H3C WX Series Access Controllers


H3C WX Series Access Controllers
WLAN Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

Software version:
WX3000-CMW520-R3308 (WX3024E)
WX5004-CMW520-R2308 (WX5000 series)
WX6103-CMW520-R2308 (WX6000 series)

Document version: 6W

Copyright Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Preface

The H3C WX documentation set includes 11 configuration guides, which describe the software features for the H3C WX series access controllers and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

The WLAN Configuration Guide describes WLAN service, WLAN security, WLAN roaming, WLAN RRM, WLAN QoS, WLAN IDS, WLAN mesh link, WLAN optimization, and advanced WLAN configurations.

NOTE: Support of the H3C WX series access controllers for features may vary by device model. For the feature matrixes, see About the WX Series Access Controllers Configuration Guides.

This preface includes:
Audience
Conventions
About the H3C WX documentation set
Obtaining documentation
Technical support
Documentation feedback

Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the WX series

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.

GUI conventions
Boldface: Window names, button names, field names, and menu items are in boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
WARNING: An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, an access controller module, or a switching engine on a wireless switch.
Represents an access point.
Represents a mesh access point.

Represents omnidirectional signals.
Represents directional signals.

Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C WX documentation set
The H3C WX documentation set includes the following categories of documents:

Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.
Hardware specifications and installation
  Card manuals: Provide the hardware specifications of cards and describe how to install and remove the cards.
  Installation guide: Provides a complete guide to hardware installation and hardware specifications.
Software configuration
  Getting started guide: Guides you through the main functions of your device, and describes how to install and log in to your device, perform basic configurations, maintain software, and troubleshoot your device.
  Configuration guides: Describe software features and configuration procedures.
  Command references: Provide a quick reference to all available commands.
  Web-based configuration guide: Describes configuration procedures through the web interface.
Operations and maintenance
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at

Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Technical support

Documentation feedback
You can e-mail your comments about product documentation to the H3C documentation feedback address. We appreciate your comments.

Contents

Configuring WLAN interfaces 1
WLAN-ESS interface 1
Entering WLAN-ESS interface view 1
Configuring a WLAN-ESS interface 1
WLAN-DBSS interface 2
WLAN mesh interface 2
Entering WLAN mesh interface view 2
Configuring a WLAN mesh interface 2
WLAN mesh link interface 3
Displaying and maintaining a WLAN interface 3
Configuring WLAN services 4
WLAN service overview 4
Terminology 4
Wireless client access 4
IEEE 802.11 overview 7
AC-AP tunnel overview 7
AC-AP tunnel link backup 7
WLAN topologies 9
Single/Multi BSS 9
Single/Multi-ESS 10
Centralized WLAN 11
Protocols and standards 12
Configuring WLAN service 12
Configuration task list 12
Enabling WLAN service 12
Configuring country code 12
Configuring software automatic update 13
Configuring a WLAN service template 13
Configuring an AP 14
Configuring auto AP 16
Configuring basic network parameters for an AP 17
Configuring AC-AP tunnel dual-link 19
Enabling CAPWAP/LWAPP tunnel encryption with IPsec 20
Configuring radio parameters 21
Configuring a radio policy 23
Enabling automatic creation of radio policies 23
Configuring 802.11n 24
Shutting down all LEDs on APs 25
Displaying and maintaining WLAN service 25
Configuring user isolation 27
Introduction to VLAN-based user isolation 27
Configuring VLAN-based user isolation 28
Introduction to SSID-based user isolation 29
Configuring SSID-based user isolation 29
Isolating broadcasts and multicasts from wired users to wireless users 29
Displaying and maintaining user isolation 30
Configuring AP group for AP based access control 30
Configuring an AP group 30

Applying the AP group in a user profile 31
Displaying and maintaining AP group 31
Configuring SSID-based access control 31
Configuring uplink detection 32
Configuring uplink detection 32
Configuring AC hot backup 33
Enabling AC hot backup 33
Configuring the VLAN ID of the port connected to the other AC 34
Configuring the interval for sending heartbeat messages 34
Configuring the delay for the AP to switch from the master AC to the backup AC 34
Displaying the AC connection state 34
WLAN service configuration examples 35
WLAN service configuration example 35
WLAN auto-AP configuration example 36
AC-AP tunnel dual-link configuration example 37
Configuration example for CAPWAP tunnel encryption with IPsec 39
Example for configuring fit APs on an AC
802.11n configuration example 43
User isolation configuration example 44
Uplink detection configuration example 45
AP group configuration examples 46
AP group configuration without roaming 46
AP group configuration for inter-AC roaming 48
Configuring WLAN security 52
Authentication modes 52
WLAN data security 53
Client access authentication 54
Protocols and standards 55
Configuring WLAN security 55
Configuration task list 55
Enabling an authentication method 55
Configuring the PTK lifetime 56
Configuring the GTK rekey method 56
Configuring security IE 57
Configuring cipher suite 58
Configuring port security 60
Displaying and maintaining WLAN security 62
WLAN security configuration examples 63
PSK authentication configuration example 63
MAC and PSK authentication configuration example
802.1X authentication configuration example 69
Dynamic WEP encryption-802.1X authentication configuration example 77
Supported combinations for ciphers 82
Configuring WLAN roaming 85
WLAN roaming overview 85
Terminology 85
WLAN roaming topologies 85
Configuring an IACTP mobility group 89
Displaying and maintaining WLAN roaming 90
WLAN roaming configuration examples 91
Intra-AC roaming configuration example 91
Inter-AC roaming configuration example 93

Configuring WLAN RRM 98
Overview 98
Dynamic frequency selection 98
Transmit power control 98
Configuration task list 100
Configuring data transmit rates 101
Configuring 802.11a/802.11b/802.11g rates 101
Configuring 802.11n rates 101
Configuring channel exclusion 104
Configuring DFS 104
Configuring auto-DFS 104
Configuring one-time DFS 105
Configuring DFS trigger parameters 105
Configuring mesh DFS 106
Configuring automatic mesh DFS 106
Configuring one-time mesh DFS 106
Configuring TPC 107
Configuring auto-TPC 107
Configuring one-time TPC 107
Configuring TPC trigger parameters 108
Configuring the minimum transmission power 108
Configuring a radio group 109
Configuring scan parameters 110
Configuring power constraint 110
Displaying and maintaining WLAN RRM 111
Load balancing 111
Overview 111
Load balancing configuration task list 114
Configuring a load balancing mode 114
Configuring group-based load balancing 115
Configuring parameters that affect load balancing 116
Displaying and maintaining load balancing 116
Configuring band navigation 117
Configuration guidelines 117
Configuration prerequisites 117
Enabling band navigation globally 117
Enabling band navigation for an AP 118
Configuring band navigation parameters 118
Enabling 802.11g protection 119
Enabling 802.11g protection 119
Configuring 802.11g protection mode 119
Configuring 802.11n protection 120
Enabling 802.11n protection 120
Configuring 802.11n protection mode 121
Configuring the maximum bandwidth 121
WLAN RRM configuration examples 122
Configuring auto DFS 122
Configuring mesh auto DFS 123
Configuring auto TPC 124
Configuring a radio group 126
Load balancing configuration examples 128
Configuring session-mode load balancing 128
Configuring traffic-mode load balancing 129
Configuring group-based session-mode load balancing 131

Configuring group-based traffic-mode load balancing 133
Band navigation configuration example 135
Configuring WLAN IDS 137
Terminology 137
Rogue detection 137
WIDS attack detection 138
WLAN IDS configuration task list 139
Configuring AP operating mode 139
Configuring rogue device detection 140
Configuring rogue device detection 140
Taking countermeasures against attacks from detected rogue devices 143
Displaying and maintaining rogue detection 144
Configuring IDS attack detection 145
Configuring IDS attack detection 145
Displaying and maintaining IDS attack detection 145
WLAN IDS configuration example 145
Configuring WLAN IDS frame filtering 148
Overview 148
Configuring WLAN IDS frame filtering 149
Displaying and maintaining WLAN IDS frame filtering 150
WLAN IDS frame filtering configuration example 150
Configuring WLAN QoS 152
Overview 152
Terminology 152
WMM protocol overview 152
Protocols and standards 154
Configuring WMM 154
Displaying and maintaining WMM 156
WMM configuration examples 157
WMM basic configuration example 157
CAC service configuration example 158
SVP service configuration example 159
Traffic differentiation test configuration example 160
Troubleshooting 161
EDCA parameter configuration failure 161
SVP or CAC configuration failure 161
Configuring bandwidth guaranteeing 162
Configuration procedure 162
Displaying and maintaining bandwidth guaranteeing 163
Bandwidth guaranteeing configuration example 163
Configuring client rate limiting 165
Configuration procedure 165
Displaying and maintaining client rate limiting 166
Client rate limiting configuration example 166
Configuring WLAN mesh link 168
Introduction to WLAN mesh 168
Basic concepts in WLAN mesh 168
Advantages of WLAN mesh 169
Deployment scenarios 169
WLAN mesh security 172
Mesh link metric 172
Mobile link switch protocol 173

Protocols and standards 174
Introduction to WDS 174
Basic concepts in WDS 175
Advantages of WDS 175
Deployment scenarios 175
WLAN mesh/WDS configuration task list 176
Configuring an MKD ID 177
Configuring mesh port security 177
Configuring a mesh profile 178
Configuring mesh portal service 178
Configuring an MP policy 179
Mapping a mesh profile to the radio of an MP 180
Mapping an MP policy to the radio of an MP 180
Specifying a peer MAC address on the radio 181
Disabling temporary link establishment 181
Displaying and maintaining WLAN mesh link 181
WLAN mesh configuration examples 182
Normal WLAN mesh configuration example 182
Subway WLAN mesh configuration example 184
Troubleshooting WLAN mesh link 186
Authentication process not started 186
Failed to ping MAP 186
Configuration download failed for zeroconfig device 187
Configuration download failed for MP 187
Debug error: neither local nor remote is connected to MKD 187
PMKMA delete is received by MPP for MP 188
Configuring WLAN sniffer 189
Configuring WLAN sniffer 189
Displaying and maintaining WLAN sniffer 191
WLAN sniffer configuration example 191
Configuring wireless location 193
Wireless location overview 193
Configuring wireless location 194
Displaying and maintaining wireless location 195
Wireless location configuration example 195
Optimizing WLAN 198
Rejecting wireless clients with low RSSI 198
Enabling fair scheduling 198
Ignoring weak signals 199
Enabling 802.11n packet suppression 199
Enabling traffic shaping based on link status 200
Configuring the rate algorithm 200
Enabling channel sharing adjustment 200
Enabling channel reuse adjustment 201
Disabling buffering of multicasts and broadcasts 201
Enabling multi-service optimization 202
Enabling AP blinking 202
Enabling packet-based TPC 203
Enabling the AP to trigger client re-connection 203
Enabling the AP to receive all broadcasts 203
Enabling the green-ap function 204
Configuring a power supply mode for the AP 204
WLAN optimization configuration examples 204

Optimizing a high-density WLAN 204
Optimizing a WLAN with multicast application 206
Optimizing an 802.11n WLAN 208
Optimizing some APs in a WLAN 209
Enabling packet-based TPC for a WLAN 211
Index 213

Configuring WLAN interfaces

WLAN-ESS interface

A WLAN-ESS interface is a virtual Layer 2 interface. It operates like a Layer 2 access Ethernet port, has Layer 2 attributes, and supports multiple Layer 2 protocols. A WLAN-ESS interface can also be used as a template for configuring WLAN-DBSS interfaces: a WLAN-DBSS interface created on a WLAN-ESS interface adopts the configuration of the WLAN-ESS interface.

Entering WLAN-ESS interface view

Step 1. Enter system view: system-view
Step 2. Enter WLAN-ESS interface view: interface wlan-ess interface-number. If the WLAN-ESS interface does not exist, this command creates it first.
Step 3. (Optional) Restore the default settings of the WLAN-ESS interface: default

Configuring a WLAN-ESS interface

You can configure the description of a WLAN-ESS interface and assign the interface to a common VLAN or a multicast VLAN. This section gives general information on the features supported on WLAN-ESS interfaces. For more information about these features and commands, see the corresponding chapters in the configuration guide and command reference.

To configure a WLAN-ESS interface:
Step 1. Configure the description of the interface: description
Step 2. Configure the VLAN: port access vlan, port hybrid vlan, port hybrid pvid vlan, port link-type
Step 3. Configure multicast. Multicast VLAN: port multicast-vlan. IPv6 multicast VLAN: port multicast-vlan ipv6
Step 4. Configure a MAC authentication guest VLAN: mac-authentication guest-vlan

NOTE:
Before executing the port access vlan command, make sure the VLAN specified by the vlan-id argument already exists. You can use the vlan command to create a VLAN. For more information about the port access vlan command, see Layer 2 Command Reference.
The VLAN-related configuration of a WLAN-ESS interface that already has WLAN-DBSS interfaces created on it cannot be modified, and the WLAN-ESS interface cannot be removed either.

WLAN-DBSS interface

WLAN-DBSS interfaces are virtual Layer 2 interfaces. They operate like Layer 2 Ethernet ports of the access link type. They also support multiple Layer 2 protocols and 802.1X. A WLAN-DBSS interface that has been created on a WLAN-ESS interface adopts the configuration of the WLAN-ESS interface. On a wireless switch, the WLAN module dynamically creates a WLAN-DBSS interface for each wireless access service and removes the interface after the service expires.

WLAN mesh interface

WLAN mesh interfaces are Layer 2 virtual interfaces. You can use them as configuration templates to make and save settings for WLAN mesh link interfaces. After a WLAN mesh link interface is created, you are not allowed to change the settings on its associated WLAN mesh interface.

Entering WLAN mesh interface view

Step 1. Enter system view: system-view
Step 2. Enter WLAN mesh interface view: interface wlan-mesh interface-number. If the specified WLAN mesh interface does not exist, this command creates it first.
Step 3. Restore the default settings of the WLAN mesh interface: default

Configuring a WLAN mesh interface

Step 1. Configure the description of the WLAN mesh interface: description
Step 2. Configure VLAN settings: port link-type, port access, port trunk, port hybrid
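The two procedures above (the WLAN-ESS interface and the WLAN mesh interface) combined into one CLI session, added here as an illustration rather than taken from the guide. The VLAN IDs 100 and 200, the interface numbers and the descriptions are assumed values; every command is one listed in the steps above, and lines starting with # are comments as in the command conventions.

```text
# Added example, not from the H3C guide. VLAN IDs, descriptions and
# interface numbers are assumed values chosen for illustration.
system-view
# Create the VLANs first: port access vlan requires an existing VLAN.
vlan 100
 quit
vlan 200
 quit
# WLAN-ESS interface: the template for the WLAN-DBSS interfaces that the
# AC creates per wireless service. Finish the VLAN settings before any
# WLAN-DBSS interface exists on it; they cannot be changed afterwards.
interface wlan-ess 1
 description Employee-SSID
 port access vlan 100
 # Clients that fail MAC authentication land in VLAN 200.
 mac-authentication guest-vlan 200
 quit
# WLAN mesh interface: the template for WLAN mesh link interfaces; its
# settings are fixed once a mesh link interface has been created from it.
interface wlan-mesh 1
 description Backhaul-mesh
 port link-type access
 port access vlan 100
 quit
# Verify (available in any view).
display interface wlan-ess 1 brief
display interface wlan-mesh 1 brief
```

The guest VLAN receives every client that fails MAC authentication, so VLAN 200 should be a VLAN whose routing and filtering policy confines it to remediation or portal reachability, not a VLAN that is also used for trusted wired hosts. Plan the VLAN assignment before the first client associates: as the NOTE above says, once WLAN-DBSS interfaces exist on the WLAN-ESS interface, its VLAN settings are locked until those interfaces are gone.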

WLAN mesh link interface

WLAN mesh link interfaces are similar to Layer 2 virtual Ethernet interfaces and have the features of Layer 2 interfaces. They are dynamically created or deleted by the WLAN module and are responsible for local data forwarding on the mesh network. WLAN mesh link interfaces use the settings you made on their corresponding WLAN mesh interfaces and are not configurable.

Displaying and maintaining a WLAN interface

All of the following commands are available in any view.

Display information about WLAN-ESS interfaces:
display interface [ wlan-ess ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
display interface wlan-ess interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Display information about WLAN-DBSS interfaces:
display interface [ wlan-dbss ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
display interface wlan-dbss interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Display information about WLAN mesh interfaces:
display interface [ wlan-mesh ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
display interface wlan-mesh interface-number [ brief ] [ | { begin | exclude | include } regular-expression ]

Configuring WLAN services

WLAN service overview

A wireless local area network (WLAN) can provide the following services:
WLAN client connectivity to conventional LANs
Secured WLAN access with different authentication and encryption methods
Seamless roaming of WLAN clients in a mobility domain

Terminology

Client: A PC or laptop with a wireless network interface card (NIC), or any Wi-Fi-capable terminal.
Access point (AP): An AP bridges frames between wireless and wired networks.
Access controller (AC): An AC can control and manage all APs in a WLAN. The AC communicates with an authentication server for WLAN client authentication.
SSID: Service set identifier. A client first scans all networks, and then selects a specific SSID to connect to a specific wireless network.
Wireless medium: A medium used for transmitting frames between wireless clients. Radio frequency is used as the wireless medium in the WLAN system.
Split MAC: In split MAC mode, APs and ACs manage different services. An AP manages real-time services, such as beacon generation, power management, fragmentation, defragmentation, scheduling, and queuing. An AC manages services related to packet distribution, association, disassociation, reassociation, key management, 802.1X, EAP, and 802.11e.

Wireless client access

A wireless client access process involves three steps: active/passive scanning of the surrounding wireless services, authentication, and association, as shown in Figure 1.

Figure 1 Establishing a client access

Scanning

A wireless client gets information about the surrounding wireless networks in two ways, passive scanning and active scanning. With active scanning, a wireless client actively sends a probe request frame and learns about networks from the probe response frames it receives. With passive scanning, a wireless client gets wireless network information by listening to beacon frames sent by surrounding APs. In practice, a wireless client usually uses both passive scanning and active scanning to get information about the surrounding wireless networks.

1. Active scanning

When a wireless client operates, it periodically searches for (scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in the probe request.

A client sends a probe request with no SSID (the SSID IE length is 0): The client periodically sends a probe request frame on each of its supported channels to scan for wireless networks. APs that receive the probe request send a probe response, which carries the available wireless network information. The client associates with the AP with the strongest signal. This active scanning mode enables a client to learn which wireless services are available and select the proper wireless network as needed. Because the client chooses by signal strength, a rogue AP advertising the same SSID at higher power can attract clients; rogue detection is described in "Configuring WLAN IDS." The active scanning process of a wireless client is as shown in Figure 2.

Figure 2 Active scanning (the probe request carries no SSID): the client sends a probe request with no SSID, and AP 1 and AP 2 each answer with a probe response.

A client sends a probe request with a specified SSID: When the wireless client is configured to access a specific wireless network or has already successfully accessed a wireless network, the client periodically sends a probe request carrying the SSID of the configured or connected wireless network. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is as shown in Figure 3.

Figure 3 Active scanning (the probe request carries the specified SSID of AP 1)

2. Passive scanning

Passive scanning discovers surrounding wireless networks by listening to the beacon frames periodically sent by APs. Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is as shown in Figure 4.

Figure 4 Passive scanning

Authentication

To secure wireless links, wireless clients must be authenticated before accessing the AP, and only wireless clients that pass authentication can be associated with the AP. 802.11 defines two link authentication mechanisms:
Open system authentication
Shared key authentication
For more information about the two authentication mechanisms, see "Configuring WLAN security."

Association

A client that wants to access a wireless network via an AP must be associated with that AP. Once the client chooses a compatible network with a specified SSID and passes link authentication to an AP, it sends an association request frame to the AP. The AP examines the capability information carried in the association request frame, determines the capabilities supported by the wireless client, and sends an association response to the client to notify it of the association result. Usually, a client can associate with only one AP at a time, and an association process is always initiated by the client.

Other related procedures

1. De-authentication

A de-authentication frame can be sent by either an AP or a wireless client to break an existing link. In a wireless system, de-authentication can occur for many reasons, such as:
Receiving an association/disassociation frame from a client that is unauthenticated.
Receiving a data frame from a client that is unauthenticated.
Receiving a PS-Poll frame from a client that is unauthenticated.

2. Disassociation

A disassociation frame can be sent by an AP or a wireless client to break the current wireless link. In a wireless system, disassociation can occur for many reasons, such as:
Receiving a data frame from a client that is authenticated but not associated.
Receiving a PS-Poll frame from a client that is authenticated but not associated.

Note that without management frame protection, de-authentication and disassociation frames are not authenticated, so a forged frame from a third party can also terminate a client's link. See "Configuring WLAN IDS" for attack detection.

IEEE 802.11 overview

The WLAN MAC primarily implements IEEE 802.11 MAC layer functionality. The MAC can operate in the following architectures:
Local-MAC architecture: most WLAN services are provided by the AP only. Currently, local-MAC architecture is not supported.
Split-MAC architecture: the AP and the AC manage different services.

AC-AP tunnel overview

An AC and an AP communicate with each other over an AC-AP tunnel. The AC-AP tunnel uses a generic encapsulation and transport mechanism, as shown in Figure 5.

Figure 5 AC-AP tunnel

The AC-AP tunnel is built on a standard client/server model and employs UDP. Data packets to be sent to the AC are encapsulated, and these packets can be raw packets. Remote AP configuration and management, and WLAN and mobility management are also supported. The AC-AP tunnel supports both IPv4 and IPv6. Because the tunnel carries both the AP's configuration and client traffic, encrypt it when the AC-AP path crosses a network you do not control; see "Enabling CAPWAP/LWAPP tunnel encryption with IPsec."

AC-AP tunnel link backup

Dual link establishment

To achieve AC backup, an AP can establish two tunnels with two ACs, which must have the same AP configurations. Only the AC that works in master mode provides services to all the APs in the network,

and the subordinate AC acts as the backup AC. If the master AC fails, the APs quickly switch to the services provided by the subordinate AC. A heartbeat mechanism between the two ACs ensures that a failure of the master is detected quickly by the backup AC.

Figure 6 Dual link topology (AC 1, AC 2, and AP 1 through AP 4)

In Figure 6, AC 1 works in master mode and provides services to AP 1, AP 2, AP 3, and AP 4. AC 2 works in subordinate mode, and the APs are connected to AC 2 through subordinate tunnels. AC 1 and AC 2 can be configured as backups for each other and start master/subordinate detection. When AC 2 detects that AC 1 is down, AC 2 quickly changes its work mode from subordinate to master. All APs connected to AC 2 through subordinate tunnels turn those tunnels into master tunnels and use AC 2 as the master AC. Once AC 1 is reachable again, it remains the backup, unless it is configured as the primary AC (see "Primary AC recovery").

Primary AC recovery

Figure 7 Primary AC recovery (AC 1 as the primary AC, AC 2, and one AP)

In Figure 7, AC 1, the primary AC, is the master (it has connection priority 7) and establishes an AC-AP tunnel with the AP; AC 2 is the subordinate AC. If AC 1 goes down, AC 2 acts as the master until the AC-AP tunnel to AC 1 recovers. That is, once AC 1 is reachable again, the AP establishes a connection with AC 1 as the primary AC and disconnects from AC 2.

Dual work mode

Figure 8 Dual work mode

Dual work mode means that an AC can provide both master and subordinate connections: it acts as the master for some APs and as the subordinate for others. In this scenario, AC 1 acts as the master for AP 1 and the subordinate for AP 2. Similarly, AC 2 acts as the master for AP 2 and the subordinate for AP 1.

WLAN topologies

WLAN topologies include:
Single/Multi BSS
Single/Multi-ESS
VLAN-based WLAN
Centralized WLAN

Single/Multi BSS

The coverage of an AP is a basic service set (BSS). Each BSS is identified by a Basic Service Set Identifier (BSSID). The most basic WLAN can be established with only one BSS: all wireless clients associate with the same BSS. If these clients have the same authorization, they can communicate with each other. Figure 9 shows a single-BSS WLAN.

Figure 9 Single BSS network

Communications between clients within the same BSS are carried out through the AP and the AC. To implement multi-BSS, you simply need to add APs.

Single/Multi-ESS

All the clients under the same logical administration form an extended service set (ESS). The clients can communicate with each other and reach hosts on the Internet. A multi-ESS topology describes a scenario where more than one ESS exists. When a mobile client joins the AP, it can join one of the available ESSs. Figure 10 shows a multi-ESS network.

Figure 10 Multi-ESS network

Generally, an AP can provide more than one ESS at the same time. The ESS configuration is distributed mainly from the AC to the AP, and the AP advertises the current ESS information in beacon or probe response frames. Clients can select the ESS they are interested in and join it. Different ESS domains can be configured on the AC. The AC can be configured to allow associated APs to accept clients in these ESS domains once their credentials are accepted.

Centralized WLAN

Centralized WLAN is a unified solution for wireless local area networks. Figure 11 shows a centralized WLAN network.

Figure 11 Centralized WLAN network

In this network, there are two ACs and three APs. An AP can connect to an AC directly, or over a Layer 2 or Layer 3 network. The other AC serves as the backup. During initialization, an AP obtains its basic network configuration parameters, such as its own IP address, gateway address, domain name, and DNS server address, from a DHCP server. An AP uses a discovery mechanism to locate the AC. For example, with the unicast discovery mechanism, the AP can ask the DNS server for the IP address of the AC. Because the AP learns its AC from DHCP and DNS, protect those services on the AP management segment: an AP that is directed to the wrong AC takes its configuration from that AC.

The following describes a basic communication process in the centralized WLAN network:
1. A client associates with an AP in the network.
2. The AP communicates with the AC to authenticate the client's credentials.
3. The AC contacts the authentication server (AS) to authenticate the client.
Once the wireless client passes authentication, it can access authorized WLAN services and communicate with other wireless clients or wired devices.

Protocols and standards

ANSI/IEEE Std 802.11, 1999 Edition
IEEE Std 802.11a
IEEE Std 802.11b
IEEE Std 802.11g
IEEE Std 802.11i
IEEE Std 802.11
IEEE Std 802.11n

Configuring WLAN service

Configuration task list

Enabling WLAN service (Required)
Configuring country code (Required)
Configuring software automatic update (Optional)
Configuring a WLAN service template (Required)
Configuring an AP (Required)
Configuring auto AP (Optional)
Configuring basic network parameters for an AP (Optional)
Configuring AC-AP tunnel dual-link (Optional)
Configuring radio parameters (Required)
Configuring a radio policy (Required)
Configuring 802.11n (Optional)

Enabling WLAN service

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable WLAN service. Command: wlan enable. Remarks: By default, WLAN service is enabled.

Configuring country code

A country code identifies the country in which you want to operate radios. It determines characteristics such as the operating power level and the total number of channels available for the transmission of frames. You must set a valid country code or area code before configuring an AP.

Some ACs and fit APs have fixed country codes. The country code in use is determined as follows:
An AC's fixed country code cannot be changed, and all managed fit APs whose country codes are not fixed must use the AC's fixed country code.
A fit AP's fixed country code cannot be changed, and the fit AP can only use that country code.
If an AC and a managed fit AP use different fixed country codes, the fit AP uses its own fixed country code.

To specify the country code:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Specify the global country code. Command: wlan country-code code. Remarks: By default, the country code is CN.
3. Specify the AP name and its model number and enter AP template view. Command: wlan ap ap-name model model-name [ id ap-id ]. Remarks: The model name is needed only when you create a new AP template.
4. Specify a country code for the AP. Command: country-code code. Remarks: By default, the AP has no country code and uses the global country code. If an AP is configured with a country code, the AP uses its own country code.

NOTE: If an AP is configured with a country code or has a fixed country code, changing the global country code does not affect the country code of the AP.

Configuring software automatic update

A fit AP is a zero-configuration device. It can automatically discover an AC after power-on. By default, a fit AP can associate with an AC only if their software versions are consistent, which complicates maintenance. This task allows you to designate the software version of an AP on the AC, so that the two can associate with each other even if their software versions differ.

To configure software version automatic update:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure software version automatic update. Command: wlan apdb model-name hardware-version software-version. Remarks: By default, the software versions of the fit AP and the AC must be consistent.
Configuring a WLAN service template

A WLAN service template includes attributes such as the SSID, the WLAN-ESS interface binding, and the authentication method (open-system or shared-key). A service template can be of the clear or crypto type.

To configure a service template:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Create a WLAN-ESS interface. Command: interface wlan-ess interface-index. Remarks: N/A.
3. Exit interface view. Command: quit. Remarks: N/A.
4. Create a WLAN service template. Command: wlan service-template service-template-number { clear | crypto }. Remarks: You cannot change the service template type of an existing service template.
5. Specify the SSID. Command: ssid ssid-name. Remarks: By default, no SSID is set.
6. Hide the SSID in beacon frames. Command: beacon ssid-hide. Remarks: By default, the SSID is not hidden in beacon frames.
7. Bind the WLAN-ESS interface to the service template. Command: bind wlan-ess interface-index. Remarks: By default, no interface is bound to the service template.
8. Enable local forwarding for APs. Command: client forwarding-mode local [ vlan vlan-id-list ]. Remarks: Support for this command depends on the device model. This command is supported only on ACs. Remote forwarding is enabled by default, that is, all managed APs forward wireless traffic to the AC.
9. Specify an authentication method. Command: authentication-method { open-system | shared-key }. Remarks: For the related shared key configuration, see "Configuring WLAN security."
10. Specify the maximum number of clients allowed to associate with an SSID on a radio. Command: client max-count max-number. Remarks: 124 by default.
11. Enable fast association. Command: fast-association enable. Remarks: By default, fast association is disabled. When this function is enabled, the AP does not perform band navigation and load balancing calculations for clients bound to the SSID.
12. Enable the service template. Command: service-template enable. Remarks: By default, the service template is disabled.

Configuring an AP

The AC automatically assigns AP settings to a fit AP (in Run state) that has established a CAPWAP connection with it.

To configure AP settings on the AC:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Specify the AP name and its model number and enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The model name is needed only when you create a new AP template.
3. Specify the serial ID of the AP. Command: serial-id { text | auto }. Remarks: By default, no serial ID is configured for the AP. To configure auto AP, you must configure both the serial-id auto and wlan auto-ap enable commands.
4. Configure a description for the AP. Command: description description-string. Remarks: Optional.
5. Enable traps for the AP. Command: trap enable. Remarks: Optional.
6. Configure the echo interval for the AP. Command: echo-interval interval. Remarks: By default, the echo interval is 10 seconds.
7. Set the CIR for packets sent from the AC to the AP. Command: cir committed-information-rate [ cbs committed-burst-size ]. Remarks: By default, no CIR is set for an AP.
8. Configure the AP name. Command: ap-name name. Remarks: By default, no AP name is configured.
9. Configure the jumbo frame threshold. Command: jumboframe enable value. Remarks: By default, the jumbo frame functionality is disabled.
10. Enable the AP to respond to probe requests that carry no SSID. Command: broadcast-probe reply. Remarks: Enabled by default.
11. Specify the client idle timeout interval. Command: client idle-timeout interval. Remarks: By default, the client idle timeout is 3600 seconds. If no data is received from an associated client within the interval, the AP removes it from the network.
12. Specify the client keep-alive interval. Command: client keep-alive interval. Remarks: By default, the client keep-alive function is disabled.
13. Configure the AP connection priority. Command: priority level priority. Remarks: The default is 4.

14. Enable the remote AP function. Command: hybrid-remote-ap enable. Remarks: By default, the remote AP function is disabled. Before you enable remote AP, disable the online user handshake function if 802.1X authentication is used. Do not use the remote AP function together with the WLAN mesh function.
15. Specify a configuration file for the AP. Command: map-configuration filename. Remarks: Not specified by default.
16. Exit AP template view. Command: quit. Remarks: N/A.
17. Configure the discovery policy type as unicast. Command: wlan lwapp discovery-policy unicast. Remarks: By default, the AC receives broadcast discovery messages. If the unicast policy is specified, the AC discards broadcast discovery messages.
18. Enable or disable WLAN radios. Command: wlan radio { disable | enable } { all | dot11a | dot11an | dot11b | dot11g | dot11gn | radio-policy radio-policy-name }. Remarks: By default, no WLAN radio is enabled.
19. Set the network access server (NAS)-PORT-ID for an AP. Command: nas-port-id text. Remarks: By default, no NAS-PORT-ID is configured for an AP.
20. Set the NAS-ID for an AP. Command: nas-id text. Remarks: By default, no NAS-ID is configured for an AP.

Configuring auto AP

The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless network with many APs, the auto AP function avoids configuring many AP serial IDs.

To configure auto AP:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable the auto AP function. Command: wlan auto-ap enable. Remarks: Disabled by default.
3. Enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The model number is needed only when you create a new AP template.
4. Set the auto AP serial ID. Command: serial-id auto. Remarks: N/A.

5. Exit AP template view. Command: quit. Remarks: N/A.
6. Convert auto APs into configured APs. Command: wlan auto-ap persistent { all | name auto-ap-name [ new-ap-name ] }. Remarks: You can configure an AP template only after auto APs are converted into configured APs. The AP template is not removed when the APs go offline.

NOTE: If you have configured the auto AP function and then change the AP template configuration, the auto APs use the new AP template configuration only after they re-associate with the AC.

Configuring basic network parameters for an AP

Perform this task to configure basic network parameters in AP configuration view. The AC automatically assigns these settings to the AP once the AP (in Run state) has established an AC-AP tunnel connection with it. This feature avoids configuring APs one by one from a terminal, greatly reducing the workload in large WLAN networks.

If you change the parameters for an auto AP, the auto AP needs to re-associate with the AC to update its configuration; you then need to save the settings to the wlan_ap_cfg.wcfg file of the AP and restart the AP to validate the new settings. If you change the parameters for an associated AP, you need to save the settings to the wlan_ap_cfg.wcfg file of the AP and restart the AP to validate the new settings.

To configure AP parameters:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Specify a global AC so that APs can discover the AC. Command: wlan ap-provision ac { host-name host-name | ip ip-address | ipv6 ipv6-address }. Remarks: By default, no global AC is specified.
3. Specify a global DNS server. Command: wlan ap-provision dns server { ip ip-address | ipv6 ipv6-address }. Remarks: By default, no global DNS server is specified.
4. Specify a global domain name. Command: wlan ap-provision dns domain domain-name. Remarks: By default, no global domain name is specified.
5. Set the AP name and model, and enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The AP model name is needed only when you create an AP template.
6. Create and enter AP configuration view. Command: provision. Remarks: After you create the AP provision view, the device automatically adds the vlan untagged 1 command for the AP.

7. Specify an AC so that the AP can discover the AC. Command: ac { host-name host-name | ip ip-address | ipv6 ipv6-address }. Remarks: By default, no AC is specified for the AP. The wlan ap-provision ac command applies to all APs, and the ac command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.
8. Specify a DNS server for the AP. Command: dns server { ip ip-address | ipv6 ipv6-address }. Remarks: By default, no DNS server is specified for the AP. The wlan ap-provision dns server command applies to all APs, and the dns server command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.
9. Specify a domain name for the DNS server. Command: dns domain domain-name. Remarks: By default, no domain name is specified for the DNS server. The wlan ap-provision dns domain command applies to all APs, and the dns domain command in AP provision view applies to the current AP. If you configure both commands, the configuration in AP provision view applies to the current AP.
10. Configure the management VLAN ID for the AP. Command: management-vlan vlan-id. Remarks: By default, the management VLAN of the AP is VLAN 1.
11. Configure the default VLAN ID for the Ethernet interface on the AP. Command: vlan pvid vlan-id. Remarks: By default, the default VLAN ID of the Ethernet interface on the AP is 1.
12. Configure a list of VLANs whose packets are sent tagged on the Ethernet interface of the AP. Command: vlan tagged vlan-id-list. Remarks: Not configured by default.
13. Configure a list of VLANs whose packets are sent untagged on the Ethernet interface of the AP. Command: vlan untagged vlan-id-list. Remarks: Not configured by default.

14. Specify an IP address for the management VLAN interface of the AP. Command: ip address ip-address { mask | mask-length }. Remarks: Not configured by default. The management VLAN of the AP must be VLAN 1.
15. Specify an IPv6 address for the management VLAN interface of the AP. Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }. Remarks: Not configured by default. The management VLAN of the AP must be VLAN 1.
16. Specify the gateway of the AP. Command: gateway { ip ip-address | ipv6 ipv6-address }. Remarks: Not configured by default.
17. Save the configuration in AP configuration view to the wlan_ap_cfg.wcfg file of the specified AP or all APs. Command: save wlan ap provision { all | name ap-name }. Remarks: Available in any view. This command takes effect only on APs in Run state. For more information about the command, see WLAN Command Reference.
18. Clear the wlan_ap_cfg.wcfg file of the specified AP or all APs. Command: reset wlan ap provision { all | name ap-name }. Remarks: Available in any view. This command takes effect only on APs in Run state.

Configuring AC-AP tunnel dual-link

1. Enter system view. Command: system-view. Remarks: N/A.
2. Specify the address of the backup AC. Command: wlan backup-ac { ip ipv4-address | ipv6 ipv6-address }. Remarks: By default, no backup AC address exists. The backup AC configured in AP template view takes precedence over that configured in system view.
3. Enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The model name is needed only when you create a new AP template.
4. Specify an IPv4/IPv6 backup AC. Command: backup-ac { ip ipv4-address | ipv6 ipv6-address }. Remarks: By default, the global backup AC, if specified, is used by the AP. The backup AC configured in AP template view takes precedence over that configured in system view.

5. Specify the AP connection priority for the AC. Command: priority level priority. Remarks: By default, the AP connection priority of the AC is 4. If an AC has an AP connection priority of 7, the AC becomes the master AC. When the master AC fails and then recovers, it re-establishes connections with the APs and becomes the master AC again.

NOTE: The two ACs must have the same AP configuration view settings for an AP. Otherwise, the AP may fail to work after a master/subordinate switchover.

Enabling CAPWAP/LWAPP tunnel encryption with IPsec

Control And Provisioning of Wireless Access Points (CAPWAP) defines how an AP communicates with an AC. It provides a generic encapsulation and transport mechanism between the AP and the AC. However, tunnel packets are transmitted in plain text, which raises security concerns. To protect CAPWAP/LWAPP transmission, you can use IPsec to encrypt and authenticate control and data packets.

If you configure both AC backup and Portal stateful failover, use the undo ipsec synchronization enable command to disable IPsec stateful failover.

Configuration considerations

1. Enable the AP and AC to establish a CAPWAP/LWAPP tunnel between them and make sure the AP is in Run state.
2. Enter AP configuration view to complete the IPsec encryption configuration, and execute the save wlan ap provision command to save the configuration to the wlan_ap_cfg.wcfg file of the AP.
3. Reboot the AP to validate the configuration.
4. Configure IPsec. For more information about IPsec configuration, see Security Configuration Guide. Follow these guidelines when you configure IPsec:
The security protocol, encapsulation mode, authentication algorithm, and encryption algorithm can only be ESP, tunnel, SHA1, and DES, respectively.
You can only use IKEv1 to set up SAs, use the default security proposal, and adopt only the main IKE negotiation mode. For more information about IPsec commands, see Security Command Reference.
You can configure an IPsec policy that uses IKE only by referencing an IPsec policy template, because the AC responds to the AP's negotiation requests.
When you configure pre-shared key authentication for an IKE peer, the pre-shared key configured with the pre-shared-key command (the key on the AC) must be the same as that configured with the tunnel encryption ipsec pre-shared-key command (the key sent by the AC to the AP by using the AP provision function).
To make sure the SAs between the AC and the AP are removed in time when the AP disconnects from the AC, configure Dead Peer Detection (DPD), configure the ISAKMP SA keepalive interval with the ike sa keepalive-timer interval command, configure the ISAKMP SA keepalive timeout with the ike sa keepalive-timer timeout command, and enable invalid security parameter index (SPI) recovery with the ipsec invalid-spi-recovery enable command.
5. Apply the IPsec policy to VLAN interfaces.

Configuration procedure

To enable CAPWAP/LWAPP tunnel encryption with IPsec:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The AP model name is needed only when you create an AP template.
3. Enter AP configuration view. Command: provision. Remarks: N/A.
4. Configure the AP to use IPsec to encrypt the control tunnel. Command: tunnel encryption ipsec pre-shared-key { cipher | simple } key. Remarks: By default, the AP does not encrypt the control tunnel.
5. Configure the AP to use IPsec to encrypt the data tunnel. Command: data-tunnel encryption enable. Remarks: By default, the AP does not encrypt the data tunnel.
6. Save the configuration in AP configuration view to the wlan_ap_cfg.wcfg file of the specified APs. Command: save wlan ap provision { all | name ap-name }. Remarks: This command takes effect only on APs in Run state. For more information about the command, see WLAN Command Reference.

Configuring radio parameters

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The AP model name is needed only when you create an AP template.
3. Enter radio view. Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]. Remarks: The default radio type varies depending on the AP model.
4. Apply a service template on the radio. Command: service-template service-template-number [ vlan-id vlan-id1 [ vlan-id2 ] ] [ nas-port-id nas-port-id | nas-id nas-id ] [ ssid-hide ]. Remarks: Multiple service templates can be applied on a radio.

5. Configure a channel. Command: to specify a channel number for the radio, use channel channel-number; to set the channel mode to auto, use channel auto (in auto mode, you can lock the current channel with channel lock). Remarks: By default, auto mode is enabled and no channel is locked. For more information about the commands, see WLAN Command Reference.
6. Configure the radio power. Command: to specify the maximum radio power, use max-power radio-power; to lock the current power and set the maximum power to the power after power selection, use power lock. Remarks: By default, the maximum radio power varies with country codes, channels, AP models, radio types and antenna types. If 802.11n is adopted, the maximum radio power also depends on the bandwidth mode. By default, the current power is not locked. For more information about the commands, see WLAN Command Reference.
7. Specify the type of preamble. Command: preamble { long | short }. Remarks: By default, the short preamble is supported.
8. Enable the Adaptive Noise Immunity (ANI) function. Command: ani enable. Remarks: By default, ANI is enabled.
9. Apply a radio policy to the radio. Command: radio-policy radio-policy-name. Remarks: By default, the default_rp radio policy is bound to a radio. The radio policy must have been configured with the wlan radio-policy command.
10. Configure the antenna type. Command: antenna type type. Remarks: The default setting for the command depends on the device model.
11. Configure the maximum distance that the radio can cover. Command: distance distance. Remarks: By default, the radio can cover 1 km (0.62 miles) at most.
12. Enable the radio. Command: radio enable. Remarks: By default, the radio is not enabled.

Configuring a radio policy

You can configure radio parameters in a radio policy and apply the radio policy to a radio so that the radio uses the parameters in the policy.

To configure a radio policy:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Create a radio policy and enter radio policy view. Command: wlan radio-policy policy-name. Remarks: N/A.
3. Set the interval for sending beacon frames. Command: beacon-interval interval. Remarks: By default, the beacon interval is 100 time units (TUs).
4. Set the number of beacon intervals between DTIM frames. Command: dtim counter. Remarks: By default, the DTIM counter is 1.
5. Specify the maximum length of packets that can be transmitted without fragmentation. Command: fragment-threshold size. Remarks: By default, the fragment threshold is 2346 bytes. The threshold must be an even number.
6. Specify the request to send (RTS) threshold length. Command: rts-threshold size. Remarks: By default, the RTS threshold is 2346 bytes.
7. Set the maximum number of retransmission attempts for frames larger than the RTS threshold. Command: long-retry threshold count. Remarks: By default, the long retry threshold is 4.
8. Specify the maximum number of attempts to transmit a frame shorter than the RTS threshold. Command: short-retry threshold count. Remarks: By default, the short retry threshold is 7.
9. Specify the maximum interval for the AP to hold received packets. Command: max-rx-duration interval. Remarks: By default, the interval is 2000 milliseconds.
10. Specify the maximum number of associated clients. Command: client max-count max-number. Remarks: The default is 64.
11. Specify a collision avoidance mechanism. Command: protection-mode { cts-to-self | rts-cts }. Remarks: By default, the collision avoidance mechanism is RTS/CTS.

Enabling automatic creation of radio policies

After you enable automatic creation of radio policies, a radio policy is automatically created and bound to each radio of a newly created AP template.

To enable automatic creation of radio policies:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable automatic creation of radio policies. Command: wlan radio-policy auto-create. Remarks: By default, automatic creation of radio policies is disabled.

Configuring 802.11n

As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher-speed services to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other as the secondary, or they can work together as a 40-MHz channel. With this flexibility, the data forwarding rate can be doubled.
2. Improving channel utilization in the following ways:
802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) that have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames required, and improves network throughput.
Similar to MPDU aggregation, multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and improves MAC layer forwarding efficiency.
To improve physical layer performance, 802.11n introduces the short GI function, which shortens the GI interval of 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.

To configure 802.11n:

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The model name is needed only when you create a new AP template.
3. Enter radio view. Command: radio radio-number type { dot11an | dot11gn }. Remarks: N/A.
4. Specify the bandwidth mode for the radio. Command: channel band-width { 20 | 40 }. Remarks: By default, the 802.11an radio operates in 40 MHz mode and the 802.11gn radio operates in 20 MHz mode.
5. Enable access permission for 802.11n clients only. Command: client dot11n-only. Remarks: By default, an 802.11an radio permits both 802.11a and 802.11an clients to access, and an 802.11gn radio permits both 802.11b/g and 802.11gn clients to access.

6. Enable the short GI function. Command: short-gi enable. Remarks: By default, the short GI function is enabled.
7. Enable the A-MSDU function. Command: a-msdu enable. Remarks: By default, the A-MSDU function is enabled. The device receives but does not send A-MSDUs.
8. Enable the A-MPDU function. Command: a-mpdu enable. Remarks: By default, the A-MPDU function is enabled.
9. Enable the radio. Command: radio enable. Remarks: By default, the radio is disabled. Before enabling the radio, you must configure the Modulation and Coding Scheme (MCS). For mandatory and supported 802.11n rates, see "Configuring WLAN RRM."

NOTE: For information about the Modulation and Coding Scheme (MCS) index and mandatory and supported 802.11n rates, see "Configuring WLAN RRM."

Shutting down all LEDs on APs

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter AP template view. Command: wlan ap ap-name [ model model-name [ id ap-id ] ]. Remarks: The model name is needed only when you create a new AP template.
3. Shut down all LEDs on all online APs of the current AP template. Command: shut-all-led enable. Remarks: By default, all LEDs on all the online APs of the current AP template light based on AP status.

Displaying and maintaining WLAN service

You can use the wlan link-test command to perform a Radio Frequency Ping (RFPing) operation to a client. The operation results show the signal strength and the round-trip time (RTT) between the AP and the client.

Display AP information. Command: display wlan ap { all | name ap-name } [ verbose ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display AP address information. Command: display wlan ap { all | name ap-name } address [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display radio information. Command: display wlan ap { all | name ap-name } radio [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display the model information of a specified AP or all APs. Command: display wlan ap-model { all | name ap-name } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display the reboot log information of an AP. Command: display wlan ap reboot-log name ap-name [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display AP country code information. Command: display wlan country-code ap [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display WLAN radio policy information. Command: display wlan radio-policy [ radio-policy-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display WLAN service template information. Command: display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display AP connection statistics. Command: display wlan statistics ap { all | name ap-name } connect-history [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display wireless client statistics. Command: display wlan statistics client { all | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display radio statistics. Command: display wlan statistics radio [ ap ap-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display AP load information. Command: display wlan statistics radio [ ap ap-name ] load [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.

Display service template statistics. Command: display wlan statistics service-template service-template-number [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display the connection history for all APs bound to a service template. Command: display wlan statistics service-template service-template-number connect-history [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display WLAN statistics. Command: display wlan statistics { client { all | mac-address mac-address } | radio [ ap-name ] } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Display WLAN client information. Command: display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Reset AP connections. Command: reset wlan ap { all | name ap-name }. Remarks: Available in user view.
Clear AP reboot logs. Command: reset wlan ap reboot-log { all | name ap-name }. Remarks: Available in user view.
Clear AP or client statistics. Command: reset wlan statistics { client { all | mac-address mac-address } | radio [ ap-name ] }. Remarks: Available in user view.
Cut off WLAN clients. Command: reset wlan client { all | mac-address mac-address }. Remarks: Available in user view.
RFPing a wireless client. Command: wlan link-test mac-address. Remarks: Available in user view.

Configuring user isolation

Introduction to VLAN-based user isolation

Without VLAN-based user isolation, devices in the same VLAN can access each other at Layer 2, which could result in security problems. VLAN-based user isolation is designed to solve this problem. When an AC configured with user isolation receives unicast packets (broadcast packets and multicast packets in a VLAN are not isolated) from a wireless client to another wireless client or wired PC in the same VLAN, or from a wired PC to a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

To keep user isolation from affecting communications between hosts and the gateway, you can add the MAC address of the gateway to the list of permitted MAC addresses.

User isolation provides network services to users while isolating them from one another at Layer 2, which helps ensure service security.

Without VLAN-based user isolation

As shown in Figure 12, when VLAN-based user isolation is disabled on the AC, wireless clients A and B and wired PC Host A in VLAN 2 can access each other directly, and can also access the Internet.

Figure 12 VLAN-based user isolation network diagram

With VLAN-based user isolation

When VLAN-based user isolation is enabled on the AC, Client A, Client B, and Host A in VLAN 2 access the Internet through the gateway. If you add only the MAC address of the gateway to the permitted MAC address list, Client A, Client B, and Host A in the same VLAN are isolated from each other at Layer 2. If you add only the MAC address of a client (Client A, for example) to the permitted MAC address list, Client A and Client B can access each other directly, but Client B and Host A cannot. To enable all the clients in the VLAN to access one another at Layer 2, you must add the MAC address of the gateway and the MAC addresses of the clients to the permitted MAC address list.

Configuring VLAN-based user isolation

1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable user isolation for the specified VLANs. Command: user-isolation vlan vlan-list enable. Remarks: By default, user isolation is disabled.

3. Specify permitted MAC addresses for the specified VLANs. Command: user-isolation vlan vlan-list permit-mac mac-list. Remarks: Up to 16 permitted MAC addresses can be configured for a VLAN.

NOTE: To avoid network disruption caused by user isolation, H3C recommends that you add the MAC address of the gateway to the permitted MAC address list and then enable user isolation. If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs in the super VLAN, and you must configure user isolation on the sub-VLANs if needed. Support for super VLAN depends on the device model. For more information, see "About the WX Series Access Controllers Configuration Guides."

Introduction to SSID-based user isolation

SSID-based user isolation prevents wireless users that use the same SSID from accessing each other at Layer 2, to ensure the security of services and accounting accuracy.

Configuring SSID-based user isolation

1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure a service template. Command: wlan service-template service-template-number { clear | crypto }. Remarks: N/A.
3. Enable SSID-based user isolation. Command: user-isolation enable. Remarks: By default, SSID-based user isolation is disabled.

Isolating broadcasts and multicasts from wired users to wireless users

1. Enter system view. Command: system-view. Remarks: N/A.
2. Isolate broadcasts and multicasts from wired users to wireless users. Command: undo user-isolation permit broadcast. Remarks: By default, broadcasts and multicasts from wired users to wireless users are not isolated, and broadcasts and multicasts from wireless users to wireless users are isolated.
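The forwarding decision described for VLAN-based user isolation and the broadcast setting above, modelled as an added example (not H3C code) so that the Figure 12 permitted-list cases can be replayed; the hosts, MAC addresses and VLAN IDs are constructed, and the treatment of wireless-sourced broadcasts towards wired receivers is an assumption the guide does not spell out:

```python
"""Model of the VLAN-based user isolation rules described in this guide.

Added example, not H3C code. It encodes the documented decision:
 - only traffic in a VLAN with user isolation enabled is examined;
 - wired-to-wired traffic is not examined;
 - a unicast frame between two hosts in the same VLAN is forwarded only if
   the source or the destination MAC is on that VLAN's permitted list;
 - at most 16 permitted MACs per VLAN;
 - broadcasts/multicasts from wireless users are isolated, while those from
   wired users are forwarded unless 'undo user-isolation permit broadcast'
   is configured (assumption: the wireless-sourced rule is applied to all
   receivers, which the guide does not spell out).
Hosts, MAC addresses and VLAN IDs below are constructed sample data.
"""
from dataclasses import dataclass, field

MAX_PERMIT_MACS = 16  # per-VLAN limit stated in the guide


@dataclass(frozen=True)
class Host:
    mac: str        # H3C notation, e.g. 000f-e200-0001
    vlan: int
    wireless: bool


@dataclass
class IsolationConfig:
    """State produced by 'user-isolation vlan ... enable' and
    'user-isolation vlan ... permit-mac'."""
    enabled_vlans: set = field(default_factory=set)
    permit_macs: dict = field(default_factory=dict)   # vlan -> set of MACs
    permit_wired_broadcast: bool = True  # False after 'undo user-isolation permit broadcast'

    def permit_mac(self, vlan: int, mac: str) -> None:
        macs = self.permit_macs.setdefault(vlan, set())
        if mac not in macs and len(macs) >= MAX_PERMIT_MACS:
            raise ValueError(f"VLAN {vlan}: at most {MAX_PERMIT_MACS} permitted MACs")
        macs.add(mac)

    def enable(self, vlan: int, gateway_mac: str = None) -> None:
        """Enable isolation for a VLAN. When a gateway MAC is given it is
        permitted first, the order the guide recommends so that hosts do
        not lose the gateway the moment isolation takes effect."""
        if gateway_mac is not None:
            self.permit_mac(vlan, gateway_mac)
        self.enabled_vlans.add(vlan)


def is_group_address(mac: str) -> bool:
    """True for broadcast/multicast: the I/G bit (LSB of the first octet) is set."""
    return int(mac[:2], 16) & 0x01 == 1


def forwards(cfg: IsolationConfig, src: Host, dst_mac: str, dst: Host = None) -> bool:
    """Return True if the AC forwards the frame, False if isolation drops it."""
    if src.vlan not in cfg.enabled_vlans:
        return True                          # feature not enabled in this VLAN
    if is_group_address(dst_mac):
        return cfg.permit_wired_broadcast if not src.wireless else False
    if dst is None or dst.vlan != src.vlan:
        return True                          # not a same-VLAN Layer 2 case
    if not src.wireless and not dst.wireless:
        return True                          # wired-to-wired is not examined
    permitted = cfg.permit_macs.get(src.vlan, set())
    return src.mac in permitted or dst.mac in permitted


def figure12_scenarios() -> dict:
    """Replay the two permitted-list cases discussed for Figure 12."""
    gateway = Host("000f-e200-0001", 2, wireless=False)   # constructed MACs
    client_a = Host("0012-3400-000a", 2, wireless=True)
    client_b = Host("0012-3400-000b", 2, wireless=True)
    host_a = Host("0012-3400-00aa", 2, wireless=False)

    only_gw = IsolationConfig()              # gateway MAC permitted, then enabled
    only_gw.enable(2, gateway_mac=gateway.mac)
    only_a = IsolationConfig()               # only Client A's MAC permitted
    only_a.enable(2)
    only_a.permit_mac(2, client_a.mac)

    return {
        "gw_only: A->gateway": forwards(only_gw, client_a, gateway.mac, gateway),
        "gw_only: A->B": forwards(only_gw, client_a, client_b.mac, client_b),
        "gw_only: HostA->A": forwards(only_gw, host_a, client_a.mac, client_a),
        "a_only: A->B": forwards(only_a, client_a, client_b.mac, client_b),
        "a_only: B->HostA": forwards(only_a, client_b, host_a.mac, host_a),
        "a_only: B->gateway": forwards(only_a, client_b, gateway.mac, gateway),
    }


if __name__ == "__main__":
    for case, fwd in figure12_scenarios().items():
        print(f"{case:22} {'forwarded' if fwd else 'isolated'}")
```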

Displaying and maintaining user isolation

Display user isolation statistics (available in any view):
    display user-isolation statistics [ vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Clear user isolation statistics (available in user view):
    reset user-isolation statistics [ vlan vlan-id ]

Configuring AP group for AP-based access control

Some wireless service providers need to control where clients may attach to the network. For example, as shown in Figure 13, to meet security or billing requirements, wireless clients 1, 2, and 3 must reach the wired network only through AP 1, AP 2, and AP 3 respectively. To achieve this, configure an AP group and then apply the AP group in a user profile.

Figure 13 Client access control

Configuring an AP group

Step 1. Enter system view.
    Command: system-view
Step 2. Create an AP group and enter AP group view.
    Command: wlan ap-group value
Step 3. Add the specified APs to the AP group.
    Command: ap template-name-list
    No AP is added by default. You can use this command repeatedly to add multiple APs, or add up to 10 APs in one command line. A nonexistent AP can be added.

Step 4. Configure a description for the AP group.
    Command: description string
    By default, no description is configured for the AP group.

Applying the AP group in a user profile

Step 1. Enter system view.
    Command: system-view
Step 2. Enter user profile view.
    Command: user-profile profile-name
    If the user profile does not exist, create it first.
Step 3. Apply the AP group in the user profile.
    Command: wlan permit-ap-group value
    No AP group is applied in the user profile by default.
Step 4. Return to system view.
    Command: quit
Step 5. Enable the user profile.
    Command: user-profile profile-name enable
    Not enabled by default.

Note that:
- The name of the user profile must be identical to the name of the external group on the RADIUS server.
- To support roaming, all ACs in a mobility group must have the same profile name configured.

NOTE: For more information about user profiles, see Security Configuration Guide.

Displaying and maintaining AP group

Display AP group information (available in any view):
    display wlan ap-group [ group-id ] [ | { begin | exclude | include } regular-expression ]

Configuring SSID-based access control

When a user needs to access a WLAN temporarily, the administrator can specify a permitted SSID in the corresponding user profile so that the user can access the WLAN only through that SSID. After completing the configuration, enable the user profile for it to take effect.

To specify a permitted SSID:

Step 1. Enter system view.
    Command: system-view

Step 2. Enter user profile view.
    Command: user-profile profile-name
    If the specified user profile does not exist, this command creates it and enters its view.
Step 3. Specify a permitted SSID.
    Command: wlan permit-ssid ssid-name
    No permitted SSID is specified by default, and users can access the WLAN without SSID restriction.
Step 4. Return to system view.
    Command: quit
Step 5. Enable the user profile.
    Command: user-profile profile-name enable
    Not enabled by default.

NOTE: For more information about user access control and user profiles, see Security Configuration Guide.

Configuring uplink detection

Uplink detection ensures that when the uplink of an AC fails, clients can still reach external networks through APs connected to another AC whose uplink is operating properly. As shown in Figure 14, when the uplink of the AC fails, uplink detection detects the failure and disables the radio on the AP, so that clients associate with an AP served by a healthy AC instead. When the uplink recovers, the AC enables the radio on the AP again.

To achieve this, configure collaboration between NQA, the track module, and uplink detection:
- When the track entry is in Positive state, the AC enables the radio of the AP. Wireless clients can associate with the AP.
- When the track entry is in Negative state, the AC disables the radio of the AP. Wireless clients cannot associate with the AP.
- When the track entry is in Invalid state, the AC does not change the radio state of the AP.

Figure 14 Uplink detection network diagram

To configure uplink detection:

Step 1. Enter system view.
    Command: system-view
Step 2. Specify a track entry to detect whether the uplink is reachable.
    Command: wlan uplink track track-entry-number
    By default, no track entry is specified.

NOTE:
- For more information about the track module, see High Availability Configuration Guide.
- For more information about NQA, see Network Management and Monitoring Configuration Guide.

Configuring AC hot backup

NOTE:
- Support for this feature depends on your device model. For more information, see About the WX Series Access Controllers Configuration Guides.
- For the EWPX2WCMD0, LSRM1WCM3A1, and LSQM1WCMD0 cards, make sure the Ten-GigabitEthernet1/0/1 interface is up, and configure the interface to permit packets from the hot backup VLAN specified with the hot-backup vlan vlan-id command.

As shown in Figure 15, two ACs in a Layer 2 network provide redundancy for the APs. Each AP establishes a tunnel with each AC. The AC working in master mode provides services to all the APs in the network, and the AC working in subordinate mode acts as the backup AC. A heartbeat mechanism between the ACs makes sure that a failure of the master is detected quickly by the backup AC. If the master AC fails, the APs quickly switch to the services provided by the subordinate AC.

Figure 15 Dual link connections (AC 1, AC 2, and AP 1 through AP 4)

In Figure 15, AC 1 is working in master mode and providing services to AP 1, AP 2, AP 3, and AP 4. AC 2 is working in subordinate mode, and the APs are connected to AC 2 through subordinate tunnels. AC 1 and AC 2 are configured as backups for each other and run master/subordinate detection. When AC 2 detects that AC 1 is down, AC 2 switches its work mode from subordinate to master. All APs connected to AC 2 through subordinate tunnels convert those tunnels to master tunnels and use AC 2 as the master AC.

Enabling AC hot backup

You can set the domain to which an AC belongs. A domain is a group of ACs that back up each other.

To enable AC hot backup:

Step 1. Enter system view.
    Command: system-view
Step 2. Enable AC hot backup.
    Command: hot-backup enable [ domain domain-id ]
    Disabled by default.

Configuring the VLAN ID of the port connected to the other AC

You can set the ID of the VLAN to which the port connected to the other AC belongs.

To configure the VLAN ID of the port connected to the other AC:

Step 1. Enter system view.
    Command: system-view
Step 2. Configure the VLAN ID of the port connected to the other AC.
    Command: hot-backup vlan vlan-id
    By default, the port connected to the other AC belongs to VLAN 1.

Configuring the interval for sending heartbeat messages

If the master AC or the backup AC does not receive any heartbeat packet from its peer within three heartbeat intervals, it considers the peer disconnected.

To configure the interval for sending heartbeat messages:

Step 1. Enter system view.
    Command: system-view
Step 2. Configure the interval for sending heartbeat messages.
    Command: hot-backup hellointerval hellointerval
    2000 milliseconds by default.

Configuring the delay for the AP to switch from the master AC to the backup AC

Step 1. Enter system view.
    Command: system-view
Step 2. Configure the delay for the AP to switch from the master AC to the backup AC.
    Command: wlan backup-ac switch-delay time
    The default is five seconds.

Displaying the AC connection state

Display the AC connection state (available in any view):
    display hot-backup state

WLAN service configuration examples

WLAN service configuration example

Network requirements

As shown in Figure 16, enable the client to access the internal network resources at any time. More specifically:
- The AP is connected to the AC through a Layer 2 switch.
- The manually entered serial ID of the AP is A29G007C
- The AP provides plain-text (open) wireless access service with SSID service.
- The AP uses 802.11g.

Figure 16 Network diagram

Configuration procedure

1. Configure the AC:

# Enable WLAN service (enabled by default).
<AC> system-view
[AC] wlan enable

# Create a WLAN-ESS interface.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit

# Create a clear-type WLAN service template, set its SSID to service, bind the WLAN-ESS interface to it, and enable it. A clear-type template with open-system authentication provides neither authentication nor encryption, so anyone within radio range can join; use a crypto-type template for production services.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] client max-count 10
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Configure a radio policy. (The default radio policy default_rp is used if you do not create one to customize these parameters.)
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration

# Create an AP template named ap1 with model WA2100, and set the serial ID of the AP to A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] description L3Office

# Set the radio type to 802.11g and the channel to 11.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] channel 11

# Bind radio policy radpolicy1 and service template 1 to radio 1, and enable the radio.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:

The client can associate with the AP and then access the WLAN. Use the display wlan client command to view the online clients.

WLAN auto-AP configuration example

Network requirements

As shown in Figure 17, an AC is connected to a Layer 2 switch. AP 1 (serial ID SZ001) and AP 2 (serial ID SZ002) are connected to the AC through the Layer 2 switch. AP 1, AP 2, and the AC are in the same network. AP 1 and AP 2 get their IP addresses from the DHCP server. Enable the auto-AP function so that the APs connect to the AC automatically.

Figure 17 Network diagram

Configuration procedure

1. Configure the AC:

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit

# Define a clear-type WLAN service template, set its SSID to service, and bind the WLAN-ESS interface to it.

[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Configure a radio policy. (The default radio policy default_rp is used if you do not create one to customize these parameters.)
[AC] wlan radio-policy radpolicy1
[AC-wlan-rp-radpolicy1] beacon-interval 200
[AC-wlan-rp-radpolicy1] dtim 4
[AC-wlan-rp-radpolicy1] rts-threshold 2300
[AC-wlan-rp-radpolicy1] fragment-threshold 2200
[AC-wlan-rp-radpolicy1] short-retry threshold 6
[AC-wlan-rp-radpolicy1] long-retry threshold 5
[AC-wlan-rp-radpolicy1] max-rx-duration 500
[AC-wlan-rp-radpolicy1] quit

# Enable the auto-AP feature.
[AC] wlan auto-ap enable

# Configure a common AP for model WA2100. (One common auto-AP configuration is required for each AP model.)
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id auto

# Configure the radio of the common AP and set the maximum power to 10. Automatic channel selection is used by default.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] max-power 10

# Bind radio policy radpolicy1 and service template 1 to radio 1, and enable the radio.
[AC-wlan-ap-ap1-radio-1] radio-policy radpolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:

Use the display wlan ap command to view the two APs, and use the wlan auto-ap persistent command to convert the two auto APs to configured APs. Because the auto-AP feature lets any AP of a matching model that can reach the AC come online, disable it once the intended APs have been converted. The clients can associate with the APs and access the WLAN.

AC-AP tunnel dual-link configuration example

Network requirements

As shown in Figure 18, AC 1 and AC 2 are connected to a Layer 2 switch. An AP is connected to AC 1 and AC 2 through the Layer 2 switch. AC 1, AC 2, and the AP are in the same network. The AP gets its IP address from the DHCP server. The IP address of AC 1 is and the IP address of AC 2 is . AC 1 is working in master mode and AC 2 is working in subordinate mode. When AC 2 detects that AC 1 is down, AC 2 switches its work mode from subordinate to master. The AP, which is connected to AC 2 through a subordinate tunnel, converts the tunnel to a master tunnel and uses AC 2 as the master AC.

Figure 18 Network diagram

Configuration procedure

1. Configure AC 1:

# Create a WLAN-ESS interface.
<AC1> system-view
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] quit

# Define a clear-type WLAN service template, set its SSID to service, and bind the WLAN-ESS interface to it.
[AC1] wlan service-template 1 clear
[AC1-wlan-st-1] ssid service
[AC1-wlan-st-1] bind WLAN-ESS 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit

# Specify the backup AC address.
[AC1] wlan backup-ac ip

# Configure the AP on AC 1.
[AC1] wlan ap ap1 model WA2100
[AC1-wlan-ap-ap1] serial-id A29G007C
[AC1-wlan-ap-ap1] radio 1 type dot11g
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable

2. Configure AC 2:

# Create a WLAN-ESS interface.
<AC2> system-view
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] quit

# Define a clear-type WLAN service template with SSID service (the SSIDs on the master AC and the subordinate AC must be the same), and bind the WLAN-ESS interface to it.
[AC2] wlan service-template 1 clear
[AC2-wlan-st-1] ssid service

[AC2-wlan-st-1] bind WLAN-ESS 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit

# Specify the backup AC address.
[AC2] wlan backup-ac ip

# Configure the AP on AC 2.
[AC2] wlan ap ap1 model WA2100
[AC2-wlan-ap-ap1] serial-id A29G007C
[AC2-wlan-ap-ap1] radio 1 type dot11g
[AC2-wlan-ap-ap1-radio-1] service-template 1
[AC2-wlan-ap-ap1-radio-1] radio enable

3. Verify the configuration:

When AC 1 fails, AC 2 becomes the master AC immediately. Use the display wlan ap command on the AC to view the status of the APs.

Configuration example for CAPWAP tunnel encryption with IPsec

Network requirements

- The data and control packets between AP 1 and the AC are transmitted in plain text.
- Use IPsec to encrypt the CAPWAP control tunnel between AP 2 and the AC.
- Use IPsec to encrypt both the CAPWAP control and data tunnels between AP 3 and the AC.

Figure 19 Network diagram (AC, switch, and AP 1 through AP 3, each with a client)

Configuration procedure

Establish CAPWAP connections between AP 2, AP 3, and the AC before you configure the provisioning settings of AP 2 and AP 3, and make sure AP 2 and AP 3 are in Run state.

# Create AP 2 and enter its configuration view, configure the AP to use an IPsec pre-shared key to encrypt the control tunnel, and save the configuration to the wlan_ap_cfg.wcfg file on the AP.
<AC> system-view
[AC] wlan ap ap2 model WA2620E-AGN
[AC-wlan-ap-ap2] provision

[AC-wlan-ap-ap2-prvs] tunnel encryption ipsec pre-shared-key simple
[AC-wlan-ap-ap2-prvs] save wlan ap provision name ap2
[AC-wlan-ap-ap2-prvs] quit
[AC-wlan-ap-ap2] quit

# Create AP 3 and enter its configuration view, configure the AP to use IPsec pre-shared key abcde to encrypt both the control and data tunnels, and save the configuration to the wlan_ap_cfg.wcfg file on the AP.
[AC] wlan ap ap3 model WA2620E-AGN
[AC-wlan-ap-ap3] provision
[AC-wlan-ap-ap3-prvs] tunnel encryption ipsec pre-shared-key simple abcde
[AC-wlan-ap-ap3-prvs] data-tunnel encryption enable
[AC-wlan-ap-ap3-prvs] save wlan ap provision name ap3
[AC-wlan-ap-ap3-prvs] return

# Reboot AP 2 and AP 3 for the configuration to take effect.
<AC> reset wlan ap name ap2
<AC> reset wlan ap name ap3

# Configure an IPsec transform set. (The proposal below is the one in the original example. DES is a 56-bit cipher and is not an acceptable choice for new deployments; select an AES algorithm where the platform offers one, and use a long random pre-shared key rather than a short word such as abcde.)
[AC] ipsec transform-set tran1
[AC-ipsec-transform-set-tran1] encapsulation-mode tunnel
[AC-ipsec-transform-set-tran1] transform esp
[AC-ipsec-transform-set-tran1] esp encryption-algorithm des
[AC-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[AC-ipsec-transform-set-tran1] quit

# Create a DPD detector named dpd.
[AC] ike dpd dpd

# Set the ISAKMP SA keepalive interval to 100 seconds.
[AC] ike sa keepalive-timer interval 100

# Set the ISAKMP SA keepalive timeout to 300 seconds.
[AC] ike sa keepalive-timer timeout 300

# Enable invalid SPI recovery.
[AC] ipsec invalid-spi-recovery enable

# Configure IKE peer ap2 with the same pre-shared key as configured on AP 2, and apply the DPD detector to it.
[AC] ike peer ap2
[AC-ike-peer-ap2] remote-address
[AC-ike-peer-ap2] pre-shared-key
[AC-ike-peer-ap2] dpd dpd
[AC-ike-peer-ap2] quit

# Configure IKE peer ap3 with pre-shared key abcde (the same as configured on AP 3), and apply the DPD detector to it.
[AC] ike peer ap3
[AC-ike-peer-ap3] remote-address
[AC-ike-peer-ap3] pre-shared-key abcde
[AC-ike-peer-ap3] dpd dpd
[AC-ike-peer-ap3] quit

# Create IPsec policy template pt with sequence number 1, referencing IPsec transform set tran1 and IKE peer ap2.
[AC] ipsec policy-template pt 1
[AC-ipsec-policy-template-pt-1] transform-set tran1
[AC-ipsec-policy-template-pt-1] ike-peer ap2
[AC-ipsec-policy-template-pt-1] quit

# Create IPsec policy template pt with sequence number 2, referencing IPsec transform set tran1 and IKE peer ap3.
[AC] ipsec policy-template pt 2
[AC-ipsec-policy-template-pt-2] transform-set tran1
[AC-ipsec-policy-template-pt-2] ike-peer ap3
[AC-ipsec-policy-template-pt-2] quit

# Create IPsec policy map with sequence number 1 by referencing IPsec policy template pt.
[AC] ipsec policy map 1 isakmp template pt

# Apply the IPsec policy to VLAN-interface 1. CAPWAP tunnel establishment between AP 1 and the AC is not affected by this configuration.
[AC] interface vlan-interface 1
[AC-Vlan-interface-1] ip address
[AC-Vlan-interface-1] ipsec policy map

Verifying the configuration

Take AP 2 as an example. When Join requests are exchanged between AP 2 and the AC, IKE is triggered to establish SAs. Use the display ipsec sa command to display the established SAs. After the SAs are established, the control packets between AP 2 and the AC are transmitted in cipher text. Data packets between AP 2 and the AC remain in plain text, because data tunnel encryption was enabled only for AP 3.

Example for configuring fit APs on an AC

Network requirements

Configure settings for AP 1 and AP 2 on an AC so that the AC automatically assigns the settings to the fit APs over AC-AP tunnel connections. Specify the IP addresses of AP 1 and AP 2 as /24 and /24. AP 1 and AP 2 can discover AC 1 with the IP address /24.

Figure 20 Network diagram

Configuration procedure

NOTE:
- An AC can assign settings only to fit APs that have established an AC-AP tunnel connection with it, so make sure AP 1 and AP 2 are in Run state.
- The management VLAN of the AP must be VLAN 1.

1. Configure the AC:

# Specify the global IP address of AC 1 so that AP 1 and AP 2 can discover AC 1.
<AC> system-view
[AC] wlan ap-provision ac ip

# Create and enter the AP 1 configuration view, and configure the IP address of the management VLAN interface of AP 1.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] provision
[AC-wlan-ap-ap1-prvs] ip address
[AC-wlan-ap-ap1-prvs] quit
[AC-wlan-ap-ap1] quit

# Create and enter the AP 2 configuration view, and configure the IP address of the management VLAN interface of AP 2.
[AC] wlan ap ap2 model WA2210-AG
[AC-wlan-ap-ap2] provision
[AC-wlan-ap-ap2-prvs] ip address

# Save the configuration in AP configuration view to the wlan_ap_cfg.wcfg files of the APs.
[AC-wlan-ap-ap2-prvs] save wlan ap provision all
[AC-wlan-ap-ap2-prvs] return

# Reboot AP 1 and AP 2 for the configuration to take effect.
<AC> reset wlan ap name ap1
<AC> reset wlan ap name ap2

2. Configure AC 1:

# Create a WLAN-ESS interface.
<AC1> system-view
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] quit

# Define a clear-type WLAN service template, set its SSID to service, and bind the WLAN-ESS interface to it.
[AC1] wlan service-template 1 clear
[AC1-wlan-st-1] ssid service
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit

# Create an AP template named ap1 with model WA2100, and set the serial ID of the AP to A29G007C
[AC1] wlan ap ap1 model WA2100

[AC1-wlan-ap-ap1] serial-id A29G007C
[AC1-wlan-ap-ap1] description L3office

# Set the radio type to 802.11g and the channel to 11.
[AC1-wlan-ap-ap1] radio 1 type dot11g
[AC1-wlan-ap-ap1-radio-1] channel 11

# Bind service template 1 to radio 1 and enable the radio. (No radio policy is created in this example; if you want to bind one with the radio-policy command, create it first with wlan radio-policy as in "WLAN service configuration example.")
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] return

Verifying the configuration

After AP 1 and AP 2 are rebooted, they establish AC-AP tunnel connections with AC 1.

802.11n configuration example

Network requirements

As shown in Figure 21, deploy an 802.11n network to provide high-bandwidth access for multimedia applications. The AP provides a plain-text wireless service with SSID 11nservice. 802.11gn is used so that the network interworks with existing 802.11g networks.

Figure 21 Network diagram

Configuration procedure

1. Configure the AC:

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit

# Configure a clear-type service template, set its SSID to 11nservice, and bind the WLAN-ESS interface to it.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid 11nservice
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Configure the AP on the AC. The AP must support 802.11n.
[AC] wlan ap ap1 model WA2610E-AGN
[AC-wlan-ap-ap1] serial-id A29G007C

# Configure the radio of the AP to operate in 802.11gn mode.
[AC-wlan-ap-ap1] radio 1 type dot11gn

# Bind the service template to radio 1 and enable the radio.

[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

2. Verify the configuration:

The clients can associate with the AP and access the WLAN. Use the display wlan client verbose command to view the online clients, including 802.11n clients.

User isolation configuration example

Network requirements

As shown in Figure 22, the MAC address of the gateway is 000f-e Configure user isolation on the AC so that Client A, Client B, and Host A in VLAN 2 can access the Internet but cannot access one another directly.

Figure 22 Network diagram

Configuration procedure

1. Configure the AC:

# Configure the AP so that an AC-AP tunnel connection can be established between the AC and the AP. For how to establish an AC-AP tunnel connection, see "WLAN service configuration example." The detailed steps are omitted.

# Add the MAC address of the gateway to the permitted MAC address list of VLAN 2 first, so that Client A, Client B, and Host A in VLAN 2 keep their path to the gateway and the Internet once isolation is enabled.
<AC> system-view
[AC] user-isolation vlan 2 permit-mac 000f-e

# Enable user isolation for VLAN 2 so that users in VLAN 2 cannot access each other directly.
[AC] user-isolation vlan 2 enable

2. Verify the configuration:

Client A, Client B, and Host A in VLAN 2 can access the Internet, but they cannot access one another.

Uplink detection configuration example

Network requirements

As shown in Figure 23, when the uplink of the AC fails, clients associated with the AP connected to the AC cannot access external networks. Enable uplink detection so that when the uplink of the AC fails, clients are prevented from associating with the AP connected to the AC.

Figure 23 Network diagram

Configuration procedure

# Create an NQA test group with test type ICMP echo, and configure the test parameters.
<AC> system-view
[AC] nqa entry admin test
[AC-nqa-admin-test] type icmp-echo
[AC-nqa-admin-test-icmp-echo] destination ip

# Configure the optional parameter frequency (the interval between probes, in milliseconds).
[AC-nqa-admin-test-icmp-echo] frequency 1000

# Configure reaction entry 1, specifying that five consecutive probe failures trigger collaboration between the reaction entry and the track module.
[AC-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
[AC-nqa-admin-test-icmp-echo] quit

# Start the ICMP echo test.
[AC] nqa schedule admin test start-time now lifetime forever

# Configure track entry 1 and associate it with reaction entry 1 of the NQA test group (administrator admin, operation tag test).
[AC] track 1 nqa entry admin test reaction 1

# Specify track entry 1 for uplink detection.
[AC] wlan uplink track 1
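The following Python model is an added example, not H3C code, of the NQA to track to uplink-detection chain described in "Configuring uplink detection" and configured in the example just above (reaction 1 with threshold-type consecutive 5, track 1 bound to that reaction, and wlan uplink track 1). The reaction semantics modelled here, a consecutive-failure counter that any successful probe resets and a track entry that reads Invalid while the NQA entry is not scheduled, are assumptions about Comware behaviour and are not stated in the guide.

```python
# Added example (not H3C code): a model of the NQA -> track -> uplink-detection chain.
# Assumed semantics (not from the guide): the consecutive failure counter is reset by
# any successful probe, and the track entry is Invalid while the NQA entry is not scheduled.
from enum import Enum
from typing import List


class TrackState(Enum):
    POSITIVE = "Positive"
    NEGATIVE = "Negative"
    INVALID = "Invalid"


class NqaReaction:
    """reaction N checked-element probe-fail threshold-type consecutive <n> action-type trigger-only"""

    def __init__(self, consecutive_threshold: int) -> None:
        self.threshold = consecutive_threshold
        self.consecutive_failures = 0
        self.over_threshold = False
        self.scheduled = False            # set by 'nqa schedule ... start-time now'

    def schedule(self) -> None:
        self.scheduled = True

    def record_probe(self, reply_received: bool) -> None:
        """One ICMP echo probe result, every 'frequency' milliseconds."""
        if reply_received:
            self.consecutive_failures = 0
            self.over_threshold = False
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.threshold:
                self.over_threshold = True


class TrackEntry:
    """track <n> nqa entry <admin> <tag> reaction <N>"""

    def __init__(self, reaction: NqaReaction) -> None:
        self.reaction = reaction

    @property
    def state(self) -> TrackState:
        if not self.reaction.scheduled:
            return TrackState.INVALID
        return TrackState.NEGATIVE if self.reaction.over_threshold else TrackState.POSITIVE


class UplinkDetection:
    """wlan uplink track <n>: Positive -> radio enabled, Negative -> radio disabled,
    Invalid -> radio state left unchanged (the three rules in the guide)."""

    def __init__(self, track: TrackEntry, radio_enabled: bool = True) -> None:
        self.track = track
        self.radio_enabled = radio_enabled

    def apply(self) -> bool:
        state = self.track.state
        if state is TrackState.POSITIVE:
            self.radio_enabled = True
        elif state is TrackState.NEGATIVE:
            self.radio_enabled = False
        return self.radio_enabled


def simulate(probe_results: List[bool], threshold: int = 5, scheduled: bool = True) -> List[bool]:
    """Feed a sequence of ICMP echo outcomes (True = reply received) and return the
    AP radio state (True = enabled) after each probe."""
    reaction = NqaReaction(threshold)
    if scheduled:
        reaction.schedule()
    uplink = UplinkDetection(TrackEntry(reaction))
    history = []
    for ok in probe_results:
        reaction.record_probe(ok)
        history.append(uplink.apply())
    return history


if __name__ == "__main__":
    # Constructed outcome sequence: uplink fails for seven probes, then recovers.
    print(simulate([True, True] + [False] * 7 + [True, True]))
```

With frequency 1000 and a consecutive threshold of 5, the radio is disabled roughly five seconds after the uplink stops answering and re-enabled on the first successful probe afterwards; a single stray reply during an outage resets the counter, so intermittent links flap unless the threshold is raised.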

AP group configuration examples

AP group configuration without roaming

Network requirements

As shown in Figure 24, configure an AP group and apply it in a user profile on the AC, so that a client can access the WLAN only through AP 1.

Figure 24 Network diagram (AC, RADIUS server, Layer 2 switch, AP 1, AP 2, and clients)

Configuration procedure

1. Configure the AC:

# Enable port security.
<AC> system-view
[AC] port-security enable

# Set the 802.1X authentication method to EAP.
[AC] dot1x authentication-method eap

# Create a RADIUS scheme.
[AC] radius scheme wlan-user-policy

# Specify the RADIUS servers and the shared keys for authentication and accounting. (The key wlan is the original example's value; in a real deployment use a long random shared secret.)
[AC-radius-wlan-user-policy] server-type extended
[AC-radius-wlan-user-policy] primary authentication
[AC-radius-wlan-user-policy] primary accounting
[AC-radius-wlan-user-policy] key authentication wlan
[AC-radius-wlan-user-policy] key accounting wlan

# Specify the IP address of the AC as the NAS IP address.
[AC-radius-wlan-user-policy] nas-ip
[AC-radius-wlan-user-policy] quit

# Configure an ISP domain named universal that references the RADIUS scheme.

[AC] domain universal
[AC-isp-universal] authentication default radius-scheme wlan-user-policy
[AC-isp-universal] authorization default radius-scheme wlan-user-policy
[AC-isp-universal] accounting default radius-scheme wlan-user-policy
[AC-isp-universal] quit

# Configure domain universal as the default domain.
[AC] domain default enable universal

# Configure port security on interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Configure a crypto-type service template (RSN/WPA2 with the CCMP cipher suite).
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid test
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit

# Configure AP 1.
[AC] wlan ap ap1 model wa2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return

# Add AP 1 to AP group 11, apply the AP group in user profile management, and enable the user profile.
<AC> system-view
[AC] wlan ap-group 11
[AC-ap-group11] ap ap1
[AC-ap-group11] quit
[AC] user-profile management
[AC-user-profile-management] wlan permit-ap-group 11
[AC-user-profile-management] quit
[AC] user-profile management enable

2. Configure the RADIUS server:

# Deploy the user profile on the RADIUS server. Log in to IMC and click the Service tab. Select User Access Manager > Service Configuration from the navigation tree, and then click Add to enter the configuration page. Deploy user profile management on that page, so that the RADIUS server returns the profile name for authenticated users.

Figure 25 Deploy the user profile

3. Verify the configuration:

The AP group in the user profile contains only AP 1, so the client can access the WLAN only through AP 1.

AP group configuration for inter-AC roaming

Network requirements

As shown in Figure 26, AC 1 and AC 2 belong to the same mobility group. Configure an AP group on the ACs so that a client can still access the WLAN when it moves between APs.

Figure 26 Network diagram

Configuration procedure

NOTE: The configuration on the RADIUS server is similar to that in "AP group configuration without roaming" and is omitted.

1. Configure AC 1:

# Enable port security.
<AC1> system-view

[AC1] port-security enable

# Set the 802.1X authentication method to EAP.
[AC1] dot1x authentication-method eap

# Configure port security on interface WLAN-ESS 1.
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit

# Define a crypto-type WLAN service template, set its SSID to abc, and bind the WLAN-ESS interface to it.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid abc
[AC1-wlan-st-1] bind wlan-ess 1
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit

# Create an AP template named ap1 with model WA2100 and serial ID A045B05B
[AC1] wlan ap ap1 model WA2100
[AC1-wlan-ap-ap1] serial-id A045B05B
[AC1-wlan-ap-ap1] radio 1 type dot11g

# Bind service template 1 to radio 1 and enable the radio.
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit

# Configure mobility group abc and enable it.
[AC1] wlan mobility-group abc
[AC1-wlan-mg-abc] source ip
[AC1-wlan-mg-abc] member ip
[AC1-wlan-mg-abc] mobility-group enable
[AC1-wlan-mg-abc] return

# Configure AP group 1, add AP 1 and AP 2 to it, apply it in user profile management, and enable the user profile. AP 2 is managed by AC 2, but an AP group can reference an AP that is not configured on this AC, and every AC in the mobility group must use the same profile name for roaming to work.
<AC1> system-view
[AC1] wlan ap-group 1
[AC1-ap-group1] ap ap1 ap2
[AC1-ap-group1] quit
[AC1] user-profile management
[AC1-user-profile-management] wlan permit-ap-group 1
[AC1-user-profile-management] quit
[AC1] user-profile management enable

2. Configure AC 2:

# Enable port security.
<AC2> system-view
[AC2] port-security enable

# Set the 802.1X authentication method to EAP.
[AC2] dot1x authentication-method eap

# Configure port security on interface WLAN-ESS 1.
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit

# Define a crypto-type WLAN service template, set its SSID to abc, and bind the WLAN-ESS interface to it.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid abc
[AC2-wlan-st-1] bind wlan-ess 1
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit

# Create an AP template named ap2 with model WA2100 and serial ID A22W
[AC2] wlan ap ap2 model WA2100
[AC2-wlan-ap-ap2] serial-id A22W
[AC2-wlan-ap-ap2] radio 1 type dot11g
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
[AC2-wlan-ap-ap2-radio-1] quit
[AC2-wlan-ap-ap2] quit

# Configure mobility group abc and enable it.
[AC2] wlan mobility-group abc
[AC2-wlan-mg-abc] source ip
[AC2-wlan-mg-abc] member ip
[AC2-wlan-mg-abc] mobility-group enable
[AC2-wlan-mg-abc] quit

# Configure AP group 1, add AP 1 and AP 2 to it, apply it in user profile management, and enable the user profile.
[AC2] wlan ap-group 1
[AC2-ap-group1] ap ap1 ap2
[AC2-ap-group1] quit
[AC2] user-profile management
[AC2-user-profile-management] wlan permit-ap-group 1
[AC2-user-profile-management] quit
[AC2] user-profile management enable

3. Verify the configuration:
AP 1 and AP 2 are permitted in the AP group, so a client can roam between them.

Configuring WLAN security

The wireless security capabilities incorporated in 802.11, though adequate to prevent general public accessibility, do not offer sufficient protection from sophisticated network break-ins. To protect against any potential unauthorized access, advanced security mechanisms beyond the capabilities of 802.11 are necessary.

Authentication modes

To secure wireless links, the wireless clients must be authenticated before accessing the AP, and only wireless clients passing the authentication can be associated with the AP. 802.11 links define two authentication mechanisms: open system authentication and shared key authentication.

Open system authentication

Open system authentication is the default authentication algorithm. It is the simplest of the available authentication algorithms; essentially it is a null authentication algorithm. Any client that requests authentication with this algorithm can become authenticated. Open system authentication is not guaranteed to succeed, because an AP may decline to authenticate the client.

Open system authentication involves a two-step process. In the first step, the wireless client sends an authentication request. In the second step, the AP determines whether the wireless client passes the authentication and returns the result to the client.

Figure 27 Open system authentication process

Shared key authentication

Figure 28 shows a shared key authentication process. The client and the AP have the same shared key configured.
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends the result to the AP.
d. The AP uses the shared key to encrypt the same challenge and compares the result with what it received from the client. If they are identical, the client passes the authentication. If not, the authentication fails.
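The four-step exchange above, run end to end as an added Python simulation (this is not code from the H3C guide). RC4 and the WEP body format (RC4 keyed with IV || key over data || CRC-32 ICV) are implemented from their public definitions; the AccessPoint class, the client helper, the 128-byte challenge length and the key bytes are assumptions constructed for this example.

```python
"""Added example: simulate 802.11 shared key authentication (steps a to d).
Not from the H3C guide. RC4 and WEP framing follow their public definitions;
the AP/client roles, challenge size and key values are constructed here."""
import hmac
import os
import zlib


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling pass, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, data):
    """WEP body: RC4 keyed with IV || key over data || CRC-32 ICV (little-endian)."""
    icv = zlib.crc32(data).to_bytes(4, "little")
    plain = data + icv
    stream = rc4_keystream(iv + key, len(plain))
    return bytes(a ^ b for a, b in zip(plain, stream))


class AccessPoint:
    """AP side of shared key authentication (constructed for this example)."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.pending = {}  # client id -> challenge issued in step b

    def auth_request(self, client_id):
        """Step b: answer the request with a random 128-byte challenge."""
        challenge = os.urandom(128)
        self.pending[client_id] = challenge
        return challenge

    def auth_response(self, client_id, iv, ciphertext):
        """Step d: encrypt the same challenge with our own key and compare."""
        challenge = self.pending.pop(client_id, None)
        if challenge is None:
            return False  # no outstanding challenge for this client: reject
        expected = wep_encrypt(self.key, iv, challenge)
        return hmac.compare_digest(expected, ciphertext)


def client_respond(client_key, challenge):
    """Step c: choose a 24-bit IV and return (iv, encrypted challenge)."""
    iv = os.urandom(3)
    return iv, wep_encrypt(client_key, iv, challenge)


def shared_key_auth(ap, client_id, client_key):
    """Run steps a to d; True only when the client's key matches the AP's key."""
    challenge = ap.auth_request(client_id)                  # a + b
    iv, ciphertext = client_respond(client_key, challenge)  # c
    return ap.auth_response(client_id, iv, ciphertext)      # d


if __name__ == "__main__":
    wep40_key = bytes.fromhex("0102030405")  # constructed 40-bit key
    ap = AccessPoint(wep40_key)
    print("matching key  ->", shared_key_auth(ap, "sta1", wep40_key))
    print("different key ->", shared_key_auth(ap, "sta2", bytes.fromhex("0504030201")))
```

The AP never decrypts anything: as in step d, it encrypts its own copy of the challenge and compares ciphertexts, so a client holding a different key fails at the comparison. Because this exchange only exists for WEP keys, the guide requires open system authentication when RSN or WPA is configured.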

Figure 28 Shared key authentication process

WLAN data security

WLAN networks tend to be more susceptible to attacks than wired networks because WLAN devices share the same transmission medium. As a result, a device can potentially intercept data not intended for it. If no security is provided, plain-text data is at risk of being read by unintended recipients. To secure data transmission, 802.11 protocols provide encryption methods to make sure that devices without the correct key cannot read encrypted data.

1. Plain-text data
Data packets are not encrypted. This is in fact a WLAN service without any security protection.

2. WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.
Static WEP encryption: With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers will get all encrypted data. In addition, periodic manual key updates bring a great management workload.
Dynamic WEP encryption: Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.

3. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP, and provides more secure protection for WLAN as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.

Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing service for a certain period to prevent attacks.

4. CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to make sure each encrypted packet uses a different PN, improving security to a certain extent.

Client access authentication

1. PSK authentication
To implement pre-shared key (PSK) authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass PSK authentication.

2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.

3. MAC authentication
MAC address authentication does not require any client software. The MAC address of a client is compared against a predefined list of allowed MAC addresses. If a match is found, the client passes the authentication and can access the WLAN; if not, the authentication fails and access is denied. The entire process does not require the user to enter a username or password. This type of authentication is suited to small networks (such as homes and small offices) with fixed clients.
MAC address authentication can be done locally or through a RADIUS server.
Local MAC address authentication: A list of usernames and passwords (the MAC addresses of allowed clients) is created on the wireless access device to authenticate the clients. Only clients whose MAC addresses are included in the list can pass the authentication and access the WLAN.
MAC address authentication through a RADIUS server: The wireless access device serves as the RADIUS client and sends the MAC address of each requesting client to the RADIUS server. If the client passes the authentication on the RADIUS server, the client can access the WLAN within the authorization assigned by the RADIUS server. In this authentication mode, if different domains are defined, authentication information for different SSIDs is sent to different RADIUS servers based on their domains.

NOTE:
For more information about access authentication, see Security Configuration Guide.

Protocols and standards

IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements
Wi-Fi Protected Access - Enhanced Security Implementation Based On IEEE P802.11i Standard, Aug 2004
Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements, 1999
IEEE Standard for Local and metropolitan area networks "Port-Based Network Access Control", 802.1X
IEEE 802.11i, IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements

Configuring WLAN security

Configuration task list

To configure WLAN security in a service template, map the service template to a radio policy, and add radios to the radio policy. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure an SSID to support any combination of WPA, RSN, and Pre-RSN clients.

Complete these tasks to configure WLAN security:
Task                                  Remarks
Enabling an authentication method     Required
Configuring the PTK lifetime          Optional
Configuring the GTK rekey method      Optional
Configuring security IE               Required
Configuring cipher suite              Required
Configuring port security             Optional

Enabling an authentication method

You can enable open system authentication, shared key authentication, or both.
To enable an authentication method:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A

3. Enable the authentication method.
   Command: authentication-method { open-system | shared-key }
   Remarks: Open system authentication is used by default. Shared key authentication is usable only when WEP encryption is adopted; in this case, you must configure the authentication-method shared-key command. For RSN and WPA, open system authentication is required.

Configuring the PTK lifetime

A pairwise transient key (PTK) is generated through a four-way handshake, during which the pairwise master key (PMK), an AP random value (ANonce), a client random value (SNonce), the AP's MAC address, and the client's MAC address are used.
To configure the PTK lifetime:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Configure the PTK lifetime.
   Command: ptk-lifetime time
   Remarks: By default, the PTK lifetime is seconds.

Configuring the GTK rekey method

An AC generates a group temporal key (GTK) and sends it to a client during the authentication process between an AP and the client, through the group key handshake or the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets. Robust Security Network (RSN) negotiates the GTK through the 4-way handshake or the group key handshake, and Wi-Fi Protected Access (WPA) negotiates the GTK only through the group key handshake.
Two GTK rekey methods can be configured:
Time-based GTK rekey: After the specified interval elapses, GTK rekey occurs.
Packet-based GTK rekey: After the specified number of packets is sent, GTK rekey occurs.
You can also configure the device to start GTK rekey when a client goes offline.

Configuring GTK rekey based on time
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable GTK rekey.
   Command: gtk-rekey enable
   Remarks: By default, GTK rekey is enabled.
4. Configure the GTK rekey interval.
   Command: gtk-rekey method time-based [ time ]
   Remarks: By default, the interval is seconds.
5. Configure the device to start GTK rekey when a client goes offline.
   Command: gtk-rekey client-offline enable
   Remarks: Not configured by default. The command takes effect only when GTK rekey has been enabled with the gtk-rekey enable command.

Configuring GTK rekey based on packet
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable GTK rekey.
   Command: gtk-rekey enable
   Remarks: By default, GTK rekey is enabled.
4. Configure GTK rekey based on packet.
   Command: gtk-rekey method packet-based [ packet ]
   Remarks: The default packet number is
5. Configure the device to start GTK rekey when a client goes offline.
   Command: gtk-rekey client-offline enable
   Remarks: Not configured by default. This command takes effect only when GTK rekey has been enabled with the gtk-rekey enable command.

NOTE:
By default, time-based GTK rekey is adopted, and the rekey interval is seconds.
Configuring a new GTK rekey method overwrites the previous one. For example, if time-based GTK rekey is configured after packet-based GTK rekey, time-based GTK rekey takes effect.

Configuring security IE

Configuring WPA security IE

WPA ensures greater protection than WEP. WPA operates in either WPA-PSK (or Personal) mode or WPA-802.1X (or Enterprise) mode. In Personal mode, a pre-shared key or pass-phrase is used for authentication. In Enterprise mode, 802.1X, RADIUS servers, and the Extensible Authentication Protocol (EAP) are used for authentication.
To configure the WPA security IE:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the WPA-IE in the beacon and probe responses.
   Command: security-ie wpa
   Remarks: By default, WPA-IE is disabled.

Configuring RSN security IE

An RSN is a security network that allows only the creation of robust security network associations (RSNAs). An RSN is identified by the RSN Information Element (IE) carried in beacon frames. It provides greater protection than WEP and WPA.
To configure the RSN security IE:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the RSN security IE in the beacon and probe responses.
   Command: security-ie rsn
   Remarks: By default, RSN-IE is disabled.

Configuring cipher suite

A cipher suite is used for data encapsulation and de-encapsulation. It uses one of the following encryption methods:
WEP40/WEP104/WEP128
TKIP
CCMP

Configuring WEP cipher suite

1. Configure static WEP encryption
The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104, and WEP128 keys. WEP can be used with either open system authentication mode or shared key authentication mode:
In open system authentication mode, a WEP key is used for encryption only. A client can access the WLAN without having the same key as the authenticator. However, if the receiver has a different key from the sender, it discards the packets received from the sender.
In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot pass the authentication and cannot access the WLAN.
To configure static WEP encryption:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the WEP cipher suite.
   Command: cipher-suite { wep40 | wep104 | wep128 } *
   Remarks: By default, no cipher suite is selected.
4. Configure the WEP default key.
   Command: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: By default, the WEP default key index number is 1.
5. Specify a key index number.
   Command: wep key-id { 1 | 2 | 3 | 4 }
   Remarks: The default is 1.

2. Configure dynamic WEP encryption
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable dynamic WEP encryption.
   Command: wep mode dynamic
   Remarks: By default, static WEP encryption is adopted. Dynamic WEP encryption must be used together with 802.1X authentication.
4. Enable the WEP cipher suite.
   Command: cipher-suite { wep40 | wep104 | wep128 }
   Remarks: With dynamic WEP encryption configured, the device automatically uses the WEP104 cipher suite. To change the encryption method, use the cipher-suite command.
5. Configure the WEP default key.
   Command: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: No WEP default key is configured by default. If a WEP default key is configured, it is used to encrypt multicast frames. If not, the device randomly generates a multicast WEP key.
6. Specify a key index number.
   Command: wep key-id { 1 | 2 | 3 | 4 }
   Remarks: By default, the key index number is 1. For dynamic WEP encryption, the WEP key ID cannot be configured as 4.

Configuring TKIP cipher suite
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the TKIP cipher suite.
   Command: cipher-suite tkip
   Remarks: By default, no cipher suite is selected.
4. Configure the TKIP countermeasure interval.
   Command: tkip-cm-time time
   Remarks: The default countermeasure interval is 0 seconds, which means no countermeasures are taken.

NOTE:
Message integrity check (MIC) is used to prevent attackers from modifying data. It ensures data integrity by using the Michael algorithm. When a MIC failure occurs, the device considers that the data has been modified and that the system is under attack. Upon detecting the attack, TKIP is suspended for the countermeasure interval, and no TKIP associations can be established within the interval.

Configuring CCMP cipher suite

CCMP adopts the AES encryption algorithm.
To configure the CCMP cipher suite:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN service template view.
   Command: wlan service-template service-template-number crypto
   Remarks: N/A
3. Enable the CCMP cipher suite.
   Command: cipher-suite ccmp
   Remarks: By default, no cipher suite is selected.

Configuring port security

The authentication type configuration includes the following options:
PSK
802.1X
MAC
PSK and MAC

NOTE:
This document describes only several common port security modes. For more information about other port security modes, see Security Configuration Guide.

Before configuring port security, you must:
1. Create the wireless port.

2. Enable port security.

Configuring PSK authentication
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
   Remarks: N/A
3. Enable key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: Not enabled by default.
4. Configure the pre-shared key.
   Command: port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
   Remarks: Not configured by default.
5. Enable the PSK port security mode.
   Command: port-security port-mode psk
   Remarks: N/A

Configuring 802.1X authentication
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable the 802.1X port security mode.
   Command: port-security port-mode { userlogin-secure | userlogin-secure-ext }

Configuring MAC authentication
1. Enter system view.
   Command: system-view
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
3. Enable the MAC port security mode.
   Command: port-security port-mode mac-authentication

NOTE:
802.11i does not support MAC authentication.

Configuring PSK and MAC authentication
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN-ESS interface view.
   Command: interface wlan-ess interface-number
   Remarks: N/A
3. Enable key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: Not enabled by default.
4. Enable the PSK and MAC port security mode.
   Command: port-security port-mode mac-and-psk
   Remarks: N/A
5. Configure the pre-shared key.
   Command: port-security preshared-key { pass-phrase | raw-key } key
   Remarks: The key is a string of 8 to 63 characters, or a 64-digit hex number.

NOTE:
For more information about port security configuration commands, see Security Command Reference.

Displaying and maintaining WLAN security

Display WLAN service template information.
   Command: display wlan service-template [ service-template-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Display client information.
   Command: display wlan client { ap ap-name [ radio radio-number ] | mac-address mac-address | service-template service-template-number } [ verbose ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Display MAC authentication information.
   Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Display the MAC address information of port security.
   Command: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Display the PSK user information of port security.
   Command: display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Display the configuration information, running state, and statistics of port security.
   Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Display 802.1X session information or statistics.
   Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view

NOTE:
For more information about related display commands, see Security Command Reference.
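The key material behind two of the tasks above, "Configuring the PTK lifetime" (PMK, ANonce, SNonce and the two MAC addresses feed the four-way handshake) and "Configuring PSK authentication" (a pre-shared key of 8 to 63 characters, or a 64-digit hex number), as an added Python example that is not part of the H3C guide. The PBKDF2 step, the PRF and the EAPOL-Key MIC follow the IEEE 802.11i definitions using only the standard library; the MAC addresses, nonces, the frame-building helper and the demo function are assumptions constructed for the example.

```python
"""Added example: derive the PMK and PTK used by the 4-way handshake, and check
the Key MIC of an EAPOL-Key message with the resulting KCK, as the AC does.
Not from the H3C guide. PBKDF2/PRF/MIC are the IEEE 802.11i definitions; the
addresses, nonces and the minimal frame builder are constructed for the demo."""
import hashlib
import hmac


def pmk_from_preshared_key(key, ssid):
    """8-63 character pass-phrase -> PBKDF2-HMAC-SHA1 (4096 rounds, 32 bytes).
    A 64-digit hex string is taken as the 256-bit PMK itself (raw key form)."""
    if len(key) == 64 and all(c in "0123456789abcdefABCDEF" for c in key):
        return bytes.fromhex(key)
    if not 8 <= len(key) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", key.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=48):
    """PTK from AP MAC (AA), client MAC (SPA), ANonce and SNonce. The min/max
    ordering lets both sides compute the same value regardless of which role
    they play. 48 bytes for CCMP; 64 for TKIP (the extra bytes are Michael keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk):
    """KCK authenticates handshake frames, KEK wraps the GTK, TK encrypts data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields preceding Key MIC (77)


def build_eapol_key(key_info, replay_counter, nonce, key_data=b"", mic=bytes(16)):
    """Minimal RSN EAPOL-Key frame (descriptor type 2, CCMP key length 16).
    Constructed for this example; IV, RSC and ID fields are left zero."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def key_mic(kck, frame):
    """Key MIC for descriptor version 2 (HMAC-SHA1-128) over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_key_mic(kck, frame):
    """What the AC does with message 2: recompute the MIC and compare in constant time."""
    return hmac.compare_digest(key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def handshake_demo(preshared_key, ssid, aa, spa, anonce, snonce):
    """Both sides derive the PTK; the client signs message 2, the AC verifies it.
    Returns (verification result, the signed message 2)."""
    pmk = pmk_from_preshared_key(preshared_key, ssid)
    client = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    ac = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    msg2 = build_eapol_key(0x010A, 1, snonce)  # Pairwise | MIC | version 2
    msg2 = msg2[:MIC_OFFSET] + key_mic(client["KCK"], msg2) + msg2[MIC_OFFSET + 16:]
    return verify_key_mic(ac["KCK"], msg2), msg2


if __name__ == "__main__":
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    ok, _ = handshake_demo("password", "IEEE", aa, spa, bytes(range(32)), bytes(range(32, 64)))
    print("message 2 MIC verified:", ok)
```

The PMK is fixed by the pass-phrase and SSID, so every client sharing the PSK derives the same PMK; the per-session PTK differs because the nonces do. The ptk-lifetime command bounds how long one such PTK stays in use before a new handshake replaces it.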

WLAN security configuration examples

PSK authentication configuration example

Network requirements
As shown in Figure 29, an AC is connected to an AP through a Layer 2 switch, and they are in the same network. Perform PSK authentication with key on the client.

Figure 29 Network diagram

Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security, configure the authentication mode as PSK, and the pre-shared key as
[AC] interface wlan-ess 10
[AC-WLAN-ESS10] port-security port-mode psk
[AC-WLAN-ESS10] port-security preshared-key pass-phrase
[AC-WLAN-ESS10] port-security tx-key-type 11key
[AC-WLAN-ESS10] quit
# Create service template 10 of crypto type, configure its SSID as psktest, and bind WLAN-ESS 10 to service template 10.
[AC] wlan service-template 10 crypto
[AC-wlan-st-10] ssid psktest
[AC-wlan-st-10] bind WLAN-ESS 10
[AC-wlan-st-10] security-ie rsn
[AC-wlan-st-10] cipher-suite ccmp
[AC-wlan-st-10] authentication-method open-system
[AC-wlan-st-10] service-template enable
[AC-wlan-st-10] quit
# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 10 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] service-template 10
[AC-wlan-ap-ap1-radio-1] radio enable
2. Verify the configuration:

Configure the same PSK key on the client. After that, the client can associate with the AP and access the WLAN. You can use the display wlan client verbose command and the display port-security preshared-key user command to view the online clients.

MAC and PSK authentication configuration example

Network requirements
As shown in Figure 30, an AC with IP address , an AP, and a RADIUS server with IP address are connected through a Layer 2 switch. Perform MAC and PSK authentication on the client.

Figure 30 Network diagram (RADIUS server, AC, L2 switch, AP, Client)

Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure WLAN port security, using MAC and PSK authentication.
[AC] interface wlan-ess 2
[AC-WLAN-ESS2] port-security port-mode mac-and-psk
[AC-WLAN-ESS2] port-security tx-key-type 11key
[AC-WLAN-ESS2] port-security preshared-key pass-phrase
[AC-WLAN-ESS2] quit
# Create service template 2 of crypto type, configure its SSID as mactest, and bind WLAN-ESS 2 to service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid mactest
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite tkip
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit

# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 2 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Create RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Configure the MAC authentication domain by referencing AAA domain cams.
[AC] mac-authentication domain cams
# Configure the MAC authentication username format, using MAC addresses without hyphens as the username and password (consistent with the format on the server).
[AC] mac-authentication user-name-format mac-address without-hyphen
2. Configure the RADIUS server (IMCv3):
NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.
# Add an access device.
a. Log in to the IMC Platform.
b. Click the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page.
c. Click Add on the page to enter the configuration page shown in Figure 31.
d. Add for Shared Key.
e. Add ports 1812 and 1813 for Authentication Port and Accounting Port respectively.

f. Select LAN Access Service for Service Type.
g. Select H3C for Access Device Type.
h. Select or manually add an access device with the IP address

Figure 31 Adding access device

# Add a service.
a. Click the Service tab, and then select Access Service > Access Device from the navigation tree to enter the add service page.
b. Click Add on the page to enter the following configuration page.
c. Set the service name to mac, and keep the default values for the other parameters.

Figure 32 Adding service

# Add an account.
a. Click the User tab, and then select User > All Access Users from the navigation tree to enter the user page.
b. Click Add on the page to enter the page shown in Figure 33.
c. Enter the username 00146c8a43ff.
d. Add an account and password 00146c8a43ff.
e. Select the service mac.

Figure 33 Adding account

3. Configure the RADIUS server (IMCv5):
NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.
# Add an access device.
a. Log in to the IMC Platform.
b. Click the Service tab, and then select User Access Manager > Access Device Management > Access Device from the navigation tree to enter the access device configuration page.
c. Click Add on the page to enter the configuration page shown in Figure 34.
d. Input as the Shared Key. Keep the default values for the other parameters.
e. Select or manually add the access device with the IP address

Figure 34 Adding access device

# Add a service.
a. Click the Service tab, and then select User Access Manager > Service Configuration from the navigation tree to enter the add service page.

b. Click Add on the page to enter the following configuration page.
c. Set the service name to mac, and keep the default values for the other parameters.

Figure 35 Adding service

# Add an account.
a. Click the User tab, and then select User > All Access Users from the navigation tree to enter the user page.
b. Click Add on the page to enter the page shown in Figure 36.
c. Enter the username 00146c8a43ff.
d. Set both the account name and the password to 00146c8a43ff.
e. Select the service mac.

Figure 36 Adding account

4. Verify the configuration:
After the client passes MAC authentication, the client can associate with the AP and access the WLAN. You can use the display wlan client verbose, display connection, and display mac-authentication commands to view the online clients.
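How the MAC address becomes the username and password in this example, and why the format must match the account on the server, shown as an added Python example that is not part of the H3C guide (it also covers the local and RADIUS modes described under "MAC authentication" earlier). The username formatting mirrors the mac-authentication user-name-format mac-address options from the page; the RADIUS User-Password hiding is implemented from RFC 2865 section 5.2. The allow list, the account table, the shared secret, the sample MAC formats and the dictionary-based request are assumptions constructed for the example, not a real RADIUS packet encoder.

```python
"""Added example: MAC-authentication username formatting, local allow-list
check, and the RADIUS round trip (User-Name / hidden User-Password).
Not from the H3C guide; RFC 2865 hiding is implemented from the RFC, all
secrets, accounts and addresses below are constructed for this example."""
import hashlib
import hmac
import os
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept 00:14:6c:8a:43:ff, 00-14-6c-8a-43-ff, 0014-6c8a-43ff or 00146c8a43ff;
    return 12 lowercase hex digits, or raise ValueError for anything else."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def format_mac_username(mac, with_hyphen=False, uppercase=False):
    """Mirror mac-authentication user-name-format mac-address { with-hyphen | without-hyphen }:
    without-hyphen gives 00146c8a43ff, with-hyphen gives 00-14-6c-8a-43-ff."""
    digits = normalize_mac(mac)
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return name.upper() if uppercase else name


def local_mac_auth(mac, allowed_macs):
    """Local mode: the client MAC must be in the list configured on the access device."""
    return normalize_mac(mac) in {normalize_mac(m) for m in allowed_macs}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte chunks with an MD5 chain keyed by the shared
    secret and the Request Authenticator (this is obfuscation, not encryption)."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(mac, secret, with_hyphen=False):
    """AC side (simplified): User-Name and User-Password both carry the formatted MAC."""
    name = format_mac_username(mac, with_hyphen).encode()
    authenticator = os.urandom(16)
    return {"User-Name": name,
            "User-Password": hide_password(name, secret, authenticator),
            "Authenticator": authenticator}


def radius_mac_auth(request, secret, accounts):
    """Server side: look the username up, reveal the password, compare in constant time."""
    revealed = reveal_password(request["User-Password"], secret, request["Authenticator"])
    expected = accounts.get(request["User-Name"].decode())
    return expected is not None and hmac.compare_digest(expected.encode(), revealed)


if __name__ == "__main__":
    secret = b"example-shared-secret"                 # constructed
    accounts = {"00146c8a43ff": "00146c8a43ff"}     # the account added in the IMC steps
    print("without-hyphen:", radius_mac_auth(build_access_request("00:14:6c:8a:43:ff", secret), secret, accounts))
    print("with-hyphen:   ", radius_mac_auth(build_access_request("00:14:6c:8a:43:ff", secret, True), secret, accounts))
```

The second call fails because the AC sends 00-14-6c-8a-43-ff while the server holds 00146c8a43ff, which is the mismatch the page's "consistent with the format on the server" remark warns about. A wrong RADIUS shared key fails the same way, since the revealed password no longer matches.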

802.1X authentication configuration example

Network requirements
As shown in Figure 37, an AC with IP address , an AP, and a RADIUS server with IP address are connected through a Layer 2 switch. Perform 802.1X authentication on the client.

Figure 37 Network diagram (RADIUS server, AC, L2 switch, AP, Client)

Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap
# Create RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS scheme rad.
[AC] domain cams
[AC-isp-cams] authentication lan-access radius-scheme rad
[AC-isp-cams] authorization lan-access radius-scheme rad
[AC-isp-cams] accounting lan-access radius-scheme rad
[AC-isp-cams] quit
# Specify the mandatory domain as cams.
[AC] interface WLAN-ESS 1

[AC-WLAN-ESS1] dot1x mandatory-domain cams
# Configure the port security mode as userlogin-secure-ext, and enable key negotiation.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure the TKIP and CCMP cipher suites.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite tkip
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2. Configure the RADIUS server (IMCv3):
NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.
# Add an access device.
a. Log in to the IMC Platform.
b. Click the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page.
c. Click Add on the page to enter the configuration page shown in Figure 38.
d. Add for Shared Key.
e. Add ports 1812 and 1813 for Authentication Port and Accounting Port respectively.
f. Select LAN Access Service for Service Type.
g. Select H3C for Access Device Type.
h. Select or manually add an access device with the IP address

Figure 38 Adding access device

# Add a service.
a. Click the Service tab, and then select Access Service > Service Configuration from the navigation tree to enter the add service page.
b. Click Add on the page to enter the configuration page shown in Figure 39.
c. Set the service name to dot1x.
d. Select EAP-PEAP AuthN from the Certificate Type drop-down list, and MS-CHAPV2 AuthN from the Certificate Sub-Type list.

Figure 39 Adding service

# Add an account.

a. Click the User tab, and then select Users > All Access Users from the navigation tree to enter the user page.
b. Click Add on the page to enter the page shown in Figure 40.
c. Enter the username user.
d. Add an account named user with the password dot1x.
e. Select the previously configured service dot1x.
Figure 40 Adding account
3. Configure the RADIUS server (IMCv5):
NOTE: The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.
# Add an access device.
a. Log in to the IMC Platform.
b. Click the Service tab, and then select User Access Manager > Access Device Management from the navigation tree to enter the access device configuration page.
c. Click Add on the page to enter the configuration page shown in Figure 41.
d. Input as the Shared Key. Keep the default values for the other parameters.
e. Select or manually add the access device with the IP address

Figure 41 Adding access device
# Add a service.
a. Click the Service tab, and then select User Access Manager > Service Configuration from the navigation tree to enter the add service page.
b. Click Add on the page to enter the following configuration page.
c. Set the service name to dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN as the Certificate Sub-Type.
Figure 42 Adding service
# Add an account.
a. Click the User tab, and then select User > All Access Users from the navigation tree to enter the user page.
b. Click Add on the page to enter the page shown in Figure 43.
c. Enter the username user.
d. Set the account name to user and the password to dot1x.

e. Select the service dot1x.
Figure 43 Adding account
4. Configure the wireless card:
a. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.
b. Click the Properties button on the General tab. The Wireless Network Connection Properties window appears.
c. On the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears.
d. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
e. In the popup window, clear Validate server certificate, and click Configure.
f. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
The configuration procedure is as shown in Figure 48 through Figure

Figure 44 Configuring the wireless card (I)

Figure 45 Configuring the wireless card (II)

Figure 46 Configuring the wireless card (III)
5. Verify the configuration:
The client can pass 802.1X authentication and associate with the AP. You can use the display wlan client verbose, display connection, and display dot1x commands to view the online clients.
Dynamic WEP encryption-802.1X authentication configuration example
Network requirements
As shown in Figure 47, an AC with IP address , an AP, and a RADIUS server with IP address are connected through a Layer 2 switch. Perform dynamic WEP encryption.

Figure 47 Network diagram (RADIUS server, AC, L2 switch, AP, client)
Configuration procedure
1. Configure the AC:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Configure the 802.1X authentication mode as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication and accounting servers as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
[AC-radius-rad] user-name-format without-domain
[AC-radius-rad] quit
# Configure AAA domain bbb by referencing RADIUS scheme rad.
[AC] domain bbb
[AC-isp-bbb] authentication lan-access radius-scheme rad
[AC-isp-bbb] authorization lan-access radius-scheme rad
[AC-isp-bbb] accounting lan-access radius-scheme rad
[AC-isp-bbb] quit
# Specify the mandatory domain as bbb.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain bbb
# Configure the port security mode as userlogin-secure-ext.
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Create service template 1 of crypto type, configure its SSID as dot1x, and enable dynamic WEP encryption.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid dot1x
[AC-wlan-st-1] wep mode dynamic
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, and specify its model as WA2100 and its serial ID as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
2. Configure the RADIUS server (IMCv3): See "Configure the RADIUS server (IMCv3)."
3. Configure the RADIUS server (IMCv5): See "Configure the RADIUS server (IMCv5)."
4. Configure the wireless card:
a. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears.
b. Click the Properties button on the General tab. The Wireless Network Connection Properties window appears.
c. On the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties. The dot1x Properties window appears.
d. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
e. In the popup window, clear Validate server certificate, and click Configure.
f. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).
The configuration procedure is as shown in Figure 48 through Figure

Figure 48 Configuring the wireless card (I)

Figure 49 Configuring the wireless card (II)

Figure 50 Configuring the wireless card (III)
Verifying the configuration
After inputting the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN. You can use the display wlan client verbose, display connection, and display dot1x commands to view online client information.
Supported combinations for ciphers
RSN
This section introduces the combinations that can be used during cipher suite configuration. For RSN, the WLAN-WSEC module supports only the CCMP and TKIP ciphers as pairwise ciphers; WEP cipher suites are used only as group cipher suites. Below are the RSN cipher suite combinations (WEP40, WEP104, and WEP128 are mutually exclusive).
Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             WEP40              PSK                     RSN
CCMP             WEP104             PSK                     RSN
CCMP             WEP128             PSK                     RSN
CCMP             TKIP               PSK                     RSN
CCMP             CCMP               PSK                     RSN
TKIP             WEP40              PSK                     RSN
TKIP             WEP104             PSK                     RSN
TKIP             WEP128             PSK                     RSN
TKIP             TKIP               PSK                     RSN
CCMP             WEP40              802.1X                  RSN
CCMP             WEP104             802.1X                  RSN
CCMP             WEP128             802.1X                  RSN
CCMP             TKIP               802.1X                  RSN
CCMP             CCMP               802.1X                  RSN
TKIP             WEP40              802.1X                  RSN
TKIP             WEP104             802.1X                  RSN
TKIP             WEP128             802.1X                  RSN
TKIP             TKIP               802.1X                  RSN
WPA
For WPA, the WLAN-WSEC module supports the CCMP and TKIP ciphers as pairwise ciphers; WEP cipher suites are used only as group cipher suites. Below are the WPA cipher suite combinations (WEP40, WEP104, and WEP128 are mutually exclusive).
Unicast cipher   Broadcast cipher   Authentication method   Security type
CCMP             WEP40              PSK                     WPA
CCMP             WEP104             PSK                     WPA
CCMP             WEP128             PSK                     WPA
CCMP             TKIP               PSK                     WPA
CCMP             CCMP               PSK                     WPA
TKIP             WEP40              PSK                     WPA
TKIP             WEP104             PSK                     WPA
TKIP             WEP128             PSK                     WPA
TKIP             TKIP               PSK                     WPA
CCMP             WEP40              802.1X                  WPA
CCMP             WEP104             802.1X                  WPA
CCMP             WEP128             802.1X                  WPA
CCMP             TKIP               802.1X                  WPA
CCMP             CCMP               802.1X                  WPA
TKIP             WEP40              802.1X                  WPA
TKIP             WEP104             802.1X                  WPA
TKIP             WEP128             802.1X                  WPA
TKIP             TKIP               802.1X                  WPA
Pre-RSN
For Pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites (WEP40, WEP104, and WEP128 are mutually exclusive).
Unicast cipher   Broadcast cipher   Authentication method   Security type
WEP40            WEP40              Open system             No Sec Type
WEP104           WEP104             Open system             No Sec Type
WEP128           WEP128             Open system             No Sec Type
WEP40            WEP40              Shared key              No Sec Type
WEP104           WEP104             Shared key              No Sec Type
WEP128           WEP128             Shared key              No Sec Type

Configuring WLAN roaming
WLAN roaming overview
Inter AC Tunneling Protocol (IACTP) is a proprietary protocol of H3C that defines how access controllers (ACs) communicate with each other. Based on the standard TCP client/server model, this protocol generically encapsulates and transports communications securely between ACs. You can use IACTP to create and maintain AC groups, termed mobility groups, which can include up to 8 ACs. IACTP provides a secure control tunnel for applications such as roaming that allow sharing and exchanging messages. IACTP can be used with either IPv4 or IPv6.
When a station first associates with an AC in a mobility group, that AC becomes the station's Home-AC (HA). The connection request goes through 802.1X authentication followed by 11Key exchange, and the station information is then synchronized across the other ACs in the mobility group. When the station roams to another AC in the mobility group (a Foreign-AC (FA)), the HA information is used to fast-forward station authentication by skipping 802.1X authentication and performing only key exchange. This method facilitates seamless roaming within a mobility group.
Terminology
HA: The AC to which a wireless station is connected by associating with an AP for the first time is the HA of the station.
FA: An AC other than the HA to which a station is currently connected is an FA of the station.
Fast-roam capable station: A wireless station that associates with an AC in the mobility group and supports fast roaming (only key caching is supported).
Roam-out station: A wireless station that has associated with an AC other than its HA in the mobility group is a roam-out station at its HA.
Roam-in station: A wireless station that has associated with an AC other than its HA in the mobility group is a roam-in station at the FA.
Intra-AC roaming: A procedure where a wireless station roams from one AP to another AP, both connected to the same AC.
Inter-AC roaming: A procedure where a wireless station roams from one AP to another AP, connected to different ACs.
Inter-AC fast roaming capability: If a station uses 802.1X (RSN) authentication through negotiation and supports key caching, the station has inter-AC fast roaming capability.
WLAN roaming topologies
WLAN roaming topologies consist of:
Intra-AC roaming topology
Inter-AC roaming topology
Intra-FA roaming topology
Inter-FA roaming topology
Roam-back topology
Intra-AC roaming
The figure below illustrates how a station can roam from one AP to another AP connected to the same AC.
Figure 51 Intra-AC roaming
1. A station is associated with AP 1, which is connected to an AC.
2. The station disassociates with AP 1 and roams to AP 2, which is connected to the same AC.
3. The station is associated with AP 2 through intra-AC roam association.
Inter-AC roaming
The figure below illustrates how a station can roam from one AP to another AP connected to a different AC.

Figure 52 Inter-AC roaming
1. A station is associated with AP 1, which is connected to AC 1.
2. The station disassociates with AP 1 and roams to AP 2, which is connected to AC 2.
3. The station is associated with AP 2 through inter-AC roam association. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 through an IACTP tunnel.
Intra-FA roaming
Figure 53 Intra-FA roaming
1. A station is associated with AP 1, which is connected to AC 1.
2. The station disassociates with AP 1 and roams to AP 2, which is connected to AC 2. Now AC 2 is the FA for the station.
3. The station is associated with AP 2 through inter-AC roam association. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 through an IACTP tunnel.
4. The station then disassociates with AP 2 and roams to AP 3, which is also connected to AC 2. The station is associated with AP 3 through intra-FA roam association.
Inter-FA roaming
Figure 54 Inter-FA roaming
1. A station is associated with AP 1, which is connected to AC 1.
2. The station disassociates with AP 1 and roams to AP 2, which is connected to AC 2. Now AC 2 is the FA for the station.
3. The station is associated with AP 2 through inter-AC roam association.
4. The station then disassociates with AP 2 and roams to AP 3, which is connected to AC 3, which now is its FA. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 and AC 3 through IACTP tunnels.

Roam-back
Figure 55 Roam-back (AC 1 and AC 2 over the IP network; AP 1 and AP 2 on AC 1, AP 3 on AC 2; inter-AC roam association and fast-roam association)
1. A station is associated with AP 1, which is connected to AC 1.
2. The station disassociates with AP 1 and roams to AP 3, which is connected to AC 2. Now AC 2 is the FA for the station.
3. The station is associated with AP 3 through inter-AC roam association. Prior to inter-AC roaming, AC 1 should synchronize the station information with AC 2 through an IACTP tunnel.
4. The station then disassociates with AP 3 and roams back to AP 2 or AP 1, which are connected to AC 1, its HA.
Configuring an IACTP mobility group
The IACTP service is part of the WLAN system and can be enabled only after a mobility group and the tunnel source IP address are configured. An IACTP mobility group includes attributes such as the mobility tunnel protocol type, source IP address, authentication mode, and member IP addresses.
To configure a mobility group and enable the IACTP service for it:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a mobility group with the specified name.
  Command: wlan mobility-group name
  Remarks: ACs in the same mobility group should have the same mobility group name.
Step 3. Specify the mobility tunnel protocol type.
  Command: mobility-tunnel { iactp | iactp6 }
  Remarks: By default, the mobility tunnel protocol type is IPv4.
Step 4. Specify the tunnel source IP address.
  Command: source { ip ipv4-address | ipv6 ipv6-address }
  Remarks: Not configured by default.
Step 5. Add a member.
  Command: member { ip ipv4-address | ipv6 ipv6-address } [ vlan vlan-id-list ]
  Remarks: By default, no member exists in a mobility group. Members can be added dynamically irrespective of whether the IACTP service is enabled or not.
Step 6. Specify an IACTP control message integrity authentication mode.
  Command: authentication-mode authentication-method [ cipher | simple ] authentication-key
  Remarks: By default, IACTP control message integrity authentication is disabled.
Step 7. Enable the IACTP service for the group.
  Command: mobility-group enable
  Remarks: By default, the IACTP service is disabled.
NOTE:
Do not configure ACs in a mobility group to back up each other.
ACs in a mobility group must have the same user profile configurations.
Displaying and maintaining WLAN roaming
Task: Display mobility group information.
  Command: display wlan mobility-group [ member { ip IPv4-address | ipv6 IPv6-address } ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the roam-track information of a client on the HA.
  Command: display wlan client roam-track mac-address mac-address [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the WLAN client roaming information.
  Command: display wlan client { roam-in | roam-out } [ member { ip IPv4-address | ipv6 IPv6-address } ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
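The roaming behaviour described above (HA assignment on first association, synchronization of station information to the other mobility group members, fast roaming that skips 802.1X for an RSN/802.1X station with key caching, roam-in and roam-out classification, and the roam track) as an added Python model. It is example code, not H3C code; the class names, the "initial"/"fast-roam"/"inter-AC-reauth" labels and the AC, AP and MAC values are this example's own constructed names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_GROUP_MEMBERS = 8  # a mobility group can include up to 8 ACs


@dataclass
class Station:
    mac: str
    auth: str                 # "802.1X" (RSN) or "PSK" (constructed values)
    key_caching: bool         # whether the client supports key caching
    home_ac: Optional[str] = None
    current_ac: Optional[str] = None
    # roam track: (AC, AP, association type), oldest first
    track: List[Tuple[str, str, str]] = field(default_factory=list)

    @property
    def fast_roam_capable(self) -> bool:
        # Inter-AC fast roaming capability: 802.1X (RSN) plus key caching.
        return self.auth == "802.1X" and self.key_caching


class MobilityGroup:
    """Hypothetical model of one IACTP mobility group (example, not H3C code)."""

    def __init__(self, name: str, acs: Dict[str, Set[str]]):
        # acs maps an AC name to the set of AP names connected to it
        if len(acs) > MAX_GROUP_MEMBERS:
            raise ValueError("a mobility group can include at most 8 ACs")
        self.name = name
        self.acs = acs
        # station records synchronized over IACTP tunnels: AC -> {MAC: HA}
        self.synced: Dict[str, Dict[str, str]] = {ac: {} for ac in acs}
        self.stations: Dict[str, Station] = {}

    def ac_of(self, ap: str) -> str:
        for ac, aps in self.acs.items():
            if ap in aps:
                return ac
        raise KeyError(f"AP {ap} is not managed by any AC in the group")

    def associate(self, sta: Station, ap: str) -> str:
        """Associate or roam sta to ap and return the association type."""
        ac = self.ac_of(ap)
        if sta.home_ac is None:
            # First association: this AC becomes the HA. The station goes
            # through 802.1X (or PSK) and 11Key exchange, then the HA
            # synchronizes the station information to the other members.
            sta.home_ac = ac
            kind = "initial"
            for member in self.acs:
                if member != ac:
                    self.synced[member][sta.mac] = ac
        elif ac == sta.current_ac:
            # Same AC, different AP.
            kind = "intra-AC" if ac == sta.home_ac else "intra-FA"
        elif ac == sta.home_ac or sta.mac in self.synced[ac]:
            # Inter-AC roam (or roam-back to the HA): the target AC holds the
            # HA information, so a fast-roam capable station skips 802.1X and
            # performs only key exchange; other stations re-authenticate.
            kind = "fast-roam" if sta.fast_roam_capable else "inter-AC-reauth"
        else:
            # No synchronized record (target AC outside the group); modelled
            # as a fresh association, an assumption of this example.
            kind = "initial"
            sta.home_ac = ac
        sta.current_ac = ac
        sta.track.append((ac, ap, kind))
        self.stations[sta.mac] = sta
        return kind

    def roam_out(self, ac: str) -> List[str]:
        """What display wlan client roam-out lists on ac: its HA stations now elsewhere."""
        return sorted(s.mac for s in self.stations.values()
                      if s.home_ac == ac and s.current_ac != ac)

    def roam_in(self, ac: str) -> List[str]:
        """What display wlan client roam-in lists on ac: stations on ac whose HA differs."""
        return sorted(s.mac for s in self.stations.values()
                      if s.current_ac == ac and s.home_ac != ac)


def roam_back_scenario() -> dict:
    """Replays the roam-back topology of Figure 55 with constructed names."""
    group = MobilityGroup("roam", {"AC1": {"AP1", "AP2"}, "AC2": {"AP3"}})
    rsn_sta = Station("00-11-22-33-44-55", auth="802.1X", key_caching=True)
    psk_sta = Station("00-11-22-33-44-66", auth="PSK", key_caching=False)
    kinds = [group.associate(rsn_sta, "AP1"),   # initial association, HA = AC1
             group.associate(rsn_sta, "AP3"),   # inter-AC roam to FA AC2
             group.associate(psk_sta, "AP1"),
             group.associate(psk_sta, "AP3")]   # no fast roaming without RSN
    out_ac1, in_ac2 = group.roam_out("AC1"), group.roam_in("AC2")
    kinds.append(group.associate(rsn_sta, "AP2"))  # roam back to the HA
    return {"kinds": kinds, "roam_out_ac1": out_ac1, "roam_in_ac2": in_ac2,
            "roam_out_after_back": group.roam_out("AC1"), "track": rsn_sta.track}
```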

WLAN roaming configuration examples
Intra-AC roaming configuration example
Network requirements
As shown in Figure 56, an AC has two APs associated, and all of them are in VLAN 1. A client is associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when roaming to AP 2.
Figure 56 Network diagram
Configuration procedure
NOTE:
For wireless service configuration, see "Configuring WLAN services."
A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication.
If you select an authentication mode involving remote authentication, you need to configure the corresponding RADIUS server. For more information, see "Configuring WLAN security."
1. Configure the AC:
# On interface WLAN-ESS 1, configure the port security mode as userlogin-secure-ext, and enable key negotiation of the 11key type.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC-WLAN-ESS1] undo dot1x multicast-trigger
[AC-WLAN-ESS1] undo dot1x handshake
[AC-WLAN-ESS1] quit

# Create service template 1 of crypto type, configure its SSID as intra-roam, and bind WLAN-ESS 1 to it.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid intra-roam
[AC-wlan-st-1] bind wlan-ess 1
# Configure the authentication method as open-system, and use the CCMP cipher suite for frame encryption.
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Enable service template 1.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Enable port security.
[AC] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC] radius scheme rad
[AC-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC-radius-rad] primary authentication
[AC-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC-radius-rad] key authentication
[AC-radius-rad] key accounting
# Configure the source IP address of RADIUS packets sent by the AC as
[AC-radius-rad] nas-ip
[AC-radius-rad] quit
# Create ISP domain cams, and configure it to use RADIUS scheme rad for authentication, authorization, and accounting of all types of users.
[AC] domain cams
[AC-isp-cams] authentication default radius-scheme rad
[AC-isp-cams] authorization default radius-scheme rad
[AC-isp-cams] accounting default radius-scheme rad
[AC-isp-cams] quit
# Configure the 802.1X mandatory authentication domain as cams on interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] dot1x mandatory-domain cams
[AC-WLAN-ESS1] quit
# Configure AP 1: Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A045B05B.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A045B05B
[AC-wlan-ap-ap1] radio 1 type dot11g

# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Configure AP 2: Create an AP template named ap2 with model WA2100, and configure the serial ID of AP 2 as A22W
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A22W
[AC-wlan-ap-ap2] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 2. (Intra-AC roaming requires consistent SSIDs on the different APs, so radio 1 of AP 2 must also be bound to service template 1.)
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
2. Verify the configuration:
After the client roams to AP 2, use the display wlan client verbose command to display detailed client information. You should find that the AP name and BSSID fields have changed to those of AP 2. You can also use the display wlan client roam-track mac-address command to view the client roaming track information.
Inter-AC roaming configuration example
Network requirements
As shown in Figure 57, a client associates with AP 1. Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.

Figure 57 Network diagram (RADIUS server, L2 switch, AC 1, AC 2, AP 1 and AP 2 in VLAN 1, roaming client)
Configuration procedure
NOTE:
For wireless service configuration, see "WLAN service configuration."
A client has inter-AC fast roaming capability only if it uses 802.1X (RSN) authentication through negotiation.
If you select an authentication mode involving remote authentication, you need to configure the corresponding RADIUS server. For more information, see "WLAN security configuration."
1. Configure AC 1:
# On interface WLAN-ESS 1, configure the port security mode as userlogin-secure-ext, and enable key negotiation of the 11key type.
<AC1> system-view
[AC1] interface wlan-ess 1
[AC1-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC1-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC1-WLAN-ESS1] undo dot1x multicast-trigger
[AC1-WLAN-ESS1] undo dot1x handshake
[AC1-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS 1 to it.
[AC1] wlan service-template 1 crypto
[AC1-wlan-st-1] ssid inter-roam
[AC1-wlan-st-1] bind wlan-ess 1

# Configure the authentication method as open-system, and use the CCMP cipher suite for frame encryption.
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] security-ie rsn
# Enable service template 1.
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Enable port security.
[AC1] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC1] dot1x authentication-method eap
# Create a RADIUS scheme rad, and specify the extended RADIUS server type.
[AC1] radius scheme rad
[AC1-radius-rad] server-type extended
# Configure the IP addresses of the primary authentication server and accounting server as
[AC1-radius-rad] primary authentication
[AC1-radius-rad] primary accounting
# Configure the shared key for RADIUS authentication/accounting packets as
[AC1-radius-rad] key authentication
[AC1-radius-rad] key accounting
# Configure the source IP address of RADIUS packets sent by the AC as
[AC1-radius-rad] nas-ip
[AC1-radius-rad] quit
# Configure ISP domain cams to use RADIUS scheme rad for authentication, authorization, and accounting of all types of users.
[AC1] domain cams
[AC1-isp-cams] authentication default radius-scheme rad
[AC1-isp-cams] authorization default radius-scheme rad
[AC1-isp-cams] accounting default radius-scheme rad
[AC1-isp-cams] quit
# Configure the 802.1X mandatory authentication domain as cams on interface WLAN-ESS 1.
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] dot1x mandatory-domain cams
[AC1-WLAN-ESS1] quit
# Configure AP 1: Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A045B05B.
[AC1] wlan ap ap1 model WA2100
[AC1-wlan-ap-ap1] serial-id A045B05B
[AC1-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 (SSID inter-roam) to radio 1.
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
[AC1-wlan-ap-ap1-radio-1] quit
[AC1-wlan-ap-ap1] quit

# Create mobility group roam, specify the tunnel source IP address as , and specify a member with IP address
[AC1] wlan mobility-group roam
[AC1-wlan-mg-roam] source ip
[AC1-wlan-mg-roam] member ip
[AC1-wlan-mg-roam] mobility-group enable
2. Configure AC 2:
# On interface WLAN-ESS 1, configure the port security mode as userlogin-secure-ext, and enable key negotiation of the 11key type.
<AC2> system-view
[AC2] interface wlan-ess 1
[AC2-WLAN-ESS1] port-security port-mode userlogin-secure-ext
[AC2-WLAN-ESS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AC2-WLAN-ESS1] undo dot1x multicast-trigger
[AC2-WLAN-ESS1] undo dot1x handshake
[AC2-WLAN-ESS1] quit
# Create service template 1 of crypto type, configure its SSID as inter-roam, and bind WLAN-ESS 1 to it.
[AC2] wlan service-template 1 crypto
[AC2-wlan-st-1] ssid inter-roam
[AC2-wlan-st-1] bind wlan-ess 1
# Configure the authentication method as open-system, use the CCMP cipher suite for frame encryption, and enable the RSN security IE to be carried in beacon and reply frames.
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] security-ie rsn
# Enable service template 1.
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Enable port security.
[AC2] port-security enable
# Configure the 802.1X authentication method as EAP.
[AC2] dot1x authentication-method eap
# Create RADIUS scheme rad, and specify the server type as extended to exchange extended messages with the server.
[AC2] radius scheme rad
[AC2-radius-rad] server-type extended
# Specify the IP addresses of the primary authentication and accounting servers as
[AC2-radius-rad] primary authentication
[AC2-radius-rad] primary accounting
# Configure the authentication and accounting keys as
[AC2-radius-rad] key authentication
[AC2-radius-rad] key accounting
# Configure the source IP address of RADIUS packets as
[AC2-radius-rad] nas-ip

[AC2-radius-rad] quit
# Create ISP domain cams, and use RADIUS scheme rad as its AAA methods.
[AC2] domain cams
[AC2-isp-cams] authentication default radius-scheme rad
[AC2-isp-cams] authorization default radius-scheme rad
[AC2-isp-cams] accounting default radius-scheme rad
[AC2-isp-cams] quit
# On interface WLAN-ESS 1, configure the 802.1X mandatory authentication domain as cams.
[AC2] interface WLAN-ESS 1
[AC2-WLAN-ESS1] dot1x mandatory-domain cams
[AC2-WLAN-ESS1] quit
# Configure AP 2: Create an AP template named ap2 with model WA2100, and configure the serial ID of AP 2 as A22W
[AC2] wlan ap ap2 model WA2100
[AC2-wlan-ap-ap2] serial-id A22W
[AC2-wlan-ap-ap2] radio 1 type dot11g
# Bind service template 1 (SSID inter-roam) to radio 1 of AP 2. (Inter-AC roaming requires consistent SSIDs on the APs, so radio 1 of AP 2 must also be bound to the service template with SSID inter-roam.)
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
[AC2-wlan-ap-ap2-radio-1] quit
[AC2-wlan-ap-ap2] quit
# Create mobility group roam, specify the tunnel source IP address as , and specify a member with IP address
[AC2] wlan mobility-group roam
[AC2-wlan-mg-roam] source ip
[AC2-wlan-mg-roam] member ip
[AC2-wlan-mg-roam] mobility-group enable
3. Verify the configuration:
Use the display wlan client roam-out command on AC 1 to display roamed-out client information, and the display wlan client roam-in command on AC 2 to display roamed-in client information. You can also use the display wlan client roam-track mac-address command on AC 1 to view the client roaming track information.

Configuring WLAN RRM
Overview
Radio signals are susceptible to surrounding interference, and the causes of radio signal attenuation in different directions are very complex. Therefore, careful planning is needed before deploying a WLAN network. After WLAN deployment, the running parameters still need to be adjusted, because the radio environment keeps varying due to interference from mobile obstacles, microwave ovens, and so on. To adapt to environment changes, radio resources such as working channels and transmit power should be dynamically adjusted. Such adjustments are complex and require experienced personnel to implement them regularly, which brings high maintenance costs.
WLAN radio resource management (RRM) is a scalable radio resource management solution. Through information collection (APs collect radio environment information in real time), information analysis (the AC analyzes the collected information), decision-making (the AC makes the radio resource adjustment configuration according to the analysis results), and implementation (APs implement the configuration made by the AC for radio resource optimization), WLAN RRM delivers a real-time, intelligent, integrated radio resource management solution, which enables a WLAN network to quickly adapt to radio environment changes and stay in a healthy state.
Dynamic frequency selection
A WLAN has a limited number of working channels, so channel overlapping occurs easily. In addition, other radio sources such as radar and microwave ovens may interfere with the operation of APs. Dynamic frequency selection (DFS) can solve these problems. With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference and interference from other radio sources. The following conditions determine DFS:
Error code rate: Physical layer error codes and CRC errors.
Interference: Influence of 802.11 and non-802.11 wireless signals on wireless services.
Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
Radar signal detected on a working channel: The AC immediately notifies the AP to change its working channel.
If the first three conditions are met, the AC selects a new channel. The AP does not use the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.
Transmit power control
Traditionally, an AP uses the maximum power to cover an area as large as possible. This method, however, affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to select a proper transmit power for each AP to satisfy both coverage and usage requirements.
Whether the transmit power of an AP is increased or decreased is determined by these factors: the maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor AP that performs power detection, and the power adjustment threshold.
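The DFS and TPC decisions described above as an added Python example (not H3C code). The maximum neighbor number 3 and the power adjustment threshold of -80 dBm are the defaults the text gives; the neighbor signal strengths, the current/minimum/maximum transmit power values, the 1 dB adjustment step and the abstract channel quality scores and tolerance are this example's own constructed inputs and assumptions.

```python
from typing import Dict, Optional, Tuple

MAX_NEIGHBORS = 3          # default maximum number of neighbors (configurable)
POWER_THRESHOLD_DBM = -80  # default power adjustment threshold (configurable)


def detecting_neighbor(neighbors: Dict[str, int],
                       max_neighbors: int = MAX_NEIGHBORS) -> Optional[str]:
    """Pick the neighbor AP that performs power detection for this AP.

    neighbors maps a neighbor AP name to the strength (dBm) of that
    neighbor's signal as received by this AP. Nothing is selected until the
    neighbor count reaches the maximum; then the neighbor ranked at that
    position by signal strength (the third of three by default) is the AP
    that performs power detection, as in the Figure 58 scenario.
    """
    if len(neighbors) < max_neighbors:
        return None
    ranked = sorted(neighbors.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[max_neighbors - 1][0]


def tpc_adjust(measured_dbm: int, current_dbm: int, min_dbm: int, max_dbm: int,
               step_db: int = 1,
               threshold_dbm: int = POWER_THRESHOLD_DBM) -> Tuple[str, int]:
    """Decide this AP's transmit power change from the detecting AP's report.

    measured_dbm is this AP's power as detected by the detecting neighbor.
    Below the threshold the AP raises its power; above it, the AP lowers its
    power, never below the minimum transmit power. The 1 dB step and the
    maximum are assumptions of this example; the text gives neither.
    """
    if measured_dbm < threshold_dbm:
        new = min(current_dbm + step_db, max_dbm)
        return ("increase" if new > current_dbm else "hold"), new
    if measured_dbm > threshold_dbm:
        new = max(current_dbm - step_db, min_dbm)
        return ("decrease" if new < current_dbm else "hold"), new
    return "hold", current_dbm


def dfs_switch(old_quality: float, new_quality: float, tolerance: float,
               radar_on_working_channel: bool = False) -> bool:
    """Return True when the AP should move to the channel the AC selected.

    Radar on the working channel forces an immediate change. When the AC
    picked the new channel because of the other conditions (error code rate,
    interference, retransmission), the AP changes only if the quality
    difference between new and old channel exceeds the tolerance level.
    Quality scores are abstract numbers here (assumption; the text gives no unit).
    """
    if radar_on_working_channel:
        return True
    return (new_quality - old_quality) > tolerance


def figure58_scenario() -> dict:
    """The Figure 58 case: AP 1 hears AP 2, AP 3 and AP 4 (constructed dBm values)."""
    neighbors_of_ap1 = {"AP2": -55, "AP3": -62, "AP4": -71}
    detector = detecting_neighbor(neighbors_of_ap1)
    # AP 4 detects AP 1 at -90 dBm (below -80): AP 1 raises its power.
    weak = tpc_adjust(measured_dbm=-90, current_dbm=15, min_dbm=5, max_dbm=20)
    # AP 4 detects AP 1 at -70 dBm (above -80): AP 1 lowers its power.
    strong = tpc_adjust(measured_dbm=-70, current_dbm=15, min_dbm=5, max_dbm=20)
    # Already at the minimum transmit power: no further decrease.
    floored = tpc_adjust(measured_dbm=-70, current_dbm=5, min_dbm=5, max_dbm=20)
    return {"detector": detector, "weak": weak, "strong": strong, "floored": floored,
            "before_ap4": detecting_neighbor({"AP2": -55, "AP3": -62})}
```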

As shown in Figure 58, APs 1, 2, and 3 cover an area. When AP 4 joins, the default maximum neighbor number 3 (configurable) is reached. Among all the neighbors of AP 1 (AP 2, AP 3, and AP 4), the signal strength of AP 4 is the third, so AP 4 becomes the AP that performs power detection. If AP 4 detects that the power of AP 1 is -90 dBm, which is lower than the default power adjustment threshold of -80 dBm (configurable), AP 1 increases its transmit power. If AP 4 detects that the power of AP 1 is -70 dBm, which is higher than the power adjustment threshold of -80 dBm, AP 1 decreases its transmit power.
NOTE:
The maximum number of neighbors and the neighbor AP that performs power detection are configured with the dot11a adjacency-factor and dot11bg adjacency-factor commands.
The adjusted transmit power cannot be smaller than the minimum transmit power.
Figure 58 Power reduction
As shown in Figure 59, when AP 3 fails or goes offline, the other APs increase their transmit power to cover the signal blackhole.

112 Figure 59 Power increasing Configuration task list Complete the following tasks to configure WLAN RRM: Task Configuring data transmit rates Configuring channel exclusion Configuring DFS Configuring mesh DFS Configuring TPC Configuring a radio group Remarks Optional Optional Optional Optional Optional Optional 100

Configuring scan parameters        Optional
Configuring power constraint       Optional

Configuring data transmit rates

Configuring 802.11a/802.11b/802.11g rates

1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure rates (in Mbps) for 802.11a.
   Command: dot11a { disabled-rate | mandatory-rate | multicast-rate | supported-rate } rate-value
   Remarks: Optional. By default, no rates are disabled; the mandatory rates are 6, 12, and 24; the multicast rate is selected automatically from the mandatory rates supported by all clients; and the supported rates are 9, 18, 36, 48, and 54.
4. Configure rates for 802.11b.
   Command: dot11b { disabled-rate | mandatory-rate | multicast-rate | supported-rate } rate-value
   Remarks: Optional. By default, no rates are disabled; the mandatory rates are 1 and 2; the multicast rate is selected automatically from the mandatory rates supported by all clients; and the supported rates are 5.5 and 11.
5. Configure rates for 802.11g.
   Command: dot11g { disabled-rate | mandatory-rate | multicast-rate | supported-rate } rate-value
   Remarks: Optional. By default, no rates are disabled; the mandatory rates are 1, 2, 5.5, and 11; the multicast rate is selected automatically from the mandatory rates supported by all clients; and the supported rates are 6, 9, 12, 18, 24, 36, 48, and 54.

Configuring 802.11n rates

Mandatory and supported 802.11n rates are configured by specifying the maximum Modulation and Coding Scheme (MCS) index. The MCS data rate table shows the relations between data rates, MCS indexes, and the parameters that affect data rates. A sample MCS data rate table (20 MHz) is shown in Table 1, and a sample MCS data rate table (40 MHz) is shown in Table 2. For the whole table, see IEEE P802.11n D2.00. As shown in the two tables, MCS 0 through MCS 7 use one spatial stream, and the data rate corresponding to MCS 7 is the highest; MCS 8 through MCS 15 use two spatial streams, and the data rate corresponding to MCS 15 is the highest.

Table 1 MCS data rate table (20 MHz)
[Columns: MCS index; Number of spatial streams; Modulation; Data rate (Mbps) with 800 ns GI; Data rate (Mbps) with 400 ns GI. Rows: MCS 0 through 7 with one spatial stream (modulation BPSK, QPSK, QPSK, QAM, QAM, QAM, QAM, QAM) and MCS 8 through 15 with two spatial streams (same modulation sequence). The rate values are not preserved in this transcription.]

Table 2 MCS data rate table (40 MHz)
[Same columns and rows as Table 1; the rate values are not preserved in this transcription.]

802.11n rates fall into three types: mandatory rates, supported rates, and multicast rates.
Mandatory rates: Mandatory rates must be supported by the AP. Clients can associate with the AP only when they support the mandatory rates.
Supported rates: Higher rates supported by the AP besides the mandatory rates. Supported rates allow clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.
Multicast rates: Multicast rates supported by the AP besides the mandatory rates. Multicast rates allow clients to send multicast traffic at the multicast rates.

When you specify the maximum MCS index, you actually specify a range. For example, if you specify the maximum MCS index as 5 for mandatory rates, the rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.

To configure 802.11n rates:
1. Enter system view.
   Command: system-view
2. Enter RRM view.
   Command: wlan rrm
3. Specify the maximum MCS index for 802.11n mandatory rates.
   Command: dot11n mandatory maximum-mcs index
   Remarks: No maximum MCS index is specified for 802.11n mandatory rates by default.
4. Specify the maximum MCS index for 802.11n supported rates.
   Command: dot11n support maximum-mcs index
   Remarks: By default, the maximum MCS index for 802.11n supported rates is 76.
5. Specify the MCS index for 802.11n multicast rates.
   Command: dot11n multicast-rate index
   Remarks: By default, the MCS index for 802.11n multicast rates is not specified.

NOTE:
If you configure the client dot11n-only command for a radio, you must configure the maximum MCS index for 802.11n mandatory rates.

Configuring channel exclusion

To avoid selecting improper channels, you can exclude specific channels from automatic channel selection. The excluded channels are not available for initial automatic channel selection, DFS, or mesh DFS. This feature does not affect rogue detection or WIDS.

To configure channel exclusion:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure channel exclusion.
   Command: dot11a exclude-channel channel-list
            dot11bg exclude-channel channel-list
   Remarks: By default, no channel exists in the channel exclusion list.

NOTE:
The channel exclusion list is not restricted by the country code. You can add channels not supported by the country code to the list, and changing the country code does not change the list. The device selects an available channel from the channels that are supported by the country code and not in the channel exclusion list. When you configure this feature, do not add all channels supported by the country code to the channel exclusion list.
If you use the dot11a/dot11bg exclude-channel command to add an automatically selected channel to the channel exclusion list, the AC disables the radio, enables the radio, and then selects an available channel from the channels supported by the country code and not in the channel exclusion list.
For 40 MHz 802.11n radios, if you add an automatically selected primary channel to the channel exclusion list, the AC selects another available primary channel. If you add a secondary channel to the channel exclusion list in this case, the AC selects another secondary channel. If the AC cannot find an available secondary channel, no channels are available for the wireless, mesh, and WDS services.

Configuring DFS

NOTE:
Before configuring DFS, make sure the AC uses the auto mode (configured by using the channel auto command); otherwise DFS does not work.
Before enabling DFS, make sure the channel is not locked. If you configure the power lock command first, and then enable DFS, DFS does not work because the channel is locked. If you enable DFS, and then configure the power lock command, the last selected channel is locked. For more information about the channel and channel lock commands, see WLAN Command Reference.

Configuring auto DFS

With auto DFS enabled, an AC performs DFS when the working channel of an AP meets a trigger condition and informs the AP of the adjusted channel after a calibration interval. After that, the AC makes DFS decisions at the calibration interval automatically.

To configure auto DFS:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable auto DFS.
   Command: dot11a calibrate-channel self-decisive
            dot11bg calibrate-channel self-decisive
   Remarks: By default, auto DFS is disabled.
4. Specify the calibration interval.
   Command: dot11a calibration-interval minutes
            dot11bg calibration-interval minutes
   Remarks: By default, the calibration interval is 8 minutes.

Configuring one-time DFS

With one-time DFS configured for an AP, the AC performs DFS when the working channel of the AP meets a trigger condition, and informs the AP of the adjusted channel after a calibration interval (defaults to eight minutes, specified with the dot11a/dot11bg calibration-interval command). If you then want the AC to perform DFS for the AP again, you have to make this configuration again.

To configure one-time DFS:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable dynamic channel selection.
   Command: dot11a calibrate-channel
            dot11bg calibrate-channel
   Remarks: By default, auto DFS is disabled.
4. Configure one-time DFS.
   Command: dot11a calibrate-channel pronto ap { all | name apname radio radionum }
            dot11bg calibrate-channel pronto ap { all | name apname radio radionum }
   Remarks: Not configured by default.
5. Specify the calibration interval.
   Command: dot11a calibration-interval minutes
            dot11bg calibration-interval minutes
   Remarks: By default, the calibration interval is 8 minutes.

Configuring DFS trigger parameters

The CRC error threshold, interference threshold, and tolerance level determine DFS. The system begins to calculate the channel quality when either the CRC error threshold or the interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance level.

To set DFS trigger parameters:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure the CRC error threshold.
   Command: dot11a crc-error-threshold percent
            dot11bg crc-error-threshold percent
   Remarks: The default is 20.
4. Configure the interference threshold.
   Command: dot11a interference-threshold percent
            dot11bg interference-threshold percent
   Remarks: The default is 50.
5. Configure the tolerance level.
   Command: dot11a tolerance-level percentage
            dot11bg tolerance-level percentage
   Remarks: The default is 20%.

Configuring mesh DFS

NOTE:
Before configuring mesh DFS, make sure the AC uses the auto mode (configured by using the channel auto command); otherwise DFS does not work.

Configuring automatic mesh DFS

With mesh auto DFS enabled, an AC performs DFS when the working channel of an AP meets a trigger condition and informs the AP of the adjusted channel after a calibration interval. After that, the AC makes DFS decisions at the calibration interval automatically.

To configure mesh auto DFS:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable mesh auto DFS.
   Command: mesh calibrate-channel self-decisive
   Remarks: By default, auto DFS is disabled.
4. Specify the calibration interval.
   Command: dot11a calibration-interval minutes
            dot11bg calibration-interval minutes
   Remarks: By default, the calibration interval is 8 minutes.

Configuring one-time mesh DFS

With one-time mesh DFS configured for an AP, the AC performs DFS when the working channel of the AP meets a trigger condition, and informs the AP of the adjusted channel after a calibration interval. If you then want the AC to perform DFS for the AP again, you have to make this configuration again.

To configure one-time mesh DFS:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable dynamic mesh channel selection.
   Command: mesh calibrate-channel
   Remarks: By default, dynamic mesh channel selection is disabled.
4. Configure one-time mesh DFS.
   Command: mesh calibrate-channel pronto mesh-profile { all | mesh-profile-number }
   Remarks: By default, one-time mesh DFS is not configured.
5. Specify the calibration interval.
   Command: dot11a calibration-interval minutes
            dot11bg calibration-interval minutes
   Remarks: By default, the calibration interval is 8 minutes.

Configuring TPC

NOTE:
Make sure the power is not locked (with the power lock command) before enabling TPC. Otherwise TPC does not work. If you enable TPC, and then configure the power lock command, the last selected power is locked. For more information about the power lock command, see WLAN Command Reference.

Configuring auto TPC

With auto TPC enabled, the AC performs TPC for an AP upon certain interference and informs the AP of the adjusted power after a calibration interval. After that, the AC makes TPC decisions at the calibration interval automatically.

To configure auto TPC:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable auto TPC for the band.
   Command: dot11a calibrate-power self-decisive
            dot11bg calibrate-power self-decisive
   Remarks: Disabled by default.
4. Specify the calibration interval.
   Command: dot11a calibration-interval minutes
            dot11bg calibration-interval minutes
   Remarks: By default, the power calibration interval is 8 minutes.

Configuring one-time TPC

With one-time TPC configured, the AC performs TPC for the AP upon certain interference, and informs the AP of the adjusted power after a calibration interval (defaults to eight minutes, specified with the calibration-interval command). If you then want the AC to perform TPC for the AP again, you have to make this configuration again.

To configure one-time TPC:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable dynamic power selection for the band.
   Command: dot11a calibrate-power
            dot11bg calibrate-power
   Remarks: Disabled by default.
4. Configure one-time TPC for the band.
   Command: dot11a calibrate-power pronto ap { all | name apname radio radionum }
            dot11bg calibrate-power pronto ap { all | name apname radio radionum }
   Remarks: Not configured by default.
5. Specify the calibration interval.
   Command: dot11a calibration-interval minutes
            dot11bg calibration-interval minutes
   Remarks: By default, the power calibration interval is 8 minutes.

Configuring TPC trigger parameters

1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure the maximum number of neighbors and specify the neighbor AP that performs power detection.
   Command: dot11a adjacency-factor neighbor
            dot11bg adjacency-factor neighbor
   Remarks: By default, the maximum number of neighbors is 3, and the neighbor AP that performs power detection is the AP whose signal strength ranks third among all neighbors.
4. Configure the power adjustment threshold.
   Command: dot11a calibrate-power threshold value
            dot11bg calibrate-power threshold value
   Remarks: 65 by default.

Configuring the minimum transmission power

The transmission power adjusted by auto TPC or one-time TPC for an AP cannot be lower than the minimum transmission power set by the dot11a/dot11bg calibrate-power min command. This floor prevents the AP's power from being reduced so far that its signals can no longer be detected.

To configure the minimum transmission power level:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure the minimum transmission power.
   Command: dot11a calibrate-power min tx-power
            dot11bg calibrate-power min tx-power
   Remarks: By default, the minimum transmission power is 1 dBm.

Configuring a radio group

With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at the calibration interval. When the result meets a trigger condition, the AC selects a new channel or power for the radio. In an environment with serious interference, frequent channel or power adjustments may affect user access to the WLAN. In this case, you can configure a radio group to keep the channel or power of the radios in the group unchanged for a specified time. The channel and power of radios not in the radio group are adjusted normally.

After a channel or power adjustment (one-time, auto, or initial DFS or TPC), the channel or power of any radio in the radio group stays unchanged for the specified holddown time. When the holddown time expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel or power is changed, and the new channel or power again stays unchanged for the specified holddown time. This mechanism continues.

To configure a radio group:
1. Enter system view.
   Command: system-view
2. Create a radio group, and enter RRM radio group view.
   Command: wlan rrm-calibration-group group-id
   Remarks: By default, no radio group exists.
3. Configure a description for the radio group.
   Command: description text
   Remarks: By default, no description is configured for the radio group.
4. Add a radio of an AP to the radio group.
   Command: ap ap-name radio radio-number
   Remarks: By default, no radio exists in the radio group. A member of a radio group is a radio. One radio can belong to only one radio group.
5. Configure the channel holddown time.
   Command: channel holddown-time minutes
   Remarks: 720 minutes by default. If the AC detects any radar signals on the channel within the specified holddown time, the AC immediately selects a new channel and resets the holddown timer.
6. Configure the power holddown time.
   Command: power holddown-time minutes
   Remarks: 60 minutes by default.

Configuring scan parameters

NOTE:
The scan channel, scan type, and scan report-interval commands apply to channel adjustment, rogue device detection, and IDS detection. The autochannel-set avoid-dot11h command applies to all types of channel scanning.

To configure scan parameters:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Set the scan mode.
   Command: scan channel { auto | all }
   Remarks: By default, the scan mode is auto.
4. Set the scan type.
   Command: scan type { active | passive }
   Remarks: By default, the scan type is passive.
5. Set the scan report interval.
   Command: scan report-interval seconds
   Remarks: By default, the scan report interval is 10 seconds.
6. Configure only non-dot11h channels to be scanned.
   Command: autochannel-set avoid-dot11h
   Remarks: By default, the auto-channel set includes all channels supported by the country code.

Configuring power constraint

1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable spectrum management for 802.11a radios.
   Command: spectrum-management enable
   Remarks: By default, spectrum management is disabled.
4. Configure the power constraint for all 802.11a radios.
   Command: power-constraint power-constraint
   Remarks: The default power constraint is 0 dBm.

Displaying and maintaining WLAN RRM

Task: Display WLAN RRM configuration information.
  Command: display wlan rrm [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the WLAN RRM status of the APs.
  Command: display wlan ap { all | name ap-name } rrm-status [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the channel and power change history for APs.
  Command: display wlan ap { all | name ap-name } rrm-history [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display WLAN RRM information of the APs.
  Command: display wlan ap { all | name ap-name } [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display radio group configuration information.
  Command: display wlan rrm-calibration-group { group-id | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display mesh channel adjustment history.
  Command: display wlan mesh calibrate-channel history [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Load balancing

Overview

Load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients. It is mainly used in high-density WLAN networks.

Requirement of load-balancing implementation

As shown in Figure 60, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so it rejects the association request. Client 6 then tries to associate with AP 1 or AP 2, but it cannot receive signals from these two APs, so it has to resend an association request to AP 3. Therefore, to implement load balancing, the APs must be managed by the same AC, and the clients must be able to find the APs.

Figure 60 Requirement of load-balancing implementation

Load-balancing modes

The AC supports two load balancing modes: session mode and traffic mode.

Session-mode load balancing: Session-mode load balancing is based on the number of clients associated with the AP or radio. As shown in Figure 61, Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. The AC has session-mode load balancing configured with a maximum number of sessions of 5 and a maximum session gap of 4. Client 7 then sends an association request to AP 2. The maximum session threshold and the session gap have both been reached on AP 2, so it rejects the request. Client 7 finally associates with AP 1.

Figure 61 Network diagram for session-mode load balancing

Traffic-mode load balancing:

A traffic snapshot is considered for traffic-mode load balancing. As shown in Figure 62, Client 1 and Client 2, which run 802.11g, are associated with AP 1. The AC has traffic-mode load balancing configured with a maximum traffic threshold of 10% and a maximum traffic gap of 20%. Client 3 then wants to access the WLAN through AP 1. The maximum traffic threshold and the traffic gap (between AP 1 and AP 2) have both been reached on AP 1, so it rejects the request. Client 3 finally associates with AP 2.

Figure 62 Network diagram for traffic-mode load balancing

Load-balancing methods

The AC supports AP-based load balancing and group-based load balancing.

1. AP-based load balancing
AP-based load balancing can be implemented either among APs or among the radios of an AP.
AP-based load balancing: APs can carry out either session-mode or traffic-mode load balancing as configured. An AP starts load balancing when the maximum threshold and gap are reached. It does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.
Radio-based load balancing: The radios of an AP that is balanced can carry out either session-mode or traffic-mode load balancing as configured. A radio starts load balancing when the maximum threshold and gap are reached. It rejects any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.

2. Group-based load balancing
To balance loads among the radios of different APs, you can add them to the same load balancing group. The radios in a load balancing group can carry out either session-mode or traffic-mode load balancing as configured. The radios that are not added to any load balancing group do not carry out load balancing. A radio in a load balancing group starts load balancing when the maximum threshold and gap are reached on it. The radio does not accept any association requests unless the load decreases below the maximum threshold or the gap is less than the maximum gap. However, if a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.

Load balancing configuration task list

NOTE:
If the AC has a load balancing mode configured but has no load balancing group created, it adopts AP-based load balancing by default. As long as a load balancing group is created, the AC adopts group-based load balancing by default.
Band navigation and load balancing can be used simultaneously.

Complete these tasks to configure load balancing:

Task: Configuring a load balancing mode
  Configuring session mode load balancing
  Configuring traffic mode load balancing
  Remarks: Required. Use either approach.
Task: Configuring AP-based load balancing
  Configuring group-based load balancing
  Remarks: Required. Use either approach.
  AP-based load balancing: After you complete Configuring a load balancing mode, the AC adopts AP-based load balancing by default.
  Group-based load balancing: Complete Configuring a load balancing mode first. A load balancing group takes effect only when the load balancing mode is configured.
Task: Configuring parameters that affect load balancing
  Remarks: This configuration takes effect for both AP-based load balancing and radio group load balancing.
Task: Displaying and maintaining load balancing

Configuring a load balancing mode

Prerequisites

Before you configure load balancing, make sure of the following:
The target APs are associated with the same AC.
The clients can find the APs.
The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN services."

Configuring session mode load balancing

NOTE:
If the AC has a load balancing mode configured but has no load balancing group created, it adopts AP-based load balancing by default.

To configure session mode load balancing:
1. Enter system view.
   Command: system-view
2. Enter RRM view.
   Command: wlan rrm
3. Configure session mode load balancing.
   Command: load-balance session value [ gap gap-value ]
   Remarks: By default, no session threshold is set.

Configuring traffic mode load balancing

NOTE:
If the AC has a load balancing mode configured but has no load balancing group created, it adopts AP-based load balancing by default.

To configure traffic mode load balancing:
1. Enter system view.
   Command: system-view
2. Enter RRM view.
   Command: wlan rrm
3. Configure traffic mode load balancing.
   Command: load-balance traffic value [ gap gap-value ]
   Remarks: By default, no traffic threshold is set.

Configuring group-based load balancing

Prerequisites

Before you configure load balancing, make sure of the following:
The target APs are associated with the same AC.
The clients can find the APs.
The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN services."
A load balancing mode has been configured. For more information, see "Configuring a load balancing mode."

Configuring a load balancing group

1. Enter system view.
   Command: system-view
2. Create a load balancing group, and enter RRM load balancing group view.
   Command: wlan load-balance-group group-id
   Remarks: By default, no load balancing group exists.
3. Configure a description for the load balancing group.
   Command: description text
   Remarks: By default, a load balancing group has no description.
4. Add a radio of an AP to the load balancing group.
   Command: ap ap-name radio radio-number
   Remarks: By default, no radio exists in a load balancing group. A member of a load balancing group is a radio. One radio can belong to only one load balancing group.

Configuring parameters that affect load balancing

The following parameters affect the load balancing calculation:
Load balancing RSSI threshold: A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold as not detected. If only one AP can detect the client, that AP increases the access probability for the client even if it is overloaded.
Maximum denial count of client association requests: If a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate with any other AP and accepts the association request from the client.

To configure parameters that affect load balancing:
1. Enter system view.
   Command: system-view
2. Enter RRM view.
   Command: wlan rrm
3. Configure the load balancing RSSI threshold.
   Command: load-balance rssi-threshold rssi-threshold
   Remarks: The default load balancing RSSI threshold is 25.
4. Configure the maximum denial count of client association requests.
   Command: load-balance access-denial access-denial
   Remarks: The default value is 10.

Displaying and maintaining load balancing

Task: Display load balancing configuration.
  Command: display wlan load-balance-group { group-id | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
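The AP-based admission decision described under "Load-balancing methods" and "Configuring parameters that affect load balancing", replayed on the Figure 61 and Figure 62 scenarios, as an added simulation that is not H3C code. It assumes that the gap is measured against the least loaded AP that also detects the client, that "detected" means the client's RSSI at that AP is at least the load-balance rssi-threshold (default 25), and that the denial counter is kept per client; the traffic percentages and RSSI values are constructed.

```python
"""Added example (not H3C code): AP-based load balancing admission logic.

Assumptions, labelled here and in the comments: the gap is computed against
the least loaded AP that can also detect the client; a client is detected by
an AP when its RSSI there is >= rssi_threshold (load-balance rssi-threshold,
default 25); the denial counter is per client and is cleared on acceptance.
Session counts, traffic percentages and RSSI values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LoadBalanceConfig:
    mode: str                   # "session" or "traffic"
    threshold: float            # load-balance session value / traffic value
    gap: float | None = None    # optional gap gap-value
    rssi_threshold: int = 25    # load-balance rssi-threshold default
    access_denial: int = 10     # load-balance access-denial default


@dataclass
class ApLoad:
    name: str
    sessions: int = 0
    traffic_pct: float = 0.0    # constructed traffic snapshot, in percent


@dataclass
class Controller:
    cfg: LoadBalanceConfig
    aps: dict[str, ApLoad]
    denials: dict[str, int] = field(default_factory=dict)

    def load_of(self, ap: ApLoad) -> float:
        return ap.sessions if self.cfg.mode == "session" else ap.traffic_pct

    def detecting_aps(self, client_rssi: dict[str, int]) -> list[str]:
        """APs that consider the client detected (RSSI >= threshold)."""
        return [n for n, r in client_rssi.items()
                if n in self.aps and r >= self.cfg.rssi_threshold]

    def is_overloaded(self, ap: ApLoad, peers: list[ApLoad]) -> bool:
        """Load balancing starts only when threshold AND gap are reached."""
        load = self.load_of(ap)
        if load < self.cfg.threshold:
            return False
        if self.cfg.gap is None or not peers:
            return True                      # assumption: no gap to compare
        lightest = min(self.load_of(p) for p in peers)
        return load - lightest >= self.cfg.gap

    def associate(self, client: str, ap_name: str, client_rssi: dict[str, int]):
        """One association request; returns (verdict, ap, reason)."""
        ap = self.aps[ap_name]
        visible = self.detecting_aps(client_rssi)
        peers = [self.aps[n] for n in visible if n != ap_name]
        if not self.is_overloaded(ap, peers):
            return self._accept(ap, client, "below threshold or gap")
        if visible == [ap_name]:
            # only this AP detects the client: accept even when overloaded
            return self._accept(ap, client, "only detecting AP")
        if self.denials.get(client, 0) > self.cfg.access_denial:
            # denied more than access-denial times: client has no other AP
            return self._accept(ap, client, "denial limit exceeded")
        self.denials[client] = self.denials.get(client, 0) + 1
        return ("reject", ap_name, "load balancing")

    def _accept(self, ap: ApLoad, client: str, reason: str):
        ap.sessions += 1
        self.denials.pop(client, None)
        return ("accept", ap.name, reason)

    def join(self, client: str, client_rssi: dict[str, int]):
        """Client tries APs strongest-signal first until one accepts."""
        for ap_name in sorted(client_rssi, key=client_rssi.get, reverse=True):
            if ap_name not in self.aps:
                continue
            result = self.associate(client, ap_name, client_rssi)
            if result[0] == "accept":
                return result
        return None


def figure61_controller() -> Controller:
    """Figure 61: session mode, max 5 sessions, gap 4; AP 1 has 1 client,
    AP 2 has 5 (constructed state matching the text)."""
    cfg = LoadBalanceConfig(mode="session", threshold=5, gap=4)
    return Controller(cfg, {"AP1": ApLoad("AP1", sessions=1),
                            "AP2": ApLoad("AP2", sessions=5)})


def figure62_controller() -> Controller:
    """Figure 62: traffic mode, threshold 10%, gap 20%; constructed snapshot
    with AP 1 carrying 35% and AP 2 carrying 5%."""
    cfg = LoadBalanceConfig(mode="traffic", threshold=10, gap=20)
    return Controller(cfg, {"AP1": ApLoad("AP1", sessions=2, traffic_pct=35),
                            "AP2": ApLoad("AP2", sessions=0, traffic_pct=5)})
```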

Configuring band navigation

Band navigation enables APs to prefer accepting dual-band (2.4 GHz and 5 GHz) clients on their 5 GHz radio, because the 2.4 GHz band is often congested; this increases overall network performance. When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following these principles:
The AP associates a 2.4 GHz client on its 2.4 GHz radio after rejecting it several times.
The AP directs a dual-band client to its 5 GHz radio.
The AP associates a 5 GHz client on its 5 GHz radio.
The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the value specified by the band-navigation rssi-threshold command, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio has reached the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit (the two thresholds are specified by the band-navigation balance session session [ gap gap ] command), the AP denies the client's association to the 5 GHz radio and allows new clients to associate to the 2.4 GHz radio.
If a client has been denied more than the maximum number of times on the 5 GHz radio (specified by the band-navigation balance access-denial command), the AP considers that the client is unable to associate with any other AP and allows the 5 GHz radio to accept the client.

Configuration guidelines

Follow these guidelines when you configure band navigation:
When band navigation is enabled, the client association efficiency is affected, so this feature is not recommended in a scenario where most clients use 2.4 GHz.
Band navigation is not recommended in a delay-sensitive network.
Band navigation and load balancing can be used simultaneously.

Configuration prerequisites

To enable band navigation to operate properly, make sure of the following:
The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring WLAN services."
Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.

Enabling band navigation globally

1. Enter system view.
   Command: system-view
2. Enter RRM view.
   Command: wlan rrm
3. Enable band navigation globally.
   Command: band-navigation enable
   Remarks: By default, band navigation is disabled globally. Band navigation takes effect for the specified AP only when band navigation is enabled both globally and for the AP.

Enabling band navigation for an AP

1. Enter system view.
   Command: system-view
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
3. Enable band navigation for the AP.
   Command: band-navigation enable
   Remarks: By default, band navigation is enabled for an AP. Band navigation takes effect for an AP only when band navigation is enabled both globally and for the AP.

Configuring band navigation parameters

1. Enter system view.
   Command: system-view
2. Enter RRM view.
   Command: wlan rrm
3. Configure the load balancing session threshold and session gap.
   Command: band-navigation balance session session [ gap gap ]
   Remarks: By default, the band navigation load balancing function is disabled.
4. Configure the maximum denial count of association requests sent by a 5 GHz-capable client.
   Command: band-navigation balance access-denial access-denial
   Remarks: By default, association requests sent by a 5 GHz-capable client are not denied.
5. Configure the client RSSI threshold.
   Command: band-navigation rssi-threshold rssi-threshold
   Remarks: The default RSSI threshold is
6. Configure the client information aging time.
   Command: band-navigation aging-time aging-time
   Remarks: The default aging time is 180 seconds. The AP records client information when a client tries to associate to it. If the AP receives a probe request or association request from the client before the aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP removes the client information and does not count the client during band navigation.

Configuring 802.11g protection

Enabling 802.11g protection

When both 802.11b and 802.11g clients access a WLAN, interference easily occurs and the access rate is greatly degraded because they use different modulation modes. To enable both 802.11b and 802.11g clients to operate properly, 802.11g protection must be enabled so that an 802.11g device sends RTS/CTS or CTS-to-self packets to 802.11b devices, which then defer access to the medium.

Either of the following cases can start 802.11g protection on an 802.11g AP:
1. An 802.11b client associates with the 802.11g AP. In this case, 802.11g protection is always enabled.
2. The 802.11g AP detects an overlapping 802.11b BSS or some 802.11b packets that are not destined to it. For this case, you can use the following command to enable 802.11g protection, or disable it using the undo form of the command.

To enable 802.11g protection:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable 802.11g protection.
   Command: dot11g protection enable
   Remarks: Disabled by default.

NOTE:
Enabling 802.11g protection reduces network performance.

Configuring 802.11g protection mode

802.11g protection modes include RTS/CTS and CTS-to-self.

RTS/CTS: An AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all devices within the coverage of the AP refrain from sending data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all devices within the coverage of the client refrain from sending data within the specified time.
CTS-to-self: An AP uses its IP address to send a CTS packet before sending data to a client, ensuring that all devices within the coverage of the AP refrain from sending data within the specified time.

To configure the 802.11g protection mode:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Configure the 802.11g protection mode.
   Command: dot11g protection-mode { cts-to-self | rts-cts }
   Remarks: By default, the 802.11g protection mode is CTS-to-self.

Configuring 802.11n protection

Enabling 802.11n protection

When both 802.11n and non-802.11n clients access a WLAN, interference easily occurs and the access rate is greatly degraded because they use different modulation modes. To enable both 802.11n and non-802.11n clients to operate properly, 802.11n protection must be enabled so that an 802.11n device sends RTS/CTS or CTS-to-self (the destination of the CTS packets is the device that sends them) packets to non-802.11n devices, which then defer access to the medium.

The following cases require 802.11n protection to be enabled for an 802.11n AP:
A non-802.11n client associates with the 802.11n AP. In this case, 802.11g protection is always enabled without manual intervention.
The 802.11n AP detects a non-802.11n BSS or some 802.11n packets that are not destined to it. To enable 802.11n protection, you need to issue the dot11n protection enable command.

To enable 802.11n protection:
1. Enter system view.
   Command: system-view
2. Enter WLAN RRM view.
   Command: wlan rrm
3. Enable 802.11n protection.
   Command: dot11n protection enable
   Remarks: By default, 802.11n protection is disabled.

NOTE:
Enabling 802.11n protection reduces network performance.

Configuring 802.11n protection mode

802.11n protection modes include RTS/CTS and CTS-to-self.
RTS/CTS: An AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all the devices within the coverage of the AP will not send data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all the devices within the coverage of the client will not send data within the specified time.
CTS-to-Self: An AP uses its IP address to send a CTS packet before sending data to a client, ensuring that all the devices within the coverage of the AP will not send data within the specified time.

To configure the 802.11n protection mode:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter WLAN RRM view. | wlan rrm | N/A
3. Configure the 802.11n protection mode. | dot11n protection-mode { cts-to-self | rts-cts } | By default, the 802.11n protection mode is CTS-to-Self.

Configuring the maximum bandwidth

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter WLAN RRM view. | wlan rrm | N/A
3. Configure the maximum bandwidth. | 802.11a: dot11a max-bandwidth 11a-bandwidth; 802.11b: dot11b max-bandwidth 11b-bandwidth; 802.11g: dot11g max-bandwidth 11g-bandwidth; 802.11n: dot11n max-bandwidth 11n-bandwidth | See the defaults below. The configured maximum bandwidth should be close to, but smaller than, the upper limit of the actual traffic.

By default:
The maximum bandwidth for 802.11a is kbps.
The maximum bandwidth for 802.11b is 7000 kbps.
The maximum bandwidth for 802.11g is kbps.
The maximum bandwidth for 802.11n is kbps.

NOTE: For a radio enabled with the intelligent bandwidth guarantee function, the modified maximum bandwidth takes effect only after you disable and then re-enable the radio.

WLAN RRM configuration examples

Configuring auto DFS

Network requirements
As shown in Figure 63, configure auto DFS on the AC, so that the AC can perform channel adjustment when the channel of AP 1 is unavailable.

Figure 63 Network diagram

Configuration procedure
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as channel-adjust, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid channel-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A045B05B.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A045B05B
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Enable auto DFS.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg calibrate-channel self-decisive
# Configure the auto DFS trigger parameters.
[AC-wlan-rrm] dot11bg crc-error-threshold 20
[AC-wlan-rrm] dot11bg interference-threshold 50
[AC-wlan-rrm] dot11bg tolerance-level

Verifying the configuration
You can use the display wlan ap { all | name apname } rrm-status command to display the channel information of the AP. When the channel is unavailable, the AC changes it, for example, from channel 1 to channel 6, after the calibration interval (configured with the dot11bg calibration-interval command; the default is 8 minutes). After the channel change, you can use the display wlan ap { all | name apname } rrm-history command to check the specific reason.

Configuring mesh auto DFS

Network requirements
As shown in Figure 64, configure mesh auto DFS on the AC, so that the AC can perform channel adjustment when the mesh channel between AP 1 and AP 2 is unavailable.

Figure 64 Network diagram

Configuration procedure
1. Configure mesh:
# Create WLAN mesh interface 1. Enable 11key negotiation, set a PSK, and set the port security mode of the interface to PSK mode.
<AC> system-view
[AC] interface wlan-mesh 1
[AC-wlan-mesh1] port-security tx-key-type 11key
[AC-wlan-mesh1] port-security preshared-key pass-phrase
[AC-wlan-mesh1] port-security port-mode psk
[AC-wlan-mesh1] quit
# Create mesh profile 1, and bind WLAN mesh interface 1 to it.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] bind wlan-mesh 1
[AC-wlan-mshp-1] quit
# Enable the MKD service.
[AC] mkd-service enable mesh-profile 1
# Set the mesh ID to outdoor for mesh profile 1, and enable the mesh profile.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] mesh-id outdoor
[AC-wlan-mshp-1] mesh-profile enable
[AC-wlan-mshp-1] quit
# A default mesh policy exists. You can also configure your own mesh policy; the default mesh policy is used in this example.
2. Configure AP 1:
# Create AP template ap1 of model WA2620X-AGNP, and configure its serial ID.
[AC] wlan ap ap1 model wa2620x-agnp
[AC-wlan-ap-ap1] serial-id A045B05B

# Create radio 1, specify channel 149, map mesh profile 1 to the radio, and then enable the radio.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] mesh-profile 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
# Enable the mesh portal service for the MPP.
[AC-wlan-ap-ap1] portal-service enable
[AC-wlan-ap-ap1] quit
3. Configure AP 2:
# Create AP template ap2 of model WA2620X-AGNP, and configure its serial ID.
[AC] wlan ap ap2 model wa2620x-agnp
[AC-wlan-ap-ap2] serial-id G007C
# Create radio 1, specify channel 149, map mesh profile 1 to the radio, and then enable the radio.
[AC-wlan-ap-ap2] radio 1 type dot11a
[AC-wlan-ap-ap2-radio-1] channel 149
[AC-wlan-ap-ap2-radio-1] mesh-profile 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
After the configuration, a mesh link is established between AP 1 and AP 2, and they can ping each other.
4. Configure mesh auto DFS:
# Enable mesh auto DFS.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] mesh calibrate-channel self-decisive

Verifying the configuration
Use the display wlan mesh calibrate-channel history command to view the channel adjustment history. When a trigger condition is met, the AC changes the channel, for example, from channel 149 to channel 153, after the calibration interval.

Configuring auto TPC

Network requirements
As shown in Figure 65, AP 1 through AP 3 are connected to the AC. Configure auto TPC on the AC and specify the maximum number of neighbors as 3. In this way, when AP 4 joins, the AC performs auto TPC.

Figure 65 Network diagram

Configuration procedure
# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as power-adjust, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid power-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A045B05B.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A045B05B
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
The configurations of the other APs are similar to that of AP 1 and are omitted.
# Enable auto TPC.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg calibrate-power self-decisive

# Specify the maximum number of neighbors, the power adjustment threshold, and the minimum transmission power.
[AC-wlan-rrm] dot11bg adjacency-factor 3
[AC-wlan-rrm] dot11bg calibrate-power threshold 65
[AC-wlan-rrm] dot11bg calibrate-power min 1

Verifying the configuration
When AP 4 joins, the number of neighbors reaches 3. Assume the signal strength of AP 4 is the third among all neighbors (AP 2, AP 3, and AP 4). AP 4 thus becomes the neighbor AP that performs power detection. If AP 4 detects that the power of AP 1 is -90 dBm, which is lower than the power adjustment threshold of -80 dBm, AP 1 increases its transmission power. If AP 4 detects that the power of AP 1 is -70 dBm, which is higher than the power adjustment threshold of -80 dBm, AP 1 decreases its transmission power. You can use the display wlan ap { all | name apname } rrm-status command to check the adjusted power (TxPower). The adjusted power of AP 1 cannot be lower than the minimum transmission power (1 dBm in this example).

Configuring a radio group

Network requirements
As shown in Figure 66, AP 1 through AP 3 are connected to the AC.
- Configure auto DFS so that the AC can automatically switch the working channel of an AP when the signal quality on that channel degrades to a certain level.
- Configure auto TPC so that the AC can automatically adjust the power of an AP when the third neighbor of that AP is discovered (in other words, when AP 4 joins).
- Add radio 1 of AP 1 and radio 1 of AP 2 to a radio group to prevent frequent channel and power adjustments.

Figure 66 Network diagram

Configuration procedure
# Create a WLAN ESS interface.

<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as rrm-adjust, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid rrm-adjust
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, specify its model as WA2100, and specify its serial ID as A045B05B.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A045B05B
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# The configurations of the other APs are similar to that of AP 1 and are omitted.
# Enable auto DFS and auto TPC.
[AC] wlan rrm
[AC-wlan-rrm] dot11bg calibrate-channel self-decisive
[AC-wlan-rrm] dot11bg calibrate-power self-decisive
# Configure the auto DFS trigger parameters (optional, because the parameters have default values).
[AC-wlan-rrm] dot11bg crc-error-threshold 20
[AC-wlan-rrm] dot11bg interference-threshold 50
[AC-wlan-rrm] dot11bg tolerance-level 20
# Configure the auto TPC trigger parameter, the adjacency factor (optional, because the parameter has a default value).
[AC-wlan-rrm] dot11bg adjacency-factor 3
[AC-wlan-rrm] quit
# Create radio group 1.
[AC] wlan rrm-calibration-group 1
# Add radio 1 of AP 1 and radio 1 of AP 2 to the radio group.
[AC-wlan-rc-group-1] ap ap1 radio 1
[AC-wlan-rc-group-1] ap ap2 radio 1
# Set the channel holddown time to 20 minutes.
[AC-wlan-rc-group-1] channel holddown-time 20
# Set the power holddown time to 30 minutes.
[AC-wlan-rc-group-1] power holddown-time

Verifying the configuration
The working channels of radio 1 of AP 1 and radio 1 of AP 2 do not change within 20 minutes after each automatic channel adjustment. The power of radio 1 of AP 1 and radio 1 of AP 2 does not change within 30 minutes after each automatic power adjustment.

Load balancing configuration examples

Configuring session-mode load balancing

Network requirements
As shown in Figure 67, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2. Configure session-mode load balancing on the AC: the threshold (the maximum number of sessions) is 5 and the maximum load gap is 4.

Figure 67 Network diagram

Configuration procedure
# Enable session-mode load balancing, and configure the maximum number of sessions and the maximum load gap as 5 and 4 respectively.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] load-balance session 5 gap 4
[AC-wlan-rrm] quit
# Create a WLAN ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit

# Create service template 1 of clear type, configure its SSID as session-balance, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid session-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2 with model WA2100, and configure the serial ID of AP 2 as A29G007C.
<AC> system-view
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A29G007C
[AC-wlan-ap-ap2] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] channel 1
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return

Verifying the configuration
Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. The number of clients associated with AP 2 has reached 5, and the load gap between AP 2 and AP 1 has reached 4, so Client 7 is associated with AP 1.

Configuring traffic-mode load balancing

Network requirements
As shown in Figure 68, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2. Configure traffic-mode load balancing on the AC: the traffic threshold is 10% and the maximum load gap is 40%.

Figure 68 Network diagram

Configuration procedure
# Enable traffic-mode load balancing, and configure the traffic threshold and the maximum load gap as 10% and 40% respectively.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] load-balance traffic 10 gap 40
[AC-wlan-rrm] quit
# Create interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as traffic-balance, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid traffic-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1 with model WA2100, and configure the serial ID of AP 1 as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return

# Create an AP template named ap2 with model WA2100, and configure the serial ID of AP 2 as A29G007C.
<AC> system-view
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A29G007C
[AC-wlan-ap-ap2] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return

Verifying the configuration
Client 1 and Client 2 are associated with AP 1. When the maximum traffic threshold and the load gap are reached on AP 1, Client 3 is associated with AP 2.

Configuring group-based session-mode load balancing

Network requirements
As shown in Figure 69, all APs operate in 802.11g mode. Client 1 is associated with AP 1, Client 2 through Client 6 are associated with AP 2, and no client is associated with AP 3. Configure session-mode load balancing on the AC: the maximum number of sessions is 5 and the maximum session gap is 4. Session-mode load balancing is required on only radio 1 of AP 1 and radio 1 of AP 2, so add them to a load balancing group.

Figure 69 Network diagram

Configuration procedure
1. Configure APs on the AC:
# Create a WLAN ESS interface.
<AC> system-view

[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as session-balance, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid session-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, specify its model as WA2100, and specify its serial ID as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2, specify its model as WA2100, and specify its serial ID as A29G007C.
<AC> system-view
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A29G007C
[AC-wlan-ap-ap2] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
# Create an AP template named ap3, specify its model as WA2100, and specify its serial ID as A29G007C.
<AC> system-view
[AC] wlan ap ap3 model WA2100
[AC-wlan-ap-ap3] serial-id A29G007C
[AC-wlan-ap-ap3] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 3.
[AC-wlan-ap-ap3-radio-1] service-template 1
[AC-wlan-ap-ap3-radio-1] radio enable
[AC-wlan-ap-ap3-radio-1] quit
[AC-wlan-ap-ap3] quit
2. Configure the load balancing mode:
# Enable session-mode load balancing, and configure the maximum number of sessions and the maximum load gap as 5 and 4 respectively.
[AC] wlan rrm
[AC-wlan-rrm] load-balance session 5 gap 4
[AC-wlan-rrm] quit

3. Configure group-based session-mode load balancing:
# Create load balancing group 1.
[AC] wlan load-balance-group 1
# Add radio 1 of AP 1 and radio 1 of AP 2 to the load balancing group.
[AC-wlan-lb-group-1] ap ap1 radio 1
[AC-wlan-lb-group-1] ap ap2 radio 1

Verifying the configuration
Radio 1 of AP 1 and radio 1 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Load balancing takes effect only on radios in a load balancing group, so AP 3 does not take part in load balancing. Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 1 of AP 2 has reached 5, and the load gap between AP 2 and AP 1 has reached 4, so Client 7 is associated with AP 1.

Configuring group-based traffic-mode load balancing

Network requirements
As shown in Figure 70, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2 or AP 3. Configure traffic-mode load balancing on the AC: the traffic threshold is 10% and the maximum traffic gap is 40%. Traffic-mode load balancing is required on only radio 1 of AP 1 and radio 1 of AP 2.

Figure 70 Network diagram

Configuration procedure
1. Configure APs on the AC:

# Create a WLAN ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as traffic-balance, and bind WLAN-ESS1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid traffic-balance
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, specify its model as WA2100, and specify its serial ID as A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Create an AP template named ap2, specify its model as WA2100, and specify its serial ID as A29G007C.
<AC> system-view
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A29G007C
[AC-wlan-ap-ap2] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 2.
[AC-wlan-ap-ap2-radio-1] service-template 1
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] quit
[AC-wlan-ap-ap2] quit
# Create an AP template named ap3, specify its model as WA2100, and specify its serial ID as A29G007C.
<AC> system-view
[AC] wlan ap ap3 model WA2100
[AC-wlan-ap-ap3] serial-id A29G007C
[AC-wlan-ap-ap3] radio 1 type dot11g
# Bind service template 1 to radio 1 of AP 3.
[AC-wlan-ap-ap3-radio-1] service-template 1
[AC-wlan-ap-ap3-radio-1] radio enable
[AC-wlan-ap-ap3-radio-1] quit
[AC-wlan-ap-ap3] quit
2. Configure the load balancing mode:
# Enable traffic-mode load balancing, and configure the traffic threshold and the maximum load gap as 10% and 40% respectively.
[AC] wlan rrm

[AC-wlan-rrm] load-balance traffic 10 gap 40
[AC-wlan-rrm] quit
3. Configure group-based traffic-mode load balancing:
# Create load balancing group 1.
[AC] wlan load-balance-group 1
# Add radio 1 of AP 1 and radio 1 of AP 2 to the load balancing group.
[AC-wlan-lb-group-1] ap ap1 radio 1
[AC-wlan-lb-group-1] ap ap2 radio 1

Verifying the configuration
Radio 1 of AP 1 and radio 1 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Load balancing takes effect only on radios in a load balancing group, so AP 3 does not take part in load balancing. Assume Client 3 wants to associate with AP 1. When the maximum traffic threshold and the load gap are reached on radio 1 of AP 1, Client 3 is associated with AP 2.

Band navigation configuration example

Network requirements
As shown in Figure 71, Client 1 through Client 4 try to associate to AP 1, whose two radios operate at 5 GHz and 2.4 GHz respectively. Client 1, Client 2, and Client 3 are dual-band clients, and Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different radios of the AP.

Figure 71 Network diagram

Configuration procedure
# Enable band navigation on the AC.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] band-navigation enable
[AC-wlan-rrm] quit
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1

[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as band-navigation, and bind the WLAN-ESS interface to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid band-navigation
[AC-wlan-st-1] bind wlan-ess 1
# Disable fast association (by default, fast association is disabled).
[AC-wlan-st-1] undo fast-association enable
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, specify its model as WA2620E-AGN, and specify its serial ID as A29G007C.
[AC] wlan ap ap1 model WA2620E-AGN
[AC-wlan-ap-ap1] serial-id A29G007C
# Enable band navigation for AP 1 (by default, band navigation is enabled).
[AC-wlan-ap-ap1] band-navigation enable
# Bind service template 1 to radio 1 of AP 1.
[AC-wlan-ap-ap1] radio 1 type dot11an
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] quit
# Bind service template 1 to radio 2 of AP 1.
[AC-wlan-ap-ap1] radio 2 type dot11gn
[AC-wlan-ap-ap1-radio-2] service-template 1
[AC-wlan-ap-ap1-radio-2] radio enable
[AC-wlan-ap-ap1-radio-2] return
# Configure the band navigation load balancing session threshold as 2 and the session gap as 1.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] band-navigation balance session 2 gap 1

Verifying the configuration
Client 1 and Client 2 are associated to the 5 GHz radio of AP 1, and Client 4 can only be associated to the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper limit of 2, and the gap between the number of clients on the 5 GHz radio and on the 2.4 GHz radio has reached the session gap of 1, Client 3 is associated to the 2.4 GHz radio of AP 1.
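The association decisions in the load balancing examples above (session mode, traffic mode, and group-based) and in this band navigation example all follow one rule: a radio turns a client away only when its own load has reached the threshold and the gap to the lightest peer has reached the configured gap. The following added Python example, which is not code from the guide or from H3C, replays that rule on constructed radios; the traffic percentages and the modelling of a declined client as moving to the lightest peer are assumptions.

```python
"""Added example, not code from the H3C guide: the admission decisions behind
session-mode and traffic-mode load balancing, load balancing groups, and band
navigation, replayed on constructed sample radios."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Radio:
    ap: str
    radio: int
    band_ghz: float
    sessions: int = 0                # associated clients
    traffic_pct: float = 0.0         # percent of the radio's maximum bandwidth in use
    lb_group: Optional[int] = None   # load balancing group id, None = in no group

    def load(self, mode: str) -> float:
        return self.sessions if mode == "session" else self.traffic_pct


def over_limit(radio: Radio, peers: List[Radio], mode: str,
               threshold: float, gap: float) -> bool:
    """True when `radio` must turn a new client away: its load has reached
    `threshold` AND it exceeds the lightest peer by at least `gap`, as in
    'load-balance session 5 gap 4'. A radio with no peers is never over limit."""
    if not peers or radio.load(mode) < threshold:
        return False
    lightest = min(p.load(mode) for p in peers)
    return radio.load(mode) - lightest >= gap


def peers_of(radio: Radio, all_radios: List[Radio]) -> Optional[List[Radio]]:
    """Radios `radio` is balanced against, or None if it is exempt. Once any
    load balancing group exists only grouped radios take part, each compared
    with the other members of its own group (AP 3 in Figures 69 and 70 is
    therefore never balanced). Without groups every radio on the AC is a peer."""
    others = [r for r in all_radios if r is not radio]
    if any(r.lb_group is not None for r in all_radios):
        if radio.lb_group is None:
            return None
        return [r for r in others if r.lb_group == radio.lb_group]
    return others


def associate(preferred: Radio, all_radios: List[Radio], mode: str,
              threshold: float, gap: float) -> Radio:
    """Radio a client ends up on after trying `preferred` first. The AC only
    declines the association on an overloaded radio and the client then moves
    to another AP; sending it to the lightest peer models that outcome."""
    peers = peers_of(preferred, all_radios)
    if peers is None or not over_limit(preferred, peers, mode, threshold, gap):
        return preferred
    return min(peers, key=lambda r: r.load(mode))


def band_navigate(radio_5g: Radio, radio_24g: Radio, dual_band: bool,
                  threshold: int, gap: int) -> Radio:
    """'band-navigation balance session <threshold> gap <gap>': a dual-band
    client goes to 5 GHz unless that radio is over limit versus 2.4 GHz; a
    single-band (2.4 GHz) client can only use the 2.4 GHz radio."""
    if not dual_band:
        return radio_24g
    if over_limit(radio_5g, [radio_24g], "session", threshold, gap):
        return radio_24g
    return radio_5g


def replay_examples() -> dict:
    """Constructed scenarios mirroring the verification steps of Figures 67 to 71."""
    out = {}
    # Session mode: Client 1 on AP 1, Clients 2 to 6 on AP 2; session 5 gap 4.
    ap1 = Radio("ap1", 1, 2.4, sessions=1)
    ap2 = Radio("ap2", 1, 2.4, sessions=5)
    out["session_client7"] = associate(ap2, [ap1, ap2], "session", 5, 4).ap
    # Traffic mode: two busy clients on AP 1, AP 2 idle; traffic 10 gap 40.
    # The utilisation figures are constructed; the guide gives none.
    ap1 = Radio("ap1", 1, 2.4, traffic_pct=55.0)
    ap2 = Radio("ap2", 1, 2.4, traffic_pct=10.0)
    out["traffic_client3"] = associate(ap1, [ap1, ap2], "traffic", 10, 40).ap
    # Group based: ap1 and ap2 in group 1, ap3 in no group.
    ap1 = Radio("ap1", 1, 2.4, sessions=1, lb_group=1)
    ap2 = Radio("ap2", 1, 2.4, sessions=5, lb_group=1)
    ap3 = Radio("ap3", 1, 2.4, sessions=5)
    out["group_client7"] = associate(ap2, [ap1, ap2, ap3], "session", 5, 4).ap
    out["group_ap3_exempt"] = associate(ap3, [ap1, ap2, ap3], "session", 5, 4).ap
    # Band navigation: Clients 1 and 2 on 5 GHz, Client 4 on 2.4 GHz; session 2 gap 1.
    r5 = Radio("ap1", 1, 5.0, sessions=2)
    r24 = Radio("ap1", 2, 2.4, sessions=1)
    out["nav_client3"] = band_navigate(r5, r24, True, 2, 1).band_ghz
    out["nav_client4"] = band_navigate(r5, r24, False, 2, 1).band_ghz
    return out


if __name__ == "__main__":
    for name, result in replay_examples().items():
        print(name, result)
```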

Configuring WLAN IDS

802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients, ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise security. A wireless intrusion detection system (WIDS) is used for the early detection of malicious attacks and intrusions on a wireless network. A wireless intrusion prevention system (WIPS) helps to protect enterprise networks and users from unauthorized wireless access. The rogue detection feature is a part of the WIDS/WIPS solution; it detects the presence of rogue devices in a WLAN network and takes countermeasures to prevent rogue devices from operating.

Terminology

WLAN intrusion detection system: WLAN IDS is designed to be deployed in an area covered by an existing wireless network. It aids in the detection of malicious outsider attacks and intrusions via the wireless network.
Rogue AP: An unauthorized or malicious access point on the network, such as an AP set up by an employee, a misconfigured AP, a neighbor's AP, or an AP operated by an attacker. Because it is not authorized, any vulnerability on the AP gives an attacker a chance to compromise your network security.
Rogue client: An unauthorized or malicious client on the network.
Rogue wireless bridge: An unauthorized wireless bridge on the network.
Monitor AP: An AP that scans or listens to frames to detect wireless attacks in the network.
Ad hoc mode: Sets the working mode of a wireless client to ad hoc. An ad hoc terminal can communicate directly with other stations without support from any other device.
Passive scanning: In passive scanning, a monitor AP listens to all the frames over the air on that channel.
Active scanning: In active scanning, a monitor AP, besides listening to all frames, sends a broadcast probe request and receives all probe response messages on that channel. Each AP in the vicinity of the monitor AP replies to the probe request.
This helps identify all authorized and unauthorized APs by processing probe response frames. The monitor AP masquerades as a client when sending the probe request.

Rogue detection

Detecting rogue devices
Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a WLAN network based on pre-configured rules. Rogue detection can detect different types of devices in a WLAN network, for example, rogue APs, rogue clients, rogue wireless bridges, and ad hoc terminals.

Taking countermeasures against rogue device attacks
You can enable the countermeasures function on a monitor AP. The monitor AP downloads an attack list from the AC and takes countermeasures against the rogue devices based on the configured countermeasures mode.

For example, if the countermeasures mode is config, the monitor AP takes countermeasures against only the rogue devices in the static attack list. It sends fake de-authentication frames using the MAC addresses of the rogue devices to remove them from the network.

Functionalities supported
The rogue detection feature supports the following functionalities:
- RF monitoring in different channels
- Rogue AP detection
- Rogue client detection
- Ad hoc network detection
- Wireless bridge detection
- Countermeasures against rogue devices, clients, and ad hoc networks

WIDS attack detection
The WIDS attack detection function detects intrusions or attacks on a WLAN network and informs the network administrator of the attacks by recording information or sending logs. At present, WIDS attack detection supports detection of the following attacks:
- Flood attack
- Spoofing attack
- Weak IV attack

Flood attack detection
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices are overwhelmed and consequently unable to serve normal clients. WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:
- Authentication requests and de-authentication requests
- Association requests, disassociation requests, and reassociation requests
- Probe requests
- Null data frames
- Action frames

Spoofing attack detection
In this kind of attack, a potential attacker can send frames over the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and works normally.
In this case, a spoofed de-authentication frame can cause the client to be de-authenticated from the network and can affect the normal operation of the WLAN. At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.
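The flood attack detection and spoofing attack detection behaviour described above, as an added Python example that is not code from the guide or from H3C: per-device, per-kind frame density is tracked over a sliding window, a device over the limit is logged and placed on a dynamic blacklist that expires, and a broadcast de-authentication or disassociation frame carrying a managed AP's address is logged as spoofed. The frame record layout, the limit of 20 frames per second per device, the 300-second blacklist period, and all MAC addresses are constructed assumptions; the guide gives no thresholds.

```python
"""Added example, not H3C code: the flood attack and spoofing attack checks
described above, run offline over a constructed frame capture. The Frame
layout, the rate limit and the blacklist duration are assumptions; the real
AC's thresholds are not given in the guide."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Tuple

# Frame kinds the guide lists for flood detection.
FLOOD_TYPES = {"auth", "deauth", "assoc-req", "disassoc", "reassoc-req",
               "probe-req", "null-data", "action"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame(NamedTuple):
    t: float       # capture time in seconds
    src: str       # transmitter address
    dst: str       # receiver address
    subtype: str   # one of FLOOD_TYPES or another 802.11 subtype


class Wids:
    def __init__(self, ap_bssids: List[str], limit: int = 20,
                 window: float = 1.0, blacklist_seconds: float = 300.0,
                 dynamic_blacklist: bool = True) -> None:
        self.ap_bssids = set(ap_bssids)       # BSSIDs of the APs this AC manages
        self.limit = limit                    # frames of one kind per window per device
        self.window = window
        self.blacklist_seconds = blacklist_seconds
        self.dynamic_blacklist = dynamic_blacklist
        self.history: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}  # src -> expiry time
        self.log: List[Tuple[str, str, str, float]] = []

    def is_blacklisted(self, src: str, now: float) -> bool:
        """Entries expire: the device is only kept off the WLAN for a period."""
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]
            return False
        return True

    def check_flood(self, f: Frame) -> None:
        """Track per-device, per-kind frame density over a sliding window."""
        if f.subtype not in FLOOD_TYPES:
            return
        recent = self.history[(f.src, f.subtype)]
        recent.append(f.t)
        while recent and f.t - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.limit and not self.is_blacklisted(f.src, f.t):
            self.log.append(("flood", f.src, f.subtype, f.t))
            if self.dynamic_blacklist:
                self.blacklist[f.src] = f.t + self.blacklist_seconds

    def check_spoof(self, f: Frame) -> None:
        """The guide's rule: a broadcast de-authentication or disassociation
        frame sent in the name of a managed AP is treated as spoofed."""
        if (f.subtype in ("deauth", "disassoc") and f.dst == BROADCAST
                and f.src in self.ap_bssids):
            self.log.append(("spoof", f.src, f.subtype, f.t))

    def process(self, frames: List[Frame]) -> List[Tuple[str, str, str, float]]:
        for f in sorted(frames, key=lambda x: x.t):
            self.check_flood(f)
            self.check_spoof(f)
        return self.log


AP1_BSSID = "00:11:22:aa:bb:01"   # constructed address of a managed AP


def sample_frames() -> List[Frame]:
    """Constructed capture: one client bursting 25 probe requests in half a
    second, a normal association request, and a broadcast de-authentication
    forged with AP 1's address."""
    frames = [Frame(i * 0.02, "02:00:00:00:00:99", BROADCAST, "probe-req")
              for i in range(25)]
    frames.append(Frame(0.60, "02:00:00:00:00:10", AP1_BSSID, "assoc-req"))
    frames.append(Frame(0.70, AP1_BSSID, BROADCAST, "deauth"))
    return frames


def run_sample() -> Wids:
    wids = Wids(ap_bssids=[AP1_BSSID])
    wids.process(sample_frames())
    return wids


if __name__ == "__main__":
    w = run_sample()
    for entry in w.log:
        print(entry)
    print("blacklisted:", sorted(w.blacklist))
```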

Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a key are used to generate a key stream, so that encryptions using the same key have different results. When a WEP frame is sent, the IV used to encrypt the frame is also sent as part of the frame header. However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the shared secret key may be exposed to a potential attacker. When the shared secret key is compromised, the attacker can access network resources. Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is immediately logged.

WLAN IDS configuration task list
Task | Description
Configuring AP operating mode | Required
Configuring rogue device detection: Configuring rogue device detection; Taking countermeasures against attacks from detected rogue devices; Displaying and maintaining rogue detection | Optional
Configuring IDS attack detection: Configuring IDS attack detection; Displaying and maintaining IDS attack detection | Optional

Configuring AP operating mode
A WLAN consists of various APs that span across the building, offering WLAN services to the clients. The administrator may want some of these APs to detect rogue devices. The administrator can configure an AP to operate in any of three modes: normal, monitor, and hybrid.
- In normal mode, an AP provides WLAN data services but does not perform any scanning.
- In monitor mode, an AP scans all frames in the WLAN but cannot provide WLAN services.
- In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.
To configure the AP operating mode:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter AP template view. | wlan ap ap-name model model-name | N/A

Step | Command | Remarks
3. Configure the AP operating mode as monitor. | work-mode monitor | Use either command. By default, the AP operating mode is normal. When an AP has its operating mode changed from normal to monitor, it does not restart. When an AP has its operating mode changed from monitor to normal, it restarts.
4. Configure the AP operating mode as hybrid. | device-detection enable | (Same remarks as step 3.)

NOTE: If the AP operates in hybrid mode, configure a service template so that the AP can provide WLAN service while scanning devices. If the AP operates in monitor mode, the AP cannot provide WLAN service, and you do not need to configure a service template.

Configuring rogue device detection

Configuring rogue device detection

Configuring detection rules
Configuring detection rules means configuring rogue device classification rules. An AC classifies devices as either rogues or friends based on the configured classification rules.
Check whether an AP is a rogue.

Figure 72 Checking whether an AP is a rogue AP
The figure shows the following decision sequence:
1. Static attack list: if the AP's MAC address is in the list, the AP is an illegal AP (rogue). If the address is not in the list or the list is not configured, continue.
2. Permitted MAC address list: if the AP's MAC address is in the list, the AP is a legal AP (friend). If the address is not in the list or the list is not configured, continue.
3. Permitted SSID list: if the AP's SSID does not exist in the list, the AP is a rogue. If the SSID exists in the list or the list is not configured, continue.
4. Permitted vendor list: if the AP's vendor does not exist in the list, the AP is a rogue. If the vendor exists in the list or the list is not configured, the AP is a legal AP (friend).
Check whether a client is a rogue.

Figure 73 Checking whether a client is a rogue

Check whether an ad hoc network or a wireless bridge is a rogue.

Figure 74 Checking whether an ad hoc network or a wireless bridge is a rogue
(Flow chart: the ad hoc network or wireless bridge is checked against the static attack list and the permitted MAC address list, and is classified as a legal (friend) or an illegal (rogue) ad hoc network or wireless bridge.)

To configure the rules:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Add the MAC address of a client or AP to the permitted MAC address list.
   Command: device permit mac-address mac-address
   Remarks: By default, the permitted MAC address list is empty.
4. Add an SSID to the permitted SSID list.
   Command: device permit ssid ssid
   Remarks: By default, the permitted SSID list is empty.
5. Add a vendor ID to the permitted vendor list.
   Command: device permit vendor vendor
   Remarks: By default, the permitted vendor list is empty.

Configuring the device expiry timer

This task sets the expiry interval for device entries in the detected device list. If a device in the list is not detected again within this interval, its entry is removed from the detected list; if the removed entry is that of a rogue, it is moved to the rogue history table.

To configure the device expiry timer:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Configure the device expiry timer.
   Command: device aging-duration duration
   Remarks: By default, the aging duration is 600 seconds.

Taking countermeasures against attacks from detected rogue devices

Configuring the rules

You can configure a device as a rogue by adding its MAC address to the static attack list.

To configure the rules:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Add the MAC address of a client or AP to the static attack list.
   Command: device attack mac-address mac-address
   Remarks: By default, the static attack list is empty.

Configuring the countermeasures mode

The countermeasures mode controls which devices countermeasures are taken against. Depending on the configuration, monitor APs can take countermeasures against the devices present in the static attack list,

all rogue devices, only rogue APs, or only ad hoc clients. Countermeasures are not taken against wireless bridges even if they are classified as rogues.

To configure the countermeasures mode:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Configure the countermeasures mode.
   Command: countermeasures mode { all | { rogue | adhoc | config } * }
   Remarks: By default, the countermeasures mode is config, that is, countermeasures are taken against the devices in the static attack list.
4. Enable the countermeasures function.
   Command: countermeasures enable
   Remarks: Disabled by default.

If you want to configure the countermeasures mode as config, use the device attack mac-address command to configure the static attack list first.

Displaying and maintaining rogue detection

Task: Display attack list information.
Command: display wlan ids attack-list { config | all | ap ap-name } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display detected entities.
Command: display wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the history of attacks detected in the WLAN system.
Command: display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the list of permitted MAC addresses, the list of permitted SSIDs, or the list of permitted vendor OUIs.
Command: display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear the list of detected entities in the WLAN.
Command: reset wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address }
Remarks: Available in user view.

Task: Clear all entries from the rogue history list.
Command: reset wlan ids rogue-history
Remarks: Available in user view.
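The weak IV check described at the start of this chapter (and enabled below with attack-detection enable weak-iv) can be illustrated with an added example that is not H3C code: it parses the WEP IV field out of 802.11 data frames and raises an alert when a transmitter reuses an IV, the "fixed IV" case the text names. The guide does not define which IVs the AC itself classifies as weak, so per-transmitter IV reuse is the constructed criterion here, and the frames and MAC addresses are constructed test data.

```python
from collections import defaultdict

# Added example (not H3C code): extract the WEP IV from 802.11 data frames
# and flag IV reuse by a transmitter. The AC's own weak-IV criterion is not
# given in the guide; reuse per transmitter is the constructed criterion here.

FC_TYPE_DATA = 2        # frame control "type" field value for data frames
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40   # "Protected Frame" bit: the body starts with the WEP IV field


def parse_wep_frame(frame: bytes):
    """Return (transmitter, iv_hex, key_id) for a WEP-protected data frame, else None.

    Handles the two header-length variants that matter: a fourth address when
    both ToDS and FromDS are set, and the 2-byte QoS Control field of QoS Data
    subtypes (subtype bit 3, i.e. 0x80 in the first frame-control byte).
    """
    if len(frame) < 2:
        return None
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != FC_TYPE_DATA or not flags & FLAG_PROTECTED:
        return None                      # management/control frame, or not WEP
    hdr_len = 24
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        hdr_len += 6                     # Address 4 present
    if fc & 0x80:
        hdr_len += 2                     # QoS Control present
    if len(frame) < hdr_len + 4:
        return None                      # too short to carry the 4-byte IV field
    transmitter = frame[10:16].hex("-")  # Address 2 is always the transmitter
    iv_field = frame[hdr_len:hdr_len + 4]
    iv = iv_field[:3].hex()              # 24-bit IV, sent in the clear
    key_id = iv_field[3] >> 6            # key index lives in the top two bits
    return transmitter, iv, key_id


class WeakIvDetector:
    """Counts the IVs each transmitter has used and logs a reused IV as weak."""

    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(int))   # ta -> iv -> count
        self.alerts = []

    def inspect(self, frame: bytes):
        parsed = parse_wep_frame(frame)
        if parsed is None:
            return None
        ta, iv, key_id = parsed
        self.seen[ta][iv] += 1
        if self.seen[ta][iv] > 1:
            alert = (f"weak IV: {ta} reused IV {iv} with key id {key_id} "
                     f"({self.seen[ta][iv]} frames)")
            self.alerts.append(alert)    # the AC logs such a frame immediately
            return alert
        return None


def build_wep_frame(ta: bytes, iv: int, key_id: int = 0,
                    body: bytes = b"\x00" * 16) -> bytes:
    """Constructed test frame: non-QoS data frame, ToDS + Protected, WEP IV field."""
    bssid = bytes.fromhex("000fe2000001")        # constructed BSSID (Address 1 with ToDS)
    dest = bytes.fromhex("ffffffffffff")
    header = (bytes([0x08, FLAG_TO_DS | FLAG_PROTECTED]) + b"\x00\x00"
              + bssid + ta + dest + b"\x00\x00")
    iv_field = iv.to_bytes(3, "big") + bytes([key_id << 6])
    return header + iv_field + body + b"\x00" * 4   # body + ICV placeholder


def scan(frames):
    """Run the detector over a sequence of frames and return the alerts raised."""
    detector = WeakIvDetector()
    for frame in frames:
        detector.inspect(frame)
    return detector.alerts


if __name__ == "__main__":
    sta = bytes.fromhex("000fe2aabb01")          # constructed client MAC
    for line in scan([build_wep_frame(sta, 0x000001), build_wep_frame(sta, 0x000002),
                      build_wep_frame(sta, 0x000001)]):
        print(line)
```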

Configuring IDS attack detection

Configuring IDS attack detection

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A
3. Enable IDS attack detection.
   Command: attack-detection enable { all | flood | weak-iv | spoof }
   Remarks: Disabled by default.

Displaying and maintaining IDS attack detection

Task: Display all the attacks detected by WLAN IDS IPS.
Command: display wlan ids history [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the count of attacks detected by WLAN IDS IPS.
Command: display wlan ids statistics [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear the history of attacks detected by the WLAN system.
Command: reset wlan ids history
Remarks: Available in user view.

Task: Clear the statistics of attacks detected in the WLAN system.
Command: reset wlan ids statistics
Remarks: Available in user view.

WLAN IDS configuration example

Network requirements

As shown in Figure 75, a monitor AP (AP2, with serial ID A29G007C000020) and AP1 (serial ID A29G007C000021) are connected to an AC through a Layer 2 switch. AP1 operates in normal mode and only provides WLAN services. AP2 operates in monitor mode and detects rogue devices. Client 1 (MAC address 000f-e ), Client 2 (MAC address 000f-e ), and Client 3 (MAC address 000f-e ) are connected to AP1. Client 4 (MAC address 000f-e e) is considered a rogue.

Figure 75 Network diagram

Configuration procedure

# Create a WLAN-ESS interface.
<AC> system-view
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create service template 1 of clear type, configure its SSID as normal, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid normal
[AC-wlan-st-1] bind wlan-ess 1
# Configure the authentication method as open-system, and enable service template 1.
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure AP1 to operate in normal mode and provide WLAN service only.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Configure the radio type as 802.11g, bind service template 1 to the radio, and enable the radio.
[AC-wlan-ap-ap1] radio 1 type dot11g
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
# Configure AP2 to operate in monitor mode. It only scans for rogue devices and does not provide access services.
[AC] wlan ap ap2 model WA2100
[AC-wlan-ap-ap2] serial-id A29G007C
[AC-wlan-ap-ap2] work-mode monitor
# Configure the radio type as 802.11g, and enable the radio.

[AC-wlan-ap-ap2] radio 1 type dot11g
[AC-wlan-ap-ap2-radio-1] radio enable
[AC-wlan-ap-ap2-radio-1] return
# Configure IDS rules to allow Client 1, Client 2, and Client 3 to connect to the WLAN and use the WLAN services provided by AP1.
<AC> system-view
[AC] wlan ids
[AC-wlan-ids] device permit mac-address 000f-e
[AC-wlan-ids] device permit mac-address 000f-e
[AC-wlan-ids] device permit mac-address 0015-e
# Configure Client 4 as a rogue client, configure the countermeasures mode, and enable countermeasures.
[AC-wlan-ids] device attack mac-address 0015-e e
[AC-wlan-ids] countermeasures mode config
[AC-wlan-ids] countermeasures enable

Configuring WLAN IDS frame filtering

Overview

Frame filtering is a feature of 802.11 MAC and a sub-feature of WLAN IDS. An access controller maintains a white list (permitted entries), a static blacklist (denied entries), and a dynamic blacklist (denied entries that are added when WLAN IDS detects flood attacks). You can configure the white list and the static blacklist through the CLI. You can use the blacklist and white list functions to filter frames from WLAN clients and implement client access control.

WLAN client access control is accomplished through the following three types of lists:

White list: Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only the permitted clients can access the WLAN, and all frames from other clients are discarded.
Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is configured manually.
Dynamic blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. A client is added to the list dynamically if it is considered to be sending attack frames, and stays there until the timer of its entry expires.

A dynamic blacklist can collaborate with ARP detection. When ARP detection detects an attack, the MAC addresses of the attackers are added to the dynamic blacklist. For more information about ARP detection, see Security Configuration Guide.

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame by following these rules:

1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there is a match, the frame is considered valid and is further processed.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in either of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and is further processed.
The static blacklist and white list configured on the AC apply to all APs connected to the AC; the dynamic blacklist applies only to the APs that received the attack packets.

Figure 76 Frame filtering

In the topology, three APs are connected to an AC. White list and static blacklist entries are configured on the AC, which sends all the entries to the APs. If the MAC address of a station, Client 1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present in the white list, it can access any of the APs, and other clients cannot access any of the APs. The dynamic blacklist function is enabled on the AC. If AP 1 receives attack frames from Client 1, a dynamic blacklist entry is generated, and Client 1 cannot associate with AP 1, but can still associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic blacklist entry is generated.

Configuring WLAN IDS frame filtering

WLAN IDS frame filtering configuration involves white list configuration, blacklist configuration, and dynamic blacklist feature configuration. The maximum number of static blacklist, dynamic blacklist, and white list entries depends on your device model. For more information, see About the WX Series Access Controllers Configuration Guides.

In WLAN IDS view, you can configure the static blacklist and the white list, enable the dynamic blacklist feature, and configure the lifetime for dynamic entries.

Only entries present in the white list are permitted. You can add entries to or delete entries from the list.
Entries present in the static blacklist are denied.
Whenever WLAN IDS detects a flood attack, the attacking device is added to the dynamic blacklist. You can set a lifetime in seconds for dynamic blacklist entries. After the lifetime of an entry expires, the entry is removed from the dynamic blacklist. If a flood attack from the device is detected again before the lifetime expires, the entry is refreshed.

To configure WLAN IDS frame filtering:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN IDS view.
   Command: wlan ids
   Remarks: N/A

3. Add an entry to the white list.
   Command: whitelist mac-address mac-address
   Remarks: Optional.
4. Add an entry to the static blacklist.
   Command: static-blacklist mac-address mac-address
   Remarks: Optional.
5. Enable the dynamic blacklist feature.
   Command: dynamic-blacklist enable
   Remarks: By default, the dynamic blacklist feature is disabled.
6. Configure the lifetime for dynamic blacklist entries.
   Command: dynamic-blacklist lifetime lifetime
   Remarks: By default, the lifetime is 300 seconds.

Displaying and maintaining WLAN IDS frame filtering

Task: Display blacklist entries.
Command: display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display white list entries.
Command: display wlan whitelist [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear dynamic blacklist entries.
Command: reset wlan dynamic-blacklist { mac-address mac-address | all }
Remarks: Available in user view.

WLAN IDS frame filtering configuration example

Network requirements

As shown in Figure 77, an AC is connected to a Layer 2 switch. AP 1 and AP 2 are connected to the AC through the Layer 2 switch. Client 1 (MAC address f-1211) is a rogue client. To ensure WLAN security, add the MAC address of Client 1 to the blacklist on the AC to prevent it from accessing the wireless network through any AP.

Figure 77 Network diagram

Configuration procedure

# Add the MAC address f-1211 of Client 1 to the static blacklist.
<AC> system-view
[AC] wlan ids
[AC-wlan-ids] static-blacklist mac-address f-1211

After the configuration, Client 1 cannot access AP 1 or AP
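The frame-processing rules 1 to 4 from the overview, together with the AC-wide scope of the static lists and the per-AP scope of the dynamic blacklist, can be replayed in software. The following is an added example, not H3C code: a small model of the filter whose `figure76_scenario` function walks through the Figure 76 narrative and the example above. MAC addresses are constructed and written in the xxxx-xxxx-xxxx form the CLI uses; time is passed in explicitly (seconds) so that dynamic-entry expiry and refresh can be checked.

```python
# Added example (not H3C code): model of the WLAN IDS frame-filtering rules.
# White list and static blacklist are AC-wide; dynamic entries are per AP.


def norm_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits with any -, : or . separators removed."""
    digits = "".join(ch for ch in mac.lower() if ch not in "-:.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


class FrameFilter:
    def __init__(self, dynamic_lifetime: int = 300):   # 300 s is the CLI default
        self.whitelist = set()
        self.static_blacklist = set()
        self.dynamic_enabled = False
        self.lifetime = dynamic_lifetime
        self.dynamic = {}             # (ap_name, mac) -> expiry time

    def whitelist_add(self, mac: str) -> None:
        self.whitelist.add(norm_mac(mac))

    def static_blacklist_add(self, mac: str) -> None:
        self.static_blacklist.add(norm_mac(mac))

    def dynamic_blacklist_enable(self) -> None:
        self.dynamic_enabled = True

    def flood_detected(self, ap: str, mac: str, now: float) -> None:
        """WLAN IDS saw a flood attack at `ap`: add the entry, or refresh its lifetime."""
        if self.dynamic_enabled:
            self.dynamic[(ap, norm_mac(mac))] = now + self.lifetime

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[key]

    def accept(self, ap: str, mac: str, now: float) -> bool:
        """Apply rules 1-4 to a frame that `ap` received from source `mac`."""
        mac = norm_mac(mac)
        self._expire(now)
        if self.whitelist:                      # rule 1: the white list decides alone
            return mac in self.whitelist
        if mac in self.static_blacklist:        # rules 2-3: blacklists are searched
            return False
        if (ap, mac) in self.dynamic:           # only at the AP that saw the attack
            return False
        return True                             # rule 4: no match, frame is valid

    def dynamic_entries(self, now: float) -> dict:
        """Live dynamic entries with remaining lifetime, like display wlan blacklist dynamic."""
        self._expire(now)
        return {k: exp - now for k, exp in self.dynamic.items()}


def figure76_scenario() -> dict:
    """Replays the Figure 76 narrative and returns the access decisions it describes."""
    c1, c2 = "000f-e2aa-bb01", "000f-e2aa-bb02"   # constructed client MACs
    f = FrameFilter(dynamic_lifetime=300)
    f.dynamic_blacklist_enable()
    out = {"c1_ap1_initially": f.accept("AP1", c1, now=0)}
    f.flood_detected("AP1", c1, now=10)          # entry expires at 310
    out["c1_ap1_after_flood"] = f.accept("AP1", c1, now=11)
    out["c1_ap2_after_flood"] = f.accept("AP2", c1, now=11)   # other APs unaffected
    f.flood_detected("AP1", c1, now=200)         # attack again: refreshed, expires at 500
    out["c1_ap1_at_320"] = f.accept("AP1", c1, now=320)
    out["c1_ap1_at_501"] = f.accept("AP1", c1, now=501)
    f.static_blacklist_add(c1)                   # the example above: blocked everywhere
    out["c1_any_ap_static"] = f.accept("AP2", c1, now=600)
    g = FrameFilter()
    g.whitelist_add(c1)                          # only Client 1 in the white list
    out["c1_whitelist"] = g.accept("AP3", c1, now=0)
    out["c2_whitelist"] = g.accept("AP3", c2, now=0)
    return out


if __name__ == "__main__":
    for name, decision in figure76_scenario().items():
        print(f"{name}: {'accepted' if decision else 'dropped'}")
```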

Configuring WLAN QoS

Overview

An 802.11 network offers contention-based wireless access. To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN architecture. While IEEE 802.11e was being standardized, the Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM) standard so that the QoS provisioning of different vendors' devices could interoperate. WMM makes a WLAN capable of providing QoS services.

Terminology

WMM: WMM is a wireless QoS protocol designed to preferentially transmit high-priority packets, thus guaranteeing better QoS for voice and video applications in a wireless network.
EDCA: Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to preferentially transmit high-priority packets and allocate more bandwidth to them.
AC: Access category (AC) is used for channel contention. WMM defines four access categories: the AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background) queues, in descending order of priority. When contending for a channel, a high-priority AC queue preempts a low-priority AC queue. AC also stands for access controller in this document; identify the meaning from the context.
CAC: Connection admission control (CAC) limits the number of clients that use high-priority AC queues (the AC-VO and AC-VI queues) to guarantee sufficient bandwidth for existing high-priority traffic.
U-APSD: Unscheduled automatic power-save delivery (U-APSD) is a power saving mechanism defined by WMM to enhance the power saving capability of clients.
SVP: SpectraLink voice priority (SVP) is a voice priority protocol designed by SpectraLink to guarantee QoS for voice traffic.

WMM protocol overview

The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use the carrier sense multiple access with collision avoidance (CSMA/CA) access mechanism.
APs and clients listen to the channel before they take the channel for data transmission. When the specified idle duration of the channel times out, APs and clients randomly select a backoff slot within the contention window and perform backoff. The device that finishes backoff first gets the channel. With 802.11, all

devices have the same idle duration and contention window, so they are equal when contending for a channel.

EDCA parameters

In WMM, this equal contention mechanism is changed. WMM assigns the data packets in a basic service set (BSS) to four AC queues. By giving a high-priority AC queue more channel contention opportunities than a low-priority AC queue, WMM offers different service levels to different AC queues.

WMM defines a set of EDCA parameters for each AC queue, as follows:

Arbitration inter-frame spacing number (AIFSN): Unlike the 802.11 protocol, where the idle duration (set using DIFS) is a constant value, WMM can define an idle duration per AC queue. The idle duration increases as the AIFSN value increases (see Figure 78 for the AIFS durations).
Exponent form of CWmin (ECWmin) and exponent form of CWmax (ECWmax): Determine the average number of backoff slots, which increases as the two values increase (see Figure 78 for the backoff slots).
Transmission opportunity limit (TXOPLimit): Indicates the maximum time for which a user can hold a channel after a successful contention. The greater the TXOPLimit, the longer the user can hold the channel. The value 0 indicates that the user can send only one packet each time it holds the channel.

Figure 78 Per-AC channel contention parameters in WMM

CAC admission policies

CAC requires that a client obtain permission from the AP before it can use a high-priority AC queue for transmission, thus guaranteeing bandwidth to the clients that have gained access. CAC controls real-time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic). If a client wants to use a high-priority AC queue, it must send a request to the AP.
The AP returns a positive or negative response based on one of the following admission control policies:

Channel utilization-based admission policy: The AP calculates the total time per second that the existing high-priority AC queues occupy the channel, and then calculates the time per second that the requesting traffic would occupy the channel. If the sum of the two values is smaller than or equal to the maximum hold time of the channel, the client can use the requested AC queue. Otherwise, the request is rejected.

Users-based admission policy: If the number of clients using high-priority AC queues plus the number of clients requesting high-priority AC queues is smaller than or equal to the maximum number of high-priority AC queue clients, the request is accepted. Otherwise, the request is rejected. During the calculation, a client is counted once, even if it is using both the AC-VO and AC-VI queues.

U-APSD power-save mechanism

U-APSD improves the APSD power saving mechanism. When associating clients with AC queues, you can specify how these AC queues are handled: some AC queues can be trigger-enabled, and some delivery-enabled. You can also specify the maximum number of data packets delivered in response to a trigger packet. Both the trigger attribute and the delivery attribute can be modified when flows are established using CAC. When a client sleeps, the packets of delivery-enabled AC queues destined for the client are buffered. The client must send a packet of a trigger-enabled AC queue to get the buffered packets. After the AP receives the trigger packet, the packets in the transmit queue are sent. The number of packets sent depends on the agreement made when the client was admitted. AC queues without the delivery attribute store and transmit packets as defined in the 802.11 protocol.

SVP

SVP can assign packets with protocol ID 119 in the IP header to a specific AC queue. SVP stipulates that random backoff is not performed for SVP packets. Therefore, you can set both ECWmin and ECWmax to 0 when there are only SVP packets in an AC queue.

ACK policy

WMM defines two ACK policies: Normal ACK and No ACK. When the no acknowledgement (No ACK) policy is used, the recipient does not acknowledge received packets during wireless packet exchange. This policy is suitable in an environment where communication quality is good and interference is weak. While the No ACK policy helps improve transmission efficiency, it can cause increased packet loss when communication quality deteriorates.
This is because packets that are not received are not retransmitted. When the Normal ACK policy is used, the recipient acknowledges each received unicast packet.

Protocols and standards

IEEE 802.11e-2005, Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE Computer Society, 2005
Wi-Fi WMM Specification version 1.1, Wi-Fi Alliance, 2005

Configuring WMM

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a radio policy and enter radio policy view.
   Command: wlan radio-policy radio-policy-name
   Remarks: N/A

3. Enable WMM.
   Command: wmm enable
   Remarks: By default, WMM is enabled. The 802.11n protocol stipulates that all 802.11n clients support WLAN QoS. Therefore, when the radio operates in 802.11an or 802.11gn mode, enable WMM. Otherwise, the associated 802.11n clients may fail to communicate.
4. Set the EDCA parameters of the AC-VO or AC-VI queue for clients.
   Command: wmm edca client { ac-vo | ac-vi } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | cac } *
   Remarks: By default, a client uses the default EDCA parameters shown in Table 3.
5. Set the EDCA parameters of the AC-BE or AC-BK queue for clients.
   Command: wmm edca client { ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *
   Remarks: By default, a client uses the default EDCA parameters shown in Table 3.
6. Set the EDCA parameters and specify the ACK policy for the AP radio.
   Command: wmm edca radio { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | noack } *
   Remarks: By default, an AP radio uses the default EDCA parameters shown in Table 4 and uses the Normal ACK policy.
7. Set the CAC policy.
   Command: wmm cac policy { channelutilization [ channelutilization-value ] | users [ users-number ] }
   Remarks: By default, the users-based admission policy applies, with the maximum number of users being 20.
8. Map SVP packets to a specified AC queue.
   Command: wmm svp map-ac { ac-vi | ac-vo | ac-be | ac-bk }
   Remarks: By default, the SVP packet mapping function is disabled. SVP packet mapping applies only to non-WMM clients and does not take effect on WMM clients.

NOTE:
If CAC is enabled for an AC queue, CAC is also enabled for the AC queues with higher priority. For example, if you use the wmm edca client command to enable CAC for the AC-VI queue, CAC is also enabled for the AC-VO queue. However, enabling CAC for the AC-VO queue does not enable CAC for the AC-VI queue.
H3C recommends that you use the default EDCA parameter settings for APs and clients (except the TXOPLimit parameter for devices using 802.11b radio cards) unless it is necessary to modify them. When the radio card of a device is 802.11b, H3C recommends that you set the TXOPLimit values of the AC-BK, AC-BE, AC-VI, and AC-VO queues to 0, 0, 188, and 102, respectively.
The SVP packet mapping function takes effect only after WMM is enabled.

Table 3 The default EDCA parameters for clients

AC queue    | AIFSN | ECWmin | ECWmax | TXOP Limit
AC-BK queue |       |        |        |
AC-BE queue |       |        |        |
AC-VI queue |       |        |        |
AC-VO queue |       |        |        |

Table 4 The default EDCA parameters for APs

AC queue    | AIFSN | ECWmin | ECWmax | TXOP Limit
AC-BK queue |       |        |        |
AC-BE queue |       |        |        |
AC-VI queue |       |        |        |
AC-VO queue |       |        |        |

Displaying and maintaining WMM

Task: Display the WMM information of the specified AP's radio or of all radios.
Command: display wlan wmm radio { all | ap ap-name } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the WMM information of the client identified by the specified MAC address, of the clients associated with the specified AP, or of all clients.
Command: display wlan wmm client { all | ap ap-name | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display client or radio WLAN statistics.
Command: display wlan statistics { client [ all | mac-address mac-address ] | radio [ ap-name ] } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display WLAN radio policy information.
Command: display wlan radio-policy [ radio-policy-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear radio WMM statistics.
Command: reset wlan wmm radio { all | ap ap-name }
Remarks: Available in user view.

Task: Clear client WMM statistics.
Command: reset wlan wmm client { all | ap ap-name | mac-address mac-address }
Remarks: Available in user view.
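The two CAC admission policies described under "CAC admission policies" (selected with wmm cac policy above) are easy to get subtly wrong, in particular the rule that a client using both the AC-VO and AC-VI queues is counted once. The following is an added example, not H3C code, that implements both policies; channel occupation is modelled as milliseconds of airtime per second and the maximum hold time as a millisecond budget, which is an assumption since the guide gives no unit, and the client names and values are constructed.

```python
# Added example (not H3C code): CAC admission for high-priority AC queues
# under the users-based and channel-utilization-based policies.

HIGH_PRIORITY = ("ac-vo", "ac-vi")       # only these queues are subject to CAC


class CacAdmission:
    def __init__(self, policy: str = "users", max_users: int = 20,
                 max_channel_ms: int = 1000):
        if policy not in ("users", "channelutilization"):
            raise ValueError(f"unknown CAC policy: {policy}")
        self.policy = policy
        self.max_users = max_users          # the AC's default is 20 users
        self.max_channel_ms = max_channel_ms  # assumed unit: ms of airtime per second
        self.flows = {}                     # (client, ac) -> channel ms per second

    def admitted_clients(self) -> set:
        """Distinct clients holding at least one high-priority flow."""
        return {client for client, _ in self.flows}

    def used_channel_ms(self) -> int:
        """Airtime per second already occupied by admitted high-priority flows."""
        return sum(self.flows.values())

    def request(self, client: str, ac: str, channel_ms: int = 0) -> bool:
        """Return True if the request is accepted; the flow is then recorded."""
        if ac not in HIGH_PRIORITY:
            return True                     # AC-BE / AC-BK traffic is not controlled
        if self.policy == "users":
            # A client already using the other high-priority queue is counted once,
            # so the prospective count is the set of admitted clients plus this one.
            prospective = len(self.admitted_clients() | {client})
            accepted = prospective <= self.max_users
        else:
            # Existing occupation plus the requesting traffic must fit the budget.
            # A repeated request for the same flow replaces its previous figure.
            existing = self.flows.get((client, ac), 0)
            total = self.used_channel_ms() - existing + channel_ms
            accepted = total <= self.max_channel_ms
        if accepted:
            self.flows[(client, ac)] = channel_ms
        return accepted

    def release(self, client: str, ac: str) -> None:
        """Flow torn down: free its share for later requests."""
        self.flows.pop((client, ac), None)


if __name__ == "__main__":
    cac = CacAdmission("users", max_users=2)   # like: wmm cac policy users 2
    for client, ac in [("phone-1", "ac-vo"), ("phone-2", "ac-vi"),
                       ("phone-1", "ac-vi"), ("phone-3", "ac-vo")]:
        print(client, ac, "accepted" if cac.request(client, ac) else "rejected")
```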

WMM configuration examples

WMM basic configuration example

Network requirements

As shown in Figure 79, the AC is connected to a Layer 2 switch, and the AP and the AC are in the same network. Enable WMM on the AC so that the AP and the client can prioritize traffic.

Figure 79 Network diagram

Configuration procedure

<AC> system-view
# Create interface WLAN-ESS 1.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
# Configure a radio policy. Enable WMM (optional, because WMM is enabled by default).
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
[AC-wlan-rp-radiopolicy1] quit
# Create a template named ap1, configure the model name as WA2100, and configure the serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

After WMM is enabled, you can use the display wlan wmm radio command to view WMM-related information.

CAC service configuration example

Network requirements

As shown in Figure 80, the AC is connected to a Layer 2 switch. The AP and the AC are in the same network. Configure CAC for the high-priority queues (AC-VO and AC-VI) on the AC, and use the users-based admission policy to allow the AP to accommodate up to 10 clients in the AC-VO and AC-VI queues. In this way, clients in the AC-VO and AC-VI queues are guaranteed enough bandwidth.

Figure 80 Network diagram

Configuration procedure

<AC> system-view
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
# Create a radio policy named radiopolicy1, enable WMM for the radio policy, enable CAC for AC-VO and AC-VI, and configure the policy to limit the number of users to 10.
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
[AC-wlan-rp-radiopolicy1] wmm edca client ac-vo cac
[AC-wlan-rp-radiopolicy1] wmm edca client ac-vi cac
[AC-wlan-rp-radiopolicy1] wmm cac policy users 10
[AC-wlan-rp-radiopolicy1] quit
# Create a template named ap1, configure the model name as WA2100, and configure the serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

If a client wants to use a high-priority AC queue (AC-VO or AC-VI), it must send a request to the AP.
If the number of clients using high-priority AC queues (AC-VO or AC-VI) plus the number of clients requesting high-priority AC queues on the AP is smaller than or equal to the maximum number of high-priority AC clients (10 in this

example), the request is accepted. The priority is decreased for packets from the clients that exceed the maximum number of high-priority AC clients.

SVP service configuration example

Network requirements

As shown in Figure 81, the AC is connected to a Layer 2 switch. The AP and the AC are in the same network. Configure the SVP service so that SVP packets are assigned to the AC-VO queue on the AP. To guarantee the highest priority for the AC-VO queue, set ECWmin and ECWmax to 0 for the AC-VO queue of the AP.

Figure 81 Network diagram

Configuration procedure

<AC> system-view
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Configure a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] service-template enable
# Configure a radio policy named radiopolicy1, and enable WMM for the radio policy.
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
# Assign SVP packets to the AC-VO queue.
[AC-wlan-rp-radiopolicy1] wmm svp map-ac ac-vo
# Create a template named ap1, configure the model name as WA2100, and configure the serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

If a non-WMM client goes online and sends SVP packets to the AC, the SVP packets are assigned to the AC-VO queue.

Traffic differentiation test configuration example

Network requirements

As shown in Figure 82, the AC is connected to a Layer 2 switch. The AP and the AC are in the same network. Configure the AC to map IP precedence 7 to local precedence 7, allowing such packets to occupy more bandwidth when they are transmitted on the wireless network.

Figure 82 Network diagram

Configuration procedure

# Configure a QoS policy named wmm.
<AC> system-view
# Create a class named wmm, and configure the class to match packets with IP precedence value 7.
[AC] traffic classifier wmm
[AC-classifier-wmm] if-match ip-precedence 7
[AC-classifier-wmm] quit
# Create a traffic behavior named wmm, and configure the traffic behavior to mark packets with local precedence value 7.
[AC] traffic behavior wmm
[AC-behavior-wmm] remark local-precedence 7
[AC-behavior-wmm] quit
# Create a QoS policy named wmm, and associate class wmm with behavior wmm in the QoS policy.
[AC] qos policy wmm
[AC-qospolicy-wmm] classifier wmm behavior wmm
[AC-qospolicy-wmm] quit
# Apply QoS policy wmm to the incoming traffic of interface GigabitEthernet 1/0/1.
[AC] interface GigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] qos apply policy wmm inbound
[AC-GigabitEthernet1/0/1] quit
# Create interface WLAN-ESS 1.
[AC] interface WLAN-ESS 1
[AC-WLAN-ESS1] quit
# Enter the specified priority mapping table view (optional, because the mapping table exists by default).
[AC] qos map-table lp-dot11e
# Create a clear-type WLAN service template, configure its SSID as market, and bind WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear
[AC-wlan-st-1] ssid market
[AC-wlan-st-1] bind WLAN-ESS 1
[AC-wlan-st-1] authentication-method open-system

[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Configure a radio policy named radiopolicy1. Then enable WMM for the policy (optional, because WMM is enabled by default).
[AC] wlan radio-policy radiopolicy1
[AC-wlan-rp-radiopolicy1] wmm enable
[AC-wlan-rp-radiopolicy1] quit
# Create a template named ap1, configure the model name as WA2100, and configure the serial ID as A29G007C
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Bind service template 1 and radio policy radiopolicy1 to interface Radio 1.
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio-policy radiopolicy1
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable

After the above configuration, the AC maps IP precedence 7 to local precedence 7.

Troubleshooting

EDCA parameter configuration failure

Symptom: Configuring EDCA parameters for an AP failed.

Analysis: The EDCA parameter configuration of an AP is restricted by the radio chip of the AP.

Solution:
1. Use the display wlan wmm radio ap ap-name command to view the radio chip's support for the EDCA parameters. Make sure the configured EDCA parameters are supported by the radio chip.
2. Check that the values configured for the EDCA parameters are valid.

SVP or CAC configuration failure

Symptom: The SVP packet priority mapping function configured with the wmm svp map-ac command does not take effect, or CAC configured with the wmm edca client command does not take effect.

Analysis: The SVP packet priority mapping function or CAC takes effect only after WMM is enabled.

Solution
SVP takes effect on only non-WMM clients. Determine whether the associated clients are non-WMM clients:
1. Use the wmm enable command to enable the WMM function.
2. Check the state of the SVP priority mapping function or CAC again.

Configuring bandwidth guaranteeing

When traffic is heavy, a BSS without any rate limitation may aggressively occupy the bandwidth available to other BSSs. If you limit the rate of the BSS, it cannot use the idle bandwidth of other BSSs. To improve bandwidth use efficiency while ensuring bandwidth use fairness among WLAN services, use the bandwidth guaranteeing function.

Bandwidth guaranteeing makes sure that all traffic from each BSS can pass through freely when the network is not congested, and that each BSS gets its guaranteed bandwidth when the network is congested. For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth. When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed bandwidth. When the network is congested, SSID1 can use at least its guaranteed bandwidth, 25% of the bandwidth.

NOTE: This feature applies only to the traffic from AP to client.

Configuration procedure

To configure bandwidth guaranteeing:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: N/A
3. Enter radio view.
   Command: radio radio-id
   Remarks: N/A
4. Enable bandwidth guaranteeing.
   Command: bandwidth-guarantee enable
   Remarks: By default, bandwidth guaranteeing is disabled.
5. Configure a guaranteed bandwidth percent for the specified BSS.
   Command: bandwidth-guarantee service-template service-template-number percent percent
   Remarks: The WLAN service must have been bound to the radio. For the WLAN services bound to the same radio, the sum of guaranteed bandwidth percents cannot exceed 100%.

Displaying and maintaining bandwidth guaranteeing

Task: Display bandwidth guaranteeing configuration.
Command: display wlan bandwidth-guarantee [ ap ap-name radio radio-id ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Bandwidth guaranteeing configuration example

Network requirements

In an enterprise, three clients access the wireless network through WLAN services research, office, and entertain, respectively. To make sure that the enterprise network works normally, guarantee 20% of the bandwidth for WLAN service office, 80% for research, and none for entertain within the same AP.

Figure 83 Network diagram

Configuration procedure

# Configure the maximum 802.11a bandwidth as kbps.
<AC> system-view
[AC] wlan rrm
[AC-wlan-rrm] dot11a max-bandwidth
[AC-wlan-rrm] quit
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-BSS1] port-security port-mode psk
[AC-WLAN-BSS1] port-security tx-key-type 11key
[AC-WLAN-BSS1] port-security preshared-key pass-phrase simple
[AC-WLAN-ESS1] quit
[AC] interface wlan-ess 2
[AC-WLAN-BSS2] port-security port-mode psk
[AC-WLAN-BSS2] port-security tx-key-type 11key
[AC-WLAN-BSS2] port-security preshared-key pass-phrase simple abcdefgh
[AC-WLAN-ESS2] quit

[AC] interface wlan-ess 3
[AC-WLAN-ESS3] quit
# Create service template 1 of the crypto type, and set the SSID as research for service template 1.
[AC] wlan service-template 1 crypto
[AC-wlan-st-1] ssid research
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create service template 2 of the crypto type, and set the SSID as office for service template 2.
[AC] wlan service-template 2 crypto
[AC-wlan-st-2] ssid office
[AC-wlan-st-2] bind wlan-ess 2
[AC-wlan-st-2] authentication-method open-system
[AC-wlan-st-2] cipher-suite ccmp
[AC-wlan-st-2] security-ie rsn
[AC-wlan-st-2] service-template enable
[AC-wlan-st-2] quit
# Create service template 3 of the clear type, and set the SSID as entertain for service template 3.
[AC] wlan service-template 3 clear
[AC-wlan-st-3] ssid entertain
[AC-wlan-st-3] bind wlan-ess 3
[AC-wlan-st-3] service-template enable
[AC-wlan-st-3] quit
# Apply service templates to radio 1.
[AC] wlan ap ap1 model wa2220e-ag
[AC-wlan-ap-ap1] radio 1 type dot11a
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] service-template 2
[AC-wlan-ap-ap1-radio-1] service-template 3
[AC-wlan-ap-ap1-radio-1] radio enable
# Enable bandwidth guaranteeing.
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee enable
# Set the guaranteed bandwidth percent to 80% for service template 1 and 20% for service template 2.
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template 1 percent 80
[AC-wlan-ap-ap1-radio-1] bandwidth-guarantee service-template 2 percent 20
[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan bandwidth-guarantee command to display the bandwidth guaranteeing configuration.
<AC> display wlan bandwidth-guarantee
 Bandwidth Guarantee
 ST: service template

 AP        Radio   Mode   ST   Percent
 ap                a      1    80%
 ap                a      2    20%

1. When the total traffic rate from the AP to all clients is lower than kbps, the rate of traffic from the AP to any client is not limited.
2. Suppose the rate of traffic from the AP to Client 1 exceeds 2000 kbps, the rate of traffic from the AP to Client 2 exceeds 8000 kbps, and the rate of traffic from the AP to all clients exceeds kbps. In this case, because WLAN services research and office are configured with bandwidth guaranteeing, the AP preferentially forwards traffic to Client 1 and Client 2. As a result, the AP sends traffic to Client 1 at a rate of 2000 kbps and to Client 2 at a rate of 8000 kbps, and the rate of traffic from the AP to Client 3 is limited.

Configuring client rate limiting

The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by the wireless clients attached to the AP, aggressive use of bandwidth by one client affects the other clients. To ensure fair use of bandwidth, rate limit client traffic in either of the following approaches:
- Configure the total bandwidth shared by all clients. This is called "dynamic mode". The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, the rate limit of each client is 2 Mbps.
- Configure the maximum bandwidth that can be used by each client. This is called "static mode". For example, if the configured rate is 1 Mbps, the rate limit of each online client is 1 Mbps. When the set rate limit multiplied by the number of access clients exceeds the available bandwidth provided by the AP, no client can get the guaranteed bandwidth.

Configuration procedure

You can configure WLAN service-based client rate limiting, so that the AC limits client rates for a WLAN service.

To configure WLAN service-based client rate limiting:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter service template view.
   Command: wlan service-template service-template-number { clear | crypto }
   Remarks: N/A
3. Configure WLAN service-based client rate limiting.
   Command: client-rate-limit direction { inbound | outbound } mode { dynamic | static } cir cir
   Remarks: Disabled by default.

You can configure radio-based client rate limiting, so that the AC limits client rates for the same radio.

To configure radio-based client rate limiting (available only on ACs):
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: N/A
3. Configure radio-based client rate limiting.
   Command: client-rate-limit direction { inbound | outbound } mode { dynamic | static } cir cir
   Remarks: Disabled by default.

Displaying and maintaining client rate limiting

Task: Display client rate limiting information.
Command: display wlan client-rate-limit { service-template [ service-template-number ] | ap [ ap-name radio radio-id ] } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Client rate limiting configuration example

Network requirements

AC is connected to Switch, and is in the same network as the AP. Configure client rate limiting on AC, so that AP limits the incoming traffic in static mode and limits the outgoing traffic in dynamic mode for the clients.

Figure 84 Network diagram (Client 1, Client 2, AC, Switch, AP)

Configuration procedure

# Enable the WLAN service (optional, because the WLAN service is enabled by default).
<AC> system-view
[AC] wlan enable
# Create a WLAN-ESS interface.
[AC] interface wlan-ess 1
[AC-WLAN-ESS1] quit
# Create a WLAN service template of the clear type, configure its SSID as service, and bind interface WLAN-ESS 1 to the service template.
[AC] wlan service-template 1 clear

[AC-wlan-st-1] ssid service
[AC-wlan-st-1] bind wlan-ess 1
[AC-wlan-st-1] authentication-method open-system
# Configure WLAN service-based client rate limiting on AC to limit the rate of traffic from clients to AP (incoming traffic) to 8000 kbps in static mode and the rate of traffic from AP to clients (outgoing traffic) to 8000 kbps in dynamic mode.
[AC-wlan-st-1] client-rate-limit direction inbound mode static cir 8000
[AC-wlan-st-1] client-rate-limit direction outbound mode dynamic cir 8000
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
# Create an AP template named ap1, set the AP model to WA2100, and set the AP serial ID to A29G007C.
[AC] wlan ap ap1 model WA2100
[AC-wlan-ap-ap1] serial-id A29G007C
# Configure an 802.11g radio.
[AC-wlan-ap-ap1] radio 1 type dot11g
# Bind service template 1 to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return

Verifying the configuration

# Use the display wlan client-rate-limit service-template command to display the client rate limiting configuration.
<AC> display wlan client-rate-limit service-template
 Client Rate Limit
 Service Template   Direction   Mode      CIR(kbps)
                    Inbound     Static
                    Outbound    Dynamic

1. When only Client 1 accesses the WLAN through SSID service, the available bandwidth is limited to around 8000 kbps.
2. When both Client 1 and Client 2 access the WLAN through SSID service, the bandwidth available for the traffic from either Client 1 or Client 2 to the AP is limited to around 8000 kbps, and the bandwidth available for the traffic from the AP to either Client 1 or Client 2 is limited to around 4000 kbps.
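To make the two sharing rules concrete, here is a small Python model, added for this guide and not taken from the AC software, of downstream bandwidth guaranteeing per WLAN service and of static versus dynamic client rate limiting. It assumes a constructed radio capacity of 10000 kbps, because the bandwidth guaranteeing example above leaves the max-bandwidth value blank, and reuses the 80%/20%/0% guarantees and the 8000 kbps CIRs from the two examples.

```python
"""Model of how an AC shares one radio's downstream capacity: bandwidth
guaranteeing per WLAN service (BSS) and client rate limiting in static or
dynamic mode. Illustrative model written for this guide, not AC code."""


def guaranteed_allocation(max_bandwidth_kbps, guarantees, demands):
    """Downstream (AP to client) allocation per WLAN service on one radio.

    guarantees: {ssid: guaranteed percent}, as set with
                'bandwidth-guarantee service-template N percent P'.
    demands:    {ssid: offered load in kbps} (constructed sample input).

    Not congested: every BSS gets its full demand.
    Congested: each BSS first receives min(demand, percent * capacity); the
    remaining capacity is then shared among BSSs that still have unmet
    demand, so idle guaranteed bandwidth is not wasted.
    """
    if sum(guarantees.values()) > 100:
        # The AC rejects this: percents on one radio cannot exceed 100%.
        raise ValueError("sum of guaranteed percents exceeds 100%")
    if sum(demands.values()) <= max_bandwidth_kbps:
        return dict(demands)  # no congestion, nothing is limited
    alloc = {
        ssid: min(demand, max_bandwidth_kbps * guarantees.get(ssid, 0) // 100)
        for ssid, demand in demands.items()
    }
    leftover = max_bandwidth_kbps - sum(alloc.values())
    # Water-filling of the leftover: equal shares, capped at remaining demand.
    while leftover > 0:
        unmet = [s for s in demands if alloc[s] < demands[s]]
        if not unmet:
            break
        share = leftover // len(unmet)
        if share == 0:
            break  # remainder is below one kbps per BSS; stop
        for ssid in unmet:
            grant = min(share, demands[ssid] - alloc[ssid])
            alloc[ssid] += grant
            leftover -= grant
    return alloc


def client_rate_limit(mode, cir_kbps, online_clients):
    """Per-client limit for 'client-rate-limit ... mode {dynamic|static} cir'.

    dynamic: cir is the total shared by all clients, so each gets cir / n.
    static:  cir is the cap applied to every client individually.
    """
    if online_clients <= 0:
        return 0
    if mode == "dynamic":
        return cir_kbps // online_clients
    if mode == "static":
        return cir_kbps
    raise ValueError("mode must be 'dynamic' or 'static'")


def static_mode_oversubscribed(cir_kbps, online_clients, ap_bandwidth_kbps):
    """True when the static limits summed over all clients exceed what the
    AP can deliver; then no client is actually assured its cir."""
    return cir_kbps * online_clients > ap_bandwidth_kbps


if __name__ == "__main__":
    capacity = 10000  # constructed; the guide's example leaves this blank
    pct = {"research": 80, "office": 20, "entertain": 0}
    light = {"research": 3000, "office": 1000, "entertain": 2000}
    heavy = {"research": 9000, "office": 3000, "entertain": 5000}
    print("not congested:", guaranteed_allocation(capacity, pct, light))
    print("congested:    ", guaranteed_allocation(capacity, pct, heavy))
    print("outbound dynamic 8000, 2 clients:", client_rate_limit("dynamic", 8000, 2))
    print("inbound static 8000, 2 clients: ", client_rate_limit("static", 8000, 2))
```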

Configuring WLAN mesh link

Introduction to WLAN mesh

A WLAN network can be used to extend or replace an existing wired LAN to provide both connectivity and mobility for wireless users. A WLAN mesh network differs from the traditional WLAN in that it allows wireless connections between access points (APs), increasing mobility and flexibility. Moreover, multi-hop wireless links can be established between APs. From the end users' perspective, a WLAN mesh network appears no different: the wireless connectivity is available, just as in a traditional WLAN. WLAN mesh is also designed for WLAN application in subways, and complies with the 802.11s draft.

Basic concepts in WLAN mesh

Figure 85 Typical WLAN mesh network

The concepts involved in WLAN mesh are described below.

Access controller (AC): A device that controls and manages all the APs in the WLAN. The AC communicates with an authentication server for WLAN client authentication.
Mesh point (MP): An IEEE 802.11 entity that contains an IEEE 802.11 conformant medium access control (MAC) and physical layer (PHY) interface to the wireless medium (WM) that supports mesh services.

Authenticator MP: An MP that acts as an authenticator in forming the link between two MPs.
Candidate peer MP: A neighbor MP to which a mesh link has not been established, but which meets the eligibility requirements to become a peer MP.
Link metric: A criterion used to characterize the performance, quality, or eligibility of a mesh link for use in a mesh path.
Mesh: A network consisting of two or more mesh points which communicate with each other via mesh services.
Mesh access point (MAP): A mesh point that is collocated with one or more access points.
Mesh action frame: A management frame which has a mesh-specific action category.
Mesh link: A link between two MPs.
Mesh portal point (MPP): A mesh point that is collocated with one or more portals.
Peer MP: An MP to which the local MP has established a mesh link.
Selector MP: The MP that is responsible for selecting the security parameters between two MPs.
Station (STA): A wireless terminal (a PC or laptop) with a wireless network card.

Advantages of WLAN mesh

In the current WLAN solution, APs must be interconnected by using cables, switches, routers, and power supplies, making the wireless network complex, costly, and time consuming to deploy. The WLAN mesh technology offers a totally new approach to deploying wireless networks by allowing operators to deploy wireless networks anywhere and anytime.

WLAN mesh has the following advantages:
- Low cost and high performance
- Expandable without the need for new wiring or access points
- Easy deployment
- Applicable to areas such as metros, companies, offices, large warehouses, manufacturing plants, ports, and waterfronts
- Avoidance of single point failures because of multi-path availability

Deployment scenarios

This section covers deployment scenarios of WLAN mesh, available in two categories: one for subway networking and the other for typical networking.

Typical WLAN mesh deployment

AC + fit MP scenario

Figure 86 Normal AC + fit MP scenario (Internet, AC, MPPs, MPs, MAPs, STAs; Mesh 1 and Mesh 2; quasi-secure peer link)

As shown in Figure 86, two mesh networks are controlled by the same AC. At least one MPP in a mesh has wired connectivity with the AC. When an MP starts up, it scans the network and forms quasi-secure connections with all available MPs in its vicinity. Quasi-secure connections are temporary links with default or minimum configuration, which allow the MP to connect to the AC for downloading its configurations; only configuration-related messages are allowed to pass through these links. After downloading its configurations from the AC, the MP establishes secure connections with its neighbors.

In a geographical area that has more than one mesh network deployed, an MP that starts up does not know through which mesh it should connect to the AC, so it forms quasi-secure links with MPs in all available mesh networks.

One MP with two radios, each on a different mesh

Figure 87 One fit MP with two radios, each on a different mesh (Internet, AC, MPPs, MPs, MAPs, STAs; Mesh 1 and Mesh 2; Radio 1 in mesh 1, Radio 2 in mesh 2)

As shown in Figure 87, an MP has two radios, each of which is present in a different mesh network. The only constraint is that both meshes are managed by the same AC.

Two mesh networks controlled by two ACs

Figure 88 Two mesh networks controlled by two ACs in the same wired network (AC 1, AC 2, MPPs, MPs, MAPs, STAs; Mesh 1 and Mesh 2)

As shown in Figure 88, two mesh networks in the same geographical area are managed by different ACs, which can be in the same wired network or in different wired networks.

Subway WLAN mesh deployment

In a subway system, control and data information must be sent to fast-moving trains in real time to provide Internet access service for customers in the trains and control information for train operation. As shown in Figure 89, a subway WLAN mesh solution adopts the AC + Rail MP (in fit mode) + Train MP (in fat mode) networking mode. Rail MPs are deployed along the railway and connected to the AC through wired connections.

Figure 89 Subway deployment of mesh

The train MPs connect to rail MPs based on radio signal strength indicator (RSSI) values. A train MP establishes two types of links with rail MPs, active and dormant: one link is active and all the other links are dormant. Data is transferred through the active link only. The active link changes as the train MP moves.

The subway WLAN mesh deployment uses the Mobile Link Switch Protocol (MLSP), a proprietary protocol developed by H3C for achieving high-speed link switching with zero packet loss during train movement. H3C has adopted the new IEEE standard 802.11s as the underlying protocol for link formation and communication between the mobile radio (MR) and the wayside AP. Train MPs are not required to act as authenticators.

WLAN mesh security

WLAN mesh networks use airwaves as the communication medium, so they are very vulnerable to attacks. Therefore, security is an essential part of WLAN mesh networks. Security involves encryption algorithms and key distribution and management.

Mesh link metric

The metric of a mesh link is calculated based on the signal strength indication (RSSI) of the frame received from the peer MP. The metric or cost of the mesh link is used to select the best route to forward data frames.

Mobile link switch protocol

At any given time, an active link should be available between a rail MP and a train MP for data communication. MLSP was developed to create and break links during train movement.

Terminology of MLSP

As shown in Figure 90, when the train is moving, it needs to break the existing active link with rail MP 2 and create a new active link with another rail MP.

Figure 90 Diagram for MLSP

Active link: Logical link through which all data communication from/to a train MP happens.
Dormant link: Logical link over which no data transfer happens, but which satisfies all the criteria for becoming an active link.
Proxy device: A device such as a server that is connected to a train MP for receiving traffic.

MLSP advantages

1. MLSP makes sure that the link switch time is less than 30 ms.
2. MLSP works well even if the chipset gets saturated at a high power level.
3. MLSP achieves zero packet loss during link switch.

Operation of MLSP

MLSP establishes multiple links at any given time between a train MP and multiple rail MPs to provide link redundancy, ensuring high performance and good robustness for the network. The following four parameters are considered by MLSP for link switch. Based on the deployment, all these parameters are tunable to achieve the best results.

Link formation RSSI/link hold RSSI: This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error rate can be very high.
Link switch margin: If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch happens. This mechanism is used to avoid frequent link switches.

Link hold time: An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switches.
Link saturation RSSI: This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch happens.

Formation of dormant links

A train MP performs active scanning to find neighboring rail MPs by sending probe requests at a very high rate. Based on the probe responses received, the train MP forms a neighbor table. After that, the train MP creates dormant links with rail MPs that have an RSSI value greater than the link formation RSSI.

Selection of active link

A train MP selects the active link from the dormant links based on the following rules:
1. If no dormant link is available, the active link cannot be formed.
2. Active link switch does not happen within the link hold time, except under the following two conditions:
   Condition 1: The active link RSSI exceeds the link saturation RSSI.
   Condition 2: The active link RSSI is below the link hold RSSI.
3. When the link hold timer expires, if no dormant link has an RSSI greater than the active link RSSI by the link switch margin, link switch does not happen.
4. In normal scenarios, active link switch happens when all of the following conditions are met:
   - The link hold timer expires.
   - The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.
   - The dormant link RSSI is not greater than the link saturation RSSI.
   - The RSSI of the new link is increasing.
5. Once the RSSI of the active and dormant links has gone below the link hold RSSI, the links are broken. However, to ensure service availability in worse cases, if the active link RSSI has gone below the link hold RSSI and no dormant links exist, the active link is not broken.
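The five selection rules above, as an added Python model written for this guide (not H3C's MLSP implementation), driven by the four MP policy parameters with the defaults listed in the MP policy table; the rail MP names and RSSI samples are constructed.

```python
"""Model of MLSP active link selection on a train MP, following the five
selection rules and the four tunable MP policy parameters. Illustration
written for this guide; not H3C's implementation."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MpPolicy:
    """MP policy values; defaults as listed in the MP policy table."""
    link_hold_rssi: int = 15          # link-hold-rssi (also the formation RSSI)
    link_hold_time_ms: int = 4000     # link-hold-time
    link_switch_margin: int = 10      # link-switch-margin
    link_saturation_rssi: int = 150   # link-saturation-rssi


@dataclass
class Link:
    peer: str          # rail MP name (constructed)
    rssi: int          # latest RSSI sample
    prev_rssi: int     # previous sample; used for the "RSSI is increasing" rule


def form_dormant_links(neighbor_table: List[Link], policy: MpPolicy) -> List[Link]:
    """Dormant links are created only with rail MPs above the formation RSSI."""
    return [n for n in neighbor_table if n.rssi > policy.link_hold_rssi]


def select_active_link(active: Optional[Link], dormant: List[Link],
                       hold_elapsed_ms: int, policy: MpPolicy) -> Tuple[Optional[Link], str]:
    """One MLSP decision step: returns the new active link and the rule applied."""
    # Rule 5: dormant links under the hold RSSI are broken; the active link is
    # broken for the same reason only if some dormant link remains.
    dormant = [d for d in dormant if d.rssi >= policy.link_hold_rssi]
    if active is not None and active.rssi < policy.link_hold_rssi:
        if not dormant:
            return active, "rule 5: active below hold RSSI, no dormant link, kept"
        active = None  # rule 2, condition 2: switch regardless of the hold timer
    if active is None:
        # Rule 1: nothing to switch to without a dormant link.
        if not dormant:
            return None, "rule 1: no dormant link, active link cannot be formed"
        return max(dormant, key=lambda d: d.rssi), "formed from best dormant link"
    usable = [d for d in dormant if d.rssi <= policy.link_saturation_rssi]
    # Rule 2, condition 1: a saturated active link is switched even within
    # the hold time (if a non-saturated dormant link exists).
    if active.rssi > policy.link_saturation_rssi and usable:
        return max(usable, key=lambda d: d.rssi), "rule 2: active link saturated"
    if hold_elapsed_ms < policy.link_hold_time_ms:
        return active, "rule 2: link hold time not expired"
    # Rules 3 and 4: hold timer expired; a candidate must beat the active link
    # by the switch margin, stay below saturation, and have a rising RSSI.
    candidates = [d for d in usable
                  if d.rssi > active.rssi + policy.link_switch_margin
                  and d.rssi > d.prev_rssi]
    if not candidates:
        return active, "rule 3: no eligible dormant link, active link kept"
    return max(candidates, key=lambda d: d.rssi), "rule 4: switched"


if __name__ == "__main__":
    policy = MpPolicy()
    active = Link("rail2", 60, 62)
    # Constructed samples: the train approaches rail3 while the hold timer runs.
    for elapsed, rail3 in [(1000, Link("rail3", 75, 70)), (5000, Link("rail3", 75, 70))]:
        new_active, why = select_active_link(active, [rail3], elapsed, policy)
        print(f"t={elapsed} ms: active={new_active.peer} ({why})")
```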
Protocols and standards

- Draft P802.11s_D1.06
- ANSI/IEEE Std 802.11, 1999 Edition
- IEEE Std 802.11a
- IEEE Std 802.11b
- IEEE Std 802.11g
- IEEE Std 802.11i
- IEEE Std 802.11s
- IEEE Std
- draft-ohara-capwap-lwapp-03

Introduction to WDS

Wireless distribution system (WDS) provides wireless bridging links between separate LAN segments to provide connectivity between them.

Basic concepts in WDS

The WDS feature provides a single-hop wireless link between two APs, including:
- Link formation: Connections made based on the messages exchanged between two peer nodes.
- Link security: Provides PSK plus CCMP security.

Advantages of WDS

At present, 802.11-based WLAN technologies are widely applied in home, SOHO, and enterprise scenarios. APs are connected through cables, switches, routers, and power supplies. As a result, the wireless network is complex, costly, and no longer wireless, and it requires a lot of time to deploy. WDS provides wireless connectivity between separate LAN segments to simplify WLAN deployment.

WDS has the following advantages:
- Low cost for high performance deployment options
- Expansion without the need for new wiring or more access points
- Easy deployment in scenarios such as metros, companies, offices, large warehouses, manufacturing divisions, ports, and waterfronts

Deployment scenarios

The WDS feature supports the following three topologies.

Topology 1 Peer to Peer Connection [Point to Point]: In this topology, two neighbor MPs form a bridge between two LANs. In Figure 91, AP 1 and AP 2 bridge data between LAN segments 1 and 2 by converting it to 802.11s format and sending it over a wireless link.

Figure 91 WDS point to point topology

Topology 2 Centralized Bridging [Point to multipoint]: In this topology, a centralized bridging device forms wireless links with multiple MPs to bridge data among multiple LAN segments. As shown in Figure 92, data transferred between different LAN segments goes via AP

Figure 92 WDS point to multipoint topology

Topology 3 (Self Topology Detection and Bridging): In this topology, MPs automatically detect neighbors and form wireless links to provide wireless connectivity between LAN segments, as shown in Figure 93.

Figure 93 Self topology detection and bridging (AC; AP 1, AP 2, AP 3, AP 4; LAN Segment 2, LAN Segment 4)

WLAN mesh/WDS configuration task list

Complete the following tasks to configure WLAN mesh/WDS:
- Configuring an MKD ID: Required
- Configuring mesh port security: Required
- Configuring a mesh profile: Required
- Configuring mesh portal service: Optional
- Configuring an MP policy: Optional
- Mapping a mesh profile to the radio of an MP: Required
- Mapping an MP policy to the radio of an MP: Required
- Specifying a peer MAC address on the radio: Required
- Disabling temporary link establishment: Optional

Configuring an MKD ID

A common MKD ID should be configured for all fat MPs to form links between them.

To configure an MKD ID:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an MKD ID.
   Command: wlan mkd-id mkd-id
   Remarks: By default, the MKD ID is 000F-E

Configuring mesh port security

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter WLAN mesh interface view.
   Command: interface wlan-mesh interface-number
   Remarks: N/A
3. Enable 11key negotiation.
   Command: port-security tx-key-type 11key
   Remarks: By default, 11key negotiation is disabled.
4. Configure a PSK.
   Command: port-security preshared-key { pass-phrase | raw-key } key
   Remarks: By default, no PSK is configured.
5. Configure the port to operate in PSK mode.
   Command: port-security port-mode psk
   Remarks: By default, the port operates in norestrictions mode.

NOTE: For more information about the port-security tx-key-type 11key, port-security preshared-key, and port-security port-mode commands, see Security Command Reference.

Configuring a mesh profile

A mesh profile is created and mapped to an MP so that it can provide mesh services to other MPs that have the same mesh profile mapped.

To configure a mesh profile:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a mesh profile and enter mesh profile view.
   Command: wlan mesh-profile mesh-profile-number
   Remarks: N/A
3. Configure the mesh ID.
   Command: mesh-id mesh-id-name
   Remarks: By default, no mesh ID is set for the mesh profile.
4. Bind a WLAN mesh interface.
   Command: bind wlan-mesh interface-index
   Remarks: By default, no interface is bound to the mesh profile.
5. Configure the mesh link keep-alive interval.
   Command: link-keep-alive keep-alive-interval
   Remarks: By default, the mesh link keep-alive interval is 2 seconds.
6. Configure the backhaul radio rate.
   Command: link-backhaul-rate rate-value
   Remarks: By default, the link backhaul rate is 18 Mbps.
7. Enable the mesh profile.
   Command: mesh-profile enable
   Remarks: By default, the mesh profile is disabled.
8. Return to system view.
   Command: quit
   Remarks: N/A
9. Enable the mesh key distributor (MKD) service for the mesh profile.
   Command: mkd-service enable mesh-profile mesh-profile-number
   Remarks: By default, the MKD service is disabled.

Configuring mesh portal service

Mesh portal service should be enabled for an MP to work as a mesh portal point (MPP).

NOTE: Enable mesh portal service only for MPPs (APs connected to the AC).

To configure mesh portal service:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an AP template and enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model name is required only when you create a new AP template.
3. Enable the portal service.
   Command: portal-service enable
   Remarks: By default, the portal service is disabled.

Configuring an MP policy

Link formation and maintenance are driven by the attributes specified in the MP policy.

To configure an MP policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an MP policy and enter MP policy view.
   Command: wlan mp-policy policy-name
   Remarks: By default, the radio adopts the default MP policy default_mp_plcy, which cannot be modified.
3. Enable link initiation.
   Command: link-initiation enable
   Remarks: By default, link initiation is enabled.
4. Configure the maximum number of links.
   Command: link-maximum-number max-link-number
   Remarks: By default, the maximum number is 2.
5. Configure the link formation/link hold RSSI.
   Command: link-hold-rssi value
   Remarks: The default is 15 dBm.
6. Configure the link hold time.
   Command: link-hold-time value
   Remarks: The default is 4000 milliseconds.
7. Configure the link switch margin.
   Command: link-switch-margin value
   Remarks: The default is 10 dBm.
8. Configure the link saturation RSSI.
   Command: link-saturation-rssi value
   Remarks: The default is 150 dBm.
9. Configure the probe request interval.
   Command: probe-request-interval interval-value
   Remarks: By default, the probe request interval is 1000 ms.
10. Enable MLSP.
   Command: mlsp enable
   Remarks: By default, MLSP is disabled. If MLSP is disabled on a radio, the MLSP proxy MAC address configured under the current MP policy is removed.
11. Configure the MLSP proxy MAC address.
   Command: mlsp-proxy mac-address mac-address [ vlan vlan-id ] [ ip ip-address ]
   Remarks: By default, no MLSP proxy MAC address is configured. This command is visible only when MLSP is enabled.
12. Enable the device to act as an authenticator based on negotiation results.
   Command: role-authenticator enable
   Remarks: By default, whether a device acts as an authenticator is based on negotiation results.
13. Configure the link rate mode.
   Command: link rate-mode { fixed | real-time }
   Remarks: The default link rate mode is fixed.

NOTE: The mlsp enable and mlsp-proxy mac-address commands are applicable to subway WLAN mesh networks only.

Mapping a mesh profile to the radio of an MP

For an MP to advertise mesh capabilities, a mesh profile should be mapped to the radio of the MP.

To map a mesh profile to a radio:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model name is required only when you create a new AP template.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: N/A
4. Map the mesh profile to the radio.
   Command: mesh-profile mesh-profile-number
   Remarks: By default, no mesh profile is mapped to the radio.

Mapping an MP policy to the radio of an MP

An MP policy should be mapped to a radio so that link formation and maintenance on the radio can be driven by the attributes specified in the MP policy.

To map an MP policy to the radio of an MP (on an AC):
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model name is required only when you create a new AP template.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: N/A
4. Map the MP policy to the radio.
   Command: mp-policy policy-name
   Remarks: By default, the radio adopts the default MP policy default_mp_plcy.

Specifying a peer MAC address on the radio

You need to specify the MAC addresses of permitted peers on the local radio interface.

To specify a peer MAC address on a radio:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter AP template view.
   Command: wlan ap ap-name [ model model-name [ id ap-id ] ]
   Remarks: The model name is required only when you create a new AP template.
3. Enter radio view.
   Command: radio radio-number [ type { dot11a | dot11an | dot11b | dot11g | dot11gn } ]
   Remarks: N/A
4. Specify a permitted peer and specify the cost of the mesh link to the peer.
   Command: mesh peer-mac-address mac-address [ cost cost ]
   Remarks: By default, the radio has no peer MAC address configured, all neighbors are permitted, and the cost of the mesh link to a peer is automatically calculated.

Disabling temporary link establishment

In the subway mesh network shown in Figure 89, when a Rail MP goes offline (because of power loss, for example), it loses its configuration and tries to establish a temporary link with another Rail MP to reach the AC. You can perform this task to disable temporary link establishment on the AC so that other Rail MPs do not provide AC access for the failed Rail MP. The Rail MP can then reach the AC only when its wired port goes up.

To disable temporary link establishment:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MP policy view.
   Command: wlan mp-policy policy-name
   Remarks: N/A
3. Disable temporary link establishment.
   Command: undo temporary-link enable
   Remarks: By default, temporary link establishment is enabled.

Displaying and maintaining WLAN mesh link

Task: Display mesh link information.
Command: display wlan mesh-link ap { all | name ap-name [ verbose ] } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display mesh profile information.
Command: display wlan mesh-profile { mesh-profile-number | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display MP policy information.
Command: display wlan mp-policy { mp-policy-name | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Perform a mesh link test on the specified AP and display the test results.
Command: wlan mesh-link-test ap-name
Remarks: Available in user view

WLAN mesh configuration examples

Normal WLAN mesh configuration example

Network requirements

As shown in Figure 94, establish a mesh link between the MAP and the MPP. Configure 802.11g on the MAP so that the client can access the network.

Figure 94 Network diagram

Configuration procedure

1. Configure mesh:
# Enable port security.
<AC> system-view
[AC] port-security enable
# Create WLAN mesh interface 1. Enable 11key negotiation, set a PSK, and set the port security mode to PSK mode for the interface.
[AC] interface WLAN-MESH 1
[AC-WLAN-MESH1] port-security tx-key-type 11key
[AC-WLAN-MESH1] port-security preshared-key pass-phrase
[AC-WLAN-MESH1] port-security port-mode psk
[AC-WLAN-MESH1] quit
# Create mesh profile 1, and bind WLAN mesh interface 1 to it.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] bind WLAN-MESH 1
[AC-wlan-mshp-1] quit
# Configure an MKD-ID (an MKD-ID exists by default, and you can omit this command).
[AC] wlan mkd-id 0eab-01cd-ef00

# Enable the MKD service.
[AC] mkd-service enable mesh-profile 1

# Set the mesh ID to outdoor for mesh profile 1, and enable the mesh profile.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] mesh-id outdoor
[AC-wlan-mshp-1] mesh-profile enable
[AC-wlan-mshp-1] quit

# A default MP policy exists. You can also configure your own MP policy. The default MP policy is used in this example.

2. Configure the MPP:

# Create AP template mpp of model WA2620-AGN, and configure its serial ID.
[AC] wlan ap mpp model WA2620-agn
[AC-wlan-ap-mpp] serial-id 59235B15D114C

# Create radio 1, specify channel 149, map mesh profile 1 to the radio, and then enable the radio.
[AC-wlan-ap-mpp] radio 1 type dot11a
[AC-wlan-ap-mpp-radio-1] channel 149
[AC-wlan-ap-mpp-radio-1] mesh-profile 1
[AC-wlan-ap-mpp-radio-1] radio enable
[AC-wlan-ap-mpp-radio-1] quit

# Enable the mesh portal service for the MPP.
[AC-wlan-ap-mpp] portal-service enable

3. Configure the MAP:

# Create AP template map of model WA2620-AGN, and configure its serial ID.
[AC] wlan ap map model WA2620-agn
[AC-wlan-ap-map] serial-id G007C

# Create radio 1, specify channel 149, map mesh profile 1 to the radio, and then enable the radio.
[AC-wlan-ap-map] radio 1 type dot11a
[AC-wlan-ap-map-radio-1] channel 149
[AC-wlan-ap-map-radio-1] mesh-profile 1
[AC-wlan-ap-map-radio-1] radio enable
[AC-wlan-ap-map-radio-1] return

After the configuration, a mesh link is established between the MAP and the MPP, and they can ping each other.

4. Configure the 802.11g service on the MAP so that the client can access the network. For the related configuration, see "Configuring WLAN services." After 802.11g is configured on the MAP, the client and the AC can ping each other, and the client can access the network through the mesh link.

Verifying the configuration

# Display the mesh link information on the AC.
<AC> display wlan mesh-link ap all
 Mesh Link Information
 AP Name: mpp

 Peer            Local           Status      RSSI   Packets(Rx/Tx)
 ef b4a          00aa            Forwarding         /
 AP Name: map
 Peer            Local           Status      RSSI   Packets(Rx/Tx)
 aa              ef b4a          Forwarding         /

The output shows that the MPP and the MAP have established a mesh link.

Subway WLAN mesh configuration example

Network requirements

Configure WLAN mesh so that the train MP forms links with rail MPs while it moves. Among these links, one is the active link and all others are dormant links.

Figure 95 Network diagram (the AC is wired to Rail MP 1 through Rail MP n; the Train MP holds one active link and several dormant links to the rail MPs)

Configuration procedure

1. Configure AC-related functions:

# Enable port security.
<AC> system-view
[AC] port-security enable

# Create WLAN mesh interface 1. Enable 11key negotiation, set a PSK, and set the port security mode to PSK for the interface.
[AC] interface WLAN-MESH 1
[AC-WLAN-MESH1] port-security tx-key-type 11key
[AC-WLAN-MESH1] port-security preshared-key pass-phrase
[AC-WLAN-MESH1] port-security port-mode psk
[AC-WLAN-MESH1] quit

# Create mesh profile 1, and bind WLAN mesh interface 1 to it.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] bind WLAN-MESH 1
[AC-wlan-mshp-1] quit

# Configure an MKD-ID (an MKD-ID exists by default, and you can omit this command).
[AC] wlan mkd-id 0eab-01cd-ef00

# Enable the MKD service.
[AC] mkd-service enable mesh-profile 1

# Set the mesh ID to train for mesh profile 1, and enable the mesh profile.
[AC] wlan mesh-profile 1
[AC-wlan-mshp-1] mesh-id train
[AC-wlan-mshp-1] mesh-profile enable
[AC-wlan-mshp-1] quit

# Create MP policy rail_policy, and disable link initiation and the authenticator role.
[AC] wlan mp-policy rail_policy
[AC-wlan-mp-policy-rail_policy] undo link-initiation enable
[AC-wlan-mp-policy-rail_policy] undo role-authenticator enable
[AC-wlan-mp-policy-rail_policy] quit

# Create AP template railmp1 of model WA2210X-GE, configure its serial ID, and enable the portal service.
[AC] wlan ap railmp1 model wa2210x-ge
[AC-wlan-ap-railmp1] serial-id A42RB
[AC-wlan-ap-railmp1] portal-service enable

# Create radio 1, specify channel 1 (the WA2210X-GE is a 2.4 GHz AP, and the train MP uses the same channel below), map MP policy rail_policy and mesh profile 1 to the radio, and enable the radio.
[AC-wlan-ap-railmp1] radio 1
[AC-wlan-ap-railmp1-radio-1] channel 1
[AC-wlan-ap-railmp1-radio-1] mp-policy rail_policy
[AC-wlan-ap-railmp1-radio-1] mesh-profile 1
[AC-wlan-ap-railmp1-radio-1] radio enable
[AC-wlan-ap-railmp1-radio-1] return

The configurations of the other rail MPs are similar.

2. Configure the train MP:

# Enable port security.
<TrainMP> system-view
[TrainMP] port-security enable

# Create WLAN mesh interface 1. Enable 11key negotiation, set a PSK, and set the port security mode to PSK for the interface.
[TrainMP] interface wlan-mesh 1
[TrainMP-WLAN-MESH1] port-security tx-key-type 11key
[TrainMP-WLAN-MESH1] port-security preshared-key pass-phrase
[TrainMP-WLAN-MESH1] port-security port-mode psk
[TrainMP-WLAN-MESH1] quit

# Create mesh profile 1, and bind WLAN mesh interface 1 to it.
[TrainMP] wlan mesh-profile 1
[TrainMP-wlan-mshp-1] bind wlan-mesh 1

# Set the mesh ID to train for mesh profile 1, and enable the mesh profile.
[TrainMP-wlan-mshp-1] mesh-id train
[TrainMP-wlan-mshp-1] mesh-profile enable
[TrainMP-wlan-mshp-1] quit

# Create MP policy train_policy, set the maximum number of links to 8, enable MLSP, and configure the proxy MAC address.
[TrainMP] wlan mp-policy train_policy
[TrainMP-wlan-mp-policy-train_policy] link-maximum-number 8
[TrainMP-wlan-mp-policy-train_policy] mlsp enable
[TrainMP-wlan-mp-policy-train_policy] mlsp-proxy mac-address 000f-e
[TrainMP-wlan-mp-policy-train_policy] quit

# Configure interface WLAN-Radio1/0/2: specify channel 1 as the working channel, and bind MP policy train_policy and mesh profile 1.
[TrainMP] interface wlan-radio 1/0/2
[TrainMP-WLAN-Radio1/0/2] channel 1
[TrainMP-WLAN-Radio1/0/2] mp-policy train_policy
[TrainMP-WLAN-Radio1/0/2] mesh-profile 1
[TrainMP-WLAN-Radio1/0/2] return

Troubleshooting WLAN mesh link

Authentication process not started

Symptom: A PMK MA request is sent successfully for client 000F-E27C-6C00, but the authentication process is not started.
Analysis: The portal service is enabled for an MP that has no wired connection.
Solution: Enter AP template view and use the display this command to verify whether the portal service is enabled. If it is, use the undo portal-service enable command to disable it.

Failed to ping MAP

Symptom: A ping from a station does not work through the MAP.
Analysis: The portal service is disabled and the authenticator role is enabled for the MAP.
Solution:
1. Enter AP template view and use the display this command to verify whether the portal service is disabled. If it is, use the portal-service enable command to enable the portal service for the MAP.
2. Enter radio view and verify whether the MP policy mapped to the radio has the authenticator role enabled. If it does, disable all the radios to which this MP policy is mapped.

3. Enter MP policy view and use the undo role-authenticator enable command so that the device does not act as an authenticator.
4. Enable all the radios.

Configuration download failed for zero-configuration device

Symptom: A zero-configuration device forms links, but the configuration download does not happen.
Analysis: The channel configuration may be wrong, or the mapped mesh profile may be wrong.
Solution:
1. Enter radio view and use the display this command.
2. Verify that the channel is the same as that of the MPP. If it is not, change it with the channel command.
3. Verify that the mesh profile mapped to the radio is the same as the one mapped to the MPP's radio. If it is not, unmap the current mesh profile with the undo mesh-profile command, and then map the correct mesh profile with the mesh-profile command.

Configuration download failed for MP

Symptom: A mesh profile is mapped to the radio of an MP, but the configuration is not downloaded to the MP.
Analysis: Verify that the security configuration has been made, that the mapped mesh profile is enabled, and that the radio is enabled.
Solution:
1. Configure the security parameters.
2. Enable the mapped mesh profile with the mesh-profile enable command.
3. Enable the radio with the radio enable command.

Debug error: neither local nor remote is connected to MKD

Symptom: Debug error: Neither local nor remote is connected to MKD.
Analysis: Check whether the MKD service is enabled for the mapped mesh profile.
Solution: Enable the MKD service for the mesh profile with the mkd-service enable command.

PMKMA delete is received by MPP for MP

Symptom: After the MPP comes up, an MP tries to connect to it. During this process, the AC receives a number of PMKMA requests and sends back PMKMA responses. After that, a PMKMA delete is sent to the MPP for the MP.
Analysis: Check whether intrusion detection is enabled.
Solution: If intrusion detection is enabled, disable it. Because intrusion detection protects against more than this one MP, verify that the MP is an expected peer (for example, one listed with the mesh peer-mac-address command) before you disable it.
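The display wlan mesh-link output shown in the examples above is also what an operator should compare against the permitted peers configured with mesh peer-mac-address, because by default every neighbor that completes authentication is allowed to form a link. The following Python script is added here as an example; it is not part of the H3C documentation. It parses a constructed sample of the display output (the column layout and all MAC addresses are assumptions for this example) and reports any link in Forwarding state whose peer is not on that AP's allow-list.

```python
import re
from dataclasses import dataclass

# Constructed sample of `display wlan mesh-link ap all` output. The column
# layout and every MAC address here are assumptions made for this example.
SAMPLE_OUTPUT = """\
 Mesh Link Information
 AP Name: mpp
   Peer            Local           Status      RSSI   Packets(Rx/Tx)
   000f-e2b4-a001  000f-e2aa-0001  Forwarding  60     1234/5678
   000f-e2c9-9999  000f-e2aa-0001  Forwarding  41     10/12
 AP Name: map
   Peer            Local           Status      RSSI   Packets(Rx/Tx)
   000f-e2aa-0001  000f-e2b4-a001  Forwarding  60     5678/1234
"""

# Mirror of the `mesh peer-mac-address` entries configured on each AP's radio.
# An AP with no entry here is treated as having no allow-list, so every
# forwarding peer on it is flagged.
PERMITTED_PEERS = {
    "mpp": {"000f-e2b4-a001"},
    "map": {"000f-e2aa-0001"},
}

MAC = r"([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"
AP_RE = re.compile(r"^\s*AP Name:\s*(\S+)")
LINK_RE = re.compile(r"^\s*" + MAC + r"\s+" + MAC + r"\s+(\S+)\s+(-?\d+)\s+(\d+)/(\d+)")


@dataclass
class MeshLink:
    ap: str
    peer: str
    local: str
    status: str
    rssi: int
    rx: int
    tx: int


def parse_mesh_links(text):
    """Parse the per-AP link table into MeshLink records."""
    links, ap = [], None
    for line in text.splitlines():
        m = AP_RE.match(line)
        if m:
            ap = m.group(1)
            continue
        m = LINK_RE.match(line)
        if m and ap is not None:
            peer, local, status, rssi, rx, tx = m.groups()
            links.append(MeshLink(ap, peer.lower(), local.lower(), status,
                                  int(rssi), int(rx), int(tx)))
    return links


def unexpected_peers(links, permitted):
    """Return (ap, peer) pairs that forward traffic to a peer not in the AP's allow-list."""
    return [(lk.ap, lk.peer) for lk in links
            if lk.status == "Forwarding" and lk.peer not in permitted.get(lk.ap, set())]


if __name__ == "__main__":
    for ap, peer in unexpected_peers(parse_mesh_links(SAMPLE_OUTPUT), PERMITTED_PEERS):
        print(f"{ap}: forwarding mesh link to peer {peer} that is not in the permitted list")
```

In practice the allow-list would be taken from the running configuration of each AP template rather than typed in, and the check would be scheduled so that a new Forwarding link to an unlisted MAC raises an alert.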

Configuring WLAN sniffer

In a wireless network, it is difficult to locate signal interference and packet collisions by using the debugging information or terminal display information of WLAN devices. WLAN sniffer facilitates troubleshooting by using an AP as a packet sniffer to listen to, capture, and record wireless packets. The captured packets are stored in a CAP file.

As shown in Figure 96, WLAN sniffer is enabled on the Capture AP. The Capture AP listens to the wireless packets in the network, including packets from other APs, rogue APs, and clients, and stores the captured packets in the specified CAP file. The administrator can download the CAP file to a PC for analysis.

Figure 96 Network diagram (LAN segment)

Configuring WLAN sniffer

NOTE:
Disable other services such as WLAN and mesh before you enable WLAN sniffer on the radio, and do not enable these services during the WLAN sniffer process.

To configure WLAN sniffer:

1. Enter system view.
   system-view

2. Configure the maximum number of packets that can be captured by an AP.
   wlan capture packet-limit packet-limit
   By default the maximum number of packets that can be captured by an AP is
   You cannot change the maximum number of packets that can be captured by an AP during the WLAN sniffer process. WLAN sniffer stops when the maximum number is reached.

3. Specify the name of the CAP file to which the captured packets are saved.
   wlan capture file-name file-name
   CaptureRecord by default. The file has the fixed extension .dmp, which is not configurable. You cannot change the name of the CAP file during the WLAN sniffer process.

4. Enable WLAN sniffer on a radio of an AP.
   wlan capture start ap ap-name radio radio-number
   The radio must have been enabled, and its working channel must have been manually specified. The AP that holds the radio must have been associated with the AC. WLAN sniffer can be enabled for only one radio of an AP.

5. Disable WLAN sniffer.
   wlan capture stop
   Optional.

NOTE:
An auto AP does not support the WLAN sniffer function.
To enable WLAN sniffer on a radio, the AP must operate in normal mode and must be in Run state, and the working channel of the radio must be manually specified.
Disabling the sniffer-enabled radio, deleting the Capture AP, disconnecting the Capture AP from the AC, or disabling WLAN sniffer stops the sniffer operation.
The captured packets are saved to the specified CAP file in the default storage medium. The default storage medium varies with device models.
The working mode of the AP cannot be changed with the work-mode monitor or device-detection enable command while it is capturing packets.
Because the capture includes frames from every BSS on the channel, including other APs' clients, treat the CAP file as sensitive data and remove it from the storage medium after you have downloaded it.

Displaying and maintaining WLAN sniffer

Display information about WLAN sniffer enabled APs (available in any view):
   display wlan capture [ | { begin | exclude | include } regular-expression ]

WLAN sniffer configuration example

Network requirements

As shown in Figure 97, enable WLAN sniffer on the AC for an AP to capture wireless packets.

Figure 97 Network diagram

Configuration procedure

NOTE:
To enable WLAN sniffer on a radio, the AP must operate in normal mode and must be in Run state, and the working channel of the radio must be manually specified. In this example, the working channel of Radio 2 has already been manually specified; it appears in the Channel field of the display wlan capture output.

1. Configure the WLAN sniffer function:

# Enable WLAN sniffer on Radio 2 of the AP named captureap.
<AC> system-view
[AC] wlan capture start ap captureap radio 2

2. Verify the configuration:

# Display information about the AP that is capturing packets. The output shows that Radio 2 on the AP is capturing packets.
[AC] display wlan capture
 WLAN Capture
 AP : captureap
 Radio : 2

 Radio Mode : 802.11g
 Channel : 11
 Capture Limit : 5000
 File Name : CaptureRecord.dmp
 Status : Capturing
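Once the CAP file has been downloaded, the analysis the sniffer is meant to support is done off the AC. The following Python script is an added example, not part of the H3C documentation: it reads a capture, counts deauthentication and disassociation frames per transmitter, and flags transmitters above a threshold, which is the usual first check for a deauthentication flood against a BSS. The guide does not document the .dmp layout, so the script assumes a standard little-endian pcap container whose records are raw IEEE 802.11 frames (pcap link type 105) and builds its own constructed capture in memory; the MAC addresses and frame counts are made up for the example.

```python
import struct
from collections import Counter

# Assumption for this example: the capture is a standard little-endian pcap
# file whose records are raw IEEE 802.11 frames (pcap link type 105). The
# guide itself does not document the .dmp layout.
LINKTYPE_IEEE802_11 = 105
PCAP_MAGIC = 0xA1B2C3D4
PCAP_HDR = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "<IIII"       # ts_sec, ts_usec, incl_len, orig_len

# 802.11 Frame Control byte 0 = subtype << 4 | type << 2 | protocol version.
FC_BEACON, FC_DEAUTH, FC_DISASSOC, FC_DATA = 0x80, 0xC0, 0xA0, 0x08


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def frame(fc0, dst, src, bssid, body=b""):
    """Build a minimal 24-byte 802.11 MAC header (FC, duration, addr1-3, seq) plus body."""
    return (bytes([fc0, 0x00]) + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + b"\x00\x00" + body)


def build_pcap(frames):
    hdr = struct.pack(PCAP_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    recs = b"".join(struct.pack(REC_HDR, 1, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


def iter_frames(data):
    """Yield each record's bytes from a pcap of raw 802.11 frames."""
    magic, _, _, _, _, _, linktype = struct.unpack(PCAP_HDR, data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("not a little-endian pcap of raw 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(REC_HDR, data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def deauth_sources(data, threshold):
    """Count deauthentication/disassociation frames per transmitter (Address 2)
    and return the transmitters at or above the threshold."""
    counts = Counter()
    for f in iter_frames(data):
        if len(f) < 24:
            continue
        fc0 = f[0]
        if (fc0 >> 2) & 0x3 == 0 and (fc0 >> 4) in (0xC, 0xA):   # management: deauth/disassoc
            counts[":".join(f"{b:02x}" for b in f[10:16])] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed capture: one beacon and some data from a legitimate BSS, one
# genuine deauthentication, then 25 broadcast deauthentications carrying the
# AP's address as transmitter, which is what a spoofed flood looks like on air.
AP, CLIENT, BCAST = "00:0f:e2:aa:00:01", "00:0f:e2:11:22:33", "ff:ff:ff:ff:ff:ff"
SAMPLE_PCAP = build_pcap(
    [frame(FC_BEACON, BCAST, AP, AP)]
    + [frame(FC_DATA, AP, CLIENT, AP, b"\x00" * 40)] * 5
    + [frame(FC_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3))]
    + [frame(FC_DEAUTH, BCAST, AP, AP, struct.pack("<H", 7))] * 25
)

if __name__ == "__main__":
    for src, n in deauth_sources(SAMPLE_PCAP, 10).items():
        print(f"{src}: {n} deauth/disassoc frames in capture")
```

Because the transmitter address is spoofed, the count lands on the AP's own MAC; a burst of broadcast deauthentications attributed to your own BSSID is exactly the signature to look for, and the sequence-number discontinuities in the flood (not modelled here) distinguish it from the AP's genuine frames. Replace SAMPLE_PCAP with the bytes of the downloaded CaptureRecord.dmp to run the same check on a real capture.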

Configuring wireless location

Wireless location overview

NOTE:
Support for this feature depends on your device model.

Wireless location is a technology for locating, tracking, and monitoring specific assets by using Wi-Fi-based Radio Frequency Identification (RFID) and sensors. APs send collected Tag or MU messages to an AeroScout Engine (referred to as AE hereinafter). The AE performs the location calculation and sends the results to the graphics software. You can view the location information of the assets in the maps, forms, and reports provided by the software, which also offers search, alert, and query functions. Wireless location can be applied to medical monitoring, asset management, and logistics, helping users effectively manage and monitor assets.

Architecture of the wireless location system

A wireless location system is composed of three parts: the devices or sources to be located, the location information receivers, and the location systems.

Devices or sources to be located include Tags and Mobile Units (MUs). Tags are small, portable AeroScout RFIDs that are usually placed on or glued to the assets to be located. MUs are wireless terminals or devices running 802.11. Tags and MUs send wireless messages periodically.

Location information receivers include APs.

Location systems include the location server, the AE calculation software, and different types of graphics software.

Wireless locating process

A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags, and other devices supporting WLAN protocols. Except for Tags, all wireless devices are identified as MUs by the wireless location system.

1. Located devices send Tag or MU messages.

An RFID sends Tag messages that contain channel information over different channels. The RFID first sends messages periodically over the configured channels and then sends Tag messages over channels 1, 6, and 11 in turn periodically. Standard wireless devices send MU messages.
An MU message does not contain channel information, so an AP cannot filter MU messages by channel number. That work is done by the location server by using a certain algorithm and rules.

2. The AP collects Tag and MU messages.

The working mode of an AP determines how it collects Tag and MU messages:
When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other wireless devices that are not associated with it.
When the AP operates in normal mode, it can only locate wireless clients associated with it.
The wireless location system considers wireless clients associated with the AP as wireless clients,

and considers wireless clients or other wireless devices not associated with the AP as unknown devices.

NOTE:
For more information about monitor mode and hybrid mode, see "Configuring WLAN security."

The AP collects Tag and MU messages as follows:

Upon receiving Tag messages (assuming that the Tags mode has been configured on the AC and the location server has notified the AP to report Tag messages), the AP checks the Tag messages, encapsulates those that pass the check, and sends them to the location server. The AP encapsulates a Tag message by copying all of its information (including the message header and payload) except the multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio that received the Tag message.

Upon receiving MU messages (assuming that the MUs mode has been configured on the AC and the location server has notified the AP to report MU messages), the AP checks the messages, encapsulates those that pass the check, and sends them to the location server. The AP encapsulates an MU message by copying its source address, Frame Control field, and Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio that received the MU message.

3. The location server calculates the locations of the devices.

After receiving Tag and MU messages from the APs, the location server uses an algorithm to calculate the locations of the devices according to the RSSI, SNR, radio mode, and data rate carried in the messages, and displays the locations on the imported map. Typically, the location server can calculate the locations as long as at least three APs (in monitor or hybrid mode) report Tag and MU messages.
Configuring wireless location

To perform wireless location, perform the following configurations on the location server and on the device:

On the location server, configure whether to locate Tags or MUs, the Tag message multicast address, and the dilution factor. These settings are sent to the APs in configuration messages. For more information about the location server and its configuration parameters, see the location server manuals.

On the wireless device, configure the wireless location function.

NOTE:
Configure the AP mode settings when you configure wireless location on the AC.

To configure wireless location:

1. Enter system view.
   system-view

2. Enable wireless location.
   wlan rfid-tracking enable
   By default, wireless location is disabled.

3. Specify the port number for the location server vendor.
   wlan rfid-tracking vendor-port vendor-port-value
   By default, the port number for the vendor is

4. Specify the AP name and model, and enter AP template view.
   wlan ap ap-name [ model model-name [ id ap-id ] ]
   The AP model needs to be specified only when you create an AP template.

5. Enter WLAN radio view.
   radio radio-id

6. Configure the wireless location mode for the radio.
   rfid-tracking mode { all | mu | tag }
   By default, no wireless location mode is configured for the radio.

After the configuration, the AP waits for the configuration message sent by the location server and, after receiving that message, starts to receive and report Tag and MU messages. In addition, the AP reports its IP address changes and reboot events to the location server so that the location server can respond in time.

To report a reboot event after a reboot, the AP must use the IP address and port information of the location server stored in its flash. The AP maintains this information as follows: the AP updates the data in the flash after receiving a configuration message. To protect the flash, the AP does not update it immediately but waits for 10 minutes. If it receives another configuration message before the 10 minutes elapse, the AP only updates the configuration information in its cache, and saves the information to the flash when the 10-minute timer expires. If the AP reboots within 10 minutes of receiving the first configuration message, no server information has been saved to the flash, so the AP does not send a reboot message to the location server.

Displaying and maintaining wireless location

Display wireless location radio information (available in any view):
   display wlan rfid-tracking radio [ ap ap-name radio radio-id ] [ | { begin | exclude | include } regular-expression ]

Wireless location configuration example

Network requirements

As shown in Figure 98, AP 1, AP 2, and AP 3 operate in monitor mode and send the collected Tag and MU messages to the AE (the location server).
The AE performs the location calculation and sends the results to the graphics software. The software shows the location information of the rogue AP, APs, and clients in maps, forms, or reports.

Figure 98 Network diagram

Configuration procedure

1. Configure the AE:
Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select broadcast so that the AE discovers the APs. Perform the wireless location configuration on the AE.

2. Configure the APs to operate in monitor mode:
On the AC, configure AP 1, AP 2, and AP 3 to operate in monitor mode. The three APs are configured similarly; this section describes only AP 1.

# Create AP 1.
<AC> system-view
[AC] wlan ap ap1 model WA2220-AG
# Specify the serial ID for the AP.
[AC-wlan-ap-ap1] serial-id A29G007C
# Configure the AP to operate in monitor mode.
[AC-wlan-ap-ap1] work-mode monitor
# Enable the radio.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] radio enable
[AC-wlan-ap-ap1-radio-1] return
# Enable wireless location.
<AC> system-view
[AC] wlan rfid-tracking enable
# Configure the wireless location mode.
[AC] wlan ap ap1
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] rfid-tracking mode all
[AC-wlan-ap-ap1-radio-1] return

3. Verify the configuration:
# Display wireless location radio information.
<AC> display wlan rfid-tracking radio

 WLAN RFID Tracking
 AP    Radio   Mode
 ap1   1       MU/Tag
 ap1   2       N/A

# You can view the location information of the rogue AP, APs, and clients in the maps, forms, or reports provided by the graphics software.

Configuration guidelines

To implement wireless location, configure at least three APs to operate in monitor or hybrid mode.
An AP monitors clients on different channels periodically. If the Tag message sending interval is configured as 1 second, the AP scans and reports Tag messages every half minute. If higher location efficiency is required, set the Tag sending interval on the AE to the smallest value, 124 milliseconds.
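The guide describes the AE's calculation only as an algorithm over the RSSI, SNR, data rate, and radio mode reported by at least three APs. The following Python example is added here for illustration; it is neither H3C's nor AeroScout's code and does not reproduce the AE's actual algorithm. It shows the simplest form of such a calculation: each AP's reported RSSI is turned into a distance with a log-distance path-loss model (reference power, reference distance, and path-loss exponent are assumed values), and the position is solved by linear least squares, which also makes clear why fewer than three APs, or three collinear ones, cannot give a position. The AP coordinates and the target used in the self-test are constructed.

```python
import math

# Log-distance path-loss model used to turn RSSI into distance. P0 (dBm at
# D0 metres) and the exponent N are assumptions for this example; the AE's
# own model is not documented in the guide.
P0_DBM, D0_M, PATHLOSS_N = -40.0, 1.0, 2.5


def rssi_to_distance(rssi):
    return D0_M * 10 ** ((P0_DBM - rssi) / (10 * PATHLOSS_N))


def distance_to_rssi(distance):
    return P0_DBM - 10 * PATHLOSS_N * math.log10(distance / D0_M)


def locate(reports):
    """Least-squares position from ((x, y), rssi) reports of three or more APs.

    Each AP gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the first
    AP's circle from every other one leaves a linear system in (x, y), which
    is solved here through the 2x2 normal equations."""
    if len(reports) < 3:
        raise ValueError("need reports from at least three APs")
    (x1, y1), r1 = reports[0]
    d1 = rssi_to_distance(r1)
    rows = []
    for (xi, yi), ri in reports[1:]:
        di = rssi_to_distance(ri)
        rows.append((2 * (x1 - xi), 2 * (y1 - yi),
                     di ** 2 - d1 ** 2 + x1 ** 2 - xi ** 2 + y1 ** 2 - yi ** 2))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("reporting APs are collinear; position is ambiguous")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def simulate_reports(ap_positions, target):
    """Constructed, noise-free RSSI reports for a device at `target`."""
    return [((x, y), distance_to_rssi(math.hypot(x - target[0], y - target[1])))
            for x, y in ap_positions]


if __name__ == "__main__":
    # Four monitor-mode APs on the corners of a 30 m square (constructed).
    aps = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0), (30.0, 30.0)]
    print(locate(simulate_reports(aps, (9.0, 12.0))))
```

With real reports the RSSI values are noisy and the path-loss exponent varies by building, so the residual of the least-squares fit is worth reporting alongside the position; a large residual from a device that the APs see as a rogue AP is a hint that its transmit power or antenna differs from what the model assumes.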

Optimizing WLAN

Proper channel planning and power control policies during WLAN deployment are very important for good performance. In live WLAN networks, however, channel overlapping, collisions, and interference occur easily because the number of non-overlapping channels is limited while the number of WLAN devices keeps increasing. This chapter describes a set of features used to improve the quality and stability of live WLAN networks.

NOTE:
A feature applied in different WLANs may have different effects because many factors affect WLAN performance. There is no fixed combination of features for optimizing a specific WLAN. Select the features most suitable for your WLAN.
The features described in this chapter cannot change the performance of a WLAN dramatically. In practice, if the features used improve WLAN performance by 3%, the optimization is considered successful.

Rejecting wireless clients with low RSSI

Wireless clients whose packets have a low received signal strength indicator (RSSI) cannot get good service or performance, but they occupy the wireless channel, especially when they download large amounts of data, and thereby affect clients with high RSSI. This task configures an RSSI threshold so that clients whose RSSI is lower than the threshold cannot access the WLAN.

CAUTION:
This feature prevents wireless clients whose RSSI is lower than the specified RSSI from accessing the WLAN.

To configure the client-reject signal threshold:

1. Enter system view.
   system-view

2. Configure the client-reject RSSI.
   wlan option client-reject rssi
   Not configured by default.

Enabling fair scheduling

The fair scheduling feature sends each packet to a different client in turn to ensure fairness. This mechanism avoids the situation where some clients occupy the output queues on an AP for a long time while downloading bulky data with applications such as BitTorrent (BT) and video on demand.

To enable fair scheduling:

1. Enter system view.
   system-view

2. Enable fair scheduling.
   wlan option fair-schedule enable
   Enabled by default.

Ignoring weak signals

When an AP detects weak signals from a remote client, it considers the channel occupied and does not forward other packets. This feature avoids the impact of weak signals by enabling an AP to ignore packets whose signal strength is lower than a specified RSSI.

NOTE:
Although this feature increases the forwarding rate of the AP, it may cause interference or collisions with other devices working on the same channel.

To ignore signals weaker than an RSSI:

1. Enter system view.
   system-view

2. Ignore signals weaker than an RSSI.
   wlan option signal-ignore rssi
   Not configured by default.

Enabling 802.11n packet suppression

802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can carry multiple MPDUs that have their PHY headers removed. This reduces transmission overhead and the number of ACK frames, and improves network throughput. In practice, however, 802.11gn, 802.11g, and 802.11b clients may coexist, and the MPDU aggregation capability of 802.11n affects the performance of the other types of clients.

This feature suppresses 802.11n packets by defining two thresholds: a maximum number of aggregated MPDUs and a maximum A-MPDU length. The two thresholds take effect at the same time. If either threshold is reached, the AP stops aggregation and sends the A-MPDU.

NOTE:
This feature reduces the impact of 802.11n clients on other types of clients.

To configure packet suppression:

1. Enter system view.
   system-view

2. Enable packet suppression and specify the thresholds.
   wlan option dot11n-restraint packet-number max-packets packet-length max-length
   Not enabled by default.
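The two thresholds of the packet suppression feature above interact: whichever is reached first closes the A-MPDU. The following Python function is an added example, not H3C code, that models this rule on a queue of MPDU lengths and summarises the trade-off, namely fewer, longer A-MPDUs (less PHY-header overhead for the 802.11n client) against the longest single burst the channel is held for (what the 802.11b/g clients experience). The MPDU sizes and threshold values are constructed for the example, and the rule that an MPDU which would push the length past the limit starts a new A-MPDU is an assumption about how the length threshold is applied.

```python
def aggregate_ampdu(mpdu_lengths, max_packets, max_length):
    """Group MPDUs (byte lengths, in arrival order) into A-MPDUs.

    An A-MPDU is closed and sent as soon as it holds max_packets MPDUs or its
    total length reaches max_length. An MPDU that would push the total past
    max_length is not appended; it starts the next A-MPDU instead (assumed
    behaviour for this example).
    """
    if max_packets < 1 or max_length < 1:
        raise ValueError("both thresholds must be positive")
    ampdus, current, current_len = [], [], 0
    for length in mpdu_lengths:
        if current and current_len + length > max_length:
            ampdus.append(current)
            current, current_len = [], 0
        current.append(length)
        current_len += length
        if len(current) >= max_packets or current_len >= max_length:
            ampdus.append(current)
            current, current_len = [], 0
    if current:
        ampdus.append(current)
    return ampdus


def summarize(ampdus):
    """Number of A-MPDUs (one PHY header and one block ACK each) and the
    longest channel-holding burst in bytes."""
    return {"ampdus": len(ampdus), "largest_burst": max(sum(a) for a in ampdus)}


if __name__ == "__main__":
    # Constructed queue: 64 full-size MPDUs of 1500 bytes each.
    queue = [1500] * 64
    print("unrestrained:", summarize(aggregate_ampdu(queue, 64, 65535)))
    print("restrained  :", summarize(aggregate_ampdu(queue, 8, 8000)))
```

For the constructed queue, the unrestrained case sends the data in 2 A-MPDUs with a 64500-byte burst, while packet-number 8 and packet-length 8000 yield 13 A-MPDUs with no burst longer than 7500 bytes; the number of PHY headers rises sixfold, which is the cost the feature's NOTE refers to.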

Enabling traffic shaping based on link status

Clients near an AP have high RSSI, while clients at the edge of the AP's coverage area have low RSSI. When the network is busy, these weak clients occupy the working channel of the AP for a long time because of their lower rates, and affect the clients with good RSSI. The traffic shaping feature identifies weak clients by checking their signal strength and packet loss ratio, and dynamically controls their packet throughput to reduce their impact on other clients.

To enable traffic shaping:

1. Enter system view.
   system-view

2. Enable traffic shaping based on link status.
   wlan option traffic-shaping enable
   Disabled by default.

Configuring the rate algorithm

Each 802.11 protocol supports a set of rates. For example, 802.11g supports the rates 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. An 802.11 device dynamically selects a proper rate based on the channel quality and history data. A rate algorithm applied on a radio can avoid improper rate adjustments that would affect network operation. The system supports multiple rate algorithms, including ARR, HDD, HDD2, and LPL. The default rate algorithm, ARR, is applicable in various scenarios.

NOTE:
You can configure the rate algorithm only on 802.11a/b/g radios.

To configure the rate algorithm:

1. Enter system view.
   system-view

2. Configure the rate algorithm.
   wlan option rate-algorithm { arr band hdd hdd2 lpl packet-count up-threshold down-threshold }
   ARR by default.

Enabling channel sharing adjustment

The non-overlapping channels of an 802.11 protocol are very limited. For example, 802.11g has only three non-overlapping channels. Therefore, an AP can easily detect other APs working on the same channel, especially in a high-density WLAN. Channel overlapping causes collisions and interference and reduces WLAN performance. Proper channel planning and power control policies during WLAN deployment are the major means of reducing overlap.
In addition, you can perform this task in a live network to reduce the impact of overlapping.

This task configures a power level. If an AP detects signals stronger than the power level, it considers the channel occupied and does not send packets. If the detected signals are weaker than the power level, the AP sends the packets. This mechanism avoids collisions and interference.

CAUTION:
Do not enable channel sharing adjustment and channel reuse adjustment at the same time.

To enable channel sharing adjustment:

1. Enter system view.
   system-view

2. Enable channel sharing adjustment and specify the power level.
   wlan option channel-share power-level
   By default, the power level is 30.

Enabling channel reuse adjustment

WLAN devices within a space share the same medium. They use collision avoidance and contention mechanisms to send frames over the channels. As the number of devices working on a channel increases, overall WLAN performance degrades. To solve this problem, make proper channel planning and power control policies before WLAN deployment. In addition, you can perform this task in a live network to improve the performance of APs working on the same channel.

This task configures a channel reuse level. An AP ignores packets whose RSSI is lower than the reuse level so that it gets more radio frequency resources and a higher speed.

CAUTION:
Do not enable channel sharing adjustment and channel reuse adjustment at the same time.
Enabling channel reuse adjustment may result in more hidden nodes.

To enable channel reuse adjustment:

1. Enter system view.
   system-view

2. Enable channel reuse adjustment and specify the reuse level.
   wlan option channel-reuse reuse-level
   Not enabled by default.

Disabling buffering of multicasts and broadcasts

If one of the clients associated with an AP is in sleep state, the AC stops sending all broadcast and multicast packets and buffers them until it sends the next Beacon frame. This mechanism affects the performance of multicast applications.
You can perform this task to disable the buffering of multicast and broadcast packets. The AC then sends all broadcast and multicast packets directly, regardless of whether an associated client is in sleep state.

NOTE:
Set the power management parameter to the maximum value on wireless clients to prevent them from entering sleep state.
Disabling buffering of multicasts and broadcasts improves multicast performance in specific scenarios such as multicast-based training, but clients in sleep state will lose some broadcast and multicast packets.

To disable buffering of multicasts and broadcasts:

1. Enter system view.
   system-view

2. Disable buffering of multicasts and broadcasts.
   undo wlan option broadcast-buffer enable
   Enabled by default.

Enabling multi-service optimization

This feature maximizes the overall performance of multiple WLAN services provided by an 802.11n AP.

CAUTION:
Do not enable this feature on an AP providing only one or two services. Otherwise, BSSID changes will occur on the radio.
Only the WA2612-AGN and WA2610-AGN support this feature.

To enable multi-service optimization:

1. Enter system view.
   system-view

2. Enable multi-service optimization.
   wlan option multi-service enable
   Not enabled by default.

Enabling AP blinking

Perform this task to enable fit APs to blink in different colors to show whether they have been associated with the AC. This feature is very useful for inspecting the AP registration state, because fit APs are often installed in high or hidden positions. For information about AP blinking colors and their meanings, see the corresponding installation guide.

NOTE:
Disable this feature after you complete the AP registration state inspection.
The WA3600 series, WA2620i-AGN, and WA2610i-GN support this feature.

To enable AP blinking:

1. Enter system view.
   system-view

2. Enable AP blinking.
   wlan option blink enable
   Disabled by default.

Enabling packet-based TPC

An AP usually uses a high, fixed transmit power to cover as large an area as possible. This mechanism does not save energy. This feature enables an AP to perform transmit power control (TPC) dynamically on a per-packet basis. For example, the AP reduces the transmit power when it sends packets to a client with high RSSI. This feature reduces power consumption, radiation, and interference, improving user experience.

To enable TPC on a per-packet basis:

1. Enter system view.
   system-view

2. Enable TPC on a per-packet basis.
   wlan option tpc enable
   Disabled by default.

Enabling the AP to trigger client re-connection

This feature enables an AP to send unsolicited de-authentication frames to a client when the signal strength of the client is lower than the specified RSSI value, so that the client re-connects to the AP or roams to another AP.

To enable an AP to trigger client re-connection:

1. Enter system view.
   system-view

2. Enable an AP to trigger client re-connection.
   wlan option client-reconnect-trigger rssi signal-check
   Disabled by default.

Enabling the AP to receive all broadcasts

NOTE:
Support for this feature depends on the AP model. APs that do not support this feature ignore this configuration obtained from the AC.
Disable this feature when it is not needed, because receiving all broadcasts affects the normal operation of an AP.

This feature enables an AP to receive all broadcasts so that it can detect spoofing attacks for all BSSs.

To enable the AP to receive all broadcasts:

216 Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the AP to receive all broadcasts. wlan option rx-broadcast-all enable Disabled by default. Enabling the green-ap function This feature enables an AP to use one radio when no clients are associated with it to save energy. To enable the green-ap function: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the green-ap function. wlan option green-ap enable By default, the green-ap function is disabled. Configuring a power supply mode for the AP The AP supports local, PoE, and PoE+ power supply modes. H3C recommends that you use the local or PoE+ power supply mode to achieve better performance. To configure a power supply mode for the AP: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure a power supply mode for the AP. wlan option power-supply { local poe poeplus } By default, the power supply mode for the AP is local. This command takes effect only on the WA3620i-AGN and WA3628i-AGN APs. WLAN optimization configuration examples Optimizing a high-density WLAN Network requirements Deploy a WLAN in a six-floor dormitory building. Each floor has 20 dormitory rooms, and each room has an average of four wireless clients. Deploy four APs at each floor, and connect them to an AC through a Layer-2 switch in the wiring closet of the floor. In addition, configure the following features to optimize the WLAN: Reject wireless clients with low RSSI Ignore weak signals 204

217 Enable traffic shaping based on link status Enable fair scheduling Figure 99 Network diagram Configuration procedure 1. Configure IP addresses and masks for devices as shown in Figure 99. (Details not shown.) 2. Configure the AC: Configure a WLAN service. For more information about WLAN service configuration, see "Configuring WLAN services". The following configures a clear-type WLAN service. # Add interface WLAN-ESS 1 to VLAN 100. <AC> system-view [AC] interface WLAN-ESS 1 [AC-WLAN-ESS1] port access vlan 100 [AC-WLAN-ESS1] quit # Create clear-type service template 1, specify its SSID as Clear-Test, bind the template with WLAN-ESS1, and enable the template. [AC] wlan service-template 1 clear [AC-wlan-st-1] ssid Clear-Test [AC-wlan-st-1] bind WLAN-ESS 1 [AC-wlan-st-1] service-template enable [AC-wlan-st-1] quit 3. Configure the APs: Configure all the APs on the AC. The following takes an AP as an example. # Create AP template ap1 with the model as WA2100, and specify the serial ID as A29G007C [AC] wlan ap ap1 model wa2100 [AC-wlan-ap-ap1] serial-id A29G007C # Apply the service template 1 to radio 1 and enable the radio. [AC-wlan-ap-ap1] radio 1 205

218 [AC-wlan-ap-ap1-radio-1] service-template 1 [AC-wlan-ap-ap1-radio-1] radio enable [AC-wlan-ap-ap1-radio-1] quit [AC-wlan-ap-ap1] quit 4. Configure WLAN optimization features: # Reject clients whose signal strength is lower than 15 dbm. [AC] wlan option client-reject 15 # Ignore signals with strength lower than 15 dbm. [AC] wlan option signal-ignore 15 # Enable traffic shaping based on link status and enable fair scheduling. [AC] wlan option traffic-shaping enable [AC] wlan option fair-schedule enable Optimizing a WLAN with multicast application Network requirements Deploy an AC and five dual-band APs in a training center that has multiple training rooms and provides multicast-based training programs. Use WLAN RRM to set the multicast rate. In addition, disable buffering of multicasts and broadcasts for the WLAN so that the clients can receive multicast traffic in real time. NOTE: H3C recommends that you install a dual-band wireless network interface card and set the power management parameter to the maximum on each client to prevent the clients entering sleep state. Figure 100 Network diagram L2 Switch Client 1 AP 1 AC /24 Client 2 AP 2 DHCP server /24 Configuration procedure 1. Configure IP addresses for devices as shown in Figure 100. (Details not shown.) 2. Configure the AC: Configure a WLAN service. For more information about WLAN service configuration, see "Configuring WLAN services." The following configures a clear-type WLAN service. # Add interface WLAN-ESS 1 to VLAN 100. <AC> system-view [AC] interface WLAN-ESS 1 206

219 [AC-WLAN-ESS1] port access vlan 100 [AC-WLAN-ESS1] quit # Create clear-type service template 1, specify its SSID as Clear-Test, bind the template with WLAN-ESS1, and enable the template. [AC] wlan service-template 1 clear [AC-wlan-st-1] ssid Clear-Test [AC-wlan-st-1] bind WLAN-ESS 1 [AC-wlan-st-1] service-template enable [AC-wlan-st-1] quit 3. Configure the APs: Configure all the APs on the AC. The following takes an AP as an example. # Create AP template ap1 with the model as WA2620-AGN, and specify the serial ID as A29F007C [AC] wlan ap ap1 model wa2620-agn [AC-wlan-ap-ap1] serial-id A29G007C # Apply the service template 1 to radio 1, specify its working channel as 149, and enable radio 1. [AC-wlan-ap-ap1] radio 1 [AC-wlan-ap-ap1-radio-1] channel 149 [AC-wlan-ap-ap1-radio-1] service-template 1 [AC-wlan-ap-ap1-radio-1] radio enable # Apply the service template 1 to radio 2, specify its working channel as 1, and enable radio 2. [AC-wlan-ap-ap1-radio-1] radio 2 [AC-wlan-ap-ap1-radio-2] channel 1 [AC-wlan-ap-ap1-radio-2] service-template 1 [AC-wlan-ap-ap1-radio-2] radio enable 4. Set the multicast rate: # Log in to the Web interface of the AC, and enter the Rate page as shown in Figure 101. Set the multicast rate to 24 Mbps for g and a, and click Apply. 207

220 Figure 101 Configuring the multicast rate 5. Disable buffering of multicast and broadcast packets: [AC] undo wlan option broadcast-buffer enable Optimizing an n WLAN Network requirements As shown in Figure 102, all the clients and APs get their IP addresses from the DHCP server. Client 1 using n associates with AP 1, and Client 2 using g associates with AP 2. Enable n packet suppression and enable traffic shaping based on link status so that Client 1 does not affect Client 2. Figure 102 Network diagram L2 Switch Client 1 AP 1 AC /24 Client 2 AP 2 DHCP server /24 208
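The wlan option features in this chapter are on/off or threshold settings, and the NOTE and CAUTION paragraphs name the states that should not be left in place: AP blinking after registration inspection, receive-all-broadcasts when it is no longer needed, multi-service optimization on an AP that provides only one or two services, buffering disabled while clients may sleep, and a power supply mode on an AP model the command does not apply to. The following Python script is an added example, not H3C code, that audits a saved configuration for exactly those states so they can be caught in a change review. It assumes the input is the text of a Comware display current-configuration dump (one command per line, sub-view commands indented by spaces, sections separated by "#"); the default states come from the Remarks columns above, and the embedded sample configuration is constructed from the commands used in this chapter rather than captured from a device.

```python
"""Audit WLAN optimization settings in an H3C Comware V5 configuration dump.

Added example, not H3C code. Input is assumed to be `display current-configuration`
text: one command per line, sub-view commands indented by spaces, sections split by '#'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Default state per feature, from the Remarks column of the guide's task tables.
DEFAULT_ENABLED = {"broadcast-buffer": True, "multi-service": False, "blink": False,
                   "tpc": False, "client-reconnect-trigger": False,
                   "rx-broadcast-all": False, "green-ap": False}
# Only these AP models honour "wlan option power-supply", per the guide.
POWER_SUPPLY_MODELS = {"wa3620i-agn", "wa3628i-agn"}

_OPTION_RE = re.compile(r"^(?P<undo>undo\s+)?wlan option (?P<name>[\w-]+)\s*(?P<rest>.*)$")
_AP_RE = re.compile(r"^wlan ap (?P<name>\S+) model (?P<model>\S+)")
_ST_RE = re.compile(r"^service-template (?P<id>\d+)\b")


@dataclass
class WlanOptions:
    enabled: Dict[str, bool] = field(default_factory=lambda: dict(DEFAULT_ENABLED))
    client_reject: Optional[int] = None      # dBm threshold; None = not configured
    signal_ignore: Optional[int] = None
    power_supply: str = "local"              # local by default, per the guide
    ap_model: Dict[str, str] = field(default_factory=dict)          # AP name -> model
    ap_services: Dict[str, Set[int]] = field(default_factory=dict)  # AP name -> template ids


def parse_config(text: str) -> WlanOptions:
    """Collect wlan option settings and per-AP service-template bindings."""
    opts = WlanOptions()
    current_ap: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' ends the current view
            current_ap = None
            continue
        if raw.startswith(" "):              # sub-view command (e.g. radio view under an AP)
            m = _ST_RE.match(line)
            if current_ap is not None and m:
                opts.ap_services[current_ap].add(int(m.group("id")))
            continue
        current_ap = None
        m = _AP_RE.match(line)
        if m:
            current_ap = m.group("name")
            opts.ap_model[current_ap] = m.group("model").lower()
            opts.ap_services.setdefault(current_ap, set())
            continue
        m = _OPTION_RE.match(line)
        if not m:
            continue
        undo, name, args = bool(m.group("undo")), m.group("name"), m.group("rest").split()
        if name in ("client-reject", "signal-ignore"):
            setattr(opts, name.replace("-", "_"), None if undo else int(args[0]))
        elif name == "power-supply":
            opts.power_supply = "local" if undo else args[0]
        else:                                # "... enable" / "undo ... enable" features
            opts.enabled[name] = not undo
    return opts


def audit(opts: WlanOptions) -> List[Tuple[str, str]]:
    """Return (feature, message) pairs for states the guide's NOTE/CAUTION text warns about."""
    findings: List[Tuple[str, str]] = []
    if opts.enabled.get("blink"):
        findings.append(("blink", "inspection aid still on; disable after AP registration inspection"))
    if opts.enabled.get("rx-broadcast-all"):
        findings.append(("rx-broadcast-all", "affects normal AP operation; keep only while BSS spoofing detection is needed"))
    if not opts.enabled.get("broadcast-buffer", True):
        findings.append(("broadcast-buffer", "disabled; sleeping clients will lose some broadcast/multicast packets"))
    if opts.enabled.get("multi-service"):
        few = sorted(ap for ap, st in opts.ap_services.items() if len(st) <= 2)
        if few:
            findings.append(("multi-service", "enabled but %s provide only one or two services; BSSID changes will occur" % ", ".join(few)))
    if opts.power_supply != "local" and not POWER_SUPPLY_MODELS & set(opts.ap_model.values()):
        findings.append(("power-supply", "%s set but no WA3620i-AGN/WA3628i-AGN AP exists; no effect on other models" % opts.power_supply))
    return findings


# Constructed sample dump built from the commands in this chapter (not a real device's output).
SAMPLE_CONFIG = """\
#
wlan ap ap1 model wa2100
 serial-id A29G007C
 radio 1
  service-template 1
  radio enable
#
wlan ap ap2 model wa2620-agn
 radio 1
  channel 149
  service-template 1
  service-template 2
  radio enable
 radio 2
  channel 1
  service-template 3
  radio enable
#
wlan option client-reject 15
wlan option signal-ignore 15
wlan option traffic-shaping enable
wlan option fair-schedule enable
undo wlan option broadcast-buffer enable
wlan option blink enable
wlan option multi-service enable
wlan option power-supply poeplus
#
"""

if __name__ == "__main__":
    for feature, msg in audit(parse_config(SAMPLE_CONFIG)):
        print("%-17s %s" % (feature, msg))
```

On the sample the audit reports four findings: blinking left on, broadcast buffering disabled, multi-service optimization enabled while ap1 binds a single service template, and a PoE+ power supply mode with no WA3620i-AGN or WA3628i-AGN AP to act on it. Features the dump never mentions take the guide's documented default, so a clean dump with only the "#" separators produces no findings.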


More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series IP Multicast Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com Software versions: Release 1118P02 and Release 1122 Document version: 6W102-20180323 Copyright

More information

H3C S5120-SI Switch Series

H3C S5120-SI Switch Series H3C S5120-SI Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1513 Document version: 6W100-20130425 Copyright 2013, Hangzhou

More information

H3C WX Series Access Controllers. Getting Started Guide

H3C WX Series Access Controllers. Getting Started Guide H3C WX Series Access Controllers Getting Started Guide Abstract This document provides installation preparation, login, basic configurations, software maintenance, and troubleshooting for the H3C WX series

More information

H3C S7500X Switch Series

H3C S7500X Switch Series H3C S7500X Switch Series Comware 7 EPON Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 7557 and later versions Document version: 6W100-20170831 Copyright

More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series IP Multicast Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 213x Document version: 6W101-20151130 Copyright 2015, Hangzhou

More information

H3C S5130-HI Switch Series

H3C S5130-HI Switch Series H3C S5130-HI Switch Series Layer 2 - LAN Switching Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1111 Document version: 6W100-20150615 Copyright 2015,

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series IRF Command Reference Part number: 5998-6683 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard

More information

H3C S5120-EI Series Ethernet Switches. ACL and QoS. Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

H3C S5120-EI Series Ethernet Switches. ACL and QoS. Configuration Guide. Hangzhou H3C Technologies Co., Ltd. H3C S5120-EI Series Ethernet Switches ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 6W102-20100722 Product Version: Release 2202 Copyright 2009-2010,

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Layer 3 IP Services Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright

More information

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide

Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide Grandstream Networks, Inc. GWN76xx Wi-Fi Access Points Master/Slave Architecture Guide Table of Contents INTRODUCTION... 4 DISCOVER AND PAIR GWN76XX ACCESS POINTS... 5 Discover GWN76xx... 5 Method 1: Discover

More information