data rate is the highest.
Table 116 MCS index table (20 MHz)
MCS index   Spatial streams   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0           1                 BPSK         6.5                           7.2
1           1                 QPSK         13.0                          14.4
2           1                 QPSK         19.5                          21.7
3           1                 16-QAM       26.0                          28.9
4           1                 16-QAM       39.0                          43.3
5           1                 64-QAM       52.0                          57.8
6           1                 64-QAM       58.5                          65.0
7           1                 64-QAM       65.0                          72.2
8           2                 BPSK         13.0                          14.4
9           2                 QPSK         26.0                          28.9
10          2                 QPSK         39.0                          43.3
11          2                 16-QAM       52.0                          57.8
12          2                 16-QAM       78.0                          86.7
13          2                 64-QAM       104.0                         115.6
14          2                 64-QAM       117.0                         130.0
15          2                 64-QAM       130.0                         144.4
Table 117 MCS index table (40 MHz)
MCS index   Spatial streams   Modulation   Data rate (Mbps), 800 ns GI   Data rate (Mbps), 400 ns GI
0           1                 BPSK         13.5                          15.0
1           1                 QPSK         27.0                          30.0
2           1                 QPSK         40.5                          45.0
3           1                 16-QAM       54.0                          60.0
4           1                 16-QAM       81.0                          90.0
5           1                 64-QAM       108.0                         120.0
6           1                 64-QAM       121.5                         135.0
7           1                 64-QAM       135.0                         150.0
8           2                 BPSK         27.0                          30.0
9           2                 QPSK         54.0                          60.0
10          2                 QPSK         81.0                          90.0
11          2                 16-QAM       108.0                         120.0
12          2                 16-QAM       162.0                         180.0
13          2                 64-QAM       216.0                         240.0
14          2                 64-QAM       243.0                         270.0
15          2                 64-QAM       270.0                         300.0
For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to
MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
• Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
• Supported rates allow clients that support both mandatory and supported rates to choose higher
rates when communicating with the AP.
• Multicast MCS: Specifies 802.11n multicast data rates.
Configuring 802.11n rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
Figure 394 Setting 802.11n rate
2. Configure the 802.11n rate as described in Table 118.
3. Click Apply.
Table 118 Configuration items
Item
Description
Mandatory Maximum MCS
Set the maximum MCS index for 802.11n mandatory rates.
IMPORTANT:
If you select the client dot11n-only option, you must configure the mandatory maximum MCS.
Multicast MCS
Set the multicast MCS for 802.11n.
The multicast MCS is adopted only when all the clients use 802.11n. If a non-802.11n client exists,
multicast traffic is transmitted at a mandatory MCS data rate.
IMPORTANT:
• If you configure a multicast MCS index greater than the maximum MCS index supported by the radio,
the maximum MCS index is adopted.
• When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted
regardless of whether the 802.11n radio operates in 40 MHz mode or 20 MHz mode.
Supported Maximum MCS
Set the maximum MCS index for 802.11n supported rates.
NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.
Configuring channel scanning
NOTE:
For more information about active and passive scanning, see "WLAN service configuration."
1. Select Radio > Scan from the navigation tree to enter the page for setting channel scanning.
Figure 395 Setting channel scanning
2. Configure channel scanning as described in Table 119.
3. Click Apply.
Table 119 Configuration items
Item
Description
Scan Mode
Set the scan mode.
• Auto—Only the channels that are legal under the configured country code are scanned.
• All—All the channels of the radio band are scanned.
By default, the scan mode is auto, that is, all channels of the configured country code are scanned.
Scan Non-802.11h Channel
Some 802.11h channels, also called radar channels, overlap some 802.11a channels. If the device
operates on an overlapping channel, its service quality may be affected. With this function enabled, the
device selects a working channel from the non-802.11h channels belonging to the configured country
code to avoid channel collision.
Selecting the Scan Non-802.11h Channel option enables the scanning of non-802.11h channels only.
Scan Type
Set the scan type.
• Active—The active scanning mode requires a client to send a probe request. This scanning mode
enables a client to discover APs more easily.
• Passive—Passive scanning is used by a client when it wants to save battery power. Typically, VoIP
clients adopt the passive scanning mode.
For an AP that has the monitoring function:
• Active—The AP simulates a client to send probe requests during the scanning process.
• Passive—The AP does not send probe requests during the scanning process.
If you set active scanning for the AP, it is more likely to discover devices in the WLAN.
Scan Interval
Set the scan report interval.
• A longer scan interval enables an AP to discover more devices in the WLAN.
• A shorter scan interval enables an AP to send scanning reports to the AC more frequently.
If an AP has the monitoring function, the scan report interval affects whether the scanning results can be
processed in time and how often messages are exchanged. Therefore, set the interval according to the
actual network conditions.
Configuring calibration
Parameter setting
1. Select Radio > Calibration from the navigation tree.
2. Click the Parameters tab.
Figure 396 Setting channel calibration
3. Configure channel calibration as described in Table 120.
4. Click Apply.
NOTE:
Channel switching results in temporary service interruption, so use the dynamic channel adjustment
function with caution.
Table 120 Configuration items
Item
Description
Basic Setup
Calibration Interval
Channel and power calibration interval. A calibration interval takes effect on both the mesh network
channel calibration and the channel and power calibration of wireless services.
802.11g Protection Mode
• RTS/CTS—Use RTS/CTS mode to implement 802.11g protection. Before sending data to a client, an
AP sends an RTS packet to the client, ensuring that all the devices within the coverage of the AP do
not send data in the specified time after receiving the RTS packet. Upon receiving the RTS packet,
the client replies with a CTS packet, ensuring that all the devices within the coverage of the client do
not send data in the specified time.
• CTS-to-Self—Use CTS-to-Self mode to implement 802.11g protection. Before sending packets to a
client, the AP sends a CTS packet addressed to its own MAC address to announce that it is about to
transmit, ensuring that all the devices within the coverage of the AP do not send data in the specified
time.
802.11g Protection
802.11b devices and 802.11g devices use different modulation modes, so 802.11g protection must be
enabled for an 802.11g device to send RTS/CTS or CTS-to-self packets to 802.11b devices, which then
defer access to the medium.
An AP running 802.11g uses the 802.11g protection function in the following two cases:
• An 802.11b client is associated with it.
• It detects APs or clients running 802.11b on the same channel.
• Enable—Enable 802.11g protection.
• Close—Disable 802.11g protection.
IMPORTANT:
• Enabling 802.11g protection reduces network performance.
• The Enable setting applies to the second case only, because 802.11g protection is always enabled in
the first case.
802.11n Protection Mode
Both RTS/CTS and CTS-to-Self modes can be adopted. The implementation of the two modes is the same
as for 802.11g.
802.11n Protection
• Enable—Enables 802.11n protection. When non-802.11n wireless devices or non-802.11n clients exist
within the coverage of the AP, you need to enable 802.11n protection.
• Close—Disables 802.11n protection.
Channel Setup
Note the following guidelines when configuring channel adjustment:
• Before configuring channel adjustment, make sure that the AC adopts the auto channel adjustment
mode (for more information, see "Configuring radio parameters"). Otherwise, channel adjustment
does not work.
• If you lock the channel first, and then enable channel adjustment (by selecting Dynamic Channel
Select), channel adjustment does not work because the channel is locked. Before enabling channel
adjustment, make sure that the channel is not locked.
• If you enable channel adjustment and then lock the channel, the last selected channel is locked.
For how to lock the channel, see "Locking the channel."
Dynamic Channel Select
• Close—Disables the DFS function.
• Auto—With auto DFS enabled, the AC performs DFS for a radio when certain trigger conditions are
met on the channel, and returns the result to the AP after a calibration interval (the default calibration
interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC
makes DFS decisions at the calibration interval automatically.
• Manual—With one-time DFS configured for a radio, the AC performs DFS for the radio when certain
trigger conditions are met on the channel, and returns the result to the AP after a calibration interval.
After that, if you want the AC to perform DFS for the radio again, you have to make this configuration
again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform channel
calibration.
CRC Error Threshold
Set the CRC error threshold, in percentage.
Channel Interference Threshold
Set the channel interference threshold, in percentage.
Tolerance Factor
A new channel is selected when either the configured CRC error threshold or the interference threshold
is exceeded on the current channel. However, the new channel is not applied until the quality of the
current channel is worse than that of the new channel by the tolerance factor.
Spectrum Management
• Enable—Enable spectrum management.
• Close—Disable spectrum management.
Power Setup
Note the following guidelines when configuring power adjustment:
• If you lock the power first, and then enable power adjustment (by selecting Dynamic Power Select),
power adjustment does not work because the power is locked. Therefore, before enabling power
adjustment, make sure that the power is not locked.
• If you enable power adjustment and then lock the power, the last selected power is locked.
For how to lock the power, see "Locking the power."
Dynamic Power Select
• Close—Disables transmit power control (TPC).
• Auto—With auto TPC enabled, the AC performs TPC for an AP upon certain interference and returns
the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can
be set through the Calibration Interval option). After that, the AC makes TPC decisions at the
calibration interval automatically.
• Manual—With one-time TPC configured, the AC performs TPC for the AP upon certain interference,
and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes,
which can be set through the Calibration Interval option). After that, if you want the AC to perform
TPC for the AP again, you have to make this configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform
calibration.
Max Neighbor Count
Specify the maximum number of neighbors, which are managed by the same AC.
Power Constraint
Set the power constraint for all 802.11a radios. After power constraint is set, the transmission power of a
client is the current transmission power minus the configured power constraint value.
IMPORTANT:
Enable spectrum management before configuring the power constraint; otherwise, the configuration
does not take effect.
Configuring a radio group
With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at
the calibration interval. When the result meets a trigger condition, the AC selects a new channel or
power for the radio. In an environment where interference is serious, frequent channel or power
adjustments may affect user access to the WLAN network. In this case, you can configure a radio group
to keep the channel or power of radios in the group unchanged within a specified time. The channel and
power of radios not in the radio group are adjusted normally.
After a channel or power adjustment (one-time, auto, or initial DFS or TPC), the channel or power of any
radio in the radio group keeps unchanged within the specified holddown time. When the holddown time
expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel
or power is changed, and the new channel or power keeps unchanged within the specified holddown
time. This mechanism continues.
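The following Python model is an added example, not H3C code, that ties together the channel-side behavior described in this chapter: the trigger conditions from "Dynamic frequency selection", the CRC Error Threshold, Channel Interference Threshold and Tolerance Factor of Table 120, the channel lock from "Locking the channel", and the radio group channel holddown described above. The quality metric (100 minus the CRC error and interference percentages), the threshold values and the per-channel statistics are assumptions made for the example; the precedence of radar over lock and holddown, and the tolerance check before a switch is applied, follow the guide's text.

```python
"""Model of one AC-side DFS decision per calibration interval.

Added illustration, not H3C code. Assumed: metrics are percentages,
channel quality = 100 - (CRC error % + interference %), and the tolerance
factor is a gap in that quality. Radar handling, channel lock and radio
group holddown follow the guide's text.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class ChannelStats:
    crc_error: float        # CRC error rate on the channel, %
    interference: float     # interference on the channel, %
    radar: bool = False     # radar signal detected on the channel


def channel_quality(stats: ChannelStats) -> float:
    """Assumed quality metric; higher is better."""
    return 100.0 - (stats.crc_error + stats.interference)


@dataclass
class Radio:
    channel: int
    locked: bool = False    # Lock Channel on the Radio page
    holddown_left: int = 0  # remaining calibration intervals in channel holddown


@dataclass
class DfsPolicy:
    crc_threshold: float = 20.0            # CRC Error Threshold, % (assumed value)
    interference_threshold: float = 30.0   # Channel Interference Threshold, % (assumed value)
    tolerance: float = 10.0                # Tolerance Factor (assumed value)
    holddown: int = 0                      # Channel Holddown Interval, in calibration intervals


def best_channel(stats: Dict[int, ChannelStats], exclude: int) -> int:
    """Highest-quality channel other than `exclude` with no radar on it."""
    candidates = {ch: s for ch, s in stats.items() if ch != exclude and not s.radar}
    if not candidates:
        raise RuntimeError("no radar-free channel available")
    return max(candidates, key=lambda ch: channel_quality(candidates[ch]))


def dfs_decide(radio: Radio, stats: Dict[int, ChannelStats], policy: DfsPolicy) -> str:
    """Apply one calibration-interval decision to `radio`; returns the outcome."""
    cur = stats[radio.channel]
    # Radar overrides lock, holddown and tolerance: switch at once and restart
    # the holddown timer (a locked radio stays locked on the new channel).
    if cur.radar:
        radio.channel = best_channel(stats, exclude=radio.channel)
        radio.holddown_left = policy.holddown
        return f"radar: switched to {radio.channel}"
    # Radio group holddown: no change until the timer runs out.
    if radio.holddown_left > 0:
        radio.holddown_left -= 1
        return "holddown: unchanged"
    # Locked channel: channel adjustment does not work.
    if radio.locked:
        return "locked: unchanged"
    # Trigger: either threshold exceeded on the current channel.
    if cur.crc_error <= policy.crc_threshold and cur.interference <= policy.interference_threshold:
        return "quality ok: unchanged"
    new = best_channel(stats, exclude=radio.channel)
    # Hysteresis: the new channel must beat the current one by more than the tolerance.
    if channel_quality(stats[new]) - channel_quality(cur) <= policy.tolerance:
        return "triggered but within tolerance: unchanged"
    radio.channel = new
    radio.holddown_left = policy.holddown
    return f"switched to {new}"
```

Calling dfs_decide once per calibration interval with fresh statistics reproduces the sequence described above: a threshold breach starts a quality comparison, a switch only happens when the candidate clears the tolerance gap, the radio then sits out the holddown, and a radar hit bypasses all of that and restarts the timer.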
NOTE:
Before entering the Radio Group page, configure channel or power adjustment on the Parameters tab.
1. Select Radio > Calibration from the navigation tree.
2. Click Radio Group.
3. Click Add.
The Radio Group page appears.
Figure 397 Configuring a radio group
4. Configure the radio group as described in Table 121.
5. Click Apply.
Table 121 Configuration items
Item
Description
Group ID
ID of the radio group.
Description
Description of the radio group. By default, a radio group has no description.
Channel Holddown Interval
Specify that the current channel keeps unchanged within the specified time after a channel
adjustment (manual, automatic, or initial channel selection).
IMPORTANT:
The AC immediately selects another channel when it detects any radar signals on the current
channel, and then resets the channel holddown timer.
Power Holddown Interval
Specify that the current power keeps unchanged within the specified time after a power
adjustment (manual or automatic power adjustment).
Radio List
• Select the target radios from the Radios Available area, and then click << to add them to the
Radios Selected area.
• Select the radios to be removed from the Radios Selected area, and then click >> to remove them
from the radio group.
Calibration operations
NOTE:
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can view only the
working channel and the power of the radio on the Operations tab of the Radio > Calibration page. Other
information, such as the interference observed and the number of neighbors, is displayed only when RRM
is enabled, that is, when dynamic power selection or automatic dynamic frequency selection is enabled.
For the configuration of RRM parameters, see "Parameter setting."
Displaying channel status
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Channel Status tab.
3. Click the desired radio to enter the page for displaying channel status.
Figure 398 Channel status
Table 122 Configuration items
Item
Description
Channel No
Running channel.
Neighbor Num
Number of neighbors on a channel.
Load (%)
Load detected on a channel.
Utilization (%)
Channel utilization.
Interference (%)
Interference detected on a channel.
Packet Error Rate (%)
Error rate for packets on a channel.
Retransmission Rate (%)
Retransmission rate on a channel.
Radar Detect
Radar detection status.
Displaying neighbor information
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Neighbor Info tab.
3. Click the desired radio to enter the page for displaying neighbor information.
Figure 399 Neighbor information
Table 123 Field description
Field
Description
AP MAC Address
MAC address of an AP.
Channel No
Running channel.
Interference (%)
Interference detected on a channel.
RSSI (dBm)
Received signal strength indication (RSSI) of AP, in dBm.
AP Type
AP type, managed or unmanaged.
Displaying history information
NOTE:
History information is available only if channel switching or power adjustment occurs after RRM is
enabled.
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click History Info.
3. Click the desired radio to enter the page for displaying history information.
Figure 400 History information
Table 124 Field description
Field
Description
Radio
Radio ID of the AP.
Basic BSSID
MAC address of the AP.
Chl
Channel on which the radio operates in case of the change of channel or power.
Power
Power of the radio in case of the change of channel or power.
Load
Load observed on the radio in percentage in case of the change of channel or power.
Util
Utilization of the radio in percentage in case of the change of channel or power.
Intf
Interference observed on the radio in percentage in case of the change of channel or
power.
PER
Packet error rate observed on a channel, in percentage.
Retry
Percentage of retransmission happened on the radio before/after the change of
channel or power.
Reason
Reason for the change of channel or power, such as Interference, packets discarded,
retransmission, radar or coverage.
Date
Date when the channel or power change occurred.
Time
Time when the channel or power change occurred.
Antenna
1. Select Radio > Antenna to select an appropriate antenna for the corresponding radio.
2. Select the antenna type, Internal Antenna or User-Default external antenna, for a specific radio
from the Antenna list.
3. Click Apply.
Figure 401 Antenna switch
Manual channel adjustment configuration example
Network requirements
As shown in Figure 402, configure manual channel adjustment on the AC so that the AC can perform
manual channel adjustment when the channel of AP 1 is unavailable.
Figure 402 Network diagram
Configuration procedure
1. Before you configure manual channel adjustment, configure AP 1 on the AC to establish a
connection between them. For the related configuration, see "Access service configuration."
2. Configure manual channel adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Select the Parameters tab.
c. Select Manual from the Dynamic Channel Select list.
d. Click Apply.
Figure 403 Configuring manual channel adjustment
3. Perform manual channel adjustment:
a. Select Radio > Calibration from the navigation tree.
b. On the Operation tab, select the box of the target radio.
c. Click Channel Optimize.
Figure 404 Performing manual channel adjustment
Verifying the configuration
• You can view the channel status on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
• After you perform manual channel calibration, the AC notifies the AP of the adjusted channel after
a calibration interval.
• You can view detailed information, such as the specific reason for channel adjustment, on the
History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking
Operation, and then clicking History Info.
Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you
perform manual channel adjustment.
Automatic power adjustment configuration example
Network requirements
As shown in Figure 405, AP 1 through AP 3 are connected to the AC. Configure automatic power
adjustment and specify the adjacency factor as 3 on the AC. In this way, when AP 4 joins, the AC
performs automatic power adjustment to avoid interference.
Figure 405 Network diagram
Configuration procedure
1. Before you configure automatic power adjustment, configure AP 1 through AP 3 on the AC to
establish a connection between the AC and each AP. For the related configuration, see "Access
service configuration."
2. Configure automatic power adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Auto from the Dynamic Power Select list.
d. Click Apply.
Figure 406 Configuring automatic power adjustment
Verifying the configuration
• You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
• When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches
the upper limit (3 by default), and the AC performs power adjustment after the calibration interval.
You can view the detailed information, such as the decrease of the Tx power value, on the History Info
tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab,
and then selecting History Info.
Radio group configuration example
Network requirements
As shown in Figure 407, AP 1 through AP 3 are connected to the AC.
• Configure automatic channel adjustment so that the AC can automatically switch the channel when
the signal quality on a channel is degraded to a certain level.
• Configure automatic power adjustment so that the AC can automatically adjust the power when the
third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.
• Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power
adjustments for the radios.
Figure 407 Network diagram
Configuration procedure
1. Before you configure a radio group, configure AP 1 through AP 3 on the AC to establish a
connection between the AC and each AP. For the related configuration, see "Access service
configuration."
2. Configure automatic channel and power adjustment:
a. Select Radio > Calibration from the navigation tree.
b. Click the Parameters tab.
c. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list,
and click Apply.
Figure 408 Configuring automatic channel and power adjustment
3. Configure a radio group:
a. Select Radio > Calibration from the navigation tree.
b. Click Radio Group.
c. Click Add.
d. On the page that appears, enter 20 as the channel holddown interval and 30 as the power
holddown interval.
e. In the Radios Available area, select the target radios and click << to add them to the Radios
Selected area.
f. Click Apply.
Figure 409 Configuring the radio group
Verifying the configuration
• The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20
minutes after each automatic channel adjustment.
• The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after
each automatic power adjustment.
Configuring 802.1X
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN
committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for
access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different
authentication methods for different users on a port. Port security is beyond the scope of this chapter. It
is described in the Security Configuration Guide for the product.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: the client (the supplicant), the
network access device (the authenticator), and the authentication server, as shown in Figure 410.
Figure 410 802.1X architecture
• The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate
to the network access device.
• The network access device authenticates the client to control access to the LAN. In a typical 802.1X
environment, the network access device uses an authentication server to perform authentication.
• The authentication server is the entity that provides authentication services for the network access
device. It authenticates 802.1X clients by using the data sent from the network access device, and
returns the authentication results for the network access device to make access decisions. The
authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a
small LAN, you can also use the network access device as the authentication server.
For more information about the 802.1X protocol, see H3C WX Series Access Controllers Security
Configuration Guide.
Access control methods
H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol
to support MAC-based access control.
• With port-based access control, once an 802.1X user passes authentication on a port, any
subsequent user can access the network through the port without authentication. When the
authenticated user logs off, all other users are logged off.
• With MAC-based access control, each user is separately authenticated on a port. When a user logs
off, no other online users are affected.
Configuring 802.1X
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For
more information, see "Configuring AAA" and "Configuring RADIUS."
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service
type to LAN-access.
• If you want to use EAP relay when the RADIUS server does not support any EAP authentication
method or no RADIUS server is available, configure the EAP server function on your network access
device.
NOTE:
Configure 802.1X on a wired port. Wireless ports support only the port security feature, and port
security is enabled by default on wireless ports.
Recommended configuration procedure
1. Configuring 802.1X globally
Required. Enable 802.1X authentication globally and configure the authentication method and
advanced parameters. By default, 802.1X authentication is disabled globally.
2. Configuring 802.1X on a port
Required. Enable 802.1X authentication on specified ports and configure 802.1X parameters for the
ports. By default, 802.1X authentication is disabled on a port.
Configuring 802.1X globally
1. From the navigation tree, select Authentication > 802.1X.
Figure 411 802.1X global configuration
2. In the 802.1X Configuration area, select the Enable 802.1X box.
3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
CHAP—Sets the access device to perform EAP termination and use CHAP to communicate with the
RADIUS server.
PAP—Sets the access device to perform EAP termination and use PAP to communicate with the
RADIUS server.
EAP—Sets the access device to relay EAP packets, and supports any of the EAP authentication
methods to communicate with the RADIUS server.
NOTE:
When you configure EAP relay or EAP termination, consider the following factors:
• Whether the RADIUS server supports EAP packets.
• The authentication methods supported by the 802.1X client and the RADIUS server.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP
authentication initiated by an H3C iNode 802.1X client, you can use either EAP termination or EAP relay.
To use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay.
4. Click Advanced to expand the advanced 802.1X configuration area.
Figure 412 Advanced configuration
5. Configure advanced 802.1X settings as described in Table 125.
6. Click Apply.
Table 125 Configuration items
Quiet: Specify whether to enable the quiet timer. The quiet timer enables the network access device to
wait a period of time before it can process any authentication request from a client that has failed an
802.1X authentication.
Quiet Period: Set the value of the quiet timer.
Retry Times: Set the maximum number of authentication request attempts. The network access device
retransmits an authentication request if it receives no response to the request it has sent to the client
within a period of time (specified by using the TX Period option or the Supplicant Timeout Time option).
The network access device stops retransmitting the request if it has made the maximum number of
request transmission attempts but still received no response.
TX Period: Set the username request timeout timer.
• The timer starts when the device sends an EAP-Request/Identity packet to a client in response to an
authentication request. If the device receives no response before this timer expires, it retransmits the
request.
• The timer also sets the interval at which the network device sends multicast EAP-Request/Identity
packets to detect clients that cannot actively request authentication.
Handshake Period: Set the handshake timer. The timer sets the interval at which the access device sends
client handshake requests to check the online status of a client that has passed authentication. If the
device receives no response after sending the maximum number of handshake requests, it considers that
the client has logged off. For information about how to enable the online user handshake function, see
"Configuring 802.1X on a port."
Re-Authentication Period: Set the periodic online user re-authentication timer. The timer sets the interval
at which the network device periodically re-authenticates online 802.1X users. A change to the periodic
re-authentication timer applies to users that are already online only after the old timer expires. For
information about how to enable periodic online user re-authentication on a port, see "Configuring
802.1X on a port."
Supplicant Timeout Time: Set the client timeout timer. The timer starts when the access device sends an
EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the
access device retransmits the request to the client.
Server Timeout Time: Set the server timeout timer. The timer starts when the access device sends a
RADIUS Access-Request packet to the authentication server. If no response is received when this timer
expires, the access device retransmits the request to the server.
TIP:
You can set the client timeout timer to a high value in a low-performance network, and adjust the server
timeout timer to adapt to the performance of different authentication servers. In most cases, the default
settings are sufficient.
IMPORTANT:
Do not change the timer parameters of global 802.1X from their default values unless you have
determined that the changes would improve the interaction process.
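The following is an added example (not H3C code) that models the timer and retry behaviour Table 125 describes: the quiet timer, the Retry Times limit on request transmissions governed by TX Period, Supplicant Timeout Time and Server Timeout Time, and the online user handshake. The numeric timer values and the client MAC address are constructed for the demonstration, not device defaults.

```python
"""Added example, not H3C code: a small model of the 802.1X timers in Table 125.
Timer values below are constructed for the demonstration only."""
from dataclasses import dataclass, field


@dataclass
class Dot1xTimers:
    quiet_enabled: bool = True
    quiet_period: int = 60        # seconds a failed client is ignored (constructed)
    retry_times: int = 3          # maximum request transmission attempts (constructed)
    tx_period: int = 30           # EAP-Request/Identity retransmit interval (constructed)
    supplicant_timeout: int = 30  # EAP-Request/MD5 Challenge retransmit interval (constructed)
    server_timeout: int = 100     # RADIUS Access-Request retransmit interval (constructed)
    handshake_period: int = 15    # online user handshake interval (constructed)


# Which timer governs retransmission of each kind of request (Table 125).
REQUEST_TIMER = {
    "identity": "tx_period",
    "challenge": "supplicant_timeout",
    "radius": "server_timeout",
}


@dataclass
class Authenticator:
    timers: Dot1xTimers
    quiet_until: dict = field(default_factory=dict)       # client MAC -> time
    handshake_misses: dict = field(default_factory=dict)  # client MAC -> count

    def on_auth_failure(self, mac: str, now: int) -> None:
        """Quiet timer: a client that failed authentication is not processed
        again for quiet_period seconds (only when the quiet timer is enabled)."""
        if self.timers.quiet_enabled:
            self.quiet_until[mac] = now + self.timers.quiet_period

    def accepts_request(self, mac: str, now: int) -> bool:
        """True if an authentication request from `mac` is processed at `now`."""
        return now >= self.quiet_until.get(mac, 0)

    def transmission_times(self, kind: str, sent_at: int) -> list:
        """Times at which one unanswered request is (re)sent before the device
        gives up: Retry Times transmissions in total, spaced by the governing timer."""
        interval = getattr(self.timers, REQUEST_TIMER[kind])
        return [sent_at + i * interval for i in range(self.timers.retry_times)]

    def on_handshake(self, mac: str, responded: bool) -> str:
        """Online user handshake: a client that misses Retry Times consecutive
        handshakes (sent every Handshake Period) is considered logged off."""
        if responded:
            self.handshake_misses[mac] = 0
            return "online"
        self.handshake_misses[mac] = self.handshake_misses.get(mac, 0) + 1
        if self.handshake_misses[mac] >= self.timers.retry_times:
            return "offline"
        return "online"

    def silent_user_offline_at(self, online_since: int) -> int:
        """Time at which a client that never answers any handshake is set offline."""
        return online_since + self.timers.retry_times * self.timers.handshake_period


def demo() -> dict:
    """Walk one constructed client through the timers."""
    auth = Authenticator(Dot1xTimers())
    mac = "00-11-22-33-44-55"  # constructed
    auth.on_auth_failure(mac, now=0)
    result = {
        "request_at_30_processed": auth.accepts_request(mac, 30),  # still in quiet period
        "request_at_60_processed": auth.accepts_request(mac, 60),  # quiet timer expired
        "identity_retransmits": auth.transmission_times("identity", 100),
        "radius_retransmits": auth.transmission_times("radius", 100),
        "silent_offline_at": auth.silent_user_offline_at(200),
        "handshake_states": [auth.on_handshake(mac, False) for _ in range(3)],
    }
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```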
Configuring 802.1X on a port
1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure 411.
The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.
2. Click Add.
Figure 413 802.1X configuration on a port
3. Configure 802.1X features on a port as described in Table 126.
4. Click Apply.
Table 126 Configuration items
Port: Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are
available.
NOTE:
802.1X is mutually exclusive with link aggregation group configuration on a port.
Port Control: Set the access control method for the port, which can be MAC Based or Port Based.
NOTE:
To use both 802.1X and portal authentication on a port, you must select MAC Based.
Port Authorization: Select the port authorization state for 802.1X. Options include:
• Auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after
a user passes authentication, sets the port in authorized state to allow access to the network. You can
use this option in most scenarios.
• Force-Authorized—Places the port in authorized state, enabling users on the port to access the
network without authentication.
• Force-Unauthorized—Places the port in unauthorized state, denying any access requests from users
on the port.
Max Number of Users: Set the maximum number of concurrent 802.1X users on the port.
Enable Handshake: Specify whether to enable the online user handshake function. The online user
handshake function checks the connectivity status of online 802.1X users. The network access device
sends handshake messages to online users at the interval specified by the Handshake Period setting. If
no response is received from an online user after the maximum number of handshake attempts (set by
the Retry Times setting) has been made, the network access device sets the user in offline state. For
information about the timers, see Table 125.
NOTE:
If the network has 802.1X clients that cannot exchange handshake packets with the network access
device, disable the online user handshake function to prevent their connections from being
inappropriately torn down.
Enable Re-Authentication: Specify whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and updates the
authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication
interval is specified by the Re-Authentication Period setting in Table 125.
NOTE:
• The periodic online user re-authentication timer can also be set by the authentication server in the
session-timeout attribute. The server-assigned timer overrides the timer setting on the access device,
and enables periodic online user re-authentication, even if the function is not configured. Support for
the server assignment of the re-authentication timer and the re-authentication timer configuration on
the server vary with servers.
• The VLAN assignment status must be consistent before and after re-authentication. If the
authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at
re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must
not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The
VLANs assigned to an online user before and after re-authentication can be the same or different.
Guest VLAN: Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an
802.1X guest VLAN."
Enable MAC VLAN: Select the box to enable MAC-based VLAN.
NOTE:
Only hybrid ports support the feature.
Auth-Fail VLAN: Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed
802.1X authentication. For more information, see "Configuring an Auth-Fail VLAN."
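The following added example (not H3C code) models the port semantics described under "Access control methods" and in Table 126: Port Control (Port Based versus MAC Based), Port Authorization (Auto, Force-Authorized, Force-Unauthorized) and Max Number of Users. The port name and MAC addresses are constructed, and the model only tracks which frames an access device would forward, not the EAP exchange itself.

```python
"""Added example, not H3C code: a model of 802.1X port access control semantics
(Port Control, Port Authorization, Max Number of Users). All names are constructed."""
from enum import Enum


class PortControl(Enum):
    PORT_BASED = "Port Based"
    MAC_BASED = "MAC Based"


class PortAuthorization(Enum):
    AUTO = "Auto"
    FORCE_AUTHORIZED = "Force-Authorized"
    FORCE_UNAUTHORIZED = "Force-Unauthorized"


class Dot1xPort:
    def __init__(self, name, control, authorization=PortAuthorization.AUTO, max_users=2):
        self.name = name
        self.control = control
        self.authorization = authorization
        self.max_users = max_users          # Max Number of Users (concurrent 802.1X users)
        self.authenticated = set()          # MACs of online 802.1X users

    def authenticate(self, mac):
        """Record a successful authentication. Returns False when the port is not in
        the Auto state or already carries max_users concurrent 802.1X users."""
        if self.authorization is not PortAuthorization.AUTO:
            return False
        if mac in self.authenticated:
            return True
        if len(self.authenticated) >= self.max_users:
            return False
        self.authenticated.add(mac)
        return True

    def forwards(self, mac, eapol=False):
        """Whether a frame from `mac` is forwarded through the port."""
        if self.authorization is PortAuthorization.FORCE_AUTHORIZED:
            return True   # authorized state: no authentication required
        if self.authorization is PortAuthorization.FORCE_UNAUTHORIZED:
            return False  # unauthorized state: every access request is denied
        if eapol:
            return True   # Auto: the unauthorized port still passes EAPOL packets
        if self.control is PortControl.PORT_BASED:
            # once one user has passed, any subsequent user passes without authentication
            return bool(self.authenticated)
        return mac in self.authenticated  # MAC-based: each user is checked separately

    def logoff(self, mac):
        """Port-based: when the authenticated user logs off, all other users are
        logged off too. MAC-based: no other online user is affected."""
        if mac not in self.authenticated:
            return
        if self.control is PortControl.PORT_BASED:
            self.authenticated.clear()
        else:
            self.authenticated.discard(mac)


def compare_modes():
    """Run the same user sequence on a port-based and on a MAC-based port."""
    a, b, c = "00-aa-00-00-00-01", "00-aa-00-00-00-02", "00-aa-00-00-00-03"  # constructed
    out = {}
    for control in PortControl:
        port = Dot1xPort("GigabitEthernet1/0/1", control, max_users=2)  # constructed name
        port.authenticate(a)
        result = {"b_without_auth": port.forwards(b)}
        port.authenticate(b)
        result["c_over_limit"] = port.authenticate(c)   # third user exceeds Max Number of Users
        port.logoff(a)
        result["b_after_a_logoff"] = port.forwards(b)
        out[control.name] = result
    return out


if __name__ == "__main__":
    for mode, result in compare_modes().items():
        print(mode, result)
```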
Configuring an 802.1X guest VLAN
• Configuration guidelines:
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports
can be different.
Assign different IDs to the default VLAN and the 802.1X guest VLAN on a port, so the port can
correctly process incoming VLAN tagged traffic.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After
the assignment, do not re-configure the port as a tagged member in the VLAN.
Use Table 127 when you configure multiple security features on a port.
Table 127 Relationships of the 802.1X guest VLAN and other security features
MAC authentication guest VLAN on a port that performs MAC-based access control: Only the 802.1X
guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC
authentication guest VLAN.
802.1X Auth-Fail VLAN on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN
has a higher priority.
Port intrusion protection on a port that performs MAC-based access control: The 802.1X guest VLAN
function has higher priority than the block MAC action but lower priority than the shut down port action
of the port intrusion protection feature.
• Configuration prerequisites:
Create the VLAN to be specified as the 802.1X guest VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at the
command-line interface (CLI). (802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged
member.
Configuring an Auth-Fail VLAN
• Configuration guidelines:
Assign different IDs to the default VLAN and the 802.1X Auth-Fail VLAN on a port, so the port can
correctly process incoming VLAN tagged traffic.
Use Table 128 when you configure multiple security features on a port.
Table 128 Relationships of the 802.1X Auth-Fail VLAN with other features
MAC authentication guest VLAN on a port that performs MAC-based access control: The 802.1X
Auth-Fail VLAN has a higher priority.
Port intrusion protection on a port that performs MAC-based access control: The 802.1X Auth-Fail VLAN
function has higher priority than the block MAC action but lower priority than the shut down port action
of the port intrusion protection feature.
• Configuration prerequisites:
Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger. (802.1X
multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port,
enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged
member.
Configuring portal authentication
Introduction to portal authentication
Portal authentication helps control access to the Internet. It is also called "web authentication." A website
implementing portal authentication is called a portal website.
With portal authentication, an access device forces all users to log onto the portal website first. Every
user can access the free services provided on the portal website; but to access the Internet, a user must
pass portal authentication on the portal website.
A user can access a known portal website and enter a username and password for authentication. This
authentication mode is called active authentication. There is also another authentication mode, forced
authentication, in which the access device forces a user trying to access the Internet through HTTP to log
on to a portal website for authentication.
The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal
website can, for example, present advertisements, and deliver community services and personalized
services. In this way, broadband network providers, equipment vendors, and content service providers
form an industry ecosystem.
A typical portal system comprises these basic components: authentication client, access device, portal
server, authentication/accounting server, and security policy server.
Figure 414 Portal system components
The components of a portal system interact in the following procedure:
1. When an unauthenticated user enters a website address in the address bar of the browser to
access the Internet, an HTTP request is created and sent to the access device, which redirects the
HTTP request to the web authentication homepage of the portal server. For extended portal
functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
communicates with the access device and the security policy server for a security check. If the client
passes the security check, the security policy server authorizes the user to access the Internet
resources.
NOTE:
The web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For
more information about portal authentication, see H3C WX Series Access Controllers Security
Configuration Guide.
Configuring portal authentication
Configuration prerequisites
The portal feature provides a solution for user identity authentication and security checking. However, the
portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on
the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
• The portal authentication-enabled interfaces of the access device are configured with valid IP
addresses or have obtained valid IP addresses through DHCP.
• The portal server and the RADIUS server have been installed and configured properly. Local portal
authentication requires no independent portal server.
• With re-DHCP authentication, the invalid IP address check function of DHCP relay is enabled on the
access device, and the DHCP server is installed and configured properly.
• With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configurations are performed on the access device. For information
about RADIUS client configuration, see "Configuring RADIUS."
• To implement extended portal functions, install and configure IMC EAD, and make sure that the
ACLs configured on the access device correspond to those specified for the resources in the
quarantined area and for the restricted resources on the security policy server. For information
about security policy server configuration on the access device, see "Configuring RADIUS."
Recommended configuration procedure
1. Configuring the portal service
Required. Configure a portal server, apply the portal server to a Layer 3 interface, and configure the
portal authentication parameters. By default, no portal server is configured.
2. Configuring advanced parameters for portal authentication
Optional. Specify an auto redirection URL, set the time that the device must wait before redirecting an
authenticated user to the auto redirection URL, and add web proxy server port numbers.
3. Configuring a portal-free rule
Optional. Configure a portal-free rule, specifying the source and destination information for packet
filtering. A portal-free rule allows specified users to access specified external websites without portal
authentication. Packets matching a portal-free rule do not trigger portal authentication, and the users
can directly access the specified external websites. By default, no portal-free rule is configured.
Configuring the portal service
1. Select Authentication > Portal from the navigation tree.
The portal server configuration page appears.
Figure 415 Portal server configuration
TIP:
On the page shown in Figure 415, the portal service applied on a Layer 3 interface can be in either of the
following states:
• Running—Portal authentication has taken effect on the interface.
• Enabled—Portal authentication has been enabled on the interface but has not taken effect.
2. Click Add to enter the portal service application page.
Figure 416 Portal service application
3. Configure the portal application settings as described in Table 129.
4. Click Apply.
Table 129 Configuration items
Interface: Specify the Layer 3 interface to be enabled with portal authentication.
Portal Server: Specify the portal server to be applied on the specified interface. Options include:
• Select Server—Select an existing portal server from the Portal Server list.
• New Server—If you select this option from the list, the portal server configuration area, as shown in
Figure 417, is displayed at the lower part of the page. You can add a remote portal server and apply
the portal server to the interface. For detailed configuration, see Table 130.
• Enable Local Server—If you select this option from the list, the local portal service configuration
area, as shown in Figure 418, is displayed at the lower part of the page. You can configure the
parameters for the local portal service. For detailed configuration, see Table 131.
Method: Specify the portal authentication mode, which can be:
• Direct—Direct portal authentication.
• Layer3—Cross-subnet portal authentication.
• Re DHCP—Re-DHCP portal authentication.
IMPORTANT:
• In cross-subnet portal authentication mode, Layer 3 forwarding devices are not required to be
present between the authentication client and the access device. However, if they are present, you
must select the cross-subnet portal authentication mode.
• In re-DHCP portal authentication mode, a client is allowed to send out packets using a public IP
address before it passes portal authentication. However, responses to the packets are restricted.
• If the local portal server is used, you can configure the re-DHCP mode but it does not take effect.
Auth Network IP / Network Mask: Specify the IP address and mask of the authentication subnet. This
field is configurable when you select the Layer3 mode (cross-subnet portal authentication). By
configuring an authentication subnet, you specify that only HTTP packets from users on the
authentication subnet can trigger portal authentication. If an unauthenticated user is not on any
authentication subnet, the access device discards all the user's HTTP packets that do not match any
portal-free rule.
IMPORTANT:
The authentication subnet in direct mode is any source IP address, and that in re-DHCP mode is the
private subnet to which the interface's private IP address belongs.
Authentication Domain: Specify the authentication domain for Layer 3 portal users. After you specify an
authentication domain on a Layer 3 interface, the device uses the authentication domain for
authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the
domain names carried in the usernames. You can specify different authentication domains for different
interfaces as needed. The available authentication domains are those specified on the page you enter by
selecting Authentication > AAA from the navigation tree. For more information, see "Configuring AAA."
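The following added example (not H3C code) models how the access device treats an HTTP packet from a portal user according to Table 129: the Method setting decides what counts as the authentication subnet (any source for Direct, the interface's private subnet for Re DHCP, the configured Auth Network IP / Network Mask entries for Layer3), packets matching a portal-free rule never trigger authentication, and HTTP packets from unauthenticated users off the authentication subnet are discarded. All IP addresses, rules and the redirection URL are constructed; treating non-HTTP, non-portal-free traffic from unauthenticated users as discarded is an assumption of this model.

```python
"""Added example, not H3C code: portal access-device decision model for Table 129.
All addresses, rules and URLs are constructed."""
from ipaddress import ip_address, ip_network


class PortalFreeRule:
    """Source/destination information a packet may match to bypass portal
    authentication. A field left as None is a wildcard."""

    def __init__(self, src=None, dst=None, dst_port=None):
        self.src = ip_network(src) if src else None
        self.dst = ip_network(dst) if dst else None
        self.dst_port = dst_port

    def matches(self, src_ip, dst_ip, dst_port):
        return ((self.src is None or ip_address(src_ip) in self.src)
                and (self.dst is None or ip_address(dst_ip) in self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


class PortalInterface:
    def __init__(self, method, portal_url, auth_subnets=(), private_subnet=None, free_rules=()):
        if method not in ("Direct", "Layer3", "Re DHCP"):
            raise ValueError("unknown portal authentication mode")
        self.method = method
        self.portal_url = portal_url                # redirection URL (Table 130 / 131)
        self.auth_subnets = [ip_network(n) for n in auth_subnets]   # Auth Network IP / Mask
        self.private_subnet = ip_network(private_subnet) if private_subnet else None
        self.free_rules = list(free_rules)
        self.authenticated = set()                  # source IPs that passed portal auth

    def on_auth_subnet(self, src_ip):
        """Direct: any source; Re DHCP: the interface's private subnet;
        Layer3: the configured authentication subnets."""
        addr = ip_address(src_ip)
        if self.method == "Direct":
            return True
        if self.method == "Re DHCP":
            return self.private_subnet is not None and addr in self.private_subnet
        return any(addr in net for net in self.auth_subnets)

    def handle_packet(self, src_ip, dst_ip, dst_port=80):
        """Return 'forward', 'redirect:<url>' or 'discard' for one packet."""
        if src_ip in self.authenticated:
            return "forward"
        if any(r.matches(src_ip, dst_ip, dst_port) for r in self.free_rules):
            return "forward"                      # portal-free traffic never triggers portal
        if dst_port == 80 and self.on_auth_subnet(src_ip):
            return f"redirect:{self.portal_url}"  # HTTP from the auth subnet triggers portal
        return "discard"                          # assumption: everything else is dropped


def demo():
    """Constructed Layer3 interface with DNS and portal server as portal-free."""
    iface = PortalInterface(
        method="Layer3",
        portal_url="http://192.0.2.10/portal/logon.htm",   # constructed local portal URL
        auth_subnets=["10.1.1.0/24"],                        # constructed auth subnet
        free_rules=[PortalFreeRule(dst="192.0.2.53/32", dst_port=53),  # DNS server (for URL names)
                    PortalFreeRule(dst="192.0.2.10/32")],             # the portal server itself
    )
    results = {
        "user_on_auth_subnet": iface.handle_packet("10.1.1.5", "198.51.100.7"),
        "user_off_auth_subnet": iface.handle_packet("10.2.2.5", "198.51.100.7"),
        "dns_from_off_subnet": iface.handle_packet("10.2.2.5", "192.0.2.53", 53),
        "direct_mode_any_source":
            PortalInterface("Direct", "http://192.0.2.10").handle_packet("172.16.9.9", "198.51.100.7"),
        "re_dhcp_private_subnet":
            PortalInterface("Re DHCP", "http://192.0.2.10", private_subnet="10.3.3.0/24")
            .handle_packet("10.3.3.4", "198.51.100.7"),
    }
    iface.authenticated.add("10.1.1.5")                     # user passed portal authentication
    results["after_login"] = iface.handle_packet("10.1.1.5", "198.51.100.7")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```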
Figure 417 Adding a portal server
Table 130 Configuration items
Server Name: Enter a name for the remote portal server.
IP: Enter the IP address of the remote portal server.
Key: Enter the shared key to be used for communication between the device and the remote portal
server.
Port: Enter the port number of the remote portal server.
URL: Specify the URL for HTTP packet redirection, in the format http://ip-address. By default, the IP
address of the portal server is used in the URL.
IMPORTANT:
The redirection URL supports domain name resolution; however, you must configure a portal-free rule
and add the DNS server address into the portal-free address range.
Figure 418 Local portal service configuration
Table 131 Configuration items
Server Name: Specify the local portal server name.
IP: Specify the IP address of the local portal server. You need to specify the IP address of the interface
where the local portal server is applied.
URL: Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or
https://ip-address/portal/logon.htm (depending on the protocol type). By default, the IP address of the
local portal server is used in the URL.
IMPORTANT:
• To use the local portal server for stateful failover in a wireless environment, you must specify the
redirection URL, and the IP address of the URL must be the virtual IP address of the VRRP group
where the VRRP downlink resides.
• URL redirection supports domain name resolution, but you need to configure a portal-free rule and
add the DNS server address into the portal-free address range.
Protocol: Specify the protocol to be used for authentication information exchange between the local
portal server and the client. It can be HTTP or HTTPS.
PKI Domain: Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS. The
available PKI domains are those specified on the page you enter by selecting Authentication > Certificate
Management from the navigation tree. For more information, see "Managing certificates."
IMPORTANT:
The service management, local portal authentication, and local EAP service modules always reference
the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes
the one referenced in the other two modules.
SSID Page Customization (Page File): Specify the authentication page files to be bound with SSIDs as
required. After you bind SSIDs with authentication page files, when a user accesses the portal page, the
local portal server pushes the authentication pages for the user according to the SSID of the user login
interface and the bound authentication page file. By default, an SSID is not bound with any
authentication page file. In this case, the system pushes the default authentication pages. You can edit
an authentication page file as required and save it in the root directory or the portal directory under
the root directory of the access device. For rules of customizing authentication pages, see "Customizing
authentication pages."
Configuring advanced parameters for portal authentication
1. Select Authentication > Portal from the navigation tree.
2. Expand the Advanced area to show the advanced parameters for portal authentication.
Figure 419 Advanced configuration
3. Configure the advanced parameters as described in Table 132.
4. Click Apply.
Table 132 Advanced portal parameters
Item: Description
Web Proxy Server Ports: Add the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication.
Different clients may have different web proxy configurations. To make sure that clients using a web proxy can trigger portal authentication, you must first complete some other relevant configurations. When the IMC portal server is used, you must first complete the following configurations:
• If the client does not specify the portal server's IP address as a proxy exception, ensure IP connectivity between the portal server and the web proxy server and perform the following configurations on the IMC portal server:
  - Select NAT as the type of the IP group associated with the portal device.
  - Specify the proxy server's IP address as the IP address after NAT.
  - Configure the port group to support NAT.
• If the client specifies the portal server's IP address as an exception of the web proxy server, configure the IP group and port group to not support NAT.
IMPORTANT:
• If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
• If web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.
Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.
Redirection URL: Specify the auto redirection URL to which users are automatically redirected after they pass portal authentication. To access the network, an unauthenticated user either goes to or is automatically forced to the portal authentication page for authentication. If the user passes portal authentication and the access device is configured with an auto redirection URL, the access device redirects the user to that URL after a specified period of time.
Wait-Time: Period of time that the device must wait before redirecting an authenticated portal user to the auto redirection URL.
Configuring a portal-free rule
1. Select Authentication > Portal from the navigation tree.
2. Click the Free Rule tab.
Figure 420 Portal-free rule configuration
3. Click Add.
The page for adding a new portal-free rule appears.
Figure 421 Adding a portal-free rule
4. Configure the portal-free rule as described in Table 133.
5. Click Apply.
Table 133 Configuration items
Item: Description
Number: Specify the sequence number of the portal-free rule.
Source-interface: Specify the source interface of the portal-free rule. The SSIDs in the list are the SSIDs that correspond to the wireless ESS interfaces.
Source IP address, Mask: Specify the source IP address and mask of the portal-free rule.
Source MAC: Specify the source MAC address of the portal-free rule.
IMPORTANT: If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address does not take effect.
Source-VLAN: Specify the source VLAN of the portal-free rule.
IMPORTANT: If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule does not take effect.
Destination IP Address, Mask: Specify the destination IP address and mask of the portal-free rule.
Customizing authentication pages
When the local portal server is used for portal authentication, the local portal server pushes
authentication pages to users. You can customize the authentication pages. If you do not customize the
authentication pages, the local portal server pushes the system default authentication pages to users.
Customized authentication pages exist in the form of HTML files. You can compress them and then
upload them to the access device. A set of authentication pages includes six main pages and some page
elements. The six main pages are the logon page, the logon success page, the logon failure page, the
online page, the system busy page, and the logoff success page. The page elements are the files that the
authentication pages reference, for example, back.jpg for page Logon.htm. Each main authentication
page can reference multiple page elements. If you define only some of the main pages, the local portal
server pushes the system default authentication pages to users for the undefined ones.
For the local portal server to operate normally and stably, follow these rules when customizing
authentication pages:
Rules on file names
The main pages of the authentication pages have predefined file names, which cannot be changed.
Table 134 Main authentication page file names
Main authentication page: File name
Logon page: logon.htm
Logon success page: logonSuccess.htm
Logon failure page: logonFail.htm
Online page: online.htm (pushed for online state notification)
System busy page: busy.htm (pushed when the system is busy or the user is in the logon process)
Logoff success page: logoffSuccess.htm
NOTE:
You can choose any names for files other than the main page files. File names and directory names are case insensitive.
Rules on page requests
The local portal server supports only Post and Get requests.
• Get requests are used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform a Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm.
• Post requests are used when users submit usernames and passwords, log on to the system, and log off the system.
Rules on Post request attributes
1. Observe the following requirements when editing a form of an authentication page:
• An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
• The username attribute is fixed as PtUser, and the password attribute is fixed as PtPwd.
• Attribute PtButton is required to indicate the action that the user requests, which can be Logon or Logoff.
• A logon Post request must contain the PtUser, PtPwd, and PtButton attributes.
• A logoff Post request must contain the PtButton attribute.
2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
The following example shows part of the script in page logon.htm.
<form action=logon.cgi method = post >
<!-- The username attribute is fixed as PtUser -->
<p>User name:<input type="text" name = "PtUser" style="width:160px;height:22px"
maxlength=64>
<!-- The password attribute is fixed as PtPwd -->
<p>Password :<input type="password" name = "PtPwd" style="width:160px;height:22px"
maxlength=32>
<!-- PtButton carries the requested action; onclick appends the current query string to the form action -->
<p><input type=SUBMIT value="Logon" name = "PtButton" style="width:60px;"
onclick="form.action=form.action+location.search;">
</form>
3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
The following example shows part of the script in page online.htm.
<form action=logon.cgi method = post >
<!-- A logoff request needs only the PtButton attribute, with the value Logoff -->
<p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
</form>
Rules on page file compression and saving
• A set of authentication page files must be compressed into a standard zip file. The name of a zip file can contain only letters, digits, and underscores. The zip file of the default authentication pages must be saved with the name defaultfile.zip.
• The set of authentication pages must be located in the root directory of the zip file.
• Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file must be saved in the root directory of the device, and customized authentication files can be saved in the root directory or in the portal directory under the root directory of the device.
Rules on file size and contents
For the system to push customized authentication pages smoothly, you need to comply with the following size and content requirements on authentication pages.
• The size of the zip file of each set of authentication pages, including the main authentication pages and the page elements, must be no more than 500 KB.
• The size of a single page, including the main authentication page and the page elements, must be no more than 50 KB before being compressed.
• Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
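The following Python checker is an added example, not part of this guide or of the H3C software; it applies the rules from the Post request attribute, file name, compression and size sections above to a customized page set before you upload it. It assumes the 50 KB per-page limit can be approximated per file, and it builds a constructed sample zip in memory so that it runs offline.

```python
import io
import re
import zipfile

# Limits stated in the guide: 500 KB per zip, 50 KB per page before compression.
MAX_ZIP_BYTES, MAX_PAGE_BYTES = 500 * 1024, 50 * 1024
MAIN_PAGES = {"logon.htm", "logonsuccess.htm", "logonfail.htm",
              "online.htm", "busy.htm", "logoffsuccess.htm"}
LOGON_PAGES = {"logon.htm", "logonfail.htm"}        # must carry the logon POST form
LOGOFF_PAGES = {"logonsuccess.htm", "online.htm"}   # must carry the logoff POST form
LOGON_FORM = re.compile(r'<form\b[^>]*\baction\s*=\s*"?logon\.cgi\b', re.I)

def check_page_zip(zip_name, zip_bytes):
    """Return the list of rule violations found; an empty list means the set passes."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_]+\.zip", zip_name):
        problems.append("zip name may contain only letters, digits and underscores")
    if len(zip_bytes) > MAX_ZIP_BYTES:
        problems.append("zip file larger than 500 KB")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {i.filename.lower(): i for i in zf.infolist() if not i.is_dir()}
        for lname, info in files.items():
            if info.file_size > MAX_PAGE_BYTES:   # assumption: per-file approximation of the page limit
                problems.append(f"{info.filename} larger than 50 KB uncompressed")
            if "/" in lname and lname.rsplit("/", 1)[-1] in MAIN_PAGES:
                problems.append(f"{info.filename} must be in the zip root, not a subdirectory")
        for lname in (LOGON_PAGES | LOGOFF_PAGES) & set(files):
            html = zf.read(files[lname].filename).decode("utf-8", "replace")
            if len(LOGON_FORM.findall(html)) != 1:
                problems.append(f"{lname}: need exactly one form whose action is logon.cgi")
            needed = ("PtUser", "PtPwd", "PtButton") if lname in LOGON_PAGES else ("PtButton",)
            for attr in needed:   # names may be quoted or unquoted, as in the guide's examples
                if not re.search(rf'name\s*=\s*"?{attr}\b', html):
                    problems.append(f"{lname}: missing {attr} attribute")
    return problems

def build_sample_zip(logon_html):
    """Constructed sample set (not a real page file): logon.htm plus one page element."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logon.htm", logon_html)
        zf.writestr("back.jpg", b"constructed placeholder bytes")
    return buf.getvalue()

GOOD_LOGON = ('<form action=logon.cgi method = post ><input type="text" name = "PtUser">'
              '<input type="password" name = "PtPwd"><input type=SUBMIT name = "PtButton"></form>')
BAD_LOGON = GOOD_LOGON.replace('name = "PtPwd"', 'name = "Password"')
```

Undefined main pages are not flagged, because the local portal server falls back to its default pages for them.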
Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page logonSuccess.htm to the user. If the user initiates another authentication through the logon page, the system pushes the online page online.htm. You can configure the device to forcibly log off the user when the user closes either of these two pages. To do so, add the following contents to logonSuccess.htm and online.htm:
1. A reference to file pt_private.js.
2. pt_unload(), the function for triggering page unloading.
3. pt_submit(), the event handler function for the form.
4. pt_init(), the function for triggering page loading.
The following script example shows where the added contents (items 1 to 4) go:
<html>
<head>
<!-- 1. Reference to pt_private.js -->
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<!-- 4. pt_init() on page load; 2. pt_unload() before the page unloads -->
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<!-- 3. pt_submit() as the submit event handler of the form -->
<form action=logon.cgi method = post onsubmit="pt_submit()">
... ...
</body>
</html>
Redirecting authenticated users to a specified web page
To make the device automatically redirect authenticated users to a specified web page, do the following in logon.htm and logonSuccess.htm:
1. In logon.htm, set the target attribute of the form object to blank, as follows:
<form method=post action=logon.cgi target="blank">
2. Add the function for page loading, pt_init(), to logonSuccess.htm, as follows:
<html>
<head>
<title>LogonSuccessed</title>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<!-- pt_init() runs on page load; pt_unload() runs before the page unloads -->
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
</body>
</html>
NOTE:
• H3C recommends using browser IE 6.0 or later on the authentication clients.
• Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
• If a user refreshes the logon success or online page, or jumps to another web site from either of the pages, the device also logs off the user.
• If a user is using the Chrome browser, the device cannot log off the user when the user closes the logon success or online page.
Portal authentication configuration example
Network requirements
As